4 holiday scams to watch for, and how to outsmart them

Couple using mobile devices near holiday tree.

Holiday scams: The 4 biggest scams to watch for (and how to outsmart them)

by Kate Hernandez | December 16, 2025 | Threat Lab

Reading Time: 5 mins

Your friendly guide to staying safe while shopping, giving, and celebrating online this season.

December is the busiest shopping month of the year—and one of the easiest times for scammers to blend in with the holiday rush. With you juggling last-minute purchases, nonstop delivery updates, and a flood of promo emails, cybercriminals take advantage of the chaos by disguising themselves as retailers, shipping companies, charities, and even family members.

And the risk is significant. About 1 in 3 U.S. adults report experiencing an online shopping scam, making fake deals, phony tracking alerts, and fraudulent storefronts more common than ever during the holiday season.

The good news? Once you know what these scams look like, they’re surprisingly easy to spot. This guide breaks down the four holiday scams you’re most likely to encounter in December—and the quick steps you can take to avoid all of them.

1. Delivery Scams: “Your package couldn’t be delivered”

If you're expecting packages this month, you're an automatic target. Delivery scams are one of the most widespread holiday threats because everyone expects shipping updates—and scammers know it.

What these scams look like

You may receive:

A text claiming “Your package is delayed—update your shipping info.”
An email saying “We couldn’t deliver your package. Pay redelivery fee.”
A fake tracking page designed to steal your login credentials or credit card number.

Graphic showing three examples of scam holiday texts on mobile phone screens.

These messages often impersonate UPS, USPS, FedEx, Amazon, or other major carriers—right down to look-alike logos and URLs.

Red flags

Urgent language: “Final notice,” “Delivery blocked,” or “Action required.”
Shortened or strange URLs that don’t match the carrier’s official domain.
Requests for personal info that carriers never ask for via text or email.
Messages coming from random long phone numbers or email addresses.

How to avoid it

Never click tracking links in unsolicited texts. Instead, go directly to your retailer or shipping carrier’s tracking page.
Check your order history. If you didn’t buy anything that matches the message, it’s fake.
Enable identity protection. If you accidentally clicked a suspicious link, immediately monitor your data with tools like Webroot™ Premium.
Report the scam to the FTC or your mobile carrier by texting 7726 (SPAM).

2. Fake online stores and scam deals

The holidays create the perfect recipe for copy-cat stores: high demand, low stock, and shoppers chasing fast deals. Cybercriminals spin up thousands of fake retail sites every December.

Why these scams spike in december

You feel urgency from holiday shipping deadlines.
Big deal events like Black Friday and Cyber Monday normalize deep discounts.
Social media ads make scam storefronts look shockingly legitimate.

Red flags

Prices significantly lower than competitors—especially on hard-to-find items.
No customer service phone number or physical address.
Poor grammar or AI-generated product descriptions.
Checkout pages missing HTTPS or showing a broken padlock.
Limited payment options, such as gift cards, wire transfers, or Zelle.

Graphic showing an example of a scam print promotion for shoes.

How to Avoid It

Search the store name + “scam” before buying.
Use credit cards, which typically offer better fraud protection.
Avoid stores you’ve never heard of that advertise exclusively on social media.
Check official retailer lists, product availability warnings, and FTC holiday shopping safety tips.

Turn on a VPN such as Webroot® Secure VPN to protect your browsing activity from malicious ads, trackers, and fake redirects.

3. Fake charities and donation scams

December is the biggest charitable giving month of the year. Unfortunately, scammers use this goodwill to impersonate charities, disaster-relief organizations, or local fundraisers.

How scammers get you

They may:

Clone a legitimate charity’s website.
Create fake GoFundMe-style donation pages.
Send emotional emails with “urgent” donation requests.
Use spoofed phone numbers to mimic well-known nonprofits.

Fraudulent charities cause millions in losses every year.

Red flags

High-pressure tactics: “Donate now or families won’t get help tonight.”
No clear explanation of how donations are used.
Requests for unusual payment types like prepaid cards or cryptocurrency.
Misspellings or slightly altered charity names (e.g., Red Cross vs. RedCrossHelpNow).
Email domains that don’t match the organization.

How to avoid it

Research before giving. Confirm the organization through official registries such as:
Donate directly through the charity website, not through a link sent by email or text.
Avoid crowdfunding campaigns unless you know the organizer personally.
Use a VPN and a security solution to prevent malicious redirects or spoofed donation pages.

4. Gift card and emergency scams

Gift card scams are one of the fastest-growing fraud types reported to the government. According to the FTC’s fraud database, gift cards remain one of the top payment methods scammers demand, especially during the holidays.

These scams target urgency and emotion—two things that run high in December.

What these scams look like

Someone pretending to be a grandchild or friend messages urgently:
“I’m in trouble—can you send gift cards?”
A scammer impersonates a boss or coworker:
“I need five gift cards for the team today. Don’t call—I’m in meetings.”
A fake retailer or tech support agent asks for gift card numbers as “payment.”

Graphic showing an example of a scam text asking for funds.

Source: New York Attorney
General's Office

Red flags

Emotional pressure or urgency (“I need help right now”).
Requests for secrecy (“Don’t tell anyone”).
Demands for gift cards, cryptocurrency, or wire transfers.
Messages coming from new or slightly altered email addresses.

How to avoid it

Always verify the request by calling the person directly using a known phone number.
Never pay anyone with gift cards. No government agency or legitimate business uses them as payment.
If you think a scammer has your info, freeze your credit and use Webroot Total Protection to monitor for breaches.

Report gift card scams immediately to the retailer and to the FTC

Year-end cybersecurity checklist

As the holiday rush winds down, take a few minutes to reset your digital life. A little cleanup now can protect you all year long.

1. Update all devices
Phones, tablets, computers, routers—software updates close known security vulnerabilities.

2. Install security on your new devices
New phones, laptops, and tablets are top targets for malware the moment they’re online. Install antivirus before browsing or downloading anything.

3. Refresh your passwords + turn on MFA
Use a password manager and enable multi-factor authentication everywhere you can.

4. Enable automatic backups
Cloud backups protect holiday photos, tax documents, and more from ransomware or accidental loss.

5. Review bank alerts and credit monitoring settings
Real-time alerts help detect fraud faster—and early detection dramatically reduces financial damage.

Protect your holiday season with Webroot

Scammers count on chaos, distraction, and seasonal generosity—but with a few smart habits and the right protection, you can shop, donate, and celebrate with confidence.

Whether you want safer browsing, identity security, or protection across all your devices, Webroot Total Protection has you covered: get comprehensive protection including antivirus, identity monitoring, dark web alerts, secure VPN, password manager, and more.

Stay safe, stay merry, and enjoy the season—without letting scammers steal your cheer.