If you’re anything like me, you probably did the bulk of your holiday shopping online. Especially since the shopping season this year is so much shorter than usual.

Maybe — also like me — you’re looking forward to spending the days post-holiday craze wrapped in a blanket browsing the internet, looking to spend any gift cards you received.

First of all — if you’re spending so much time online, you ought to be paid for it.

Second, you have to be smart about it.

The internet is rife with bad actors any time of year. Nefarious folks who will steal your information, your money, your identity… no personal tidbit is sacred. But instances of cybercrime tick way, way up during the holidays.

There are a few common scams that pop up this time of year more than any other, including…

    • Delivery scams — These are phishing emails sent after you make a purchase that contain a fake tracking link. Clicking on the link could download malware to your device, compromising it — and all your personal information.
    • Discount app scams — Come December, you see a deluge of discount shopping apps on your mobile app store. Sure, it may seem convenient to download a new app so you can shop on the go at a huge discount. Unfortunately, it’s also a really easy way for hackers to skim your credit card information — or push malware to your device.
    • Stolen cart scam — Lots of folks will leave items in their online shopping cart for days until they’re ready to make a final purchase. This is a terrible idea. It gives hackers an opportunity to sneak in and steal your credit card information.
    • Donation scams — With so many people in the giving spirit during the holidays, it’s no surprise that hackers mock up all sorts of emails spoofing charitable organizations. Clicking a link in one of these emails could take you to a malicious website — donating means you’ve just given away your payment information.

People love to think these types of situations will never happen to them — that they’re too smart to be taken in by a suspicious link or an unexpected email.

But the truth is we are all so overstimulated this time of year — and these scams are getting harder and harder to identify — that it’s easy to overlook some minor detail that would give away the ruse.

The bottom line is hackers keep setting up these scams because people keep clicking.

Luckily, you don’t have to be one of them.

Here are a few steps you can take — plus some critical security reminders — to avoid being a victim of one of these fraudulent schemes.

If You Receive a Suspicious Email…

Here are a few steps to follow when receiving a questionable (or unexpected) email…

1. Verify the sender

Phishing scams tend to impersonate trusted people or brands. Note that the “name” field is set by the sender — so it can be anything. Do not rely on this field to verify the sender. Instead, look at the sender’s actual email address to see if it’s legitimate.

2. Verify the other recipients

Are there other recipients? Do you know them? Does it make sense to be receiving the same email? If you’ve answered no to any of these questions, be on alert. Phishing emails are often sent to multiple random recipients at the same time. This can be a dead giveaway of a scam.

3. Verify any links

If the suspicious email contains any links, you can use your mouse to hover over the link to see the URL of the link’s actual destination — but DO NOT click. Usually, fake links will spoof a trusted website — with a subtle difference or two, like a variant spelling or extra punctuation. These are telltale signs of a bogus link.

4. Don’t download any attachments

If you receive an attachment you weren’t expecting, leave it alone. Reach out to the sender to verify its legitimacy if you know them personally. If you don’t, just use common sense. If something feels off, it probably is.
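For readers who filter mail with a script, the four checks above can be run automatically. The following Python code is an added example, not part of the original article; the shop and mail domains, the `build_message` helper and the recipient threshold are made-up assumptions, and trusted domains are matched exactly.

```python
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkParser(HTMLParser):  # collects the real destination of every <a> tag
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

# Builds a constructed sample e-mail; every name and domain used is made up.
def build_message(sender, recipients, href, text, attachment=None):
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, ", ".join(recipients)
    msg.set_content(f'<a href="{href}">{text}</a>', subtype="html")
    if attachment:
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="zip", filename=attachment)
    return msg

def review(msg, trusted_domains, max_recipients=3):
    """One finding per failed check; max_recipients is an assumed threshold."""
    findings = []
    name, addr = parseaddr(str(msg["From"]))   # 1. real address, not display name
    domain = addr.rpartition("@")[2].lower()
    if domain not in trusted_domains:
        findings.append(f"sender: '{name}' uses {domain}")
    rcpts = getaddresses([str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])])
    if len(rcpts) > max_recipients:            # 2. unexplained bulk send
        findings.append(f"recipients: {len(rcpts)} addresses")
    body, parser = msg.get_body(preferencelist=("html",)), LinkParser()
    parser.feed(body.get_content() if body is not None else "")
    for href in parser.hrefs:                  # 3. what hovering would reveal
        dest = (urlparse(href).hostname or "").lower()
        if dest not in trusted_domains:
            findings.append(f"link: goes to {dest}")
    for part in msg.iter_attachments():        # 4. unexpected attachment
        findings.append(f"attachment: {part.get_filename()}")
    return findings

SAMPLE = build_message('"Parcel Express" <help@parcel-express.example>',
    ["a@mail.example", "b@mail.example", "c@mail.example", "you@mail.example"],
    "http://parcel-express.example/track", "parcelexpress.example/track", "label.zip")

if __name__ == "__main__":
    print(*review(SAMPLE, {"parcelexpress.example"}), sep="\n")
```

The sample's visible link text shows the real shop domain while the destination carries an extra hyphen, which is the kind of subtle difference step 3 describes.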

Read Before Downloading

In 2017, a seemingly innocent photo editing app called Meitu was downloaded over a billion times by users all over the world.

In addition to its advertised editing capabilities, the app collected data from phones like photos, calendars, contacts — even geolocation.

It also collected the phone’s serial number, manufacturer information and model number, which could be used to clone the device. When a criminal clones a device, they are effectively stealing the identity of the target phone.

Think about how much personal information you have stored on your phone… If you download an infected app, you could be putting all those data at risk.

When downloading a new app, look for misspellings in the description… a contact email address from a free account like Gmail or Yahoo… or permissions that don’t line up with the app’s function.

Get Ready for a Password Reset

Come January, after the flurry of holiday activity subsides, take some time to reset your passwords.

But the rules have changed…

For years now, we’ve been told that a secure password contains numbers, symbols and both upper- and lowercase letters.

But Bill Burr, retired analyst from the National Institute of Standards and Technology and the person who outlined these original rules, recently said he regrets promoting the guidelines he helped create.

The new standard for hack-proof passwords from the National Institute of Standards and Technology is as follows…

Create a password made up of a string of simple English words — words that mean something to you (and only you) that will be easy to remember without writing them down.

Take OctopusChampagneDuchessPotato, for example. Believe it or not, it would take a computer 46 nonillion years to figure out this password. Compare this with a password such as Se@hawk$1, which would take a computer only about four weeks to crack.

Before changing them, check your passwords by plugging them into www.howsecureismypassword.net. If this site doesn’t give you the green light, go back to the drawing board.

One final note: Along with these new guidelines, the National Institute of Standards and Technology says you no longer need to change your passwords every 90 days (unless a certain website requires you to).

The only reason to change a password is if you believe your account information has made its way into the wrong hands.

Or, perhaps, after a particularly frenzied shopping season.


Lucille St. John
Editor-in-chief, Unconventional Wealth

P.S. Another thing you can do to proactively protect yourself? Use a secure VPN connection whenever you’re online — like the one you can get through our partners at TunnelBear.

A VPN will add an extra layer of protection to all your online activities — disguising where you go, what you do, where you buy, even who you are. Check out TunnelBear to see all the things a VPN can do for you — and how you can get one at a special UCW reader rate today.

(Editor’s Note: We do receive compensation when you buy from TunnelBear — that’s how we keep the lights on. But we only choose partners we believe in and use ourselves — so you can rest assured our recommendations are real.)

Lucille St. John

Lucille St. John is the managing editor of Unconventional Wealth. A gentlewoman and a scholar, Lucille never received much in the way of a financial education. But what she lacks in fiscal knowledge she makes up for in taste.

She’s going to take you with her on her unconventional wealth journey — starting from...
