Holiday shopping scams surge this time of year, especially those tied to package deliveries and “too good to be true” deals.
One increasingly common tactic is brushing. In these schemes, a threat actor sends an unsolicited package containing a random item along with a QR code. Scanning the code may lead to malware installation or prompt you to enter personal or account credentials.
Other common delivery-related scams include fake text messages claiming a package could not be delivered by USPS, UPS, or FedEx. These messages often contain malicious links designed to steal personal information.
How to protect yourself:
- Never scan QR codes from unknown or unexpected sources
- Avoid clicking delivery links in unsolicited texts or emails
- Verify deliveries directly through official carrier websites or apps
- Be skeptical of unusually large holiday discounts
- Always check website URLs for misspellings or subtle typos, a common sign of fraudulent sites
- Never enter login credentials on unfamiliar or untrusted websites
If something feels off, trust your instincts because it likely is.
Phishing & Impersonation Attempts
Phishing scams remain one of the most effective tools for cybercriminals, and they tend to spike during the holiday season. Common examples include emails claiming you’ve received a holiday bonus, payroll update, or e-gift card.
These messages may appear legitimate, but often originate from suspicious or slightly altered email domains.
Red flags to watch for:
- Unexpected emails involving money, gifts, or urgent requests
- Messages from unfamiliar or oddly formatted email addresses
- Pressure to act quickly or click a link
When in doubt, don’t click. Verify requests through a trusted channel or contact the sender directly using known contact information.
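The advice above to check URLs for misspellings, and the warning that phishing emails often come from slightly altered domains, can both be automated as a look-alike check. The following Python code is an added example, not part of the original article; the trusted-domain list, the character-swap table and the sample strings are assumptions constructed for illustration, and treating the last two labels as the registered domain is an approximation.

```python
import re
from urllib.parse import urlsplit

# Assumption: a small allow-list of the carriers' real domains, chosen for this example.
TRUSTED = ("usps.com", "ups.com", "fedex.com")
# Digit-for-letter swaps often used to imitate a name (constructed, not exhaustive).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(value: str) -> str:
    """Return the lower-cased host of a URL or of an email address."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower().strip(".")
    if "://" not in value:
        value = "//" + value
    # urlsplit drops any "user@" prefix, so "https://ups.com@other.example" yields other.example
    return (urlsplit(value).hostname or "").lower().strip(".")

def classify(value: str):
    """Return (verdict, trusted domain matched or imitated, or None)."""
    host = host_of(value)
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    norm = host.translate(LOOKALIKES)
    tokens = re.split(r"[.-]", norm)
    # Approximation: last two labels stand in for the registered domain (no public-suffix list).
    registrable = ".".join(norm.split(".")[-2:])
    for good in TRUSTED:
        brand = good.split(".")[0]
        if brand in tokens or edit_distance(registrable, good) <= 1:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample strings, not observed indicators.
    for sample in ("https://www.usps.com/track", "payroll@usp5.com", "https://fedx.com/",
                   "http://usps.com.parcel-redelivery.example/t", "https://ups.com@track-parcel.example/"):
        print(f"{sample:50} {classify(sample)}")
```

A "lookalike" verdict is a heuristic prompt to verify through the carrier's official site or app, and an "unknown" verdict does not mean the address is safe.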
Travel-Related Cyber Scams
Travel scams are especially common during peak holiday travel periods. Scammers may claim your flight has been canceled or insist that you call a number immediately to confirm details.
Public Wi-Fi also poses risks. Cybercriminals can set up fake access points that look legitimate and trick travelers into connecting.
Best practices while traveling:
- Only contact airlines through official apps or verified phone numbers
- Avoid public Wi-Fi when possible; use mobile data or a personal hotspot
- Connect only to official, trusted networks if Wi-Fi is necessary
- Never use charging cables or USB ports at public kiosks, such as those in airports (a tactic known as “juice jacking”)
Account Takeovers & MFA Fatigue Attacks
Another growing threat is MFA fatigue, where attackers repeatedly send multi-factor authentication requests, hoping you’ll approve one out of frustration.
If you receive MFA prompts you didn’t initiate, do not approve them.
What to do instead:
- Deny all unsolicited MFA requests
- Immediately change your password
- Use a password manager to generate and store strong, unique passwords
- Avoid reusing passwords across accounts to prevent credential-stuffing attacks
Stay Cyber Aware This Holiday Season
The holidays are stressful enough without the added risk of cybercrime. By staying alert and following proactive cybersecurity best practices, you can significantly reduce your risk.
Trust your instincts, slow down before clicking or responding, and remember: legitimate organizations won’t pressure you into urgent action or request sensitive information unexpectedly.
Stay cyber aware, and enjoy a safer, more secure holiday season.