suspicious guy looking into mailbox

Holiday email scams: Avoid unwanted gifts in your inbox

4 min read
Todd Redfoot

With the holidays quickly approaching, you might be anxiously awaiting packages in the mail. Cyber criminals use this time of year to send fake emails to unsuspecting recipients. These email scams look very similar to shopping or shipping notices from companies such as DHL, FedEx and Amazon. But instead of notification of the newest gadget on the way to your door, they deliver a virus to the recipient.

Many of these malicious emails also include attachments or links to a familiar-looking website — attachments and links that instead deliver unwanted software to your computer or lead you to a fake login page in an attempt to steal your credentials.

Red flags in your inbox

To protect yourself from cyber crime during this time of year, be on high alert for the following:

Shipping notices. These messages appear to come from legitimate mailing services (FedEx, UPS, etc.), alerting you to an update on your shipment. Many ask you to review an attachment or click a link to confirm shipment of the package.  

Tip: Legitimate shipping notices do not ask for interaction from the user or send attachments. Think about it -- when is the last time you had to verify the shipment of a package via email?

Phantom order emails. These fake order confirmations from sites that you might or might not have visited in the past are usually for expensive or random items, drawing the end user into clicking through the “order details” links to see more information about the order.

Tip: If you didn’t order something from the site, you probably shouldn’t get a receipt for it. Delete it immediately. Also, if the order email is from a site you purchase from frequently, check your order history through their website by navigating there directly.

“Seasons Greetings” e-cards. These electronic cards definitely deliver a message, but not exactly the greeting that you were expecting. They usually deliver a gift of malware, through either an attachment or link.

Tip: Most e-card services usually include the name of the sender (in the subject line or the body of the email). If you do not recognize the sender, or it is only a first name that is common, delete the email. These services also do not send cards as attachments.

One liners from family and friends. These emails, which usually come from someone you know, might include one or two sentences accompanied by a link. They generally tell you to check out an “Unbelievable Deal” or “Something you can’t miss!”

Tip: Your family members and friends probably don’t send you one-liners (unless they are busy, of course). If you’re sure, reply to the email and ask. It won’t hurt to ask if it’s a really good deal, right? Just don’t click the link.

More email safety precautions

Here are a few more things to look out for while navigating your inbox:

Stay away from junk (or bulk) mail. Any email that lands in this folder is probably there for a good reason. Most can be purged immediately.

Test your URLs. A quick test you can perform to determine where a link will resolve is to hover over the link (DO NOT CLICK!) with your mouse. Give it a try with these two examples. Can you tell which one is suspicious?

Be careful with attachments. It’s no longer safe to only avoid attachments with .zip, .jar or .exe files, as attackers are now using more common formats such as Office documents or PDFs. The rule of thumb is to always be careful with any attachment that you were not expecting, especially if it comes from an external source. When is the last time your bank sent you a .doc? Never. Delete it immediately.

Last, and most important, if you are not expecting an email with an attachment or link from someone, DO NOT OPEN IT. Your curiosity is the one thing that the attackers need to entice you to fall for their trap.

Want to learn more? Here are some hoaxes (plus tips and tricks) that were active this time last year.