Skip To Content

Don't Fall for These Holiday Cyber Scams


With the holiday season in full swing, cybercriminals looking to take advantage of the hustle and bustle. We encourage everyone to take extra precautions to avoid landing on Santa’s naughty list, or worse, falling victim to these holiday cyber scams. Share these tips with your team to help them protect themselves and your organization.

Even Santa Has Supply Chain Issues

Due to ongoing supply chain disruptions, many holiday shoppers see the regrettable "sold out" indicator when searching for gifts. Scammers are cashing in by creating fraudulent websites that offer an alternative to long gone goodies. These sites could steal your payment and personal information and make yours a very unhappy holiday.

Make sure you're doing business with reputable websites. If you’re unsure, search the site address with the word ‘scam’ and see what comes up.

Holiday Gift Exchange, Anyone?

Cybercriminals constantly tweak their holiday cyber scams to stay one step ahead of victims. The Better Business Bureau cautions consumers to be on the lookout for this year’s version of the Secret Sister scam. Here’s how it works.

The victim, usually a woman, gets an email promising that if she buys one gift for a “Secret Sister,” she will get between six and 36 gifts in return. If the victim agrees, she is prompted to share additional personal information to receive her gifts. In some cases, the attackers then pose as law enforcement agents and claim that Secret Sister is a form of mail fraud and demand federal fines be paid immediately, or the participant will be arrested.

We “vish” You a Merry…

You better watch out! That incoming call may be from a grinch! Voice phishing, also known as ‘vishing’, comes in the form of unsolicited phone calls.

Vishing attacks increase during the holidays because so many online purchases and expedited deliveries are in motion. Attackers may call and masquerade as a delivery service, an online vendor, or your financial institution. They might request that you confirm your credit card number, your account name and login, or other personal information to ensure that your holiday purchase arrives on time.

Be wary of unsolicited calls, and think twice before providing personal information to a stranger.

These vishing scams are hot this holiday season. In both cases, fraudulent phone calls could be replaced by phishing emails designed to trick you into clicking on a link that infects your computer or steals your login information.:

  • Package delivery: About one-third of adults in the U.S. report that they received fraudulent notifications from USPS, FedEX, or UPS in 2020, according to an AARP study. The scammer calls or texts claiming to have a delivery and requests personal information to confirm that you are the correct recipient. They may also send a link to a website where you can confirm your identity to receive the package. This link will lead to a website that installs malicious software on your system, or it will harvest your personal information. In some cases, scammers are even leaving missed delivery notices on recipients’ doors with a phone number that directs you to a scammer. When in doubt, always check the official company website, or contact their customer support.
  • Amazon: Malicious actors assume many folks are doing their holiday shopping online due to the pandemic. Posing as Amazon customer support representatives, they call and ask if you recently purchased anything from their website. If you did, they then express concern that someone fraudulently charged a large purchase to your account.  To confirm your identity and sort out the incorrect charges, you share personal account and financial information. The hacker now has everything they need and will terminate the call.

How to Guard Against Holiday Cyber Scams

In organizations that have built strong cybersecurity cultures, everyone takes responsibility for protecting sensitive data. Share these best practices with your employees before they leave for the holiday break.

Protect District Devices

If you’re taking your district-assigned device home, take extra care. School may be out for holiday break, but criminals are just getting started. Continue to report suspected cyber-attacks and lost or stolen devices immediately.

Avoid Free Wi-Fi

If you do visit brick-and-mortar stores, protect yourself by following public health best practices and restrictions in your area. You should also protect your employer’s sensitive information by understanding the risks associated with public Wi-Fi.

Coffee shops, restaurants, bookstores, and other public places often maintain low-level network security cybercriminals can easily hack. Any information you view or passwords you enter on public Wi-Fi are fair game.

Avoid logging into district accounts or connecting school computers to public Wi-Fi networks when possible. If this is unavoidable, always use a Virtual Private Network (VPN) to secure the connection and protect your data.

Restrict Privacy Settings

Preserve data privacy and security by selecting the appropriate privacy settings for documents in public cloud-based services such as Google Drive and Dropbox.

  • Never use anonymous sharing on documents that contain personally identifiable information.
  • Don’t be fooled by the false sense of privacy provided by the “anyone with the link” feature or the easy-to-use “get shareable link” feature on the context menu and simplified sharing dialog box.
  • Avoid granting access requests to Google documents from individuals you do not know. Criminals often get access to personal information or sensitive school documents by simply requesting it.

Ready to Test Yourself?

If you’re worried about falling victim to holiday cyber scams, test your knowledge with this quiz. If you want to stay one step ahead of cybercriminals year-round, sign up for our emails and keep an eye out for our member-exclusive webinars

Editor's note: This article was originally published in December 2018 and has been updated for accuracy and comprehensiveness.

Have Cybersecurity Questions?

Members with Privacy and Information Security coverage can request training and support from our Privacy and Cyber Risk Consultant Lucas Anderson at 800-482-7276, x2893 or

Lucas Anderson headshot
Lucas Anderson
Privacy and Cyber Risk Consultant

Lucas Anderson joined TASB Risk Management Services in 2019, bringing more than a decade of experience in cybersecurity, network administration, and information technology. He advises districts on preemptive mitigation against ongoing and emerging cybercriminal threats targeting the education sector, as well as cybersecurity-related regulatory compliance. 

Over his career, Anderson has supported public and private organizations, including Booz Allen Hamilton, the White House Office of Management and Budget, the Department of Defense, and the Texas Association of Counties. 

Get the Inside Scoop

Want to receive our newsletter and training emails? Sign up to get the latest risk management information that will help you succeed.