The holidays are almost upon us. Black Friday and Cyber Monday are less than two weeks away. For retailers, it’s the most wonderful time of year—revenue goes up as shoppers scramble to snag the best deals and finish their Christmas shopping early (like they always say they’re going to do, but somehow never succeed in doing).

Unfortunately, this time of year is also a favorite of scammers. When there is a great deal and a finite number of products, consumers might not look too closely at whether a website is the real deal or not.

Scammers take advantage of this to throw together a fake website that could fool someone at first glance (and sometimes even on more thorough inspection). All they need is for you to enter your credit card information and they’re off to the races.

The best defense against scams and phishing attempts this holiday season is to know the signs. Knowledge will be your strongest weapon. Here’s what to look for as you begin your Christmas shopping so that you come out the other side with your identity, bank account, and sanity intact.

Check The URL & Sender

It’s dead simple to make a website that looks just like a real one. It’s not unusual to encounter a website or receive an email asking you to confirm some information or to log into your account to investigate suspicious activity.

The email might look like it comes from a trusted source. You can read it a half-dozen times and find nothing out of place. However, there are two things to remember.

First of all, the URL they provide isn’t necessarily the one it sends you to. Here’s an example. Open the link below in a new window. 

http://www.google.com

Surprise! The URL might be written out, but it takes only a few seconds to direct a hyperlink somewhere else. Phishing attempts use this to direct customers to a fake sign-in page that steals their user IDs and passwords for retail sites, banks, and more. 

Another trick is a domain name that starts with a valid domain name and then has a fake part attached to the end, which makes the whole domain fake. Below is an example. It may look like it’s super easy to spot, but on a mobile device, the address bar normally only shows the first 10 to 15 characters in the domain name, meaning the last part will be hidden.

http://www.microsoft.com-gooddeals.com

The second thing to remember is that any site (that you should use, anyway) will log you in through a secure protocol. Look at your URL bar. See the “HTTP” at the very start of the URL? That’s an acronym for hypertext transfer protocol. When you log into a website, make sure it says HTTPS. The added letter stands for secure, which means data sent between you and the website is encrypted.

Hover your mouse over the hyperlink and look at the destination. As a rule of thumb, no legitimate website or bank will ever email you and request your username and password. This is almost always a sign of a phishing attempt. If something seems suspicious, contact the organization directly and ask before you submit.

Finally, check the sender of the email. Often it will have a name or might say something like Customer Support. However, if you look for the actual email address, it’s often something like xsdflkjsf@fakemailprovider.com—clearly a fake account. 

Search The Text

Most phishing emails are variants of one another. An easy way to check whether something is legitimate is to search the sender and a few sentences. Just copy and paste the text into Google with the word “scam” and see what results it returns. The chances that you’re the only one to be targeted by a scam are minimal; most of these attempts originate out of farms and are sent to thousands of users at once.

Many phishing emails will warn you that your account is about to expire or that you need to log back in or enter billing details, often with an apology for the inconvenience. The majority of institutions will not request these details via email, but will instead ask you to check your account.  

Channel Your Inner English Teacher & Look For Spelling & Grammar Mistakes

You might stumble across a website with some amazing deals, but you’ll notice something seems off: namely, the spelling and grammar are atrocious. Many fake websites and scam emails share this trait.

Proper spelling and grammar are a key aspect of presentation, and proper presentation is a key aspect of professionalism. Websites go to great lengths to ensure readers can understand their message.

These blogs might use affiliate links which will earn them a commission if you buy the product at no extra cost to you. Amateur sites might not always have the best spelling or grammar, but as long as they are not asking you to enter credit card or other personal info, they should be safe.

Look For Too-Good-To-Be-True Deals

Online retailers exist to make money. If the deals seem like they would lose money on them, they probably would—which means the deal is likely fake. Sometimes you might still receive a product, just something lower-quality than you thought. The website Wish is a great example of this. 

While popular, Wish products are often counterfeit or significantly lower in quality. The website is not a scam or a phishing attempt, but it isn’t entirely honest, either. 

Joseph Heller said, “Just because you’re paranoid doesn’t mean they aren’t after you.” Cybercrime has steadily increased year after year and it’s impossible to keep track of every new scam. Between 2013 and 2018, the FBI reports that businesses lost $12.5 billion to scams online. Almost 91% of all phishing attempts start with an email; unfortunately, many people receive notifications of sales through their email.

Be vigilant and trust your gut. Once you know what to look for, the majority of scams are almost laughably easy to identify.