6 holiday scams you need to know about

Whoa, we blinked and it’s mid-November! The days are shorter, your to-do list is longer, and scammers are ready to catch you off guard. Luckily, you’ve got me on your side with the top holiday scams.

📲 ‘Hi, I’m calling from Amazon’

Criminals and AI voice bots are calling, emailing and texting, claiming to be Amazon employees. Oh, no, your account is on hold! Or there’s been suspicious activity you need to deal with now. They’ll ask you for your payment info — that’s a glaring red flag.

Stay safe: Only put payment details for Amazon directly into the website or the official app. If you get one of those calls, hang up and Google the phone number. I bet you’ll see reports from others who got the same call.

💻 An offer you can’t refuse

There’s an email in your inbox from Macy’s, and whoa! Everything is 50% to 70% off! Click the link, head to the site and all looks normal. Once you check out, though, you’re in big trouble.

Scammers use real brand assets (like logos, fonts and photos) to make you think Macy’s or another big retailer is having a major holiday sale. Then, they direct you to a site that looks like the real thing … but it’s not.

Stay safe: Always, always triple-check the URL. If you’re not sure of a retailer’s website, search in your browser, but don’t click any sponsored results. Type in the address yourself if you know it.

📦 Your package can’t be delivered

You receive a text or email saying your order is stuck at a shipping center. With all the online shopping we do, you probably don’t remember every purchase. Click on the link they sent you and you’re well on your way to a phishing scam.

Stay safe: FedEx, UPS and the U.S. Postal Service will never text you from an unknown number. If you’re worried about a delivery, call the shipping company directly. In emails, watch out for any subtle misspellings in the email address or the sender’s name. Block and report anything fishy.

🤑 The fake seasonal job

📨 You’ve hit the scan-pot! Cybercriminals are sending paper letters to launch new phishing attacks. They’re including QR codes to download a weather app that — you guessed it — unleashes malware to steal sensitive data, like banking info. PSA: Don’t scan random QR codes.

Porch pirates are smarter than ever: Across the U.S., they’re stealing AT&T iPhones delivered by FedEx. They’re using tracking numbers to get real-time updates and swipe packages in seconds. Even worse? The info might be coming from rogue AT&T employees. Get a lockable porch box and a video doorbell.

We may receive a commission when you buy through our links, but our reporting and recommendations are always independent and objective.

I can bearly believe this story. Four dopes used a bear suit and fake claws to ruin a Rolls-Royce and claim the insurance money.

🦴 A robot dog is patrolling Trump’s Mar-a-Lago: “Spot” is unarmed and has a “Do not pet” sign on each leg. The Secret Service isn’t saying what it’s being used for, but with cameras, thermal sensors and a $75,000 price tag, surveillance to protect the President-elect is obvious — he needs it.

I had a joke, but someone stole it: I thought this was interesting. Radio-emitting threads could replace metal tags to stop shoplifters. A company called Myruns is behind the tech. The threads are five times thinner than a single human hair. Special ink inside the threads would transmit signals to set off alarms.

Oops, they did it again: First, Communist China copied the U.S. military’s F-35 jets using stolen drawings and secrets. Now, their military is ripping off our robot dogs, too. China’s “robo wolves” follow commands, like “sit,” “stand” and “move,” and they can do other tricks, like running, carrying supplies and firing rifles. Who needs spy movies when our military secrets are practically doing press tours?

Social Security recipients get a 2.5% raise in January: Scammers are on it. The increase will show up automatically in your bank account or as a check in the mail, no action needed. If anyone contacts you asking for “extra steps” to get your raise, it’s a scam. Report any suspected fraud.

Bad idea: Mozilla has collected more than 30,000 hours of voice recordings from volunteers worldwide. Its Common Voice project is a free public dataset anyone can use to train AI software in 180 languages. Here’s the catch: Mozilla won’t say how your voice will be used or who will use it. Don’t add yours.

Just say no: An Uber or Lyft driver might ask you to pay in cash so they can take home more money. They make as little as $9 an hour (paywall link) through the app, but a cash payment means no safety features like the emergency button, and you’ll get hit with cancellation fees.

🎣 Reeled in a big one: A 33-year-old Nigerian man was sentenced to 10 years for a phishing scam that stole $20 million in nest eggs from over 400 U.S. homebuyers. He sent phishing emails to real estate professionals, tricking them into providing their login credentials. Using those, he redirected home purchase payments to compromised accounts and laundered the money into bitcoin via Coinbase, according to the DOJ.

Pass on this NAS: Over 60,000 D-Link network-attached storage (NAS) devices let hackers slip in data-stealing code. Affected models include the DNS-320 Version 1.00, DNS-320LW Version 1.01.0914.2012, DNS-325 versions 1.01 and 1.02, and the DNS-340L Version 1.08. D-Link’s advice? Replace it. Here’s an alternative.

🚨 North Korean hackers are targeting Macs: It starts with an email containing a fake crypto news headline, like “Hidden Risk Behind New Surge of Bitcoin Price,” and includes a link to a PDF. The link actually leads to a malicious app that lets the sender take control of your system. If you’ve clicked on a random PDF link recently, scan for malware ASAP.

😤 Hackers are breaking into Ticketmaster accounts: They’re stealing tickets to resell. Just ask Mika, who changed her Ticketmaster password but was still scammed out of $400 worth of tickets. Live Nation, Ticketmaster’s parent company, controls around 80% of concert ticket sales and says they can’t fix this problem.

Working the system: Cybercriminals are using hacked government and law enforcement email addresses to request customer data from Big Tech companies. Police usually need a search warrant for files and messages, but for basic details like phone numbers, login credentials and approximate locations, a request is all it takes.

Feature or bug? Criminals’ iPhones are rebooting on their own when seized by the cops, and it’s all tied to a recent iOS 18 security update. Law enforcement is calling it a nightmare when it comes to retrieving evidence. Here’s the issue: When the phone reboots, it defaults to a “Before First Unlock” state. Even if police use third-party tools to try to access the data, they can only get limited information. No word yet on a fix.

Job scam warning: Retailers and shipping companies are hiring in droves ahead of the holidays. UPS, Amazon, FedEx, Target and all the rest are looking for folks, but they won’t make initial contact with you via email or text. Go to a potential employer’s website and find the “Careers” section to apply directly.

😡 WTH? Black people in over 20 states are receiving racist text messages ordering them to report to plantations for slave labor. These hate-filled messages, which target kids and adults alike, are sent from unknown numbers, many of them through the anonymous TextNow app.

Console yourself; it’s game over: Malware called Winos4.0 is targeting Windows gamers. It sneaks in through infected third-party game mods. Once it’s on your system, cybercriminals play their own games, looking for crypto and taking screenshots of what you do so they can blackmail you. PSA: Skip the mods.

📩 Email espionage: Hackers are using compromised government emails to steal business info. Here’s how it works: You get an email about an emergency data request from the “federal government,” and the email address looks legit. It’s not. If you open the attachment or click a link, you’ve just landed a one-way ticket to malware. This kind of request will never come in the form of an email, folks.