Over the holidays, be aware that you could get email confirmations for products you never bought. If that happens, the email is probably a fake—the work of a scammer who is trying to steal important personal information from you.

According to the website Consumer Affairs, people have recently been receiving phishing emails that appear to come from Amazon or Apple confirming purchases that were never made.

Shoppers need to be especially wary because these emails come during the hectic holiday season, says Pam Dixon, the founder and executive director of the World Privacy Forum, a nonprofit, nonpartisan public interest research group.

“These [emails] are beautiful fakes,” she says. “That makes them particularly pernicious.” 

They come under the names of companies that are e-commerce behemoths and typically send purchase confirmations through email. 

The Consumer Affairs article says emails have carried subject lines such as “Your Amazon order #873857 for $866.47 has shipped” or “Your invoice from Apple #ID 675821.” 

The scammer is hoping that you’ll open the email and then click on a link to learn more about the purchase.

“Don’t fall for it,” says Chuck Bell, programs director for Consumer Reports. “Always remember that an email that shows up in your inbox may not have directly come from the merchant you think you are dealing with.” 

Bell says that if you click on even one link in that message, it may download malware to your computer or lead you to a fake website that asks for your log-in credentials to resolve the apparent billing problem. If you give that information, someone could hijack your account and run up a huge tab, he says.

Tips to Avoid a Phishing Scam

Think before you click. If something doesn’t seem right about an email, just delete it—ideally before you open it. That’s especially true if you get an email about a product you didn’t buy. 

Examine the link. Before you click on a link, try hovering your mouse over it. This will reveal the full address, which can expose signs of fraud. An “.ru” on the end, for example, means the site was created in Russia; “.br” means Brazil.

Never click on links in an email. Instead, navigate directly to the website of the company and contact the customer service department to confirm that the notification is either a mistake or a scam. Dixon says that Apple, for instance, typically sends you a receipt via email for charges made as well as links you can click on for information about your purchase. The trick, she says, is to not click on the link but to log in to your actual Apple or iTunes account and then search for the information you need.

Look for misspellings. If you do click on a link and it takes you to another site to input information, look for misspellings, which indicate a fake website. You can also open a window in your browser, search for the retailer’s web address, and compare it with the one in your email.

Don’t assume that a website is legitimate just because its URL starts with “https.” Criminals like to use encryption, too.
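The link checks in the tips above (reveal the real address, compare it with the retailer's own, ignore the "https") can also be done without clicking anything. The following is an added example, not part of the original article: the trusted-domain list and the sample message, including its `.example` hosts, are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the reader really uses for these brands.
TRUSTED = {"amazon.com", "apple.com"}

# Constructed sample message body; the .example hosts are placeholders.
SAMPLE = """<p>Your Amazon order #873857 for $866.47 has shipped.</p>
<a href="https://amazon.com.order-review.example/track">www.amazon.com/orders</a>
<a href="https://www.amaz0n.example/help">View order details</a>
<a href="https://www.amazon.com/gp/help">Help</a>"""

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_trusted(host):
    # Exact match or a real subdomain only; "amazon.com.x.example" fails.
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def audit_links(html):
    """Return [(real_host, [reasons])] per link; https is deliberately ignored."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host, reasons = host_of(href), []
        if not is_trusted(host):
            reasons.append("untrusted-host")
        # Visible text that is itself an address should name the same host.
        shown = host_of("//" + text.split("://")[-1]) if "." in text and " " not in text else ""
        if shown and shown != host:
            reasons.append("text-mismatch")
        results.append((host, reasons))
    return results
```

Calling `audit_links(SAMPLE)` flags the first two links and passes the third, even though all three use https.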

Be wary of attachments. They may contain malware. And you should never type confidential information into a form attached to an email. The sender can potentially track the info you enter.

Guard your financial information. Be wary of emails asking for account numbers, credit card numbers, wire transfers, and failed transactions. There’s no reason to share such info via message or an unsecure site.

Turn on auto updates. This goes for your computer, smartphone, and tablets. Up-to-date security software goes a long way toward stopping malware.

Use security tools. Install an antivirus program on your device and keep it up to date. You can also use a website reputation rating tool, which comes in the form of a browser plug-in, to warn you if you try to go to potentially dangerous websites. Cybersecurity companies such as Kaspersky, McAfee, and Norton offer them. But keep in mind that these tools aren’t foolproof.