Computer with the words 'click me' on the screen.

Holiday traditions take many forms—greeting cards, lighting displays, Secret Santas, ugly sweaters. And every year, the also-ugly tradition of holiday frauds and scams takes new forms. Here's how to avoid losing your money to five common ones making the rounds now.

Stolen Rewards Points

Just when you're ready to spend your loyalty rewards at a retailer or travel site, you could find your points missing. 

For that, you can blame recent data breaches at major companies including Marriott, T-Mobile, MyFitnessPal, Facebook, and Orbitz, says Ivan Novikov, chief executive of the South San Francisco-based e-security company Wallarm. By now, most Americans have had some of their credentials compromised, he says.

more on scams

"You can be sure that at least your current e-mail [address] or one of your previous e-mails has been hacked," Novikov says. 

Bad actors count on the fact that many of us use the same email and password combinations for a number of sites. Once they've stolen your log-in information from one website, they use software to plug it into thousands of other sites, looking for matches. Such "credential stuffing" provides them access to your accounts with retailers and banks, for example. Then they can use your rewards to buy things for themselves or even open new accounts in your name.

Defend Yourself: Vary your passwords and change them frequently. Consider using passphrases—strings of words, rather than just one or two. A password like ConsumerReports is easier to hack than, say, Consum3rRep0rts1sMyF@vorite!

Better still, use a password manager, advises Novikov. This software application securely stores and encrypts all your passwords. You can use the password manager to generate strong, long, and unique passwords designed to foil hackers. The software also remembers PINs, answers to security questions, and CVV codes—those three- and four-digit security codes on the front or back of credit cards. To apply that information, you use a single password, the one you need for the password manager.

Novikov says he likes LastPass, which is free. Other major names, including 1Password, Dashlane, and KeePass, may cost you a few dollars a month.

Go to Consumer Reports' 2018 Holiday Central for updates on deals, expert product reviews, insider tips on shopping, and much more.

Gift Card Fraud

If you've received a gift card you can't use—and don't want to regift—you can find buyers online willing to take it off your hands. But be careful about whom you deal with.

Scammers offering to buy gift cards may ask you to do a three-way "balance check" in which they listen in on the phone while you confirm the balance with the card issuer, says Shelley Hunter, who blogs as "Gift Card Girlfriend" on the website What they're really doing is capturing the sounds of your keystrokes to determine your log-in information. "That way, they can use the value of the card without your knowing it," she says. 

Gift card buyers needn't worry so much these days about criminals secretly uncovering activation codes from cards in store display racks, Hunter says. In that formerly common gambit, scammers would scrape off the code covering, write down the code, cover the code back up, and wait for a buyer to load on money before using the stolen activation code to access the funds. 

"I don’t think it happens as much now because gift cards are better protected," she says. Improved packaging or an additional PIN needed for activation have helped solved that problem, she explains. 

Defend Yourself: Steer clear of posts on social media for gift card purchase offers, or from individuals offering to pay 100 percent of your card's value, Hunter says. A legitimate buyer will pay you, say, 80 percent of what the card is worth. Sellers are better off using gift card marketplaces like and, which have customer-service contacts and are tracked by the Better Business Bureau. 

Hunter says she sometimes hears from consumers who say they can't access the stored value in their gift cards, particularly Visa cards from Walmart. In fact, the cards purposely don't let recipients use them until 24 hours after they're activated. "It's a security measure against money-laundering," she says.

Check the packaging or the card itself, which should indicate when it will be active, she advises. 

Bogus Charities

During the holidays, many of us open our wallets to charity. But be careful that your generosity doesn't meet the Grinch. 

Recently, a couple from New Jersey and a homeless "Good Samaritan" were charged with bilking donors out of more than $400,000 when they set up a page on the crowdfunding site GoFundMe. The couple asked for help for the man, characterized as a Marine veteran, because he'd helped them out when they ran out of gas—a story that later proved to be false. 

"It’s still a newer fundraising tool, so people don’t pay too much attention to vetting," notes Daniel Borochoff, president of CharityWatch, a Chicago-based not-for-profit that appraises other charities. "A scammer could throw up the information and make you believe it’s legitimate."

Another questionable practice is phone and postal mail solicitations by charities that end up spending most of the money they collect on administration rather than on actual services, Borochoff notes. They're not outright scams, but they devote few resources their actual mission work, he adds.

Defend Yourself: Don't give to crowdfunding sites established by people you don't know. Check how much a charity actually gives toward its "good works" on websites like CharityWatch and Charity Navigator. If you want to get a tax deduction, you can also go to the charity's website to confirm its tax-exempt status or check with the IRS. See our advice on the best and worst charities for your donations for more information.

Copycat Websites and 'Phishing' E-mail

Those super deals you'll find on social media, in marketing e-mail, or through web searches could lead you to sites that look an awful lot like a legitimate retailer's but aren't. Some of those players are out to sell you goods that are inferior or counterfeit—or don't arrive at all. 

Other sites encourage you to provide your personal information, which they then use to establish credit cards in your name, steal from financial accounts, and divert payments meant for you.

Defend Yourself: Look for telltale misspellings on e-mail addresses of familiar web addresses (i.e., instead of In e-mail, hover your cursor over the sender's web address; something may be awry if the address ends in .ru (for Russia).

"Watch out for URLs that use the names of well-known brands along with extra words," says Katherine Hutt, a spokeswoman for the National Better Business Bureau, based in Washington, D.C. 

To further protect yourself, type the URL of the company directly into your browser rather than clicking on it in an e-mail or social media post, which could take you to a fraudulent site. And make sure any payment page has an "s" after "http" in its URL, which indicates the page is secure. 

Shipping and Delivery Scams

It can be satisfying to get a gift you weren't expecting. Scammers count on that psychology—and the upsurge in seasonal package deliveries—to defraud consumers during the holidays. 

You might find an official-looking notice in your mailbox, for instance, stating that a package-delivery attempt was made. You call the given number and are told to provide personal information—say, a credit card or Social Security number in order to get the package delivered. A crook can then use that info to set up credit accounts in your name and commit other forms of identity theft. 

Another scam involves an e-mail claiming there's a problem with a delivery to you. But when you click on the link, you're directed to a bogus site that asks you to confirm personal information.

The e-mails usually graphically mimic UPS, FedEx or the U.S. Postal Service, but they can also mimic retailers, a bank, a credit card company, Hutt says. "People are shopping more now. Scammers are opportuntists, so that’s when they pounce."

• Defend Yourself: Before you call the phone number on the mailbox notice, check it for web addresses and tracking numbers. If the delivery is legitimate, you should be able to research it on the delivery service's website. If you receive an e-mail that there's a problem with a delivery from a retailer, go to the website yourself instead of clicking on a link, and log on to your account if you have one.  

Matt O'Connor, a spokesman for United Parcel Service, says a legitimate delivery person who comes to the door will never ask you to pay a fee or supply a credit card as identification in order to receive a package. The only time you'll need to show an ID like a driver's license is for alcohol deliveries, he notes.  

How to Avoid Online Scams

Do you know how to protect yourself from online threats? On the "Consumer 101" TV show, host Jack Rico and Consumer Reports' digital privacy expert Thomas Germain play a quiz game to reveal important steps you can take to keep your personal information safe.