Experts advise online shoppers to have a merry, wary holiday season


Every year, holiday online sales ramp up as consumers continue to flock to the virtual space. And each year, criminals are either close behind or already waiting.

It is estimated that 76 percent of U.S. adults shop online and it grows every year. In 2021, the Wild West that is the internet showed no sign of slackening, as users and their abusers took to their keyboards. As online shopping is a growth industry, so is online thievery.

While retailers and cybersecurity officials are always working on ways to protect consumers and shut out thieves and scammers, the game of cat and mouse never ends.

In conjunction with ReadyOC and SafeOC, which are part of a national safety campaign that asks if you “See Something, Say Something,” we talked to cyber-crime experts about the current climate in cyber crimes and some solutions to protect holiday shoppers.

Responding to the growing cybercrime threat, SafeOC launched a Cyber Security element to its site to provide residents with information on how they can protect their home, wallet and business.

According to Lance Larson, a Cyber Investigator and law enforcement officer assigned to the Orange County Intelligence Assessment Center, there are basic procedures he has called “cyber hygiene” that all can practice for protection.

Whether it’s by failing to update operating systems on our devices, conducting transactions on public wi-fi, failing to create complex crosswords, or clicking onto unfamiliar sites and attachments, there are numerous traps that are easily avoided, he said.

According to the FBI’s 2021 Internet Crime report, an annual dive into the growing trends and threats of cybercrime, the field of prey for crooks continues to expand.

“In 2021, America experienced an unprecedented increase in cyber attacks and malicious cyber activity. These cyber attacks compromised businesses in an extensive array of business sectors as well as the American public,” according to the report.

Once again, the Internet Complaint Center (IC3), where the public can report internet complaints and crimes, fielded an all-time record in complaints from the American public in 2021. The 847,376 reported complaints were a 7 percent increase from 2020, with potential losses exceeding $6.9 billion. Since its inception in 2000, IC3 has recorded more than 6.5 million complaints.

In the past five years, complaints to the FBI center have grown 280 percent, while losses have ballooned 490 percent. The COVID-19 pandemic only accelerated the process.

This year, complaints are at a similar rate to last year, “the only difference is the dollar loss values are higher,” according to Chris Elverson, a Unit Chief with the FBI Cyber Division.

Crypto honey pots to ransomware

Among the complaints received in 2021, ransomware, business e-mail compromise (BEC) schemes, and the criminal use of cryptocurrency are among the top incidents reported. In 2021, BEC schemes resulted in 19,954 complaints with a loss of nearly $2.4 billion.

Elverson said one notable jump was in scams and theft of and through cryptocurrency, a practice called “pig butchering” in the crypto crime world.

The term comes from scammers fattening up and luring investors to make large deposits into so-called “crypto honey pots” with seemingly big profits before the slaughter.

US Secret Service Special Agent Shawn Bradstreet told, “Once they (the victims) see how easy it is to invest, they see a rise in their screen account, and then they end up investing their entire life savings in a matter of days.”

Victims are often dealing with fake platforms impersonating legitimate crypto-trading sites and sending funds straight to the crooks.

A particularly susceptible and growing segment of victims are elders, prompting the government to issue an Elder Fraud Report companion to the IC3 document.

“In 2021, over 92,000 victims over the age of 60 reported losses of $1.7 billion to the IC3.” according to the report. “This represents a 74 percent increase in losses over losses reported in 2020.”

The 60-older age group is the largest reporting losses, and victims 50-older lost more than all other age groups combined with 2.9 billion in losses compared to 2.6 billion for those between 20 and 49. (Note: these numbers reflect only complaints that include an associated age range.)

Heading into the holiday season, Elverson said the traditional cautions and protections hold.

Whether from phishing (not to mention variants such as spear phishing, vishing, smishing, and pharming), spoofing, masking, romance scams, fraudulent tech support, sham sites, or extortion, the consumer world can be a digital minefield.

And that doesn’t factor in the countless phone trolls and robocall thieves out there, or porch pirates on the back end.

What to do

The simplest advice, as hard as it may be amid the excitement of holiday giving, is to maintain healthy doses of skepticism and common sense. Scammers bank on the opposing theory of a sucker being born every minute.

According to a recent study by Norton, a cybersafety company, one in three American adults admit to taking more risks shopping online during the holiday.

“People need to be skeptical and do their homework,” the FBI’s Elverson said. “Step back and ask. ‘Does it look right?’”

And if you have been taken, Elverson said it’s important to be proactive. The faster a person reports a suspected crime, the better the chance of blocking the theft. Victims should contact the FBI’s  Internet Crime Complaint Center as well as local law enforcement. Many cities have cyber crime details and since February, all Orange County Sheriff’s Dept. Regional Training Academy have gone through Cyber Liaison Officer training to better familiarize themselves with cybercrime.

Because of the sheer volume of cases the FBI investigates, local agencies may offer more personal interaction.

What to look for

Before diving into holiday shopping, here are some warnings and suggestions from cybercrime experts:

  • If you are being solicited by a company or business you didn’t expect to hear from, especially via email, be careful. Usually, it is best just to delete those emails.
  • Phishing and its related scams remain far and away the most common schemes, with criminals posing as legitimate companies sending out mass fake emails and text messages, sometimes hundreds of thousands at a time. Many now come via social media. During the holidays such schemes may have enough of a whiff of truth to lure in victims.
  • In general, don’t open attachments or enter unknown sites. Hackers often place malware in email attachments. Legitimate retailers and shipping companies won’t send offers, promo codes, and tracking numbers in attachments.
  • Check for a physical address, a customer service phone number, and a professional-looking site. Be sure tracking numbers are offered.
  • Only buy from secure sites with SSL encryption. These are URLs starting with https (rather than http) and contain a lock icon in the upper left corner of the toolbar. Even these can be spoofed, so remain careful.
  • If a site from a purported trusted retailer seems “off,” step back. Warning signs of sketchy sites include poor spelling, odd design, and slow loading. Scammers often hastily post bogus sites, and international scammers may have poor English-language skills.
  • If a seller requests funds be wired directly to them via a money transfer company, prepaid card, or bank-to-bank wire transfer, it’s a big red flag. Money sent these ways is virtually impossible to recover.
  • A credit card is still the safest way to pay for an online purchase because most have built-in protections. Alternatively, use a reputable third-party vendor such as Paypal or Venmo. Do this independently rather than using a vendor’s link. Never give a seller direct access to your savings or banking accounts.
  • Parents who buy electronic devices for their children should consider purchasing a parental control product for android and iOS devices. With these, parents can more easily monitor a child’s online activity through web filtering, location tracking, and app management and blocking.

Maintain proper hygiene

As Larson says, “cyber hygiene” is critical for those who engage on the internet.

“We suggest people have good cyber hygiene, or best practices to protect your computers and devices,” he said.

 Among his suggestions:

  • Invest in a respected antivirus and malware detection system. Many are commercially available and easy to download. They can alert you if you are going into an unknown or suspicious site. They can also scan your computer to check for malware, an umbrella term for various malicious forms of software such as viruses, trojans, worms, and spyware, which can not only affect computer performance, but extract data, such as passwords, user IDs and more.
  • Use two-factor authentication (2FA) or multi-factor IDs. These add a layer of protection beyond your username and password. Usually, they involve a one-time security code sent to your device that you must enter to continue. Unless a hacker or scammer has physical possession of your device, they cannot gain access to the code.
  • Have different and strong passwords on every account you own, and especially on personal email. According to a report by Last Pass, although 91 percent of users know the risk of reusing passwords across sites, 66 percent do it anyway. A number of companies provide “vaults,” where passwords can easily be stored and retrieved.
  • When your device alerts you to an update, by all means install the update.

There are no simple solutions to protecting oneself, but wariness and savvy go a long way.