TL;DR: Holiday shopping fraud caused more than $12.5 billion in consumer losses in 2024, phishing impersonating retailers rose 54% during the season, and AARP found nearly 9 in 10 U.S. adults were targeted by or experienced scams, according to the source article and cited research. The underlying lesson is that urgency, trusted-brand imitation, and account takeover still defeat users faster than controls can react.
NHIMG editorial — based on content published by SecurityScorecard: holiday shopping scams and how to avoid them
By the numbers:
- Consumers lost more than $12.5 billion to fraud in 2024 alone.
- AARP’s 2025 research found that nearly 9 out of 10 U.S. adults report being targeted by or experiencing some type of scam.
- Security researchers documented a 54% surge in phishing attacks impersonating retailers during the holiday period.
Questions worth separating out
Q: How should organisations reduce account takeover risk during seasonal shopping spikes?
A: The most effective controls are phishing-resistant MFA on primary accounts, unique passwords, hardened recovery flows, and user habits that delay clicking until the destination is verified.
Q: Why do holiday scams so often start with email identity compromise?
A: Email is the control plane for password resets, purchase confirmations, delivery notices, and fraud alerts.
Q: What do organisations get wrong about multi-factor authentication?
A: They often assume more factors automatically means better security.
Practitioner guidance
- Harden email as a privileged identity Require phishing-resistant MFA on primary email accounts, because inbox compromise is often the gateway to banking, retail, and payment app resets.
- Separate shopping payment instruments from daily spend Use a dedicated card or virtual card for online shopping so that a compromise can be cancelled without disrupting payroll, recurring bills, or day-to-day purchases.
- Verify destinations before you authenticate or pay Type retailer domains directly into the browser, check the exact domain spelling, and avoid logging in from links in emails or texts.
What's in the full article
SecurityScorecard's full article covers the practical consumer-protection detail this post intentionally leaves for the source:
- Holiday scam indicators for fake retail sites, package texts, and charity solicitations
- Public Scorecards guidance on checking a retailer's security rating before buying
- Step-by-step consumer actions for disputing charges, changing passwords, and placing fraud alerts
- Holiday travel guidance on avoiding public Wi Fi for payment transactions
👉 Read SecurityScorecard's analysis of holiday shopping scams and account takeover →
Holiday shopping scams: what identity teams should watch for?
Explore further
Holiday fraud is an identity problem before it is a consumer problem. The article’s strongest signal is that attackers succeed by capturing trust at the moment of authentication, recovery, or payment. That places the problem squarely in the overlap between identity verification, session control, and user behaviour, not just in fraud operations. For identity teams, this reinforces that account recovery and secondary verification paths are part of the attack surface, not administrative plumbing.
A question worth separating out:
Q: Who is accountable when consumers are tricked by fake retailer sites and smishing?
A: Accountability is shared across the service owner, the identity team, and the fraud or consumer protection function. The organisation that designs authentication, recovery, payment, and notification flows owns the risk that those paths can be impersonated or abused. Stronger controls lower harm, but they also clarify ownership when abuse occurs.
👉 Read our full editorial: Holiday shopping scams expose the identity trust gap online