Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Holiday shopping scams: what identity teams should watch for


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Holiday shopping fraud caused more than $12.5 billion in consumer losses in 2024, phishing impersonating retailers rose 54% during the season, and AARP found nearly 9 in 10 U.S. adults were targeted by or experienced scams, according to the source article and cited research. The underlying lesson is that urgency, trusted-brand imitation, and account takeover still defeat users faster than controls can react.

NHIMG editorial — based on content published by SecurityScorecard: holiday shopping scams and how to avoid them

By the numbers:

Questions worth separating out

Q: How should organisations reduce account takeover risk during seasonal shopping spikes?

A: The most effective controls are phishing-resistant MFA on primary accounts, unique passwords, hardened recovery flows, and user habits that delay clicking until the destination is verified.

Q: Why do holiday scams so often start with email identity compromise?

A: Email is the control plane for password resets, purchase confirmations, delivery notices, and fraud alerts.

Q: What do organisations get wrong about multi-factor authentication?

A: They often assume more factors automatically means better security.

Practitioner guidance

  • Harden email as a privileged identity Require phishing-resistant MFA on primary email accounts, because inbox compromise is often the gateway to banking, retail, and payment app resets.
  • Separate shopping payment instruments from daily spend Use a dedicated card or virtual card for online shopping so that a compromise can be cancelled without disrupting payroll, recurring bills, or day-to-day purchases.
  • Verify destinations before you authenticate or pay Type retailer domains directly into the browser, check the exact domain spelling, and avoid logging in from links in emails or texts.

What's in the full article

SecurityScorecard's full article covers the practical consumer-protection detail this post intentionally leaves for the source:

  • Holiday scam indicators for fake retail sites, package texts, and charity solicitations
  • Public Scorecards guidance on checking a retailer's security rating before buying
  • Step-by-step consumer actions for disputing charges, changing passwords, and placing fraud alerts
  • Holiday travel guidance on avoiding public Wi Fi for payment transactions

👉 Read SecurityScorecard's analysis of holiday shopping scams and account takeover →

Holiday shopping scams: what identity teams should watch for?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Holiday fraud is an identity problem before it is a consumer problem. The article’s strongest signal is that attackers succeed by capturing trust at the moment of authentication, recovery, or payment. That places the problem squarely in the overlap between identity verification, session control, and user behaviour, not just in fraud operations. For identity teams, this reinforces that account recovery and secondary verification paths are part of the attack surface, not administrative plumbing.

A question worth separating out:

Q: Who is accountable when consumers are tricked by fake retailer sites and smishing?

A: Accountability is shared across the service owner, the identity team, and the fraud or consumer protection function. The organisation that designs authentication, recovery, payment, and notification flows owns the risk that those paths can be impersonated or abused. Stronger controls lower harm, but they also clarify ownership when abuse occurs.

👉 Read our full editorial: Holiday shopping scams expose the identity trust gap online



   
ReplyQuote
Share: