christmas shopping

Don’t Let ‘Christmas Phishing’ Ruin Your Holiday Season

As shoppers try to find deals in time to put presents under the tree, phishing campaigns are making it more difficult for consumers to tell if a website is naughty or nice.

  • By Tyler Reguly
  • Dec 18, 2019

It’s that time of year again. Chestnuts are roasting on an open fire, Jack Frost is nipping at your nose. Rudolph and Frosty are on the TV and Michael Bublé’s Christmas album is on repeat. More importantly than all of that, Santa is making his list and checking it twice. But, did you ever wonder why he’s checking it twice? A magical elf who can make it around the world in a single night is unlikely to need to double check his work like an elementary school math student. Sure, it may be to add rhyme to the song, but something about that theory feels very wrong.

So, what’s left? Could it be children’s wishing? I suspect that the answer is evil Christmas phishing.

I think that Santa realized before any of us that phishing was a real risk. Typos present a serious threat and you need to make sure that everything is as it should be – how else will he know if Jace, Mason, Lily, and Julia are who they say they are. If you think that you are above typos, remember that this year, a town in Canada announced that Satan was attending their annual Christmas parade. It’s all too easy for mistakes to be made and Santa simply wants to ensure that he’s not the one making the mistakes.

l recently learned that someone I play video games with spells their in-game name with an upper-case “I” instead of a lower-case “L.” I bet you didn’t even notice that this paragraph started with a lower-case “L.” Visual inspection can fail even the best of us and that’s only part of beating phishing scams. There are plenty of other things you need to watch for, which is why I think St. Nick had the right idea when he started checking his list twice.

You might be thinking that you know what phishing is and you’re confused as to why we’re talking about typos. One of the ways to increase the effectiveness of phishing campaigns is to utilize a technique known as typosquatting, a form of cybersquatting, where attackers register a domain name that mimics a popular website. Whether this is a mistyped domain name (Amaon instead of Amazon) or a letter substitution (PayPai instead of PayPal), this is an important technique to know about. You might think that the ‘PayPai’ example looks obvious, but what about PayPaI, which is using a capital “I.”

We haven’t even gotten into the heart of phishing yet, the emails. Do you think that it’s easy to recognize a phishing email? Try again. I always laugh because enterprise phishing tests, designed to trick their users are incredibly obvious compared to the advanced techniques used by malicious attackers, yet they still manage to catch people. When the complexity of the mail increases, so does the likelihood of a good haul when the net is cast wide. Thinking you won’t get caught is hubris that you likely won’t be able to afford once you are. Just look at all the people falling for telephone scams on a regular basis and those are often much more obvious than phishing emails.

If you still aren’t convinced, let’s look at this from another angle. If you take a child to the mall around the Christmas season, they think they’re sitting on Santa’s lap. It doesn’t matter that Santa is tucked safely away in the North Pole preparing for Christmas day and they’re meeting one of Santa’s helpers. To that child, at that moment, the wonder and amazement they feel means that Santa is actually in front of them. They’re telling a magical elf exactly what they want for Christmas, pony and all.

The feeling they experience when they see Santa’s cousin, Ralph the Elf, at the mall instead of Santa Claus himself is no different than the feeling you see when you get a coupon that says save 90 percent at Sephora online when you click right now. You want it to be real, so it is and by the time you realize it isn’t, you’ve already paid the price. Still not convinced? Spend an hour browsing Facebook. In the past week, I’ve seen more than a dozen links shared that offer unreal coupons or fake shopping experiences. Even after pointing out they are fake, people still leave them up. We want a good deal, we want to believe that if we share a Facebook post, Bill Gates will give us a million dollars or that if we click this link, Walmart will pay us to shop at their store for one day only.

When you think about a phisher, they aren’t that unlike the elves at the North Pole. They need to manufacture a perfect email, just like when Santa’s elves make a branded product in their workshop. It wasn’t made at the Nintendo factory, but that Switch that Santa leaves is just as good as the ones the factory ships. The emails that these phishers send look just like emails from the actual stores. So, whether you’re a child looking at the tree on Christmas morning, or an adult reading your email over your morning coffee, it’s easy to see just how convincing these knockoffs can be.

Phishers are also like street magicians, making you see what they want you to see. Season 2 of Magic for Humans with Justin Willman dropped on Netflix recently. He goes to great lengths to create an illusion, to show his audience exactly what they want to see. In one segment called Sleight of Ham, he has a child bite a piece out of a slice of ham and after “shuffling” the ham, tosses the pieces against a car window. The piece with the bite is inside the car stuck to the window. I’m no master illusionist, but I dabble in sleight of hand and it doesn’t matter what the audience sees, it’s what they believe they see. I can take a deck of cards and cut it to the same card a dozen times, I can even make it appear real. That’s what happens with those phishing emails, they appear to be real and just like I’m not Justin Willman, they don’t have to be great, just good enough.

Finally, phishers have to be a little like a psychologist. They need to know what makes people tick. What drives people to click on links. Whether it’s a telephone scammer or a phisher, one of those big motivators is always fear. Around the holidays, however, greed or the desire for a good deal can drive people toward clicking on a malicious email. These days, everyone feels stretched thin and while it is popular to point out that you should never go into debt for Christmas, many people are going to overspend, so they’re also going to look to save. A good deal in your email, might just entice you to click that link and make a purchase.

We live in an era where brick-and-mortar stores are dying, where kids ask a jolly fat man for thousands of dollars in high-end electronics, and where a story of a reindeer with a red nose that perseveres bulling to become a hero is sadly still needed. All of this might explain why we see an email for a good deal just for us and we jump on it without a second thought.

Then again, it might just be a good reminder to visit your local businesses and value kindness this holiday season. Either way, take a page from Kris Kringle’s book and check twice, because there’s no guarantee that an email is naughty or nice.

Featured

  • 2025 Gun Violence Statistics Show Signs of Progress

    Omnilert, a national leader in AI-powered safety and emergency communications, has released its 2025 Gun Violence Statistics, along with a new interactive infographic examining national and school-related gun violence trends. In 2025, the U.S. recorded 38,762 gun-violence deaths, highlighting the continued importance of prevention, early detection, and coordinated response. Read Now

  • Big Brand Tire & Service Rolls Out Interface Virtual Perimeter Guard

    Interface Systems, a managed service provider delivering remote video monitoring, commercial security systems, business intelligence, and network services for multi-location enterprises, today announced that Big Brand Tire & Service, one of the nation’s fastest-growing independent tire and automotive service providers, has eliminated costly overnight break-ins and significantly reduced trespassing and vandalism at a high-risk location. The company achieved these results by deploying Interface Virtual Perimeter Guard, an AI-powered perimeter security solution designed to deter incidents before they occur. Read Now

  • The Evolution of ID Card Printing: Customer Challenges and Solutions

    The landscape of ID card printing is evolving to meet changing customer needs, transitioning from slow, manual processes to smart, on-demand printing solutions that address increasingly complex enrollment workflows. Read Now

  • TSA Awards Rohde & Schwarz Contract for Advanced Airport Screening Ahead of Soccer World Cup 2026

    Rohde & Schwarz, a provider of AI-based millimeter wave screening technology, announced today it has won a multi-million dollar award from TSA to supply its QPS201 AIT security scanners to passenger security screening checkpoints at selected Soccer World Cup 2026 host city airports. Read Now

  • Brivo, Eagle Eye Networks Merge

    Dean Drako, Chairman of Brivo, the leading global provider of cloud-native access control and smart space technologies, and Founder of Eagle Eye Networks, the global leader in cloud AI video surveillance, today announced the two companies will merge, creating the world’s largest AI cloud-native physical security company. The merged company will operate under the Brivo name and deliver a truly unified cloud-native security platform. Read Now

Most   Popular

New Products

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities