Avoid Shopping Scams During the Holidays

Kyle Gill, Information Security Officer

👁️‍🗨️At a Glance

  • This week’s threat landscape highlights critical mobile vulnerabilities (Apple iOS CVE-2025-43442/43455; Android CVE-2025-48593), rising smishing attacks, and sideloaded app risks. U.S. organizations face intensified ransomware campaigns, insider incidents, and nation-state espionage. Holiday scams surge with fake retail sites, gift card fraud, and delivery phishing. AI-driven phishing now powers 82% of campaigns. Families must adopt strong cyber hygiene for safe holiday shopping.

📈Current Cyberthreat Trends

AI-driven phishing now powers 82% of campaigns. A majority of today’s phishing uses AI, often as polymorphic campaigns that constantly mutate wording, links, and sender patterns. Independent telemetry shows triple‑digit growth in multi‑channel phishing since late 2023, seconds‑level time‑to‑click, and the rise of AI‑assisted BEC and deepfake vishing. To reduce exposure, pair phishing‑resistant MFA with context‑aware detection (compromised‑account heuristics, relationship graphs), extend controls to SMS and collaboration platforms, and enforce out‑of‑band approvals for payments.

Apple patched 50+ flaws (iOS 26.1), including CVE-2025-43442 (permissions) and CVE-2025-43455 (privacy screenshot capture). Android fixed critical RCE (CVE-2025-48593). Smishing up 28%, sideloaded apps on 23% of enterprise devices.

Nation-state actors (PRC, DPRK) are targeting telecom, finance, and critical infrastructure. Insider collusion in ransomware cases has been confirmed. AI-driven attacks now account for 1 in 6 breaches.

FTC and BBB report spikes in fake retail sites, gift card fraud, delivery phishing, and charity scams. AI-generated fake influencer ads and social media shopping scams are trending. Holiday fraud losses are projected to exceed $12B in the U.S.

🎁Holiday Shopping Safety Tips

🛍️Shopping & Retail Scams

  • Shop trusted retailers and secure websites (look for https and a padlock icon).
  • Verify URLs before clicking on holiday deals—look for typosquatting (e.g., amaz0n[.]com).
  • Enable MFA and use strong, unique passwords.
  • Monitor bank statements and enable transaction alerts.
  • Avoid gift card payments for purchases or donations—this is a red flag.
  • Use credit cards or secure wallets, not debit cards, for better fraud protection.
  • Beware of fake order confirmations or shipping notices—hover over links before clicking.
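A simple defender-side check for the typosquatting tip above, added here as an example (not code from the original bulletin): it undoes common defanging, swaps lookalike digits for letters, and flags hosts that match or sit one edit away from a brand. The trusted retailer list and the lookalike-character map are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed allow-list of legitimate retailer domains (illustrative only).
TRUSTED = ("amazon.com", "bestbuy.com", "target.com")

# Digit-for-letter swaps commonly seen in lookalike domains (constructed map).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def hostname(url: str) -> str:
    """Extract the lower-cased host, undoing defanging such as amaz0n[.]com."""
    url = url.replace("[.]", ".").replace("hxxp", "http")
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one substitution/insertion/deletion = 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> str:
    """Return 'trusted', 'suspicious:<brand domain>' or 'unknown'."""
    host = hostname(url)
    registrable = ".".join(host.split(".")[-2:])
    if registrable in TRUSTED:
        return "trusted"
    norm = host.translate(HOMOGLYPHS)          # amaz0n.com -> amazon.com
    sld = norm.split(".")[-2] if "." in norm else norm
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        # Brand embedded in a subdomain (amazon.com.evil.net) or one typo away.
        if brand in norm or edit_distance(sld, brand) <= 1:
            return f"suspicious:{trusted}"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://www.amazon.com/deals", "amaz0n[.]com",
                   "https://amazon.com.secure-checkout.net/", "https://example.org"):
        print(f"{sample:45} -> {check_url(sample)}")
```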

🎣Phishing & Social Engineering

  • Watch for urgent emails claiming missed deliveries, invoice errors, or account suspensions.
  • Verify delivery notifications via official apps, not links in messages.
  • Don’t trust unexpected holiday e-cards or attachments—even from known contacts.
  • Verify charity solicitations via official websites—don’t donate through links in emails or texts.

📱Mobile & App-Based Threats

  • Download apps only from official stores (Google Play, Apple App Store).
  • Avoid QR codes in public flyers or emails unless verified.
  • Disable auto-connect for Bluetooth and Wi-Fi in public spaces.

👔Workplace & Insider Risk

  • Remind staff not to use work credentials on personal shopping sites.
  • Monitor for unusual data access or off-hours activity—especially in finance, HR, and IT.
  • Reinforce MFA and phishing-resistant login policies before holiday travel.