Holiday Cybersecurity Best Practices

By: Charles Brandt
November 20, 2023

It’s tough to find someone who doesn’t enjoy the holiday season. Unfortunately, cybercriminals love it for many of the same reasons we do. We’re traveling more, we’re busy and distracted, we buy more online from merchants we don’t know well, and we’re especially inclined to give to what looks like a worthy cause. 

To help you stay safe this holiday season, I’ve compiled a list of dos and don’ts, including some examples of common holiday scams.   

Your To-Do List

1. Do Use Secure Networks

It’s tempting to hop on a restaurant’s Wi-Fi when you’re grabbing a quick bite, but don’t make online purchases until you can get to a secure network. You can also use your phone as a hotspot if you really need to shop on the go. In addition, make sure your connection is secure by quickly checking in your browser that the lock icon and “https” are at the front of the website URL.

Pro tip: One good way to be mindful of connectivity is to disable auto-connect on your devices. 

2. Do Think Before You Click

Holidays are a busy time. It’s common for people to be especially distracted or rushed. Cybercriminals have figured this out, and it unfortunately plays right into their hands. According to a recent survey, almost half of those who fell for phishing schemes report being distracted as the primary reason. 

Pro tip: Be especially careful not to open emails from people you don’t know or click on any links or attachments in them. Hover over all email links and carefully review each one to ensure it is going to a reputable website. Oftentimes, simple misspellings go unnoticed. Remember, you can always go directly to the trusted website instead of clicking on an unverified link.

3. Do Recognize Phishing Attempts

61% of Americans are highly vulnerable to phishing scams. That number seems high, and while many people assume they are too smart to fall for such a thing, cybercriminals have gotten better at making phishing scams harder to spot. In addition to email, phishing is also conducted over social media, where users are less likely to be on their guard, and cybercriminals are now using more social engineering techniques to fool their victims. 

You can’t just assume that an email that looks like it’s from a company or a person you trust is safe. Not only have cybercriminals gotten better at impersonating legitimate senders, but they’ve also improved their spelling and grammar. In fact, thanks to AI, they can generate a polished, professional-looking email in mere seconds. 

Pro tip: Any time you’re asked to enter login credentials or other sensitive data through a link, it should give you pause. 

4. Do Think Before You Pay

If you didn’t think the IRS ever did anything good for you, here’s a gift from Uncle Sam. They’ve created a handy Tax Exempt Organization Search Tool so you can be sure the dollars you’re giving are actually going to a good cause. 

Do a little due diligence before you give, and be suspicious of emails or phone calls soliciting donations. Never pay through emailed links. Instead, navigate to an organization directly. 

Pro tip: If you do choose to donate online, make sure the website URL is prefaced by https. That https may look like a small detail, but it’s important. It means that at this site, your communication and data will be encrypted in transit from your browser to their server. 

5. Do Shop Securely

That last tip goes for online shopping as well. And while many shoppers are hoping to find interesting products and support smaller shops, it’s safer to shop with retailers you already trust. Hopefully, you can find shops that fit both categories. 

Pro tip: Holiday shopping season leads to lots of returns. Check the company’s return policy before you buy, and beware of offers that are too good to be true, as counterfeit items are commonly sold online. 

6. Do Pay Wisely

Debit cards are convenient, and they’re one way to stop yourself from overspending. But it’s safer to use credit cards instead. You can also use a third-party payment service like Apple Pay.

Pro tip: If someone asks you to pay for something through gift cards, don’t. I’ll get into gift card scams later. 

7. Do Monitor Your Accounts

If you aren’t already in the habit, check your financial accounts for unauthorized purchases. 

Pro tip: Many companies now offer text or email alerts to warn you of any suspicious activity. Check to see if you can get alerts set up on your accounts. 

8. Do Use Multi-Factor Authentication

You’ve heard it before, but while strong, unique passwords are helpful, they don’t do much good if you’ve given your credentials away or answered common account recovery questions (like your first car or the name of a childhood pet) online. 

While highly skilled and highly motivated attackers can sometimes still bypass Multi-Factor Authentication (MFA), it’s difficult and time-consuming, and most hackers don’t bother. MFA successfully blocks 99.9% of attacks.

Pro tip: Many MFA methods are quite quick. For example, an organization might send you a push notification on your phone, and you can authenticate yourself in one easy tap. 

9. Do Update Your Software

All of your online devices are susceptible to malware and viruses. Keeping your software, apps, and browsers updated is an important part of proper cybersecurity hygiene. Yes, it’s annoying, and sometimes updates can cause additional frustrations. But those frustrations are nothing compared to what a cybercriminal can do. 

Pro tip: Choose a time to install updates when you won’t be in a rush. Sometimes they can take additional time. 

Your Don’t List (Check This One Twice!) 

1. Don't Tell Everyone When Your Home Will Be Empty

It’s nice to be able to share travel photos on social media. You can. Just wait until you get back before you share the details of your trip, especially when you’re leaving and returning. 

2. Don't Reuse Passwords

This bad habit is tough to break. If you’ve been reusing passwords, stop, and immediately update the passwords to your financial accounts. Yes, now. 

Some accounts are more secure than others. If your login credentials are stolen from a less secure account, you definitely don’t want to give hackers instant access to your finances or your email account.

3. Don't Click Suspicious Links

You probably are not, in fact, the instant winner of a $500 gift card. And if you click on a link promising something too good to be true, you’re not a lucky shopper either; you’re likely to become a hacker’s next victim. 

Whether it comes through text or email, be wary of amazing but random offers. 

4. Don't Provide Your Password or Financial Information

It happens so quickly — you get an email or a direct message on social media that includes a link to a fun video you’re in! You click the link, and it tells you to enter your password. You do. But there’s no video. You just gave your password away to a hacker. 

Don’t ever provide your password or any financial information so easily. In fact, if your bank ever calls you and asks for this information, they aren’t your bank.

5. Don’t Put Details in Automated Messages

Automated email responses are helpful and sometimes necessary when you’ll be away from the office for a period of time. Keep your messages short and vague. For example, don’t say you’ll be out of town or indicate how long you’ll be away. 

Common Holiday Scams

The holidays can be a hectic but wonderful time. We have goodwill in our hearts and a to-do list that’s way too long. And that’s the perfect time for scammers to take advantage of us. 

Gift Card Scams 

Did your manager contact you to get gift cards to pay for a holiday party? Double-check before you help them out — this email is probably coming from a hacker. Contact your manager through a number you know, not the one provided in the email. 

Retail Spoofing and Phishing

These common scams happen year-round, but with increased holiday shopping, they turn a tidy profit for thieves this time of year. Cybercriminals are getting better at impersonating retailers. Again, regard email links with suspicion and navigate directly to websites. 

Charitable Giving Scams

Aside from vetting an organization through the IRS’s Exempt Organization Search tool and giving a donation directly through their website, be especially cautious this time of year. Don’t let someone rush you into making a donation on the phone — that’s a common scammer trick. 

Scammers often start by thanking you for making a donation you never made. They can even make their caller ID look like it’s local or use legitimate-sounding names for their charities. It’s unfortunate, but where there’s a worthy cause or a tragedy, there’s someone who’s figured out a way to exploit it. 

Identity Theft

Earlier, I mentioned not using public Wi-Fi to make online purchases. That’s because, with the right tools, criminals can access the information that’s sent through a public connection. Identity theft is definitely more common around the holidays, but with some basic cybersecurity best practices, you can make yourself a much less tempting target. 


Smishing refers to phishing scams sent by text (SMS messaging). And if you’ve noticed you’re getting more suspicious text messages, you’re not alone. Over 3.5 billion people get spam text messages daily. 

Smishing is just as malicious as phishing, but not as many people are aware that these text messages can be dangerous. Be on the lookout for texts about orders you didn’t make or packages you aren’t expecting. 

Of course, these texts are all the more confusing around the holiday season, when people are sending gifts. Be cautious and wait for something to arrive at your door. When in doubt, contact the shipping company or the alleged sender directly.


Someone just called you saying there’s been suspicious activity in your Amazon account. No worries, though! They can fix it if you verify your credit card information!

Uh oh! If you get a call like this, something “vishy” is probably going on. Vishing scams are still common, and they’re conducted the old-fashioned way, through voice calling. Don’t ever give out sensitive information over the phone if you didn’t originate the call, and the second you start to wonder if a call is suspicious, hang up the phone immediately. If that call is really coming from a reputable source, like your bank, trust me when I say they’ll understand. 

Criminals are even using artificial intelligence now to clone voices and send realistic voicemails that sound like they are from someone you know! If it seems out of the ordinary, make sure you contact the person directly before taking action.

Happy Holidays From Marco…Really!

The holidays are such an optimistic time, and while most of this blog consists of warnings, I wrote it because I have a tremendous amount of hope. With a bit more knowledge and cyber smarts, together, we can make cybercrime far less profitable. 

To that end, if you’d like more resources about how businesses and individuals can keep themselves safe during the holidays and beyond, we recently hosted a free online webinar around this topic. Give it a watch! 

