MANILA, Philippines – With a few days left before Christmas, most shoppers are probably ready for the holiday rush. But fraudsters have been preparing all year too.

Historically, fraud rates jump during the holiday season as scammers exploit the influx of consumer activity. In 2022, digital payments provider Visa found that holiday fraud rates rose by 8% compared to 2021 and also went up 11% compared to non-holiday fraud rates. (READ: Filipinos lose P155 million to scams in 2023 as authorities try to catch up)

In a recent report, Visa warned that from November 2023 to January 2024, fraudsters will take advantage of consumers racing to tick off their shopping list and get “one-of-a-kind gifts.”

“[A]ctors will conduct tried and tested tactics that are often seen across the payments ecosystem to facilitate fraud during the holiday season, but will take advantage of season-specific commerce, such as an increase in travel, and discounted goods and services, to facilitate fraud during the holiday season,” Visa wrote in its fraud disruption report.

So what exactly should you watch out for? Visa identified six tactics that could be the most exploited this holiday season:

1. Digital skimming
2. Phishing and social engineering
3. ATM and POS skimming
4. Physical theft
5. OTP bypass and provisioning fraud
6. Shopping bots

Schemes: From digital to physical

A digital skimming attack is when fraudsters use malicious code on a merchant website that can scan and steal sensitive payment account data entered by customers on the checkout page. Fraudsters can steal a primary account number, card verification value, expiration date, and other personal information. This tactic could be deployed on websites selling “in-demand goods or services” that get high customer traffic, according to Visa.

The second tactic, phishing and social engineering, preys on customers looking for a good deal. Fraudsters using this may impersonate well-known retailers supposedly offering tempting discounts and sales. Once a customer enters and makes a purchase on the fake website, the fraudster will then steal the sensitive payment information that the customer inputted. 

According to Visa, merchants who deal with electronics, airlines, travel booking, hotels, and luxury goods are the most likely to be spoofed and exploited for phishing. With the rise of artificial intelligence tools, fraudsters may now also create “highly customized phishing campaigns” that mimic brands well and don’t have the common red flags, like grammatical errors.

Meanwhile, ATM and POS skimming has been around for decades, with fraudsters taking advantage of the surge in foot traffic in physical stores and automated teller machines during the holiday season. Fraudsters may attach a “skimmer” – a removable device that can steal payment information – on ATMs and store point-of-sale terminals to harvest customer data.

Skimmers have also evolved from the bulky, obvious devices attached onto ATMs. Now, fraudsters are using thin “deep insert” skimmers that are placed inside the ATM or POS card reader. Visa warned that bad actors could use the “cover of a crowded shop” or an “armful of large products” to distract store employees while they install skimmers.

When it comes to shopping in brick-and-mortar stores, customers also have to be wary of criminals physically stealing cards, phones, or other items from them. For instance, unattended bags in shopping carts could be stolen. Another tactic is to pickpocket a payment card from a customer as they leave the store and then return to the store to make a pricey purchase using the card.

Back online, bad actors can make fraudulent purchases by “bypassing” a one-time passcode through a variety of schemes. For instance, a fraudster could pretend to be part of a bank fraud center and then ask for the customer’s OTP.

Finally, bad actors are also using complex bots – capable of beating security measures like IP blockers and CAPTCHAs – to overwhelm online retailers. Visa identified “Grinch bots” that snap up popular toys and gifts this holiday season, only to resell them at a higher price. Some bots are also used to buy limited-edition items in bulk to resell at higher prices as well. There are also “freebie bots” that scan the web for items mismarked at low prices.

EXPLAINER: What is digital fraud and how do you protect yourself from scams?

How to protect yourself

With the rise in scams during the holidays, Visa advised customers to follow some best practices:

• Don’t click on links or hyperlinks in emails and text messages when they come from questionable sources.
• When paying online, check the URL and look for the “s” in “https://” as it indicates a secure connection. 
• Avoid public Wi-Fi networks when shopping online since they’re often unsecured, making it possible for hackers to steal your personal information.
• Be suspicious of deals that seem “too good to be true,” such as websites that offer very low prices for expensive or rare items.
• Use purchase alerts on your card to confirm purchases and be notified of suspicious activity.
• Enable multi-factor authentication on your accounts and use unique, strong passwords.
• Contact your bank using the phone number or email address listed on your card, rather than following information in an email or text message.
• Never give your OTP through a call, email, or text message.
• Keep up-to-date with system and application software updates to prevent exploitable software security loopholes.

“Crooks prepare all year for the holiday shopping season, taking advantage of increased activity and consumers who let their guard down searching for the perfect gift,” said Jeff Navarro, Visa’s country manager for the Philippines. – Rappler.com