You Better Watch Out For These 9 Holiday Scams

'Tis the season. The carolers are caroling. The shoppers are shopping. And the scammers are busily scamming away. While Cyber Monday has come and gone, attackers are still preying on shoppers looking for last-minute gifts and online deals. And in the thick of all this holiday cheer, many good-willed citizens forget that there still are cyber attackers waiting to take advantage of our money, lack of time and abundance of good will.

"During the holidays, a much larger number of people use the Web. It presents more of a target rich environment," said Paul Ferguson, network architect for Trend Micro.

More and more, holiday scammers are perfecting the art of the multifaceted approach in their attack strategy -- you'll increasingly find approaches like broad e-mail blasts working in tandem with well-researched and acutely focused attacks. And with more people than ever buying holiday gifts online, attackers are finding even more ways to be at the receiving end of their credit card purchases. So zip up your purses and make sure your passwords are airtight before launching your holiday shopping trek this year. Here's what to watch this season.

Googlers, beware. And everyone else on every other search engine, for that matter. Holiday shoppers, especially those conducting broad searches on the Internet for gift ideas, might be in for a bit of a surprise when a "holiday gift ideas" Web search leads them instead to a series of cyber traps. Increasingly, cyber attackers are leveraging trusted keywords in order to push their malicious sites to the top of the search engine page rankings. When users click on these links, which look like legitimate holiday sites, they are brought to malicious sites that install all kinds of malware.

"If you do a search, what the bad guys are trying to do is get their bad sites right at the top," said Derek Manky, security research engineer at Fortinet. "It's exploitation of Google's own game. It's basically telling Google if it sees a keyword used on various Web sites, it ranks it higher, which is part of their strategy to get out to as many users as possible."

The cards might be cute, but what they're sending out is anything but warm and fuzzy. Security experts say that links to malicious sites will increasingly arrive in the form of holiday greeting cards this season. Scammers are also becoming more adept at impersonating legitimate contacts, or hacking into a user's contact list, to entice recipients to click on a link or e-mail.

"People love clicking on those electronic greetings," said Chris Harrington, security architect for Greenpages Technology Solutions in Kittery, Maine. "But they link to nasty executables and viruses."

Naturally, users need to make sure that they know the senders before clicking on a link. "That's hard to do," said Harrington. "People are very trusting and naturally curious."

If at no other time of year, people feel charitable around the holidays -- a sentiment that attackers are finding more and more ways to exploit. Without a doubt, experts say, users will see more requests for donations from sites that look like legitimate charitable organizations. But users need to look twice. Organized cyber crime networks are buying authentic-sounding domains, and using names that impersonate established charities -- albeit slightly misspelled -- so potential donors will think their money is really going to support troops or to help orphans in Bangladesh.

"Those are the ones that stand out and take advantage of people's good will," said Harrington, while warning, "Before you give, check the Better Business Bureau."
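As an added illustration, not from the article or any of the vendors quoted in it, here is a defender-side check for the slightly misspelled lookalike domains described above: it compares the host in a link against an allowlist of trusted domains and flags near-misses. All domain names below are constructed placeholders, not real charities or banks.

```python
# Added example: flag link hosts that are near-misses of trusted domains.
# The allowlist and sample links are constructed placeholders.
from urllib.parse import urlparse

# Constructed allowlist of domains the organisation trusts (placeholders).
KNOWN_GOOD = ("helptroops.example.org", "orphanrelief.example.org", "mybank.example.com")

# Digit-for-letter substitutions that lookalike names commonly rely on.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance using the standard two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(link: str) -> str:
    """Reduce a URL or bare domain to its lower-cased host without 'www.'."""
    host = urlparse(link if "://" in link else "//" + link).hostname or ""
    return host.lower().removeprefix("www.")


def classify(link: str, known_good=KNOWN_GOOD, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a link."""
    host = host_of(link)
    if host in known_good:
        return "trusted"
    normalised = host.translate(CONFUSABLES)  # undo 0->o, 1->l, etc.
    for good in known_good:
        if host.endswith("." + good):  # genuine subdomain of a trusted domain
            return "trusted"
        # A trusted name embedded in a longer host (e.g. as a subdomain of an
        # unrelated domain) or within a couple of edits of it is a lookalike.
        if good in host or levenshtein(normalised, good) <= max_distance:
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a holiday e-mail.
    for sample in ("https://www.helptroops.example.org/donate", "helptr00ps.example.org",
                   "orphan-relief.example.org", "mybank.example.com.evil.test"):
        print(f"{sample:45} -> {classify(sample)}")
```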

It's one thing to click on a malicious site that impersonates a legitimate one. It's another thing entirely to click on a legitimate site that has been seeded with malicious code. Many unsuspecting shoppers will get duped when good Web sites are infiltrated by spyware and other forms of malware served through an ad server hosted by a third-party site. "There are major efforts afoot this time of year, even for some 'reputable' sites that have managed to be compromised by bad guys. Nobody's really immune to that," said Trend Micro's Ferguson.

And many legitimate retailers could be targets due to the high volume of Web traffic during the holiday season.

"A Web site isn't as monolithic as it seems," said Laura Yecies, vice president of Check Point Software Technology. "It's relatively easy to hack these third party Web sites if they're part of the primary site."

The Storm gang is at it again, only they have shifted the focus of their attacks to a holiday theme. (Even cyber criminals can get in the holiday spirit.) "We already saw this during Halloween," said Manky. "Now as we're entering Christmas, there's a huge potential for them to strike with this as well."

Attackers will lure victims with links and attachments that suggest everything from holiday-focused products to e-vites for parties. And the mere act of online gift browsing can turn your computer into a bot that sends personal information to attackers. Links could also come embedded in blogs or other communication channels. While it's easy to get carried away, the adage "think before you link" still applies.

It's phishing with a voice component. A phisher impersonating a major retailer will call or send out an e-mail to a user, saying that an order has been delayed or compromised. The attacker will then ask the victim to call back and "reaffirm" credit card or password information.

"Scammers do a great job of making it look really legitimate," said Troy Edington, chief technology officer for HEIT, which provides defense networks for financial institutions. "You have to be diligent. If someone is asking for any type of critical information, you never want to just put that in an e-mail. You always want to go to the main site."

"It's really just letting the consumer know you really have to be on your guard," Edington added.

Everyone is a little more sensitive about money during the holidays. Knowing this, vishers will take advantage of consumer apprehensions about credit and their monthly spending limit. While vishing on the retail end will grow, you'll also likely see a rise in vishing attacks from banks as well.

"Just when people are concerned about their credit, they get an e-mail from a financial institution -- probably their own," said Patrick Gray, senior security strategist at San Jose-based Cisco Systems and former FBI computer crime analyst. "It's going to cause most people to tighten up a bit. They will immediately click on that hyperlink and put in their information."

Experts advise users to contact their financial institution directly if their bank or credit union e-mails them requesting information. "Call the number on the card, because there are fraudulent 1-800 numbers that go along with the scams," warns Gray.

"The correct protocol is to hang up the phone and call them back," said Scot Mitic, CEO of TrustedID based in Redwood City, Calif. "At an extreme level, ignore any e-mail that comes from your bank. Chances are it's not legitimate."

Anywhere there are financial transactions, there are scammers waiting for a quick and easy payday. Holiday shoppers need to be careful of online auction sites -- particularly if they don't have a seller rating system in place. In online auction schemes, scammers will typically "sell" a popular high tech gift on a site like eBay for perhaps just a little less than expected. Then online shoppers find themselves unpleasantly surprised when they receive either fake merchandise or nothing at all. Last year's scams included the Sony Playstation III. This year it could be the Wii, experts say.

"It's actually been quite successful in the past," said Stephan Chenette, manager of security research at Websense Security Labs. "It looks legitimate, and it will be at a reasonable price, and they might just send a box in the mail. Or probably nothing."

With phishing expected to be one of the biggest security threats in the upcoming year, it's not surprising that scammers will target individuals in an effort to get them to reveal credit card or other personal information. And while phishing is not new, the sheer number of attacks designed to overwhelm users will be unique to the holiday season.

"Nine times out of 10, it comes out of a Yahoo account. It's pretty easy to spot that stuff, yet people fall for it," said Frank Kondor, managing partner for Omni Data, based in Woodbridge, Conn. "People are under a lot of pressure because of all the hustle and bustle to get things done," he said. "It's just a quick click and it's done."