7 Scam-busting Tips for the Holidays from a Top Retail Cybersecurity Expert at Target

The busy holiday season is in full swing, and with so much to do (finish the gift list! wrap the presents! get the house ready for visitors!), you’re likely running in circles. Unfortunately, fraudsters know it all too well, and ramp up their scams during this time of year — even adding holiday themes specially designed to catch busy shoppers unaware.

That’s one of the big reasons Target has built a multi-layered approach to stopping fraud, including gift card scams, during the holidays season and all year round. Our group of hundreds of cybersecurity experts helps Target identify and stop fraud, proactively monitor trends and create solutions to prevent fraud before it even happens.

Our latest innovation? Redesigning Target GiftCards to stop tampering before it starts. Traditional gift cards have access codes printed on the back, which gives determined fraudsters the chance to steal these codes before they’re sold (then drain the card after they’re purchased).

Now, all Target GiftCards sold in our stores will have a blank space where these codes used to be (take a peek at one of our new cards up above). At checkout, a team member will apply a security access label to the gift card, reducing the potential for fraud and increasing the potential for joyful holiday giving.

So, what are some big watch-outs? Erin Becker, who leads Target’s cyber fraud team, weighed in with her top tips for safe holiday shopping.

1 - Prioritize gift card safety

Target GiftCards that you purchase in our stores now have even more security measures. However, before buying any other gift cards on our shelves, check for signs the card or packaging has been tampered with — if you see any, point it out to a team member, stat.

Gift cards are a form of currency, so you don’t want to leave them lying around and risk losing them. But thanks to their popularity this time of year, it can be tough to keep track of all that you get. My favorite tip? Upload your Target GiftCards to your Wallet in the Target App for ease and safekeeping as soon as possible after receiving them. Once uploaded, you can cut up the physical card so no one else can use the funds before you do.

2 - If someone calls asking for gift cards as payment...

This type of scam can come by phone call, email or text. For a long time, it often involved a scam artist posing as someone official, asking you to buy gift cards and share the numbers as a payment. Now, we’re seeing fraudsters contact people saying one of their loved ones is in trouble, and they ask you to provide gift card numbers to help them. If this ever happens, hang up and contact your loved one directly.

It can seem so real, but anything like this should be an instant red flag. At Target, for example, our GiftCards can only be used at our stores and website and can’t be used to buy other brands’ prepaid or specialty cards. And no legitimate government entity accepts any form of gift card as payment.

Share this knowledge with your family members, friends and neighbors so they have the tools they need to keep themselves safe. The main thing to keep in mind is that you will never be asked to pay any bills or any government agencies via gift card.

3 - Slow down and be on the lookout for red flags in every email and text

Scammers definitely take advantage of the holiday timeframe, when people are more likely to be receiving confirmation and shipping emails, promos for deals and more digital goodies. They create phishing emails or smishing text messages that appear to be from your favorite brand to catch you off guard. But if you look closely, there are features that will tip you off that something isn’t right. For example, emails usually come from a slightly ‘off’ address different from the company’s official handle. Misspelled contacts and brand names, typos and bad grammar are also big red flags.

So, before opening links or providing information, ask yourself: Am I expecting this email or text? Do I recognize the sender's email address and is it spelled correctly? If this email or text references a company I shop with, does it come from the company itself?

If you cannot confidently answer these questions, do not engage or respond. Other signs of a fraudulent message include misspelled words and brand names, typos or poor grammar. Before clicking any links, hover over them to see the full URL so you know where the link will take you. If you're not sure it's safe, don't click on it.

Use a web browser to navigate to the brand's website on your own instead.

4 - Get in the habit of using different, strong usernames or passwords for all accounts …

Here’s a New Year’s Resolution you can kick off early: It’s so important to use a different password for each of your accounts, even though it’s tricky to remember them all. When you use the same password for multiple sites where you shop or log in, one incident at any of those places leaves you at risk everywhere. And make sure to avoid using really obvious or easily guessable passwords. (Looking at you, 123456 and Winter2023.)

Another piece of advice? Keep track of all the sites that require you to use your email address as the User ID at login. And make sure that email account has very strong security and recovery information that’s hard to guess and unique from all your other accounts. Consider using a password manager that will help you create unique and hard-to-guess passwords for all of your accounts.

5 - … Or consider switching from passwords to passphrases and Multi-Factor Authentication

Another favorite way to come up with a memorable, ironclad password is to use a passphrase — a series of numbers, letters and symbols that stand for an easy-to-remember line or phrase. They’re longer and more secure and you’re more likely to remember a sentence than a word. For example: Why go to the beach when it’s raining? = YGo2tBwit$r@ining? (Now, don’t go using this one!)

We also offer guests the option to opt-in and sign up for an added layer of security called Multi-Factor Authentication/One Time Passwords (MFA/OTP), which are used to validate the user who is entering the password. It works by having the provider send a PIN by email or text to the registered user when they are trying to log in. Just remember, Target would never call a guest to ask for their OTP, pin, Target Circle Card or gift card numbers.

Guests can also choose to use a passkey to log in to their Target accounts. A passkey is a password alternative that helps you securely sign in with a key unique to you, like your fingerprint or face.

6 - Don’t just click on a hyperlink — test it first

Another way that scammers try to trip you up is by getting you to click on a hyperlink in an email or online ad that looks like it will take you to your favorite shopping site, but actually leads to an illegitimate one. In fact, scammers will often attempt to imitate Target by creating a fake website that looks like Target.com or fake gift card site under the guise of helping you check your balance. In these instances, we’ve seen them attempt to get guests to log in to their sites to steal people’s info.

Before clicking any links, hover over them to see the full URL and make sure you know where the link is taking you. Not sure it’s legit? Better to be safe than sorry. Don’t click on the hyperlink. Use a web browser to navigate to the brand’s trusted website you’re seeking instead. And you can always use the Target app to shop safely too.

7 - If you think you’ve been scammed, report the incident ASAP

Sometimes victims are hesitant to report scams because they feel silly for falling for them, but it can happen to anyone. So take action. Report the incident to your local law enforcement and the Internet Crime Complaint Center or Federal Trade Commission as soon as you can. By doing this, you’re likely keeping many others from becoming a victim, too.

Head to Target’s Holiday Hub for even more ways Target is making shopping easy, inspiring and affordable this holiday and beyond.