During the chaos of the holidays, it's easy to fall prey to scammers waiting to catch preoccupied residents off guard. Though scams run all year long, the busiest season, the holidays, is often the most profitable for criminals.

Colleen Tressler, consumer education specialist for the Federal Trade Commission (FTC), said phishing scams and identity theft are things to watch for during these hectic times.

What is phishing?

Tressler said phishing is when someone uses fake emails, copycat websites or texts to get someone to share valuable personal information, such as account numbers, Social Security numbers, or login IDs and passwords. Scammers use that information to steal money, identity, or both. They also use phishing emails to get access to a computer or network. If someone clicks on a link, scammers can install ransomware or other programs that can lock that person out of their data.

Scammers often use familiar company names or pretend to be someone you know, Tressler said.

Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies. Or they pretend to be a friend or family member.

Phishing scammers make it seem like they need the information quickly or something bad will happen. “They might say the account will be frozen, you’ll fail to get a tax refund, your boss will get mad,” the FTC said, “or even that a family member will be hurt or you could be arrested.”

In a real-world example featuring Netflix, Tressler said police in Ohio shared a screenshot of a phishing email designed to steal personal information. The email claims the user’s account is on hold because Netflix is “having some trouble with your current billing information” and invites the user to click on a link to update their payment method.

Tressler said don't take the bait.

Before clicking on a link or sharing any sensitive information:

• Check it out. If there are concerns about the email, contact the company directly.

“But look up their phone number or website yourself,” she said. “That way, you’ll know you’re getting the real company and not about to call a scammer or follow a link that will download malware.”

• Take a closer look. While some phishing emails look completely legit, bad grammar and spelling can be a tip-off to phishing.

She said other clues could be that your name is missing or you don’t even have an account with the company. “In the Netflix example, the scammer used the British spelling of ‘Center’ (Centre) and used the greeting, ‘Hi Dear,’” she said.

Listing only an international phone number for a U.S.-based company is also suspicious, she said.

• Be cautious about opening attachments or clicking on links in emails. Even your friends’ or family members’ accounts could be hacked. Files and links can contain malware that can weaken your computer's security.

• Make the call if you’re not sure. Do not respond to any emails that request personal or financial information. Phishers use pressure tactics and prey on fear. If you think a company, friend or family member really does need personal information from you, pick up the phone and call them yourself using the number on their website or in your address book, not the one in the email.

• Turn on two-factor authentication. For accounts that support it, two-factor authentication requires both your password and an additional piece of information to log in to your account. The second piece could be a code sent to your phone, or a random number generated by an app or a token. This protects your account even if your password is compromised.

As an extra precaution, you may want to choose more than one type of second authentication (e.g. a PIN) in case your primary method (such as a phone) is unavailable.

• Back up your files to an external hard drive or cloud storage. Back up your files regularly to protect yourself against viruses or a ransomware attack.

• Keep your security up to date. Use security software you trust, and make sure you set it to update automatically.

• Report phishing emails and texts. Forward phishing emails to spam@uce.gov and to the organization impersonated in the email. Your report is most effective when you include the full email header, but most email programs hide this information. To ensure the header is included, type the name of your email service and “full email header” into your favorite search engine.

• File a report. Notify the Federal Trade Commission at FTC.gov/complaint.

• Visit Identitytheft.gov. Victims of phishing could become victims of identity theft; there are steps you can take to minimize your risk.

• You can also report phishing email to reportphishing@apwg.org. The Anti-Phishing Working Group — which includes ISPs, security vendors, financial institutions and law enforcement agencies — uses these reports to fight phishing.
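
The warning signs listed under “Take a closer look” can also be checked mechanically before a message reaches a reader. The Python below is an added example, not code from the FTC or from this article; the sample message, the `.example` domains, the phrase list and the use of `netflix.com` as the trusted domain are assumptions made for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modeled on the Netflix lure described above; not a real message.
SAMPLE = """\
From: Netflix Help Centre <billing@netflix-account-update.example>
To: pat@example.org
Subject: Your account is on hold

Hi Dear,
We're having some trouble with your current billing information.
Update your payment method: http://netflix.billing-update.example/login
Questions? Call +44 20 7946 0000.
"""

PRESSURE = ("on hold", "frozen", "suspended", "arrested", "billing information")
GENERIC_GREETING = re.compile(r"^\s*(hi|hello|dear)\s+(dear|customer|user|member)\b", re.I | re.M)
URL = re.compile(r"https?://[^\s<>\"']+")
PHONE = re.compile(r"\+\d[\d\s().-]{7,}\d")

def host_matches(host, trusted):
    """True only for the trusted domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

def phishing_tells(raw, trusted_domain, recipient_name):
    """Return the article's warning signs found in one single-part text email."""
    msg = message_from_string(raw)
    body, subject = msg.get_payload(), (msg["Subject"] or "")
    tells = []
    named = re.search(r"\b" + re.escape(recipient_name) + r"\b", body, re.I)
    if GENERIC_GREETING.search(body) or not named:
        tells.append("generic greeting / name missing")
    if any(p in (subject + "\n" + body).lower() for p in PRESSURE):
        tells.append("pressure language")
    if re.search(r"\bcentre\b", raw, re.I):
        tells.append("non-US spelling for a US company")
    for url in URL.findall(body):
        host = urlparse(url).hostname
        if not host_matches(host, trusted_domain):
            tells.append(f"link leaves {trusted_domain}: {host}")
    phones = PHONE.findall(body)
    if phones and not any(p.startswith("+1") for p in phones):
        tells.append("only international phone numbers")
    return tells

if __name__ == "__main__":
    print("\n".join(phishing_tells(SAMPLE, "netflix.com", "Pat")))
```

The link check compares the whole hostname against the trusted domain, so a brand name used as a subdomain label or embedded in a lookalike domain is still flagged.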