Incognito — December 2025: Holiday Shopping? Lock Down Your Personal Data Now

Welcome to the December 2025 issue of Incognito, your monthly dive into privacy and security with DeleteMe.

This month: 

• Holiday Data Defense Mode: Activated. The festive season brings out scammers and data-hungry retailers. Stay vigilant to protect your personal information and keep it out of the wrong hands.
• 🎧  The Holiday Fraud Trap: In the latest episode, Beau Friedlander reunites with Adam Levin and Travis Taylor to guide you through the “glittering fraud trap” of the holidays, covering everything from fake shopping sites to persistent gift-card scams. Listen here.
• Essential reading: Android TV boxes sold by major retailers are hijacking home networks; California’s new privacy law will force browsers to adopt a universal data opt-out tool; a major airline data broker is ending a warrantless travel-tracking program; and New York has enacted the first U.S. A.I. pricing disclosure law.
• Q&A: “Is there any way to protect against my voice being made into a deepfake?”

Feeling the Holiday Rush? So Are the Scammers 

If you managed to get through last week without a scam attempt, congratulations! You’ve navigated the first wave of every scammer’s favorite time of year.

• According to one report, there was a 118% increase in phishing scams last Thanksgiving and a 229% spike on Black Friday. 
• But it’s not over yet. Last year also saw a 14% increase in phishing scams around Christmas. 

As you shop this season, we invite you to perform a quick Holiday Privacy Posture Check (HPPC). We’ve compiled a short checklist to ensure you’re protecting your data and not accidentally gifting it to a threat actor.

The Holiday Scam Watchlist 

During a time of heavy shopping, what scams should you be prioritizing?

Delivery Impersonation Scams

“Delivery scams” have long been a favorite target for scammers, and they are more prevalent than ever. Disguised as official delivery attempts (most often USPS, DHS, UPS or FedEx), the goal is to trick you into clicking a link, sharing sensitive information, and/or making additional “necessary” payments. Delivery impersonation attacks are up 105.8% year-on-year.

Your Rule for Unsolicited Delivery Messages:

• NEVER click a link in a text or email notification about a product delivery.
• ALWAYS go directly to your delivery provider’s official app or website. If there is a real issue with your package, you will see it there.

Fake Online Stores

It’s not just text and email scams you need to worry about. Fake online stores are designed to steal your personal and financial information. Research shows a massive spike in phishing sites impersonating major retailers like Amazon around Christmas and the New Year.

As Beau Friedlander noted in the latest What the Hack episode, this threat is compounded by AI:

“A simple search can send you into a labyrinth built by AI-assisted threat actors, conjuring websites that look like where you’re going, but they’re a dead end with crooks hiding in the woods.”

DeleteMe tip: Double-check new apps. During the holiday season, scammers ramp up the creation and distribution of counterfeit mobile apps (over 120,000 were identified so far in 2025, most impersonating retail or financial brands). These often steal your credentials and payment data while looking legitimate. 

Privacy > Discounts (The Hidden Cost of Deals)

Retailers would love to wake up to a big treasure trove of personal data in the new year. And many of us will unwittingly help them make that dream come true. 
Rich personal data is often just one good deal away. During the holidays, 9 in 10 mobile consumers share their data for savings. 

• 79% sign up for promo emails to get offers.
• 66% download apps for coupons, discounts, or free trials.
• 58% share their phone number for texts to get a deal.

This means that you are more likely to a) overshare with legitimate retailers (RIP your manageable inbox come January) and b) potentially give away your data to scammers impersonating retailers in fake promotions and reward campaigns. 

Stop Sharing, But Don’t Give Up the Deals

You can reduce your exposure while still getting the deals by not handing over your real personal data.

If you’re a DeleteMe customer, you can use masked email addresses and phone numbers whenever a site, store, or app asks for your information. 

This means you can get discounts without sharing your real contact details.

Masking your contact details also helps keep your real inbox and phone number out of more data breaches and scam lists. And a lower risk of exposure in a data breach is the best privacy you can give yourself in 2026.

Shop Smart While Navigating the “Giant, Elaborate Scam”

There is no magic bullet for avoiding holiday shopping scams. The best plan is to double down on time-tested privacy practices paired with smart online shopping habits.

Prioritize these steps while you shop:

• Verify Sellers and Products: Always verify the seller before you buy. Cross-reference product images with the official manufacturer’s website to ensure authenticity (I narrowly missed buying a fake Apple product this week!).
• Use Protected Payments: Use payment methods that offer strong dispute protections, and always double-check the retailer’s return policies before completing a purchase.
• Slow Your Roll with Social Ads: Be skeptical of social media ads. That Instagram ad for 50% off designer goods might send you to a scam website, not a legitimate deal.

Beau Friedlander put it best in last week’s What the Hack episode on fraud when he warned:

“Treat the entire digital world – from your phone’s notifications to your home’s front door – like it’s a giant, elaborate scam.” 

We’d Love to Hear from You!

Have a story for our podcast? Any privacy stories you’d like to share, or topics you’d like to see in Incognito? We’d love to hear from you!

Drop a line to Laura Martisiute at laura.martisiute@joindeleteme.com. She’s keen to hear any feedback you have about this newsletter.

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape.

Android TV Boxes Sold by Major Retailers Are Hijacking Home Networks

Some Android-based TV streaming boxes sold through major US retailers are drawing warnings from security researchers for secretly enrolling users into residential proxy networks tied to cybercrime. Experts say the devices replace Google’s app store with an unofficial marketplace that installs apps enabling free streaming while hijacking home networks to relay traffic used for ad fraud, credential stuffing, and other malicious activity. 

California Privacy Law Set to Spark Nationwide Data Opt-Out Tool

A new California privacy law, which amends the California Consumer Privacy Act and takes effect on January 1, 2027, will require web browsers to include a simple, built-in tool allowing residents to universally opt out of data sharing, regardless of where they are, which will likely push browsers to offer the feature nationwide. Because identifying California residents is difficult, experts say companies will likely adopt a single national solution. 

Airline Data Broker Ends Travel Tracking Program

ARC, a data broker owned by major airlines, is shutting down its Travel Intelligence Program (TIP) after lawmakers revealed the IRS accessed its massive database of Americans’ travel records without a warrant. The program let government agencies search 722M ticket transactions and even set up alerts for future travel, capabilities lawmakers say bypass legal privacy protections. 

New York Enacts First A.I. Pricing Disclosure Law

New York has enacted the nation’s first law requiring retailers to disclose when they use AI and personal data to set individualized prices, aiming to protect consumers from hidden “surveillance pricing.” The measure has sparked backlash from business groups over its breadth and from consumer advocates who say it doesn’t go far enough. Still, experts say it marks a major step toward broader state and federal regulation of algorithmic pricing. 

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: Is there any way to protect against my voice being made into a deepfake? 

A: Timely question! And yes, there are steps you can take to reduce the likelihood of your voice being deepfaked. 

As the cybersecurity company Group-IB explains, the first step of a deepfake vishing attack is attackers collecting your voice sample, which is easier than you may think. 

Common sources include social media and voicemail, but criminals can also call you to acquire your voice sample. Answering with a simple “hello, who’s this?” may be enough for the scammer to recreate your voice. Yep: Scary! 

The best thing you can do is limit recordings of your voice, i.e., voice clips on social media, voicemail greeting, and even voice messages in messaging apps. 

If an unknown number calls you, answer, but don’t speak (also a good tip for robocalls in general).  

Next, think of where a deepfake of your voice might be used and put additional safeguards in place for those situations. 

Not worried yet? Researchers from Australia’s Data61 (CSIRO) have found out, it’s possible to generate convincing voice deepfakes from just a single facial image! (That’s not a typo.) 

So, if you authorize payments, transfers, or account changes over the phone, consider switching to verification methods that don’t rely on voice alone.

We also suggest that you choose a private passphrase that only people you trust would know. 

Q: Privacy tips often revolve around digital privacy, but what about offline privacy? 

A: What a great question. Protecting your offline privacy often gets forgotten with so much happening online to take away our privacy. 

There’s a lot you can do (meaning it’s easy to go down a rabbit hole), starting with shredding documents before throwing them out, avoiding loyalty cards, renting a post office box instead of providing your physical address, and even using a masked email when shopping at physical retail stores (e.g., to receive your receipt electronically). 

Also, I would generally avoid discussing anything sensitive or personal in public spaces (or leaving your laptop open on a train with corporate secrets exposed – as I witnessed recently). License plate readers as well as CCTV cameras in stores and on public streets are another thing entirely with no clear solution short of walking around completely covered. 

The Electronic Frontier Foundation has a fantastic guide to street-level surveillance technologies that you might find interesting. 

Q: What privacy advocacy groups are there, and can I join them/support them? 

A: The most well-known is probably the Electronic Frontier Foundation (EFF), which describes itself as “defending digital privacy, free speech, and innovation.” 

You can support it by becoming a member (donating), joining activism campaigns, and using their privacy tools (like their anti-tracker Privacy Badger). 

There’s also:

• Access Now, which “defends and extends the digital rights of people and communities at risk.” You can support it by donating, participating in campaigns, joining RightsCon events, and volunteering digitally.
• ACLU (American Civil Liberties Union), which defends “the rights of all people nationwide.” You can become a member (donate), join advocacy campaigns, and volunteer locally.
• EPIC (Electronic Privacy Information Center), which seeks to “protect privacy, freedom of expression, and democratic values in the information age.” You can support it by donating and following its work. 

Question for our readers: What privacy advocacy groups are we missing/do you support?

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

That’s it for this issue of Incognito. Stay safe, and we’ll see you next month.