A growing number of consumers have come to rely on online shopping for their holiday purchases, and it’s not hard to see why. Retailers of every size have started offering great online deals, coupons, and sales specials, and busy people have taken a liking to saving money while shopping in their pajamas, well away from the crowds and on their own terms.

While most savvy shoppers are aware of a few potential pitfalls when it comes to keeping your personal information safe online, there’s a particular scam that gets overlooked but directly relates to your internet buying. There are several variations of this scam, but one form is so prevalent that one company has actually had to post a warning message about it on their corporate website.

Online shoppers, especially those who ramp up their internet purchasing at the holidays, need to be especially watchful of shipping scams that involve major companies like DHL, UPS, FedEx, and even the US Post Office. The scam involves an email or text message that alerts you to a problem with your package delivery—playing off your fear that your child’s brand-new video game console won’t be arriving in time, or another similar gift-giving crisis—and directs you to either click the link or open the attachment to resolve the issue.

By “spoofing” the company with a look-alike email address and digital letterhead, scammers trick you into thinking this is legitimate correspondence. Instead, following the instructions in the message can result in downloading a virus to your computer, handing over money for the “insufficient postage,” or even turning over your identifying information.

There are a few ways you can try to avoid this scam. First, make sure you’ve got an emailed receipt and shipping confirmation from your online purchase, and that you save it until the items arrive safely. Next, if you receive an email alert that there’s a problem with your shipment, go directly to the shipping company’s website yourself (without clicking any links!) and enter your tracking number from that emailed receipt. If you don’t turn up a matching record, this is most likely a scam. If you’re still in doubt, contact the seller through their customer service portal to see if they were alerted to any issues, then contact the shipping company listed in the email if there’s still any uncertainty about your package.

Remember, there’s never a good time to have your identity stolen or your computer infected with malicious software, but the holidays are an especially bad time to become a victim. It’s important that you never click a link or open an attachment in an email from an unverified source, even if it appears to be genuine.

Anyone who believes their identity has been stolen or their personal data has been compromised is invited to connect with the ITRC through our toll-free call center at (888) 400-5530 or on-the-go with the new IDTheftHelp app for iOS and Android.