Who wouldn't be excited to find a super-low price on a hot toy such as Hatchimal, an interactive creature that hatches out of an egg, or a bargain on cashmere activewear?

What about downloading an app quickly because it can help you save 25 percent on your purchase?

Before you jump at what look like golden opportunities, take extra care this holiday season. Is the deal legitimate? Are you browsing a website with solid online-security measures? Could you even be looking at a fake app?

"Card fraud is a huge business," said Al Pascual, research director and head of fraud and security for Javelin Strategy & Research in Pleasanton, Calif. "They're going to get the data any way they can get it."

Criminals are going after the databases of online merchants and trying to engineer account takeovers, Pascual said.

The crooks don't need to steal your credit-card or debit-card number, he said. Instead, they use information found elsewhere, maybe through a breach, to gain access to your online account with a given retailer.

Once they're in, they can get access to the credit card you had on record with the online retailer. They might order something online and pick it up in a store.

Criminals know that people reuse passwords, so they can hack into accounts using passwords obtained through other breaches.

"It's just a matter of the odds, at least some of them are going to hit," Pascual said. "They didn't have to go into the dark web and buy the card numbers."

What are some ways to steer clear of the fraudsters this holiday season?

Be alert to fake retail apps. Industry experts are warning of apps that impersonate well-known retailers such as Payless, ShoeSource, and Torrid.

After media reports, some fake apps have been quickly taken down by Apple. But experts say it's sort of like a game of whack-a-mole: One fake app comes down, another pops up, according to experts at Branding Brand, which works with retailers to launch and maintain apps.

Consumers can use a retailer's app to get access to exclusive sales or limited products. Or apps can be helpful in buying online and then picking up the item in the store. But you don't want a fake app.

Chris Mason, president, CEO, and cofounder of Branding Brand in Pittsburgh, said it's difficult to know the intention of those launching the fake apps. But some may use them to install malware or trick you into providing personal information, maybe when you think you're opening up a credit card with that retailer.

Some clues to a fake app: Does it have any reviews? If not, that's a red flag someone just created the app, Mason said.

Are any words misspelled in the description of the app? "They'll misspell words like sneaker, if it's supposed to be the app for the Finish Line," he said.

Watch social-media posts. Hackers can use your Facebook and Twitter profiles to figure out passwords, according to the American Bankers Association. Do you need to post the dog's name with his or her holiday photo? Or post a family portrait outside your house with the address in plain sight?

Watch your statements. Go online and check all your credit-card activity, said Bill Hardekopf, CEO of LowCards.com.

"Don't wait for your statement at the end of the month," Hardekopf said.

Fraudsters can get ahold of credit-card information even if you don't shop online, so keep an eye out for possible problems. Once you report the loss or theft, the Federal Trade Commission notes, the law says you have no additional responsibility for charges you didn't authorize. Your liability for each credit card lost or stolen is limited to $50 in the event of fraud, but a number of card issuers have zero-liability policies.

To avoid possible problems, alert your credit-card company quickly once you spot trouble. If you suspect your card was used fraudulently, you may have to sign a statement under oath that you didn't make the purchases.

Be there for the box. Crooks aren't always high-tech - the holidays are filled with stories of someone snatching packages off porches. So it's good to know whether the recipients of your gifts will be home or away when they arrive. Alert them that a package will be arriving.

Shippers and retailers often allow you to track your packages and notify you of delivery. Once notified, make sure you are home to retrieve the package.

No phishing. Every deal you spot online or through a text or email is not a bargain. Instead, you could be looking at a phishing expedition.

"Stop. Think. Have lunch. Sleep on it," warned Peter Cassidy, general secretary for the Anti-Phishing Working Group. "Slow down in every way."

Fake emails, texts, and websites can lure consumers with outlandishly low prices but then install malware on your computer. Or you might get hooked by a phishing attempt to obtain your ID information, including your credit-card number.

The Better Business Bureau notes that some websites offer suspiciously low prices on popular goods to entice shoppers into turning over their information. Secure sites have addresses that begin with https. Beware of pop-up ads that lead you to another website or ask for your personal information or account numbers.

"Don't wander around dark alleys. It's dangerous, and that's where bad links lurk," Cassidy said. "You just can't keep clicking on stuff until you infect your computer."