There is a free iPhone scam going around now. The catch is you must provide your personal information, a credit card number and pay $1 to get the phone shipped. The fine print suggests that you may not win the free phone, but doesn't specify the consequences. No thanks.
I've had my credit card number stolen from an a giant online retailer, legitimate Canadian business and probably several online retailers. The giant retailer caught the phony charges right away and it was only ever used on their site (it was their card.) Another card was only used once and the card company called about some unusual charges two days later so I know exactly who it was stolen from, a popular Canadian TPIA. In both cases, the phony charges were to a travel agency.
Another popular scam is to get hold of someone's card number and use it to purchase a Netflix subscription. I've had that happen with two cards. One card had two charges for two accounts in a single month. Don't know why the card company didn't catch that one.
I always use PayPal for Netflix and online retailers. It probably isn't 100% foolproof but I haven't had a serious problem yet. PayPal makes it easier to deal with retailers that automatically sign you up for subscriptions after a single purchase. That's easy to resolve by checking for subscriptions on the PayPal site and cancelling them.
I've been getting internet related phishing mails and phishing emails for going on 25 years. I've been fooled once but realized it within 5 minutes then called the card company immediately and had it replaced. PayPal scams seem to be the most popular. It's usually something like entering credit card information to verify the account or receive a payment. I get get several a week from the same sources every week. That's been going on for years. They usually end up in the spam folder automatically.
My rules for PayPal and banking sites,
1. Never click on an email link or unexpected browser pop-up link to reach the site.
2. Always open the site using a trusted password manager.
3. Don't type the address into a browser. Common misspellings can end up on a scam site.