There is no better time than the holidays for scammers to prey on smartphone users.

Consumers on this Cyber Monday will fill their digital shopping carts in record numbers. Online sales today are expected to reach more than $3 billion, and with more than 85 percent of shoppers doing their buying on smartphones, criminals are finding new ways to access people’s information.

And experts say malicious apps may be providing the back door.

Experts warn against counterfeit mobile apps and emoji keyboards, which allow scammers to prey on consumers. CBS News

Nicole Barker likes shopping through her apps; most of her purchases, she told CBS News correspondent Anna Werner, are through her iPhone. But didn’t realize they could put her identity at risk.

“It’s really scary, because you trust those brands when you see them and you just accept or trust that that’s who you’re dealing with,” Barker said.

Chris Mason, from Branding Brand, a company that creates apps for major retailers, found hundreds of shopping apps -- for names like Dillard’s, Payless, Christian Dior and Jimmy Choo -- that were fake.

“If you take those apps down and you get rid of that provider, you’ll find them showing up in a different form with a new name, new credentials,” Mason said. “For every one you take down, there’s two that come up.”

Gary Miliefsky, with cybersecurity firm Snoopwall, says it’s all about criminals getting hold of your private information.

Miliefsky says some of the counterfeit apps are so good, “they give you a complete shopping cart experience. Everything through the ‘Congratulations, here’s your order number, it’s on its way,’ and then you’ll never get the goods.”

But Miliefsky points to something even more disturbing. He says super-popular emoji keyboard apps, which give you an endless supply of emoticons for every occasion, can also gain access to your contacts, text messages, possibly even passwords, and send your private information overseas.

“These are all developed by employees of companies in China,” he said.

“So what do you think that somebody in China is doing with all that information?” asked Werner.

“Some think that the Chinese version of the NSA is using these kinds of tools to collect a lot of information on people overseas,” Miliefsky said. “And time will tell.”

Google Play told CBS News it scans apps “for potentially malicious code as well as spammy developer accounts,” and they have a separate tool for Android devices to “Verify Apps.”

Apple told us they “provide notice on all keyboard apps about the fact that these apps can have access to what you type”… except for passwords, which Apple says can only be typed in using the regular keyboard.

But Miliefsky says, better to avoid emoji keyboards entirely -- especially if they’re free.

News to Nicole Barker: “I do have an emoji keyboard, as do most of my friends,” she said, “so that really gets me scared, and I realize I probably should take that off my phone.”

If you desperately want those cute emoticons, the expert’s advice here is, don’t install one that’s free. Pick one that you pay for, hopefully from a developer based here in the United States.

And if requests pop up on your iPhone where the keyboard wants to use the Internet, access your contacts, or locate you through GPS, just say no.