The Cybersecurity and Infrastructure Security Agency (CISA) has urged users to be aware of holiday scams and malware campaigns when shopping online this upcoming holiday season.
There’s every reason in the world to shop online. The bargains are there. The selection is mind-boggling. Shipping is fast. Even returns are easy, with the right e-tailers. Shopping has never been easier or more convenient for consumers. While most transactions will be uneventful, online shopping security is not a given. Here’s the gift you can really use—tips for safer holiday online shopping.
- Use familiar websites
Start with a trusted site. Search results can be rigged to lead you astray, especially when you drift past the first few pages of links. If you know the site, chances are it’s less likely to be a rip-off.
Beware of misspellings or sites using a different top-level domain (.net instead of .com, for example)—those are the oldest tricks in the book. Yes, sales on these sites might look enticing, but that’s how they trick you into giving up your info.
- Look for the lock
Never ever, ever buy anything online using your credit card from a site that doesn’t have secure sockets layer (SSL) encryption installed. You’ll know if the site has SSL because the URL for the site will start with HTTPS—instead of just HTTP. An icon of a locked padlock (🔒) will appear, typically to the left of the URL in the address bar or the status bar down below; it depends on your browser.
HTTPS is pretty standard now even on non-shopping sites, enough that Google Chrome flags any page without the extra S as “not secure.” So, a site without it should stand out even more.
- Don’t overshare
No online shopping e-tailer needs your Social Security number or your birthday to do business. However, if crooks get them and your credit card number, they can do a lot of damage. The more scammers know, the easier it is to steal your identity. When possible, default to giving up as little personal data as possible. Even major sites get breached.
- Check statements regularly
Don’t wait for your bill to come at the end of the month. Go online regularly during the holiday season and look at electronic statements for your credit card, debit card, and checking accounts. Look for any fraudulent charges, even originating from payment sites like PayPal and Venmo. (After all, there’s more than one way to get to your money.)
- Pay with a Credit Card
You’ll usually get the best liability protection—online and offline—when you use a credit card. Here’s why. If someone racks up unauthorized charges on your credit card, federal regulations say you won’t have to pay while the card company investigates. Most major credit cards offer $0 liability for fraudulent purchases.
Keep in mind, your liability for unauthorized charges on your debit card is capped at $50, if you report it within two business days. But if someone uses your account and you don't report the theft, after 60 days you may not be reimbursed at all.
You can also try a virtual credit card. Some banks offer this nifty tool that acts like an online version of your card. With a virtual credit card, the issuer will randomly generate a number that’s linked to your account, and you can use it anywhere online and choose when the number expires. It might be best to generate a new number every time you buy something online, or when you shop with a new retailer. Anyone who tries to use that number will be out of luck.
- Beware of shopping-related phishing schemes
Phishing is an incredibly effective tactic used by cybercriminals that involves sending emails designed to look like they’re from someone else—like a brand you love. Generally speaking, these emails will encourage you to click on a malicious link by enticing you with a deal or exclusive price. If you click on the link, you’re redirected to a spoofed landing page of the brand they’re impersonating. Typically, the cybercriminal will try to collect login credentials or payment information like your credit card number. If something smells phishy, you can check the “from” email address to ensure it’s legitimate, and we also recommend hovering your mouse over the URL before you click to confirm that it leads to a legitimate site and not a fake.
- Avoid public Wi-Fi
You might be tempted to take your shopping spree to a coffee shop for a cup of joe. Keep in mind, Wi-Fi networks use public airwaves. With a little tech know-how and the freely available Wi-Fi password at your favorite cafe, someone can intercept the data you send and receive while on free public Wi-Fi. Shopping online usually means giving out information that an identity thief would love to grab, including your name and credit card information. Bottom line: It’s never a good idea to shop online or log in to any website while you’re connected to public Wi-Fi.
- Use a VPN
Still can’t resist the lure of shopping online while sipping that peppermint latte? If you must shop online on public Wi-Fi, consider installing and using a virtual private network (VPN) — on all mobile devices and computers before connecting to any Wi-Fi network. A VPN creates an encrypted connection between your smartphones and computers and the VPN server. Think of it as a secure tunnel your Internet traffic travels through while you browse the web, making your data safer from interception by nearby hackers.
- Create strong passwords
We will again beat this dead horse about making sure that you utilize uncrackable passwords. It’s never more important than when banking and shopping online. Our tips for creating a unique password can come in handy during a time of year when shopping around probably means creating new accounts on all sorts of e-commerce sites.
But even your perfect password isn’t perfect. The smarter move: use a password manager to create uncrackable passwords for you. It’ll also keep track of them and enter them, so you don’t have to think about it.
- Update your browser
Each new version of your Internet browser, especially if you use one of the more popular browsers, gets a boost in security. Older browsers, besides not working as well with some websites, often have holes in their security that hackers have discovered and can exploit. The same goes for your operating system and anti-virus software. Updates will keep you ahead of would-be identity thieves and keep your credit safe.
- Don’t save sensitive info on sites or in your browser
This is more of a general safety tip, but it’s more common during the holiday season to save personal and payment information on shopping websites so you don’t need to fill it in the next time you buy something there. However, these sites aren’t designed to provide the necessary security for your data—they’re designed for shopping. That’s why we routinely hear about hacks and breaches containing personal information from retailers. If you want to have the convenience of auto-filling your information on different sites without sacrificing the security of your data, you should try a password manager, which gives you automatic logins and secure autofill of personal and payment information.
- Ship to a secure location
This may seem extreme, but package theft has become more prevalent in recent years with the rise of online shopping and the barrage of home deliveries. If no one’s home during the day, consider shipping to your office or somewhere else that keeps your packages off sidewalks or front doorsteps.
- Skip the card, use the phone
Paying for items using your smartphone is pretty standard these days in brick-and-mortar stores, and is actually even more secure than using your credit card. Using a mobile payment app like Apple Pay generates a one-use authentication code for the purchase that no one else could ever steal and use. Plus, you’re avoiding card skimmers—you don’t even need to take your credit card with you if you only go places that accept phone payments. How does that matter if you’re online shopping? Many e-tailers will now accept payment using Apple Pay and Google Pay.
- Count the cards
Gift cards are the most requested holiday gift every year, and this year will be no exception. Stick to the source when you buy one; scammers like to auction off gift cards on sites like eBay with little or no funds on them. Plus, there are many gift card “exchanges” out there that are a great idea—letting you trade away cards you don’t want for the cards that you do—but you can’t trust everyone else using such a service. You might get the card and find it’s already been used. Make sure the site you’re using has a rock-solid and clear-as-crystal guarantee policy in place. Better yet, just go directly to a retail brick-and-mortar store to get the physical card.
- Check the seller
Did you find the perfect gift on an unfamiliar website? Break out your detective skills whenever you want to buy something from a new merchant. The Better Business Bureau has an online directory and a scam tracker. Put companies through the wringer before you plunk down your credit card number. There’s a reason that non-delivery/non-payment is the most common cybercrime complaint these days—it hurts when that happens, financially and emotionally.
That said—online reviews can also be gamed. If you see nothing but positive feedback and can’t tell if the writers are legitimate customers, follow your instincts.
If nothing else, make absolutely sure you’ve got a concrete address and a working phone number for the seller. If things go bad, you have a place to take your complaint. In fact, call them before you order so you can clarify a return policy and where to go with any issues after the purchase.
- Complain loud and proud
Don’t be embarrassed if you get taken for a ride while online shopping. Instead, get very, very proactive. Complain to the seller. If you don’t get satisfaction, report it to the Federal Trade Commission, your state’s attorney general, even the FBI. That’s probably going to work best if you buy in the US, rather than with foreign sites.
A stolen identity is even worse than a lump of coal in your stocking. Make sure you have only nice surprises this holiday season by sticking to these smart online shopping tips to keep you and your information protected.