Individuals and retailers aren’t the only ones getting ready for the biggest shopping season of the year. The holiday shopping season is also a big event for cybercriminals. Every holiday season, security researchers document spikes in online criminal activity, ranging from phishing scams, fake shopping sites, and credit card skimming software, to malicious and compromised applications being posted in online app stores. At the same time, because people will be getting out their credit cards to make sometimes large numbers of purchases, attackers assume that a few fraudulent transactions may be easily missed.
Here are a few tips to help you have a happy – and secure – holiday shopping season.
One of the best ways to ensure a safe cybershopping experience is to prepare for it.
- Start by making sure your devices, software, browsers, and applications have all been patched and updated to the latest versions. It is especially important that you are using updated and patched operating systems on all your devices. For example, earlier this year a vulnerability allowed adversaries to potentially attack and control your Android devices. The unfortunate part is this may potentially effect phones that are no longer getting updates, but are still being used. Shopping using a mobile device at a physical retail location is quite common, but may introduce new risks you may not have considered as well.
- Make sure that your devices have security tools installed, such as antivirus and VPN, and that you know how to use them.
- Get your passwords under control.
- Update older passwords with newer ones that are harder to guess but easier to remember. One trick is to use the first letter of every word in a phrase you know. We recommend when possible, using passphrases. A passphrase is a sentence that is easier to remember, but very difficult for password crackers to break. An example of this might be “My voice is my passport.” In this case, the password doesn’t have special characters or numbers, but a sentence with spaces will be especially difficult for password crackers to attack. Of course, not all websites support passphrases, spaces in passwords, or long passwords. For added security add special characters and numbers to your passphrase.
- Don’t use the same password for different accounts. If needed, use a password vault that keeps track of all of your passwords for you.
- Shop with your credit card and not your debit card. Many credit cards include fraud protection. They can also be turned off without freezing your other resources. Also, make sure that your credit card provider will alert you to suspicious card activity. Many banks also offer one time or limited passwords. There are specialty sites such as privacy.com that will let you create a credit card number for each transaction.
Go the Extra Mile
While the tips listed above are an important start, there are a few more things that you should consider if you are adamant about safe cyber shopping.
- Every browser supports secure transactions using SSL encryption. But to be safe, make sure your connection is secure before you push the “purchase” button. You can do this by looking at the URL bar of your browser and making sure that the address starts with https:// rather than http://. You can also look for the little lock icon on your browser. These mean that your transaction is protected. Popular open-source plugins include HTTPS Everywhere and uBlock Origin that can be added to most browsers for free to secure transactions, filter content, and block ads.
- When possible, shop using a VPN (virtual private network) connection. That way, even if your communications are intercepted, they will be useless to cybercriminals because your data is encrypted. If you are going to be online in public places frequently, there are a number of low cost/no cost VPN services that will ensure that your connection is always protected.
- For more technical users, consider setting up a VM on your computer just for shopping. That way, if you happen to get infected it will be isolated to the VM and criminals should not be able to access other sensitive data on your device.
- You can also further secure access to sites by setting multi-factor authentication. Many online sites such as banks support two-factor authentication to doubly secure your financial data. Make sure you have it set up on your device and that you know how to use it. You will also want to backup your one-time access codes or recovery keys when you use this option. Don’t just settle for SMS verification, but use something like Google Authenticator or YubiKey
- Everyone has heard that you shouldn’t click on links in an email or on a web site unless you know they are safe. However, about 1/3 of users do it anyway. One way to conquer your curiosity is to know what that link leads to.
- Hover your mouse over a link and you should be able to see the URL either as a pop-up or at the bottom of your email or browser page.
- Look at it carefully before you click it. Does it look normal? Is the name too long or does it contain lots of hyphens or numbers? Is it the URL going to the site it claims to link to, or to somewhere else? Does it replace letters with numbers, such as amaz0n.com?
- Look up the URL before you click on it. You can do this by copying the URL of the site you are visiting and drop it into a domain search engine like who.is. This will provide a variety of information, such as when the site was first created, where they are physically located, and information about the owner. Be suspicious of anything that has only been online for a very short time or that is registered in another country.
Be aware that cybercriminals will go to great lengths to spoof popular shopping sites. However, there are ways to tell if you have landed on a site you need to worry about.
- Start by look at the website design. Most cybercriminals do not have the time or resources to make an exact duplicate of the site they are spoofing, or to develop their own fake shopping site. A little looking around can go a long way to helping you decide if you should stay or go. For example, does the website look professional? Do the links work, and are they accurate and fast? Are there lots of popup ads? These are all bad signs.
- Next, read the text on the website. Bad grammar, unclear descriptions, and misspelled words are all giveaways that the site may not be legitimate.
- Remember that of it’s too good to be true, it usually is. Of course, there are sometimes really great deals for things on the internet. But in general, unusually low prices and high availability of hard-to-find items are red flags for scams and vendors selling knock-offs.
- Finally, make sure the checkout system accepts major credit cards. Avoid sites that require direct payments from your bank, wire transfers, or untraceable forms of payment. Where possible, use things like PayPal or Verified by Visa payment systems to protect yourself and your assets.
An Ounce of Prevention…
Online shopping and the growing digital marketplace are transforming our world, giving us fast access to a wider variety of things than at any other time in history. However, this expanded landscape comes with real risks that need to be understood.
People looking to take advantage of unsuspecting consumers have been around as long as there have been marketplaces to shop in. Today’s cybercriminals are no different. They are not only technically savvy, they also recognize the latest consumer trends, understand the underlying assumptions shoppers make, and know how to exploit them. However, by taking the time now to educate ourselves and others, we can have a productive – and safe – holiday shopping experience.
Want to learn more about cybersecurity? Educate yourself. Find out more about Fortinet’s NSE Institute programs, including the Network Security Expert program, Network Security Academy program and FortiVets program.