The internet giveth, and it taketh away.

As the 2018 holiday shopping season heads toward its late-December climax, this saying offers an appropriate reminder to us all. Online shopping plays a key role in consumer spending, and frankly, many of us now prefer it to the traditional brick-and-mortar experience. After all, selection is vast, ordering is easy, returns aren’t difficult—and, there’s no fighting over parking spaces.

Yet, with the added convenience of online shopping (and all the products we can buy with just a click) comes the omnipresent threat of online scams that can cause real harm. Huge discounts may grab the attention of our web-surfing eyeballs, but all too often, these prove to be utter scams perpetrated by fake online merchants who capitalize on endorphin-fueled shopping bliss – and last-minute shopping stress in particular – to make out like bandits.

To keep everyone safe over these next few weeks (and hopefully beyond that), consider some safe shopping tips that security and risk advisory professionals like us practice.

  • Beware of the lowest advertised price. If you base your buying decision solely on the lowest price you see, you’re taking a big risk that likely outweighs any savings many times over. The reason: Gobs of fake e-commerce sites exist—including many that pop up during the holidays and disappear soon after. These may sell used, damaged or unboxed goods; or, they may sell nothing at all, and grab your credit or debit card info. Even legit Amazon sellers get hacked by bad guys around the holidays, and those accounts are used for illegitimate dealings. Be wary and tread carefully. Things that are too-good-to-be-true usually are just that.
  • Avoid debit cards—use credit cards instead if possible. Under U.S. law your liability for fraudulent charges is limited whether the card is debit or credit, provided you report them promptly, but the two behave very differently in practice. If a debit card number is stolen during an online transaction, the money leaves your checking account immediately; the account could be cleared out (and payments bouncing) by the time you realize the site was fraudulent, and you then have to wait for the bank to investigate before the funds come back. With a credit card you are disputing a charge on the bank's money rather than chasing your own, your exposure is capped, and other assets (like checking accounts) remain far removed from evil hands.
  • Research retailers you haven’t heard of. Thinking of buying that cool gadget your kid’s been wanting all year from an unfamiliar online retailer? Step back from your laptop, phone or tablet, take a deep breath, then do some research and try to uncover whether they’re really legit. Security pros in your position would run a quick WHOIS search on the domain name (the whois command-line tool or any registrar's web lookup will do). Since 2018 most registrant contact details come back redacted for privacy, but the record still shows the date the domain was created, and that is the useful part: many fraudulent stores are registered only weeks before the holidays, so the newer the creation date, the more skeptical you should be. An old registration date is not proof of honesty either, just one fewer red flag.

We’re all for shopping local and helping out the little guys, but really, you’re much safer – at least in the online realm – shopping at familiar websites. And while you’re at it, make sure you’re actually on the real site: fake sites purporting to be legitimate retailers often are marred by misspellings, and their graphics, logos and such just seem a bit off. Double-check the URL in the location bar to make sure you are browsing the correct website, and pay attention to which part of it is the actual domain. A familiar brand name buried in a subdomain or in the path proves nothing: a URL like www.amazon.com.example-checkout.net (an illustrative address, not a real one) takes you to example-checkout.net, not to Amazon. Be skeptical of extremely long or obfuscated URLs for initial pages.
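The WHOIS check above is easy to script. As an added example (my code, not part of the original post), the following Python snippet parses the creation date out of a raw WHOIS response and classifies the domain by age. The three WHOIS responses are constructed sample input that imitates the ICANN gTLD and Nominet .uk layouts; the domain names in them are made up, and the 90-day "new" threshold and the fixed reference date of 10 December 2018 are my assumptions.

```python
import re
from datetime import date, datetime

# Constructed WHOIS responses used as sample input (not real lookups). Registries
# label the registration date differently; the parser handles the common forms.
SAMPLE_WHOIS_NEW = """Domain Name: HOLIDAY-GADGET-OUTLET.COM
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Creation Date: 2018-11-28T04:12:09Z
Registry Expiry Date: 2019-11-28T04:12:09Z
Registrant Organization: REDACTED FOR PRIVACY
"""

SAMPLE_WHOIS_OLD = """domain:        long-established-shop.co.uk
    Registered on: 09-Mar-2009
    Expiry date:   09-Mar-2020
"""

SAMPLE_WHOIS_NODATE = """Domain Name: no-date-here.net
Registrar: Some Registrar, Inc.
"""

# Field names seen in practice for the registration date (gTLD format,
# Nominet .uk format, and a couple of registrar variants).
_CREATED = re.compile(
    r"^\s*(creation date|registered on|created|registration date)\s*:\s*(\S.*?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d")

# Fixed reference date so the example is reproducible (assumption).
CHECKED_ON = date(2018, 12, 10)


def parse_creation_date(whois_text):
    """Return the domain's creation date, or None if no recognisable field is present."""
    m = _CREATED.search(whois_text)
    if not m:
        return None
    raw = m.group(2)
    for fmt in _FORMATS:
        try:
            return datetime.strptime(raw, fmt).date()
        except ValueError:
            continue
    return None


def domain_age_days(whois_text, today=CHECKED_ON):
    created = parse_creation_date(whois_text)
    return None if created is None else (today - created).days


def assess(whois_text, today=CHECKED_ON, young_threshold_days=90):
    """Classify a domain as 'new', 'established' or 'unknown' from its WHOIS record."""
    age = domain_age_days(whois_text, today)
    if age is None:
        return "unknown"  # a missing date is a reason for more caution, not less
    return "new" if age < young_threshold_days else "established"


def report(today=CHECKED_ON):
    """Age in days and verdict for each constructed sample, keyed by sample name."""
    samples = {"new": SAMPLE_WHOIS_NEW, "old": SAMPLE_WHOIS_OLD, "nodate": SAMPLE_WHOIS_NODATE}
    return {name: (domain_age_days(text, today), assess(text, today)) for name, text in samples.items()}


if __name__ == "__main__":
    for name, (age, verdict) in report().items():
        print(f"{name:7s} age={age} verdict={verdict}")
```

On a real lookup you would feed the output of `whois example-store.com` into `assess`. Treat the result as one signal among several: a dropped domain with a decade-old registration date can be bought and reused by a scammer, and a legitimate new business also has a new domain.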

  • Buy only from sites with HTTPS encryption enabled—but even then, beware. How do you know if a site has HTTPS? Easy—the URL will start with https://, rather than http://, and a locked padlock icon appears in the browser's address bar (exactly where depends on the browser you’re using).

[Screenshot: HTTPS encryption enabled for Amazon]

Even with HTTPS, you may not be safe. The padlock only tells you that your connection to the site named in the address bar is encrypted; it says nothing about who runs that site. Savvy criminals register homograph domains, which use foreign characters that look identical to ordinary Latin letters, to “spoof” legitimate websites. And since anyone these days can get a free HTTPS certificate for a domain they control, fake websites with perfectly valid certificates steal people’s identities and money every day.
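As an added example (my code, not part of the original post), the following Python script applies the address-bar checks from the last two paragraphs to a URL: it converts the hostname to the Punycode form the browser actually connects to, flags labels that mix scripts, compares a "skeleton" of the registrable domain against a brand list using a handful of Cyrillic and Greek confusables, and flags a brand name that appears in a subdomain rather than in the domain itself. The sample URLs, the brand list and the confusables subset are constructed for illustration; the registrable-domain logic just takes the last two labels, a simplification that ignores the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# Illustrative list of brands to protect (assumption; a real deployment would be longer).
KNOWN_BRANDS = {"amazon.com", "paypal.com", "ups.com", "fedex.com"}

# Small subset of Unicode confusables: Cyrillic/Greek letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a", "\u0261": "g", "\u0131": "i",
}

# Constructed sample: 'amazon' spelled with a Cyrillic small a (U+0430) as its first letter.
LOOKALIKE_URL = "https://www.\u0430mazon.com/ap/signin"
# Constructed sample: the brand name sits in a subdomain of an unrelated domain.
SUBDOMAIN_TRICK_URL = "https://www.amazon.com.holiday-deals-checkout.net/login"


def hostname_of(url):
    return (urlsplit(url).hostname or "").rstrip(".")


def to_punycode(host):
    """The ASCII (xn--) form of the host, i.e. what DNS and the certificate actually name."""
    return host.encode("idna").decode("ascii")


def script_of(ch):
    try:
        return unicodedata.name(ch).split()[0]  # e.g. "LATIN", "CYRILLIC", "GREEK"
    except ValueError:
        return "UNKNOWN"


def mixed_scripts(label):
    """True if the letters of one DNS label come from more than one script."""
    return len({script_of(c) for c in label if c.isalpha()}) > 1


def skeleton(host):
    """Fold confusable characters to their Latin look-alikes for comparison."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", host))


def registrable(host):
    # Simplification: last two labels. Real code should consult the Public Suffix List.
    return ".".join(host.split(".")[-2:])


def check(url):
    """Return the list of red flags found in the URL's hostname (empty means none found)."""
    host = hostname_of(url)
    findings = []
    if to_punycode(host) != host:
        findings.append("idn")  # browser connects to an xn-- name, not what is displayed
    if any(mixed_scripts(label) for label in host.split(".")):
        findings.append("mixed-script")
    reg = registrable(host)
    if reg not in KNOWN_BRANDS and skeleton(reg) in KNOWN_BRANDS:
        findings.append("lookalike")
    prefix_labels = host.split(".")[:-2]
    if any(brand.split(".")[0] in prefix_labels for brand in KNOWN_BRANDS):
        findings.append("brand-in-subdomain")
    return findings


if __name__ == "__main__":
    for url in ("https://www.amazon.com/gp/cart", LOOKALIKE_URL, SUBDOMAIN_TRICK_URL):
        print(url, "->", to_punycode(hostname_of(url)), check(url))
```

The first check is also the quickest one to do by hand: Chrome and Firefox display the Punycode form instead of the Unicode form for many mixed-script names, so an address bar that reads xn-- is a stop sign. Pure-ASCII typosquats such as "arnazon" (r-n standing in for m) are not caught by this script; those need an edit-distance comparison against the brand list.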

  • Keep sensitive information private. Online retailers don’t need your Social Security number or date of birth to sell you stuff, so don’t give these to them. In fact, provide the least amount of personal data you can during an online transaction; even big companies get hacked.
  • Think twice before clicking on seemingly legitimate email links. Our inboxes are flooded this time of year with emails from retailers with very enticing offers. Fight the urge, friends. It’s a sad fact that while lots of holiday emails look legit – with convincing corporate graphics and logos – they’re not. They’re forgeries crafted by bad actors with phishing and malware links embedded in them. If there’s any doubt in your mind (and there should be, pretty much all the time), don’t click any links or open any attachments for starters. Then, visit the merchant’s website directly, or call the store and verify the sale and purchase price of the item in question.

It’s also common this time of year for scammers to send bogus emails from the U.S. Postal Service or popular shipping companies (e.g., UPS, FedEx) with warnings about mislabeled or unsavory packages. If the email requests quick action to avoid costly consequences, there’s a very good chance it’s a scam.

  • Review your statements carefully. This time of the year, credit card statements can be filled with more charges than usual, which makes it easy for crooks to make lots of unauthorized charges on stolen cards and see them buried on lengthy statements. Review statements line by line and report any suspicious activity to your credit card company immediately. Consider freezing your credit so no new accounts can be opened in your name.
  • Update your computer’s anti-virus and anti-malware protection. Many of us who have security software on our computers assume it keeps itself current. Check that it actually does: reputable software only protects you against the latest threats if both the program and its signatures are up to date, and the same goes for the operating system and browser you shop with.
  • Use strong, unique passwords. If you’re shopping (or especially banking) online, you’ll want a different password for every site, long and random enough that thieves can’t guess it or crack it from a stolen password database. Change a password right away if the site reports a breach or you suspect it has been exposed; current NIST guidance no longer recommends changing passwords on a fixed schedule, because that tends to produce weaker, predictable variations of the old one. Since keeping track of passwords can be overwhelming, we recommend using a password manager, which generates long random passwords and stores them for you. In general, the guidelines drafted by the National Institute of Standards and Technology (NIST Special Publication 800-63B) recommend that sites enforce the following:
    • An eight-character minimum, with passwords of at least 64 characters permitted
    • No repeating or sequential characters (e.g., abcde, 11111)
    • Ability to use special characters, but no requirement to use them
    • No usernames, website names or previously breached passwords
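As an added illustration (my code, not part of the original post), here is a small Python screener that applies the four checks above the way a site's login system would. The five-entry breached-password list is a constructed stand-in for the real data sets of hundreds of millions of entries, stored as SHA-1 hashes the way the Pwned Passwords data is distributed; the rule that a run of four characters counts as repeated or sequential is my assumption.

```python
import hashlib

MIN_LEN, MAX_LEN = 8, 64  # NIST SP 800-63B: at least 8, allow at least 64

# Constructed sample of breached passwords, stored as SHA-1 hex digests (assumption:
# a real deployment would query a full breach corpus instead).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "iloveyou")
}


def has_repeated_run(pw, run=4):
    """'aaaa' style: the same character repeated `run` or more times in a row."""
    return any(len(set(pw[i:i + run])) == 1 for i in range(len(pw) - run + 1))


def has_sequential_run(pw, run=4):
    """'abcd' / '4321' style: `run` alphanumerics whose code points step by +1 or -1."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}) and pw[i:i + run].isalnum():
            return True
    return False


def screen(password, username="", site=""):
    """Return the reasons a password fails the NIST-style checks; an empty list means it passes.

    Length is counted in characters (code points), so spaces, symbols and non-ASCII
    letters all count and none of them is required: NIST forbids composition rules.
    """
    reasons = []
    if len(password) < MIN_LEN:
        reasons.append("too-short")
    if len(password) > MAX_LEN:
        reasons.append("too-long")
    if has_repeated_run(password):
        reasons.append("repeated")
    if has_sequential_run(password):
        reasons.append("sequential")
    low = password.lower()
    if username and username.lower() in low:
        reasons.append("contains-username")
    if site and site.lower() in low:
        reasons.append("contains-site-name")
    if hashlib.sha1(password.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        reasons.append("breached")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "abcde123", "iloveyou", "chris2018!", "short"):
        print(f"{candidate!r}: {screen(candidate, username='chris', site='example-shop') or 'ok'}")
```

For the breached-password check in production, the Pwned Passwords range API lets you send only the first five hex characters of the SHA-1 and compare the returned suffixes locally, so the password itself never leaves your system. The same screener is useful on the shopper's side: a password manager's generated 20-character random string passes every check here, which is the point of using one.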

Do you have questions about safe online shopping, or other risk advisory issues? Please contact Christopher Denton, CISA, at 813-386-3879 or