According to the Adobe Holiday Shopping Forecast [1], record demand for ecommerce is expected to drive holiday online retail spending to US$207 billion, along with the adoption of buy now, pay later (BNPL) schemes for increasingly smaller orders. This increased traffic, and the opportunities to take advantage of holiday discounts, presents several pitfalls for consumers, as malicious hackers can access private information - but simple measures can be taken to ensure that we shop safely and securely.
Online shopping offers many benefits - no queues, easier price comparison, speed (I don’t miss physical shopping!) - but as well as the benefits we need to be cognisant of the pitfalls. It can be a security minefield for the majority of us. There are definitely stats showing that a large share of data breaches, up to 50%, happen between November and December.
Below are some general pointers to reduce the possibility of falling prey to cyber scams:
- Don’t click links in emails or open attachments
We have all seen them: emails are a common way for fraudsters to phish people. These emails may appear to be from the store, bank, delivery company or even a government body to try to trick you into clicking links. These links will be made to look like real website addresses, and the sites behind them may even be built to look like the legitimate website.
There are several free website checkers available from a number of providers which allow you to check for content and phishing websites:
- A website I like to use for checking whether a site is legitimate is
- For further information on phishing websites, a great resource is the Anti-Phishing Working Group’s website:
- Another interesting and useful resource is staysafeonline.org, here is their article on the 5 ways to spot a phishing email:
When it comes to attachments, attackers use these to hide and spread malware, so they should never be opened unless you know they are from a legitimate source (and even then, with caution!). Think about it: why would a retailer send you a special offer in an attachment, which is less likely to be viewed anyway? Malicious attachments are also quite often sent pretending to be from courier / delivery companies as tracking reports and the like, so beware of these too.
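As an added example (not from the original post), here is a small Python check for the look-alike links described above: a brand name appearing in a host that is not the brand's own domain, digits standing in for letters, text before an '@', and punycode host names. The trusted-brand table and the two-label domain rule are simplifying assumptions for illustration.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed table of brands and the domain each really uses (assumption for this example;
# a real check would use a much larger list).
TRUSTED = {
    "paypal": "paypal.com",
    "amazon": "amazon.com",
}

# Digits and symbols that are commonly used in host names to imitate letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (simplification: ignores multi-part suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str) -> list[str]:
    """Return warnings for a URL; an empty list means nothing looked suspicious."""
    warnings: list[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host name in URL"]
    if parts.scheme != "https":
        warnings.append("not using https")
    if parts.username is not None:
        # Everything before '@' is a user name, not the site: the real host comes after it.
        warnings.append(f"text before '@' is not the site; the real host is {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) host name; letters may be look-alikes")
    domain = registrable_domain(host)
    folded = host.translate(CONFUSABLES)
    for brand, real_domain in TRUSTED.items():
        # A brand name in the host is only fine when the site really is the brand's own domain.
        if domain != real_domain and brand in folded:
            warnings.append(f"mentions '{brand}' but the site is actually {domain}")
    return warnings
```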
- Avoid pop-ups and ads
Malware can also be spread from websites; some phishing scams have even involved taking out legitimate advertisements, so be careful when clicking advertisements and pop-ups. This is generally referred to as malvertising, or malicious advertising. Instead of clicking on the deal, do a web search for the company; the deal should also show up on their homepage.
- Beware of e-skimmers
Credit card skimming has been happening for years in the physical world and, yes, it has moved over to the online shopping world. This can happen when a legitimate website has been hacked and code inserted to gather your credit card details when you check out. One way to protect yourself is to use a third-party payment gateway if the website allows it.
- Use a credit card rather than a debit card
Most credit card companies offer liability protection if you are the victim of credit card fraud. Check with your credit card company for the details.
- Use secure networks
It’s probably less of a problem with remote working and the disruptions to travel, but always be careful connecting to public networks, and be particularly cautious about (ideally avoid) exchanging confidential details, passwords, or credit card details unless you know the network to be secure and legitimate. When using websites, also make sure before exchanging any details that they are using encryption (e.g. the address starts with ‘https’ and the lock is shown in the address bar) - see point 1 for how to check the legitimacy of the website as well.
- Be suspicious
Always be on your guard, and be particularly suspicious of an unbelievable special offer or of pressure to complete a purchase before a certain date (that day!). These are common tactics used by attackers to stop you from spending time checking and thinking about what to do.
- Change passwords and use MFA where possible
Statistics tell us that over half of us reuse the same password over and over again. Moreover, we commonly still use dictionary terms and simple passwords. All of these are recipes for disaster.
If we register on a fraudulent website, or the credentials we enter are captured in transit, the hacker can then use those credentials to log into our other accounts. A common example: if you used a Gmail address as a username, the attacker would go to Gmail and enter your email address and password to try to access your account. After gaining access they may change your password, read your emails, use the account to reset your passwords on other sites, and access any passwords you have saved to that account.
Steps to help prevent this include using strong passwords made up of a combination of letters, numbers and special characters, and staying away from common character substitutions (for example ‘5’ or ‘$’ instead of ‘s’; these are well known – it is best to think of and use a non-common substitution, for example ‘_R’ instead of ‘s’ – but don’t use this version, as it is now well known too).
It is even better to use Multifactor Authentication (MFA) to secure those accounts if possible. This is where a code is sent to something like a mobile number or email address, and that code then also needs to be entered to gain access to the site.
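As an added example (not from the original post), here is a small Python check that folds the well-known substitutions back to the letters they stand for, so that ‘P@55w0rd’ (or the ‘_R’ variant) is recognised as the dictionary word ‘password’ before a length and character-class check. The word list and thresholds are constructed for illustration.

```python
from __future__ import annotations
import re

# Constructed sample of commonly used base words (assumption for this example; a real check
# would use a large list of breached passwords).
COMMON_WORDS = {"password", "welcome", "letmein", "shopping", "holiday", "christmas"}

# The well-known single-character substitutions, each folded back to the letter it stands for.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "8": "b", "3": "e", "1": "l", "!": "i", "|": "l",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "2": "z",
})


def normalise(password: str) -> str:
    """Undo common substitutions so the base word can be compared with a word list."""
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)  # drop leading/trailing digits and symbols
    core = core.replace("_r", "s")                   # the multi-character swap mentioned above
    core = core.translate(SUBSTITUTIONS)
    return re.sub(r"[^a-z]", "", core)


def weaknesses(password: str) -> list[str]:
    """Return a list of findings; an empty list means none of these checks fired."""
    findings: list[str] = []
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        findings.append("uses fewer than three character classes")
    base = normalise(password)
    if base in COMMON_WORDS:
        findings.append(f"is the common word '{base}' with well-known substitutions")
    elif any(word in base for word in COMMON_WORDS):
        findings.append("contains a common word")
    if re.search(r"(19|20)\d{2}", password):
        findings.append("contains a year")
    return findings
```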
- Monitor your accounts
Throughout the year, and especially during the holiday season, keep a close eye on your accounts, especially bank and credit card statements, to identify any suspicious transactions, and contact the institution for guidance as soon as you notice something.
- Beware of gift card scams
Gift cards can be used like a credit card, but they generally lack the protections that credit cards have. Hackers and fraudulent websites sometimes try to force the user to purchase items using a gift card rather than a credit card; this also happens via some auction sites.
An interesting read on some of these types of scams is available from Norton here:
- Avoid the ‘Secret Sister’ gift exchange
A popular scam originating on Facebook is a gift exchange among internet strangers, playing off the workplace ‘Secret Santa’. According to the BBB [2], the Secret Sister is a pyramid scheme where you are promised about $360 of gifts after purchasing a $10 gift for someone else! There are other variations of this for buying and swapping bottles of wine and other ‘fancy’ presents. The best thing to do is to ignore it.