Tips to Protect Your Information during the Holiday Online Shopping Season

November/December 2018

Online shopping continues to grow in popularity. Last year’s Cyber Monday was the biggest online shopping day in the history of the US, including record breaking mobile sales. [1]

Unfortunately, the ease and convenience of online shopping makes the holiday season the perfect time for cybercriminals to take advantage of unsuspecting online shoppers. Three common ways that attackers take advantage of online shoppers are:

• Creating fraudulent sites and email messages
• Intercepting insecure transactions
• Targeting vulnerable computers

Fortunately, many cyber-threats are avoidable. When you shop in person, it's habit to bring reusable bags, lock the car, and put away your cash or credit card when you’re done with your purchase. Similar habits can protect you, your purchases, and your identity when you're shopping online during the holiday season and year-round:

1. Shop reliable websites, and get there safely. If an offer sounds too good to be true, it probably is! Don't be fooled by the lure of great discounts by less-than-reputable websites or fake companies. Use the sites of retailers you know and trust, and get to their sites by directly typing a known, trusted URL into the address bar instead of clicking on a link.
2. Beware of seasonal scams. Fake package tracking emails, fake e-cards, fake charity donation scams, and emails requesting that you confirm purchase information are particularly common this time of year. Use known, trusted URLs instead of clicking on links.
3. Conduct research. There are a lot of fake and malicious companies out there this time of year. When considering a new website or online company for your holiday purchases, read reviews and see if other customers have had positive or negative experiences with them. Also verify the website has a legitimate mailing address and a phone number for sales or support-related questions. If the site looks suspicious, call and speak to a human.
4. Always think twice before clicking on links or opening attachments -- even if they appear to be from people you know, legitimate organizations, your favorite retailers, or even your bank. Messages can easily be faked. Use known, trusted URLs instead of clicking on links. And only open known, expected attachments. When in doubt, throw it out!
5. Keep clean machines! Before searching for that perfect gift, make sure your device, apps, browser, and anti-virus/anti-malware software are patched and up to date.
6. Protect your passwords. Make them long and strong, never reveal them to anyone, and use multi-factor authentication (MFA, also called two-factor or 2-step authentication) whenever possible.
7. Look for https:// (not http) in the address bar before using your credit card online.
8. Check your credit card and bank statements regularly. These are often the first indicators that your account information or identity has been stolen. If there is a discrepancy, report it immediately.
   • Stay safe with text alerts. Most banking apps and sites provide the option to set alerts, such as a text message for every transaction over a specified dollar amount or a daily text summary of your current balance. Set these alerts and use them to spot signs of unusual activity.
   • Also check your credit report at least annually. The Federal Trade Commission provides information about getting free credit reports and what to do if you find discrepancies: https://www.consumer.ftc.gov/articles/0155-free-credit-reports
9. Secure your home Wi-Fi. To prevent eavesdroppers and data thieves, enable strong encryption on your home wireless network - WPA2 is recommended. Set a strong passphrase (12 characters or more), change your network’s name (SSID) from the default to something not obviously belonging to you, and limit who has administrative access to your home network. Finally, log into your wireless router periodically to check for software updates (many home routers don’t auto-update).
10. Get savvy about Wi-Fi hotspots and public computers. Treat all Wi-Fi hotspots and public computers as compromised, even if they appear to be safe. Limit the type of business you conduct on them, including logging in to key accounts, such as email and banking, and shopping. And set your devices to “ask” before joining new wireless networks so you don’t unknowingly connect to an insecure or fraudulent hot spot.

ADDITIONAL WAYS TO PROTECT YOURSELF ONLINE:

• Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work/University and personal accounts and make sure that your critical accounts have strong passwords -- and multi-factor authentication if possible.
• Don't ever give your financial information or personal information via email or text.
• Pay by credit card, not debit card. Credit cards offer protections that may reduce your liability if your information is used improperly. Debit cards typically do not have the same level of protection.
  • A related tip is to use a separate credit card only for your digital transactions. While this won’t prevent theft, it will limit your exposure and make online fraud easier to detect.
• Only use apps from known, reputable sources. Less reputable apps can include malicious software ("malware") designed to steal credit card and other sensitive information. And keep your apps up to date.
• Don't respond to pop-ups. Ignore pop-up offers and deals. Just close them. Don’t respond, click on the links or call the phone numbers. Similarly, don’t respond to popups saying that you need to buy anti-virus software or software to “clean your infected computer”. These are all scams.
• Don't auto-save your passwords or credit card numbers. The inconvenience of having to reenter the information is insignificant compared to the amount of time you would spend trying to repair the loss of your stolen information.
• Secure all of your devices with a complex password. Don’t use the password for any other accounts. Set a timeout that locks your devices after a period of inactivity, and be sure they require a password or other authentication to start up or resume activity.
• Disable Bluetooth, wireless, and Near Field Communications (NFC) when not in use to reduce the risk of your data being intercepted by thieves. Some stores and other locations also look for devices with wireless or Bluetooth turned on to track your movements while you are within range.
• Review privacy policies. Review the privacy policy for the website/merchant you are visiting. Know what information the merchant is collecting about you, how it will be stored, how it will be used, and if it will be shared with others.

Reach out to your IT Service Desk for questions about any of these recommendations.

See the full cybersecurity awareness toolkit for the Holiday Online Shopping Season.

---

Sources:

• [1] CNBC - https://www.cnbc.com/2017/11/28/a-record-6-point-59-billion-spent-online-on-cyber-monday-making-us-history.html  
• Educause - https://er.educause.edu/blogs/2017/9/november-2018-shop-safe-online-even-on-black-friday
• Federal Trade Commission - https://www.consumer.ftc.gov/articles/0020-shopping-online
• National Cyber Security Alliance and STOP. THINK. CONNECT. - https://staysafeonline.org/wp-content/uploads/2017/09/Cyber-Safe-Holiday-Shopping-Resource.pdf  and  https://staysafeonline.org/wp-content/uploads/2017/09/STOP.-THINK.-CONNECT.%E2%84%A2-Tips-for-Safe-Online-Shopping.pdf
• Stay Safe Online - https://staysafeonline.org/blog/keep-credit-card-transactions-safe-online-2017/  and  https://staysafeonline.org/stay-safe-online/online-safety-basics/online-shopping/
• US-CERT - https://www.us-cert.gov/ncas/tips/ST07-001  and  https://www.us-cert.gov/ncas/tips/ST05-019
• Based on an article originally adapted from UC Santa Cruz