We all know that cybercrime is an epidemic. In the U.S. alone, nearly half a million complaints are filed about it each year, according to the FBI—and that’s just what’s reported. Here’s how you can stay safe and avoid becoming a statistic. You may not have to worry about pickpockets in cyberspace, but there are still plenty of reasons to safeguard your personal and financial information. Here are 18 savvy online shopping tips to help you keep your information out of the hands of people who are most definitely on the naughty list.
Tips for Safer Online Shopping
Even though apps loom larger in most people’s daily online interactions than traditional websites do, that does not mean that the basic Internet safety rules have changed. Hackers are still on the lookout for personal information they can use to access your credit card and bank information.
Unsafe surfing can also lead to other threats—from embarrassing personal comments or images that, once online, are nearly impossible to erase, to getting mixed up with people you’d rather have had nothing to do with.
Here are the Top 10 Internet safety rules to follow to help you avoid getting into trouble online (and offline).
Be Careful Who You Shop with (Safer Online Shopping)
Although cybercriminals are becoming more sophisticated, you can generally spot a fraudulent site fairly easily. Here are some of the telltale signs to look for:
- Poor Site Design: The first thing you’re likely to notice when you go to a site is its design. Ecommerce sites, in particular, dedicate a lot of resources to creating a beautiful site with great usability on both desktop and mobile. If a site looks like it was thrown together in a couple of hours, it’s probably not a good idea to trust it with your credit card details.
- Poor Spelling/Grammar: As with site design, reputable sites put a great amount of effort and resources into the content of the site. Typos occasionally happen, but if there is an obvious deficit in high-quality content, there’s a good chance that the site is malicious. That isn’t to say that sites that do look legit can’t also be malicious—just that sites with glaring issues obviously present more of a risk.
- Weird Business Names, URLs, or Emails: It’s generally pretty easy to spot these, but some can be sneaky. If the website address (URL) looks something like “best-gifts-at-super-low-prices.com”, then it’s probably a scam. Also, be mindful of emails or URLs that have almost unnoticeable tweaks in their names compared to the actual company they are pretending to be. It’s all about being able to spot the difference between rnicrosoft, micorsoft, and microsoft.
- No (or Sketchy) Contact Details: Ecommerce sites always provide a way to get in touch. If the website doesn’t provide a way to talk to support, that probably means it’s illegitimate—and even if it is legitimate, you don’t want to deal with a company that doesn’t provide decent support.
- Unsecure Site: If a site’s address is missing the “S” in HTTPS, don’t trust it with your credit card details. Sending your information over HTTP puts it at risk.
In general, shop with who you know. And if you don’t know them, read what others are saying about them before you consider shopping with them.
Be Careful What You Post (Safer Online Shopping)
The Internet does not have a delete key, as that young candidate in New Hampshire found out. Any comment or image you post online may stay online forever because removing the original (say, from Twitter) does not remove any copies that other people made. There is no way for you to “take back” a remark you wish you hadn’t made, or get rid of that embarrassing selfie you took at a party. Don’t put anything online that you wouldn’t want your mom or a prospective employer to see.
Use Different Email Addresses for Different Kinds of Accounts (Safer Online Shopping)
People who are both highly organized and methodical about their security often use different email addresses for different purposes, to keep the online identities associated with them separate. If a phishing email claiming to be from your bank comes to the account you use only for social media, you know it’s fake.
Consider maintaining one email address dedicated to signing up for apps that you want to try, but which might have questionable security, or which might spam you with promotional messages. After you’ve vetted a service or app, sign up using one of your permanent email accounts. If the dedicated account starts to get spam, close it, and create a new one. This is a do-it-yourself version of the masked emails you get from Abine Blur and other disposable email account services.
Many sites equate your email address with your username, but some let you select your own username. Consider using a different username every time—hey, your password manager remembers it! Now anyone trying to get into your account must guess both the username and the password.
Shop Online with Credit Cards If Possible (Safer Online Shopping)
If you have a credit card, it’s generally a good idea to use it instead of your debit card when making online purchases.
The main reason is that when using a credit card, if your payment details are stolen via formjacking (a method of stealing your credit card details from online forms), your bank account usually won’t be immediately affected. In most cases, your bank account is debited at the time of purchase when you use your debit card, whereas your credit card is only paid once per month. This means that you have a much larger window to fix any issues before your money disappears.
Also, as highlighted by the Federal Trade Commission, your liability for fraudulent charges is drastically different between a credit card and a debit card.
Don’t have a credit card? You can link your bank account to an online payment platform (such as Google Pay or Apple Pay) so that the retailer never even sees your payment information.
Frequently Check Your Credit Card Statements (Safer Online Shopping)
As a matter of good practice, check your credit card statements as often as possible. Most credit card companies have an app or will let you sign up to receive texts when a charge has been added to your account. Do an inventory. If something doesn’t look right, give your credit card company or bank a call and try to sort it out. If you have any concerns, put a hold on your cards. You can even cancel them and have new ones sent to you. It’s better to be without a credit or debit card for a few weeks than to be without money you didn’t spend.
Use Strong Passwords (Safer Online Shopping)
This goes without saying, but use a strong password consisting of letters (both uppercase and lowercase), numbers, and special characters. Not only does that make it more difficult for would-be fraudsters to guess, but it also makes it extremely hard for anyone to access your account via a brute-force attack.
Don’t think you have anything to worry about? At the time of writing, there are 10,599,375,985 hacked accounts, according to the Have I Been Pwned database. Out of those 10.6 billion accounts hacked, at least one of those accounts was using a password more secure than yours.
If you can memorize your password, it’s not secure enough. There are plenty of password managers to help you keep up with everything.
Use Passcodes Even When They Are Optional (Safer Online Shopping)
Apply a passcode lock wherever available, even if it’s optional. Think of all the personal data and connections on your smartphone. Going without a passcode lock is unthinkable.
Many smartphones offer a four-digit PIN by default. Don’t settle for that. Use biometric authentication when available, and set a strong passcode, not a stupid four-digit PIN. Remember, even when you use Touch ID or equivalent, you can still authenticate with the passcode, so it needs to be strong.
Modern iOS devices offer a six-digit option; ignore it. Go to Settings > Touch ID & Passcode and select Change Passcode (or Add Passcode if you don’t have one). Enter your old passcode, if needed. On the screen to enter the new code, choose Custom Alphanumeric Code. Enter a strong password, then record it as a secure note in your password manager.
Different Android devices offer different paths to setting a strong passcode. Find the Screen Lock settings on your device, enter your old PIN, and choose Password (if available). As with the iOS device, add a strong password and record it as a secure note.
Use a VPN If Shopping in Public (Safer Online Shopping)
When you’re browsing the internet on public Wi-Fi, anyone can see what you’re doing. Threat actors see this for what it is—a chance to monitor your activity and capture your personal information, such as passwords or banking details.
When you use a Virtual Private Network (VPN), all your traffic goes through an encrypted tunnel—protecting your information from interception. This allows you to safely shop from anywhere—even from a café or airport. Keep in mind, though, that a VPN doesn’t protect you from snoopers looking over your shoulder. When you do anything online that requires you to enter your credit card or bank details, it’s probably a good idea to do it at home.
Turn Off the ‘Save Password’ Feature in Browsers
Speaking of what your browser may know about you, most browsers include a built-in password management solution. We at PCMag don’t recommend them, however. We feel it’s best to leave password protection to the experts who make password managers.
Think about this. When you install a third-party password manager, it typically offers to import your password from the browser’s storage. If the password manager can do that, you can be sure some malicious software can do the same. In addition, keeping your passwords in a single, central password manager lets you use them across all browsers and devices.
Install an Antivirus and Keep It Updated (Safer Online Shopping)
We call this type of software antivirus, but it actually protects against all kinds of malicious software. Ransomware encrypts your files and demands payment to restore them. Trojan horse programs seem like valid programs, but behind the scenes they steal your private information. Bots turn your computer into a soldier in a zombie army, ready to engage in a denial of service attack, or spew spam, or whatever the bot herder commands. An effective antivirus protects against these and many other kinds of malware.
In theory, you can set and forget your antivirus protection, letting it hum along in the background, download updates, and so on. In practice, you should take a look at it every now and then. Most antivirus utilities display a green banner or icon when everything is hunky-dory. If you open the utility and see yellow or red, follow the instructions to get things back on track.
You may be thinking, wait, isn’t antivirus built into Windows? Not only is Microsoft Windows Defender Security Center baked into the operating system, it automatically takes over protection when it detects no other antivirus, and just as automatically steps aside when you install third-party protection. The thing is, this built-in antivirus just doesn’t compare with the best third-party solutions. Even the best free ones are way better than Windows Defender. Don’t rely on it; you can do better.
Whether you’ve chosen a simple antivirus or a full security suite, you’ll need to renew it every year. Your best bet is to enroll in automatic renewal. With some security products, doing so enables a malware-free guarantee. You can always opt out later, if you get the urge to switch to a different product.
One more thing. If your antivirus or security suite doesn’t have ransomware protection, consider adding a separate layer of protection. Many ransomware-specific utilities are entirely free, so there’s no reason not to try a few of them and select the one that suits you best.
Watch out for “Too Good to Be True” Deals
Phishing attacks are by no means new, but they are still prevalent in the world of cybercrime. Why? Because even the most novice threat actor can pull it off.
All throughout the year, but especially during holiday seasons, you will be spammed with phishing attempts via email, social media, and even SMS texts. If something seems like it’s too good to be true, it probably is. Don’t click that link.
If you’re unsure how to tell whether a marketing message is legit, here are a few signs to look for:
- Poorly written content: Most respectable retailers care about their content. If the content is sloppy, contains several typos, reads poorly, etc., be cautious.
- Sender email address: If Walmart is claiming to have a special going on, they won’t ask Steve to send out a newsletter with his personal Gmail account. Make sure that the email is a corporate email.
- Unencrypted email: In Gmail, for example, if the lock next to the “to” field is red and crossed out, the email is unencrypted. This doesn’t necessarily mean that the email is a phishing attempt, but it’s best not to communicate with the sender, and it’s especially important not to share any sensitive information. Anything you send over an unencrypted connection will be sent in plain text for anyone to see.
Verify that everything is real before moving forward. Don’t click any links in the email and, instead, visit the official, legitimate site if you have any suspicion about the email or sender. This could save you a world of headache, as even just clicking the link can install malicious software on your local machine.
Explore the Security Tools You Install (Safer Online Shopping)
Many excellent apps and settings help protect your devices and your identity, but they’re only valuable if you know how to use them properly. Understanding the tools that you assume will protect you will go a long way toward them actually protecting you. For example, your smartphone almost certainly includes an option to find it if lost, and you may have even turned it on. But did you actively try it out, so you’ll know how to use it if needed?
Your antivirus probably has the ability to fend off Potentially Unwanted Applications (PUAs), troublesome apps that aren’t exactly malware but don’t do anything beneficial. Check the detection settings and make sure it’s configured to block these annoyances. Likewise, your security suite may have components that aren’t active until you turn them on. When you install a new security product, flip through all the pages of the main window, and at least take a glance at the settings.
To be totally sure your antivirus is configured and working correctly, you can turn to the security features check page on the website of the AMTSO (Anti-Malware Testing Standards Organization). Each feature-check page lists the antivirus tools that should pass. If yours shows up in the list but doesn’t pass, it’s time to contact tech support and find out why.
Put devices on lockdown
One of the perks of online shopping is that you can do it from anywhere and use any device. Make sure every device that you shop from has security software in place. Always use a passcode to access your tablet or smartphone, and log off your computer or lock the screen when you walk away from it. After accessing a shopping or banking site, be sure to completely log out of the site before exiting, and don’t let your computer or device remember your usernames, passwords, or credit card information.
A stolen identity is even worse than a lump of coal in your stocking. Make sure you have only nice surprises this holiday season by sticking to these smart online shopping tips to keep you and your information protected.
Know Your Rights and the Return Policies of the Site
On any reputable eCommerce website, you’ll be able to find the company’s return policy. Amazon is a great example of this, and clearly details the return and refund policies for the various arms of their business. It’s always wise to read up on this before you make a purchase, just so you know what you’re dealing with.
If you can’t easily locate the company’s return policy on their website, you can try doing a site search on Google (or on any search engine, really). Just head to the Google search bar and type site: plus the domain name, followed by the search query. For example, if I wanted to search for Amazon’s return policy page on Google, I’d type: site:amazon.com return policy
If you can’t easily locate the site’s return policy, you should consider that a red flag. And if they don’t have one, it’s best to avoid them completely. However, even if a site doesn’t state its return policy, that doesn’t mean that you aren’t protected. In the case of fraud or misrepresentation of the product or service, you can even take the retailer to court.
Use Unique Passwords for Every Login
One of the easiest ways hackers steal information is by getting a batch of username and password combinations from one source and trying those same combinations elsewhere. For example, let’s say hackers got your username and password by hacking an email provider. They might try to log into banking sites or major online stores using the same username and password combination. The single best way to prevent one data breach from having a domino effect is to use a strong, unique password for every single online account you have.
Creating a unique and strong password for every account is not a job for a human. That’s why you use a password manager. Several very good password managers are free, and it takes little time to start using one. For-pay password managers generally offer more features, however.
When you use a password manager, the only password you need to remember is the master password that locks the password manager itself. When unlocked, the password manager logs you into your online accounts automatically. That not only helps keep you safer, but also increases your efficiency and productivity. You no longer spend time typing your logins, or dealing with the time-consuming frustration of resetting a forgotten password.
Don’t Fall Prey to Click Bait
Part of securing your online life is being smart about what you click. Click bait doesn’t just refer to cat compilation videos and catchy headlines. It can also comprise links in email, messaging apps, and on Facebook. Phishing links masquerade as secure websites, hoping to trick you into giving them your credentials. Drive-by download pages can cause malware to automatically download and infect your device.
Don’t click links in emails or text messages, unless they come from a source you’re sure of. Even then, be cautious; your trusted source might have been compromised, or the message might be a fake. The same goes for links on social media sites, even in posts that seem to be from your friends. If a post seems unlike the style of your social media buddy, it could be a hack.
I’ve Been Hit by Cybercrime, Now What?
If your information has been stolen, there are a few actions you can take to protect yourself and help prevent others from becoming a victim.
If your bank details or personal information was stolen, call your bank and let them know that your information has been compromised. They’ll cancel the old card details and issue you a new card. This may be inconvenient, but it’s the safest way to prevent more money from leaking out of your accounts.
If a fraudster is taking out loans or new credit cards in your name, report the incident to credit agencies and request what’s known as a “credit freeze.” According to the FTC, this makes it more difficult for identity thieves to open new accounts in your name.
Use Two-Factor Authentication
Two-factor authentication can be a pain, but it absolutely makes your accounts more secure. Two-factor authentication means you need to pass another layer of authentication, not just a username and password, to get into your accounts. If the data or personal information in an account is sensitive or valuable, and the account offers two-factor authentication, you should enable it. Gmail, Evernote, and Dropbox are a few examples of online services that offer two-factor authentication.
Two-factor authentication verifies your identity using at least two different forms of authentication: something you are, something you have, or something you know. Something you know is the password, naturally. Something you are could mean authentication using a fingerprint, or facial recognition. Something you have could be your mobile phone. You might be asked to enter a code sent via text, or tap a confirmation button on a mobile app. Something you have could also be a physical Security Key; Google and Microsoft have announced a push toward this kind of authentication.
If you just use a password for authentication, anyone who learns that password owns your account. With two-factor authentication enabled, the password alone is useless. Most password managers support two-factor, though some only require it when they detect a connection from a new device. Enabling two-factor authentication for your password manager is a must.
Never give more info than needed
Most websites you visit or shop on will ask you for information to complete your purchase or start a wish list. Give them only the information they require you to provide. If a complete address or phone number is optional, then skip those fields. The more info you put out there, the more accessible you are to a bad guy. And before committing your information to a site, take the time to read their privacy policy and find out exactly where and how your information will be shared.