Holiday spending in the U.S. will reach trillions of dollars this year, so it’s no surprise that fraud operators, computer hackers, and other criminals will try to divert, finagle, and steal as much of that money as they can from consumers and legitimate businesses.
To avoid falling prey to criminals and their latest tricks on Black Friday, Cyber Monday, or any other shopping day, follow these tips.
1. Don’t place online orders from public computers.
When placing online orders, be careful about using computers you don’t control. Public computers might have been infected with keyloggers or other software that might record some of your login or payment information.
If possible, use your own computer or the computer of a trusted friend.
2. Make sure your online connections are secure.
All ecommerce sites should support HTTPS, the secure protocol for transmitting information over the internet. (HTTPS isn’t perfect, but it’s far more secure than HTTP traffic, which isn’t encrypted.)
When shopping online, look for the lock icon in your browser’s URL window to make sure you have a secure connection to the site you’re ordering from.
3. Don’t click on links in email messages with coupons or shipping status notices.
You’ll likely be getting mail from fraud operators this season, and it won’t be Christmas cards. Instead, fraud operators will send you believable-looking phishing messages that pretend to be from Amazon, FedEx, UPS, and other companies involved in shipping packages. These messages might tell you that the company tried to deliver a package but couldn’t, or that you can click on a link to check on the status of packages that are en route. Or you might get email purporting to be from major retailers and offering you coupons.
But the email messages might be fake. And the links in these fake messages might take you to a fake site where criminals will collect your login credentials or credit card information.
If you want to check on the status of shipments or the availability of coupons, it’s better to go straight to the website you ordered from rather than clicking on links in email messages.
4. Read door tags carefully, and don’t give out too much information over the phone.
If you find a tag on your door informing you that you missed a delivery, read the tag carefully and be leery of calling local numbers rather than 800 numbers to reschedule deliveries from major companies. (Local companies, of course, might not have 800 numbers.)
Some criminals will leave fake tags to trick you into calling them and telling them valuable information that can be used for identity theft. If you do call about a delivery, you shouldn’t need to verify anything other than your address. If someone on the other end of the call is asking for other information, such as your credit card number or the last 4 numbers of your Social Security number, hang up.
5. If you’re going to buy gift cards, order them from the retailer’s website.
Yes, it’s convenient to pick a gift card off a rack by a cash register, but those cards have traveled far and they’ve been seen by many eyes. Somewhere along the line, someone may have already copied and registered the unique serial number on the card you’ve selected. When you load the card at the cash register, they’ll notice the transaction and quickly trade the card at a discount for cash or make some other kind of purchase. The result? When the person you’re giving the card to tries to use it, they’ll find the card empty.
A better approach is to order gift cards directly from the retailer, so that the cards travel straight from the retailer to you or the person you’re sending them to.
6. Look for tampering on boxes, especially when buying consumer electronics.
When you’re shopping in a store and picking out that perfect gift, look for signs of tampering. Has the package been opened and resealed? If there’s tape on the box, does it look like the tape on the boxes next to it?
Someone may have tampered with the box in the store, stealing the contents and replacing them with an object of a similar weight.
Retailers are doing a better job catching this type of “switch fraud,” but it still takes place.
Avoid boxes that look like they’ve been tampered with. If something looks suspicious, let a store employee know.
7. Use a unique password for each retailer.
If you’re like most American consumers, you’re going to do a lot of your shopping online this year, and every retail website you visit is going to ask you to create an account with a username and a password. You’re probably going to use your email address as your username.
Using an email address as a username is fine (it might even be required), but by all means, don’t use the same password for all your accounts. Why? Because if just one of these retailers gets breached, then criminals have the username/password combination for all your accounts.
This is a big deal. Criminals collect these breached username/password combinations and sell them to one another on the Dark Web. Then they run scripts, trying your username/password combination on different retail sites. This type of attack is known as credential stuffing, and, believe it or not, it’s responsible for 90% of login activity on some major retail and banking websites.
The best and easiest way to prevent this kind of attack is to use a unique password for each account. If you think that’s going to be hard to keep track of, use a password manager like 1Password, Dashlane, or LastPass. Any of these applications can store all your passwords and automatically fill in the right one when you visit a website.
To learn more about password managers and other best practices for staying safe online, read Safety Net: How to Protect Yourself from Phishing, Ransomware, and Other Online Threats.