
How to Avoid Black Friday and Cyber Monday Scams

November 24, 2022 · 8 min read

Cybersecurity

One long-term effect of the recent pandemic is the shift to online holiday shopping, which increases the likelihood of a cyberattack. With the holiday season quickly approaching, staying safe when shopping online is essential. Reports show that online scamming is at an all-time high and there are no signs of a decline.

Let’s imagine a few scenarios.

  1. You get an email from Target saying they are offering gift cards and all you have to do is submit your card information, and boom, a free Target gift card.
  2. You receive a text alerting you about Dillard’s online sale that is only available via their link so you can knock out some early Christmas shopping. 
  3. You get a pop-up ad from that one website you use to watch free movies offering free Visa cards. 

You might think, “Wow, this is too good to be true!” And that’s our first rule of thumb: if an offer is too good to be true, it’s probably a scam. 

Let’s look at how scammers use the enthusiasm and good feelings of the holidays to deceive online shoppers.

Don’t Open Unfamiliar Links

Phishing is a prevalent social engineering technique in which malicious actors send fraudulent messages to trick victims into handing over sensitive information like passwords or credit card information. These messages often come in the form of text messages or emails.

Here are a few ways to check whether a message is a phishing attempt:

Check the sender 

Circling back to the scenario used in the beginning, if you get an email from a company like Target, you should first check the email's sender. Being a Target shopper, I get tons of emails about sales and deals. I can tell you, Target’s official email is [email protected].

Malicious actors create email addresses similar to official business addresses to make their messages seem legitimate. For example, they might use [email protected] or [email protected].

Look for spelling or grammatical errors. If you’re still not sure whether it’s real, do a quick search for it on the web, check the company’s website, or reach out to the company directly to verify its authenticity.

You can also verify company phone numbers, which aren’t as easy to identify as emails. Simply type the number into Google to see whether the number is connected to the company.

Check the Link

Most scam sites have spelling errors, and many are ridiculously long. Those are easy giveaways.

Does the Link Text Match the Site?

Some cybercriminals display one website in the link text while the link actually leads somewhere else. Hover over the link, or copy and paste it into a browser instead of clicking it. That way, you can see and review the actual link before being taken to it.

Is the Site Encrypted?

It’s also wise to note whether the site is encrypted. To tell, look at the address bar, where the URL is shown.

Do you notice how the site has the padlock and an “HTTPS” address? That tells you that the site is encrypted. This means that any data you transmit to the site, be it your login information or credit card number, is protected from third parties. It will stay between you and the operators of the website. 

If you encounter a website that isn’t encrypted, the connection is not secure, which means the information you transmit could be intercepted by a third party. Find another site to shop from.

Unfortunately, a padlock and an HTTPS address don’t guarantee that a site is safe. As Kaspersky notes, “... the green lock and the issued certificate say nothing about the site itself. A phishing page can just as readily get a certificate and encrypt all traffic that flows between you and it.”

So, while it’s important to only shop on encrypted sites, you cannot rely solely on the encryption indicators as a signal of what is safe and what isn’t. 

An Example of How to Dissect a Phishing Text

Let’s dissect this text I received and the steps I used to conclude it was fake:


First: I Googled the number, and no information regarding a company came up. That troubled me.

Second: I noticed that the link looked suspicious. 

When receiving a text or email with a link, whether it be a “package not delivered” or a “Black Friday sale” link, if the URL looks suspicious, it probably is. The URL in the text message above shows no indication of what company I could be receiving a package from.

Third: The text has awful grammar. Think about it, businesses invest heavily in marketing. Are they likely to overlook glaring grammatical errors? Probably not.

Fourth: Contextualize the message you are receiving. I wasn’t expecting a package, so the message was out of place.

Fifth: Off to the junk folder it went!

Don’t Purchase from Suspicious Sites

What if you find yourself on a website you’ve never heard of before? Maybe they’re offering the best deal, or you believe you're supporting a local business. Hold on! You’ll want to check a few things before trusting them with your address and credit card. 

Check the Reviews

Checking reviews is a crucial part of identifying scam websites. Many scam websites will have fake reviews. Often, there will be multiple reviews posted simultaneously with the same keywords. 

In contrast, a legitimate company will have a variety of reviews. FakeSpot is a great tool that uses AI to calculate whether or not a product has fake or legit reviews.

Another trick is to search Reddit for the website to see if anyone has reported a bad experience. Take these with a grain of salt, however, as a malicious website creator could use various accounts to respond to a Reddit question, making their website seem legit.

Check Copyright Information 

A legitimate site will have updated copyright and contact information. This is crucial because if the company has no contact details, what do you do if you have an issue with the product? Copyright helps identify the owner of a company or product. Most websites host their copyright information at the bottom of the home page. 

Use A Password Manager

If you have online accounts that require logins, you should use a password manager. 

A password manager prevents your accounts from getting hacked by safely securing your logins. TeamPassword is an easy-to-use password manager for teams. Every user on the account has the option to keep private records, like their personal Amazon account information. Team admins can also create groups to share logins with multiple users, making access to team accounts a breeze.

I've accumulated hundreds of accounts over the years. A password manager allows me to have unique, strong passwords for each account while eliminating the impossible task of remembering those unique passwords that may only get used once or twice a year.

Creating Unique Strong Passwords

Creating a strong password is simple, especially with a password generator. But remembering those passwords is another thing. While using the same password for multiple accounts is tempting, it’s important not to. If a malicious actor were to get access to one account, gaining access to the rest would be much easier. 

If password generators aren’t your thing, try using a passphrase instead. Simply put, a passphrase is similar to a password but uses more characters from memorable items for increased security. Here are a few examples of what passphrases can look like. 

It could be random: A11ig@torsWithRed$weaters

Or it could be based on one of your interests: R3*dingCl*ssicLit3r*ture_

They pretty much look like censored curse words. But, since I built these phrases myself, I'll be able to remember them quickly. And just like that, I now have two 25-character passwords!

In Conclusion

The bottom line is that scammers aren’t going anywhere. It’s up to us to follow protocols that will keep us safe online. Take the time to check that those good deals are legit, use a password manager, and only click on links from expected, verified emails and messages.

If we can all follow these simple cybersecurity practices, we can all shop with a little more peace of mind come Cyber Monday. 
