You may escape the incessant festive tunes and all that pushing and shoving in the aisles and at the doors, but shopping online presents risks of its own. Indeed, some of that frenzy on Black Friday and Cyber Monday can extend to the internet, especially as all that bargain-hunting can cause you to let down your guard.
In fact, many people openly admit to taking risks at the prospect of a deal, however too-good-to-be-true it may sound. According to a survey by Financial Fraud Action UK, three out of ten shoppers admit that “they are more likely to take a financial risk (for example, shop on an unfamiliar or unsecure website) if an online retailer offers them a bargain”. That is a lot of potential victims, who are apt to expose themselves to a range of threats that typically aim to capture their financial information. Indeed, for phishers and other scammers, this is no more challenging than shooting phish in a barrel.
Let’s look at how they might attempt to trip you up, and what you can do to avoid stumbling.
Safe sites
Most of all, we need to ensure that all our shopping takes place at legitimate and tried-and-tested sites. This involves basic precautions, including being leery of odd URLs and staying away from “merchants” offering suspiciously cheap items such as the latest iPhone for a fraction of its going price, as well as from sites offering “customer support” on free email services such as Gmail.
Additionally, we need to be doubly wary of – and never click on any links or attachments in – out-of-the-blue emails, instant messages or social media postings that invariably offer amaaaaaazing bargains, freebies in exchange for completing “surveys”, and similar unmissable offers playing on our fear of, well, missing out.
Indeed, during the holiday season – even more so than during the rest of the year – it’s important to be cautious and evaluate all the adverts that you encounter. After all, search ads are reported to drive one-third of sales on Cyber Monday. The malicious offshoot of online advertising, malvertising, has for years been a significant vector for attacking masses of users, often rearing the ugliest of its heads during the festive season.
Pop-up and banner ads that parasitize well-known brands, as well as malicious adverts loaded by legitimate websites from third-party services and possibly even targeted at specific demographics (much as genuine ads would be), can all lead us to malware-hosting websites or to bogus sites that are designed to steal our personal details. Instead of rushing to click on whatever “deal” is on offer, you’re better off typing the retailer’s URL into the browser’s address bar and verifying that the bargain is authentic.
Such typing may not be without risks of its own, however. When typing the domain in your browser’s address bar, do your best not to mistype it. Otherwise you may inadvertently end up on a domain with a name that is confusingly similar to that of the legitimate and well-known web destination, but whose only purpose is to inflict harm on unsuspecting visitors. This malicious type of URL hijacking, also known as typosquatting, is commonplace, and even though the owners of the legitimate domains often aim to prevent this practice in general (e.g. by buying up all kinds of variations of their own domain names), the practically endless number of all such variations makes this a constant threat.
Similarly, as we ramp up our search for sale items, compare their prices, look for product reviews, and scout around for deals on price aggregation sites, we can reach unintended destinations when attackers poison search engine results with deceptive links. These may lead to dedicated Black Friday and Cyber Monday sites; dedicated, that is, to scamming you. Try instead to search for deals directly on the websites of reputable retailers, but keep your eyes open even there, too.
Safe transactions and connections
Once on any merchant’s site – and before you input your personal and payment details – ensure that the site uses HTTPS web encryption, so that all the information that passes between your browser and the website is encrypted and prying eyes can’t see and interfere with it. The encryption will be indicated by a padlock icon to the left of the browser’s URL bar that, upon clicking, will also indicate that your connection to the site is secure.
That, in essence, is all it says, however, as the presence of the padlock alone does not mean that the website is safe. As increasing numbers of legitimate sites adopt HTTPS, many rogue sites are almost as quick on the draw, taking advantage of the easy availability of TLS/SSL certificates that enable HTTPS connections.
In addition, it pays to be very picky about the Internet connection that you use for your shopping spree. It’s best to stick to your home or work network, or alternatively to your data plan. Under no circumstances is it a good idea to connect to a public Wi-Fi network for your shopping, as many of them are unsafe.
There are a number of ways in which miscreants can easily record your traffic and steal whatever data you send over a connection that is open and uses older, less effective encryption methods or even none at all. This includes setting up a rogue hotspot with an innocuous name like “McDonalds Wi-Fi” to which McDonald's customers happily connect, or capturing data via a Man-in-the-Middle (MitM) attack. By creating an encrypted “tunnel”, a virtual private network (VPN) is your best bet if you absolutely need to use such a connection and want to thwart the risks; however, be sure to use a reliable VPN provider.
Back to basics
In conclusion, let’s remember to stick to what are, in fact, some of the fundamental cyber-hygiene practices that will help you avoid nasty surprises while you do all that power shopping:
- Keep your operating system and applications updated with the latest security patches, as that will reduce the number of openings through which attackers can compromise your machine.
- Use reputable security software that incorporates multiple layers of protection and that, ideally, also includes protection for online banking and payments. As attackers constantly come up with new malicious tools, it is extremely important to make sure that the software downloads the latest updates.
- Utilize complex and unique passwords or passphrases, especially for your most valuable accounts, such as banking, email and social media accounts, and enable two-factor authentication wherever it is available.
When all is said and done, during the holiday season it may actually pay to think and act like ne’er-do-wells “are all over the shop”, as it were. The seasonal shopping extravaganza provides a kind of cover for them, and blending in with the online crowd is easier now than during the rest of the year.
That gizmo, whatever it might be, may indeed be half its usual price today, but that shouldn’t take away from the need to double up on cybersecurity. Cybercriminals, too, prowl around the internet – except that, in “shopping” for our actual and digital assets, their ideas of deals are wildly different from – and antithetical to – ours.
Bag your bargain safely!