Top security tips for online shoppers
Article by Radware regional director for A/NZ Mathew Gomziel.
With the year’s biggest shopping season just around the corner, consumers are preparing to take advantage of enticing discounts and offers from a range of e-commerce websites and applications.
Naturally, this is also the peak time for fraudsters and cyber-criminals — who try to trick shoppers with fake deals, hack into their accounts to steal gift cards, reward points and discount codes, and extract personally-identifiable information (PII) that they can further abuse.
The following tips help shoppers guard against being cheated or defrauded when shopping online.
Shop at reputable sites and avoid lookalike sites with similar URLs and appearance
Scammers often set up short-lived sites whose names and URLs differ from those of well-known retailers by only a character or two, and copy the real site’s branding and layout to trick shoppers. Type a retailer’s address directly or use a saved bookmark rather than following a link from an advertisement or message.
Use authorised shopping apps from Apple’s App Store and Google’s Play Store
Fraudsters try to trick unsuspecting users with spoofed shopping apps that imitate the look and feel of popular apps. Fake apps put consumers at risk of account takeover, financial loss, and exposure of personal information. Search for and download apps only from authorised app stores and never click on links offering app downloads from unknown or suspicious sources.
Watch out for deals that look too good to be true
Don’t fall for unrealistically low prices. They are usually bait: either a bait-and-switch offer that delivers a product other than the one advertised, or a fake storefront that takes payment and delivers nothing at all.
Make sure the website’s address starts with ‘https’ and check the lock icon in a browser’s address bar
The lock icon in the address bar and the ‘https’ prefix indicate that the connection to the website is encrypted, so card numbers and passwords cannot be read or altered in transit; never enter payment details on a page without them. The lock does not, however, vouch for who runs the site: certificates are free and lookalike and phishing sites use HTTPS too, so a lock is a minimum requirement, not proof that a site is genuine.
Look for websites and apps that have additional security measures
Leading e-commerce websites and apps usually have bot mitigation measures in place to block malicious bots, which criminals use to try stolen passwords and card numbers at scale. The visible sign of this is a CAPTCHA challenge on login or checkout, which asks visitors to identify objects in images, decipher a short string of text or tick a checkbox to confirm that they are human; most leading portals also run specialised bot mitigation that the shopper never sees.
Provide as little personal information as possible
Reputable e-commerce portals generally do not ask for tax numbers or other details that are not necessary to carry out transactions (such as a mother’s maiden name, etc.).
Provide the bare minimum personal data and avoid websites and apps that ask for more information than practically required.
Use strong and unique passwords preferably with multi-factor authentication (MFA)
Use a different password for every website, ideally generated and stored by a password manager, and if the website or app offers it (most leading sites do), turn on its MFA option, usually found in its security settings, for an additional layer of account protection.
Set up an authenticator app such as Google Authenticator or Authy to generate the MFA code required every time someone logs into those sites. An authenticator app is preferable to codes sent by SMS, which can be intercepted through SIM-swap fraud.
Regularly check bank statements
Watch out for suspicious transactions and charges, and promptly report any unauthorised transactions to the appropriate bank or payment service.
Do not shop via unsecured public Wi-Fi networks, and use a VPN (Virtual Private Network) if possible
Avoid making payments over public Wi-Fi, which may be run by anyone, including a fraudster who has set up a hotspot with a plausible name; a hostile network can redirect traffic to lookalike sites or tamper with connections that are not encrypted. A VPN encrypts all traffic between the phone or PC and the VPN provider, hiding it from the hotspot operator and other users of the network, although it shifts that trust to the VPN provider and does nothing against a fake site reached over the VPN.
Use credit cards and services like PayPal instead of debit cards
Unlike debit cards, which are directly linked to a bank account, credit cards and payment services usually provide more protection, less personal liability, and quicker resolution of claims.
Use a virtual credit or debit card
Instead of typing an actual credit or debit card number and CVV into each merchant’s checkout, take advantage of services such as Apple Pay, Google Pay, Venmo and others, or a virtual card number issued by the bank.
Apple Pay and Google Pay pass the merchant a tokenised stand-in for the real card number, services such as Venmo keep the card details within the payment service rather than with each merchant, and virtual cards can be limited to a single transaction, a single merchant or a spending cap, so the details are worthless to criminals who harvest them from a breached merchant or use bots to extract or test card numbers.
Be wary of very lucrative offers sent via email
Watch out for ‘phishing’ emails that offer lucrative deals, but are meant to trick shoppers in various ways, including revealing their log-in credentials, payment card data, or other personal information that can be further abused by criminals.
Always check that such emails come from the sender they claim to: look at the actual sender address rather than the display name, hover over links to see where they really lead before clicking, and look out for telltale signs of fraud such as errors in spelling and grammar and pressure to act immediately.
Look out also for website addresses that have minor variations to make them look like a reputed brand, but may have an ‘i’ instead of an ‘l’ or similar discrepancies.
When in doubt, just go directly to the brand’s website to confirm the authenticity of such offers.
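The lookalike-site warning earlier in this article and the ‘i’ for ‘l’ example above can both be turned into an automated check. The following Python script is an added example written for this article, not code from Radware; the trusted-site list (bigshop.com, megamart.co.nz) is a hypothetical placeholder, the sample URLs are constructed, and the confusable-character table covers only the common substitutions. It collapses each host label to a canonical ‘skeleton’ (digits and Cyrillic letters mapped to the Latin letters they resemble, hyphens removed) and flags a host that matches a trusted brand only after that normalisation, carries the brand as a subdomain of or inside another domain, or is a single edit away from it.

```python
"""Lookalike-domain check for shopping URLs.

Added example for this article; KNOWN_SITES and the sample URLs are hypothetical.
Flags hosts that imitate a trusted shop by confusable characters, by embedding
the brand name in another domain, or by a one-character typo.
"""
import unicodedata
from urllib.parse import urlsplit

# Hypothetical list of shops the user actually trusts (assumption, not real sites).
KNOWN_SITES = {"bigshop.com", "megamart.co.nz"}

# Characters attackers swap for visually similar ones: Latin digits/punctuation
# plus a few Cyrillic letters that render identically to Latin ones.
CONFUSABLES = {
    "0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s", "8": "b", "@": "a",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "l",
}
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(label: str) -> str:
    """Collapse a label to a canonical shape so confusable spellings compare equal."""
    s = unicodedata.normalize("NFKD", label)
    s = "".join(c for c in s if not unicodedata.combining(c)).lower()
    s = "".join(CONFUSABLES.get(c, c) for c in s)
    for pair, repl in MULTI_CHAR:
        s = s.replace(pair, repl)
    return s.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Extract the host, decoding punycode (xn--) labels back to Unicode."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    return host


def classify(url: str) -> str:
    """Return 'known', 'lookalike:<brand>' or 'unknown' for a shopping URL."""
    host = hostname(url)
    for site in KNOWN_SITES:
        if host == site or host.endswith("." + site):
            return "known"
    brands = {site.split(".")[0] for site in KNOWN_SITES}
    for label in host.split(".")[:-1]:                # skip the TLD label
        sk = skeleton(label)
        for brand in brands:
            bk = skeleton(brand)
            # Exact skeleton match (bigsh0p, Cyrillic o, brand used as a subdomain)
            # or brand embedded in a longer label (bigshop-deals); length guard
            # avoids matching very short brand words by accident.
            if sk == bk or (len(bk) >= 6 and bk in sk):
                return f"lookalike:{brand}"
            # One-character typo (bigshoop, bigsop).
            if len(bk) >= 6 and levenshtein(sk, bk) == 1:
                return f"lookalike:{brand}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, not real sites.
    for u in ["https://www.bigshop.com/sale", "http://bigsh0p.com/login",
              "https://bigshop.com.secure-checkout.net/", "https://bigshoop.com",
              "https://bigshop-deals.com", "https://bigsh\u043ep.com",
              "https://example.org"]:
        print(f"{u:45} -> {classify(u)}")
```

The ‘known’ test deliberately requires the host to end in a trusted site, so `bigshop.com.secure-checkout.net` is caught even though it begins with the real name. For production use the second-level label should be determined with the Public Suffix List rather than by splitting on dots, and the confusable table extended from the Unicode confusables data.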
Check to see if a shopping site or app is badged as PCI-DSS compliant
PCI-DSS (Payment Card Industry Data Security Standard) compliance is mandated by the major payment card brands for organisations that accept and process card payments and cardholder data, and shopping at portals that comply with it gives some assurance of stringent security and fraud-prevention measures. A compliance badge is only an image that a fake site can copy, though, so treat it as one signal among others; a stronger sign is that card details are entered on a hosted payment page run by a recognised payment processor, so the merchant never handles the full card number itself.