Twenty years ago, getting people to trust online shopping was a huge hurdle for ecommerce. Would-be buyers were afraid to provide credit card and other personal information online. The situation has changed dramatically. Today’s online shoppers think nothing of filling out forms and providing data to ecommerce sites, social media sites, and even in public forums.
This transition from hyper-awareness to bold familiarity, coupled with the ever-increasing ability of thieves and swindlers to take advantage of our lapses, has created a serious situation.
Are you safe when shopping online?
Security breaches and security concerns threaten to change the free-wheeling online environment and are causing many consumers to reconsider the risks.
In this guide, we’ll look at the current situation, describe the types of threats you unavoidably encounter online, and provide solutions to help you protect yourself and your family.
Reading and following these suggestions could save you a considerable amount of money, save you a ton of headaches, and keep you from getting caught in an online trap.
The goal here is to replace fear with caution.
Ready to learn?
Examples of Security Breaches You May Already Have Encountered
From mid-May to mid-July, 2017, Equifax – one of the three major credit reporting agencies in the USA – was ‘hacked.’ Data thieves stole information ranging from social security numbers and birth dates to driver’s license and credit card numbers from upwards of 143 million people via the Equifax database.
That security breach was announced on September 7, 2017… months after Equifax became aware of the problem.
That wasn’t the first time Equifax was hacked, either. A year prior, in May 2016, another attack leaked info from 430,000 Kroger customers. Other, smaller incidents litter the company’s data protection record.
Our aim here isn’t to slam Equifax. Rather, it’s to point out that even a credit reporting giant that one would think uses the world’s most advanced methods for preventing theft of information is unable to defend its customers and clients all of the time.
Consequently, consumers can feel vulnerable and at risk. Returning to a pre-credit card, pay-by-cash era is neither desirable nor possible for most of us. We have become accustomed to the convenience extended to us in this Digital Era, and we don’t want to lose it.
Before we move on to solutions, though, let’s consider more examples of the potential danger lurking in cyberspace. They will help us know what to look for, and awareness is a big part of the battle.
Corporate Data Breach Examples
The eBay Attack: Cyberattackers stole names, addresses, even passwords from eBay’s entire database of over 145 million users. The incident was reported in May 2014, but the hackers were active for almost the entire prior year. The breach did nothing to affect eBay’s popularity or income. Many users didn’t open the notification email and are still unaware the event even happened.
Heartland Payment Systems: In this spyware-centered attack, this payment processor was relieved of the data for over 134 million credit cards. The theft was discovered, not by Heartland, but by Visa and MasterCard the following year. The company had to make good on $145 million in fraudulent payments and faced industry sanctions. Even so, many websites handling secure data failed to protect against the tactics used to break into the Heartland system.
The Yahoo Bust: In a huge theft of information, Yahoo lost the personal information of about 1.5 billion user accounts between 2013 and 2016. That information was uncovered during negotiations by Verizon to buy the ailing company. Many Yahoo users still don’t know their personal info is in the hands of thieves.
Those are token examples of the magnitude of the problem. To list all known breaches would require a book, not a guide.
Our aim is not to scare you or to demean the companies involved; rather, we hope you can see that chances are really high that components of your personal data have already been stolen. If you have ever used a credit card (online or offline), registered for a social media site, or become a club member at a retail store – you’re at risk.
Enter your email address here to see if your information may have been stolen in one of the major reported leaks: Have I Been Pwned?
Personal Data Breach Examples
We’re not only at risk of our data being stolen from companies we trust, but savvy scammers can get us to willingly supply private information or give them money.
You may read the following examples and think, “How could anyone be that stupid,” but it’s all too easy to get suckered into a fraudulent scheme or to click a seemingly innocent link, whether online or contained in an email.
These are representative stories collected from trustworthy reporting agencies. We won’t divulge the names of the people affected. They’ve been through enough.
Facebook Fraud: A widowed grandmother was given a computer by her children. They told her it would be an excellent way to video chat and stay in closer touch. She loved being able to see photos of her grandchildren on Facebook.
Presently, she received a friend request from someone who presented himself as a soldier in Afghanistan looking to make pen pals to ease the loneliness of being so far from home. She accepted. Like her, his spouse had recently died from cancer.
Their online relationship flourished, and messages were exchanged daily. The soldier was transferred to Nigeria, where it was easier to use email than Facebook, he said. He would be discharged from the service soon, and he couldn’t wait to meet her in person. He told her of his dream to establish a small jewelry store in civilian life and that he was in the perfect location to buy plenty of stones dirt cheap.
Then, the requests for money started. His credit card wouldn’t work in Nigeria, so he needed $15K (just two percent of the value of the gems he had collected) to pay export taxes. She sent it to him. He made his way to Malaysia, where customs officers took the stones and demanded $20K to return them. She mortgaged her home to get the money.
New difficulties and requests came in daily. She was already invested deeply. She had to help him get those jewels back to the USA. In the end, she ran out of money, and her online romance crumbled. He couldn’t believe she would let him down like that.
The police told her she had been victimized and nothing could be done to get her money back. She still can’t believe it and expects him to show up some day with the jewels to correct the problem.
Credit Card Fraud: A senior citizen received a voicemail from Barclay Bank congratulating him on an increased credit line, but he hadn’t asked for the favor.
Following up, he discovered that a data breach (like the Heartland theft described above) gave thieves access to information they used to open a new card in his name and immediately request an upgrade in the line of credit.
While he was on the phone with the bank, getting that account closed, he received a phone call from a woman posing as a Barclays employee. She needed the password to his main account in order to correct his records.
He switched between the two lines to be sure Barclays wasn’t making the call, then informed the thief he was calling the police.
That didn’t end the nightmare, though. Armed with the same compromised data, cybercrooks soon had him facing another fraudulent credit card scheme.
Victim of a PayPal Scam: A teenager received an email ‘from PayPal.’ It said someone had tried to hack into her account and she would have to re-enter her login data in order to gain access to her money.
Fortunately, there wasn’t much cash there to lose.
She soon began seeing charges to her PayPal account from all over the USA. Fortunately, she didn’t have sufficient funds to cover them.
Looking further, she discovered that her social security number had been used to purchase a car and secure a mortgage loan – but not by her.
There are shark-infested waters online. Trustworthy companies are doing what they can to protect you, but they can’t guarantee your safety, and they can’t keep you from ignoring the “No Swimming” signs and wading into a danger zone.
You have to learn to look out for yourself.
Types of Online Threats You May Encounter
Identity theft, romance scams, and fake emails are representative of the threats you can encounter online, but they are only examples.
- Phishing schemes
- Bogus stores
- Bogus goods
- False claims
- Non-secure websites
- Open networks
- And more…
The list is long, but the good news is that the avenues these threats travel down are limited. Most of the threats you encounter online come at you through just five channels:
- You fail to install an anti-virus program and keep it updated
- You click on links before checking them for legitimacy
- You download files of questionable origin
- You provide your personal information indiscriminately
- You fail to use secure passwords and to change them out regularly
That means you don’t need a separate defense for every potential problem. If you’ll learn and practice defensive tactics for the five primary trouble spots listed above, you can breathe a whole lot easier while shopping online.
Let’s dig in.
Online Shopping Security – How to Stay Safe Online
The only way to make absolutely sure your data is safe online is to stop using the internet. For most of us, though, the benefits of going online far outweigh the risks – if we’re smart about what we do there. It’s like driving a car: you know you could get in an accident, but that doesn’t stop you from driving to the grocery store.
Here’s the root of the issue: When you’re at home using your computer, it feels like you’re safe – like it’s just you and the screen. The truth, though, is that while you’re looking at the internet, it’s looking back at you. You’re connected digitally to the billions of other internet users globally, and there’s a specific identifier – your internet protocol address, or ‘IP’ – that sets your machine apart from the rest. It is the basis of your digital footprint.
Let’s consider each of the five primary areas of attack and the steps you can take to protect yourself from each.
1. Antivirus software isn’t always effective
This is one of the biggest security mistakes online shoppers make. New computers typically come with antivirus software pre-installed. The new owner figures that means the machine is good to go, then proceeds to surf indiscriminately – figuring the software will act as a bodyguard and fight off any attackers.
That’s not always true for several reasons:
- The antivirus software that comes on new computers is a trial version only (unless you specifically purchased it with the machine). Once the trial expires or the subscription period ends, you’ll have to pay to keep the protection in force. Just having the software doesn’t do the job. It must be activated and live.
- There are a number of ways antivirus software can get turned off. Whether you shut it down on purpose to install another program successfully, it gets turned off accidentally, or a cyberattack shuts it down – if it’s not on, it’s not protecting you.
- Antivirus programs are good, but they aren’t perfect. It’s possible a new virus has yet to be identified and added to the library of threats, for instance, or that a software update failed and you didn’t get the most current information.
- Updates are essential. To do the best job, your antivirus software needs the latest data. That only happens via updates.
No tool is perfect, but a robust antivirus program is essential. You should never go online without that first and persistent line of defense.
Here are the steps to take to make sure you have this base covered:
- Check your machine now to make sure you have an antivirus program installed, and that it is turned on and updated. If you have a Windows 10 machine, you probably have Windows Defender pre-installed. It is sufficient. If you have an Apple machine, you will have XProtect, Gatekeeper, and a malware removal tool. Never make the mistake of thinking Apple products don’t need antivirus. They do. To get the best price on top-rated commercial antivirus software, search Coupon Chief.
- Once you’ve determined you have antivirus and it’s turned on, check to be sure it’s updated. Then check to be sure the options are set to keep the software updated automatically. If you’re unsure how to do any of this, use a search engine to find out, or go to the manufacturer’s website and look for Help.
- Rinse and repeat. Get in the habit of checking your antivirus program often. To strengthen the capabilities, search for and install a reliable anti-malware program alongside your antivirus. It will give you broader protection and find things your antivirus program misses.
Having a virus checker that’s updated and turned on is an excellent starting point – but it’s only a starting point. You need to protect yourself on the other four levels too.
2. Do you really know what you’re clicking on?
Soldiers know one of the favorite tricks of the enemy is to bury explosives along the road or trail. It’s a 24/7 way to catch someone off guard and exploit the situation. Cybercrooks do the same thing. They don’t use artillery shells or high-explosive charges for their landmines, though; they use clicks… YOUR clicks.
Whether on a website or in an email, it’s important to be vigilant at all times. The call to action might be “Get 50% Off” or “Unsubscribe from this mail,” but things aren’t always as they appear. To see where a link actually points, hover your mouse over it and look in the corner of your browser window, usually the lower left. You’ll see the address pop-in there.
For example, scammers often send emails that claim to be from or represent Amazon, PayPal, your bank, or another site you trust. There will be an offer that’s difficult to refuse and one or more links to click on.
Here’s a screenshot of one that was recently delivered to my inbox. To save space, I’m just showing you the main part. The mail sender appears to be Amazon.com. There’s a graphic below the text that shows a present tied with a golden ribbon and urges me to get my “FREE $50 Amazon.com Gift Card.”
Sounds great, right? All it takes is 30 seconds to earn a $50 gift card. If I hover over one of the links, though, I can see it doesn’t point to Amazon at all – or to a research company that would be working for Amazon. Rather, it points to a free .gq domain registered in Equatorial Guinea. Symantec Corporation, a security giant, says 99% of the domains from .gq are ‘shady.’ I think I’ll pass on that 50 bucks. Would you?
Taking the trap further, what would happen if you DID click on that link?
Don’t try this at home, but I used an incognito browsing window with fingers at the ready to close the browser if something went haywire. I expected to see a questionnaire that would mine for as much data as the crooks could pull from me – up to and including a credit card number.
Rather, I got the popup shown below:
Would you click on the “Accept” button? I didn’t. It may be just a scam to get me to buy magazine subscriptions… or it could be a quick route to downloading malicious files that would steal my information or harm my computer. Note the Amazon.com logo is used on the upper right. Just because something LOOKS official, that doesn’t mean it IS official.
Threat levels have escalated with the rapid growth of internet speed capabilities. It may take only a few seconds for the crooks to push their code to your machine. Those few seconds could cause major upheaval to your life. Don’t risk clicking on risky links. Always hover to check that a link is going to a familiar, friendly website you trust.
Here are some tips to avoid the traps:
- Hover over the link before you click to see where it will take you. Beware of scammers who use subdomains to fool your eyes. For instance, amazon.sqtzr.com is probably not an Amazon property. Amazon links should go to amazon.com. The part immediately before the final dot (here, sqtzr) is the root. Anyone can set a subdomain (the part before the root) to “amazon.”
- Social media posts often contain links that have been changed and shortened to stay within character limits or look better. For instance, the Coupon Chief Guide to Extreme Couponing lives at this address: https://www.couponchief.com/extreme_couponing. We can use a link shortener, though, to make it more concise. Like this: http://bit.ly/couponextreme. Try clicking on both links. Note that they resolve to the same page. You can use a URL expander to find out where shortened links go. If you aren’t sure about the safety of a site, use a tool like Norton Safe Web to investigate it.
- Just as you would be careful about where you go in an unfamiliar city, pay attention to the neighborhood when you’re surfing the web. If you enter a site and get a pop-up wanting you to click a link, stop and close the window, then clear your cache. For maximum safety, follow that by closing the browser, then restarting your computer. Never click a link you’re unsure of, regardless of what the link says.
Common traps include pop-ups saying your computer has been infected with a virus and you must click (or call a phone number) to fix the issue, ‘Unsubscribe’ links in emails that really aren’t unsubscribe links, and pop-ups or emails saying you’ve just won a prize and must click to claim it. As with most things, if it sounds too good (or bad) to be true… it probably is.
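The hover check from the tips above, written out as an added example (it is not part of the original guide): it finds the domain a link really belongs to and flags the subdomain trick, shortened links, the .gq extension and non-secure links. The function names, the allow-list of sites and the short list of two-part extensions are assumptions made for illustration.

```javascript
// Added example, not from the original guide.
// ASSUMPTION: a tiny constructed subset of two-part extensions; a real checker
// would load the full Public Suffix List.
const TWO_PART_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);
// ASSUMPTION: hypothetical allow-list of sites the reader actually uses.
const TRUSTED = new Set(["amazon.com", "paypal.com", "couponchief.com"]);
const SHORTENERS = new Set(["bit.ly"]); // the shortener used in the guide
const FLAGGED_TLDS = new Set(["gq"]);   // the extension the guide calls out

// The registered domain: the root plus its extension, e.g. "sqtzr.com".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length <= 2) return labels.join(".");
  const take = TWO_PART_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// Trusted brand names that appear only as subdomain labels of another domain.
function borrowedBrands(host, domain) {
  const subLabels = host
    .slice(0, host.length - domain.length)
    .split(".")
    .filter(Boolean);
  return [...TRUSTED]
    .filter((trusted) => trusted !== domain)
    .map((trusted) => trusted.split(".")[0])
    .filter((brand) => subLabels.includes(brand));
}

// Classify a link by where it really points, not by what it displays.
function checkLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { verdict: "invalid", domain: null, reasons: ["not an absolute URL"] };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { verdict: "suspicious", domain: null, reasons: [`unexpected scheme ${url.protocol}`] };
  }
  const host = url.hostname.replace(/\.$/, "");
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) {
    return { verdict: "suspicious", domain: host, reasons: ["raw IP address, no domain name"] };
  }
  const domain = registrableDomain(host);
  if (SHORTENERS.has(domain)) {
    return { verdict: "expand-first", domain, reasons: ["shortened link hides the destination"] };
  }
  const reasons = [];
  const borrowed = borrowedBrands(host, domain);
  if (borrowed.length > 0) {
    reasons.push(`"${borrowed.join('", "')}" is only a subdomain of ${domain}`);
  }
  const tld = domain.split(".").pop();
  if (FLAGGED_TLDS.has(tld)) reasons.push(`.${tld} extension`);
  if (url.protocol === "http:") reasons.push("connection is not HTTPS");

  let verdict = "unknown";
  if (reasons.length > 0) verdict = "suspicious";
  else if (TRUSTED.has(domain)) verdict = "known-domain";
  return { verdict, domain, reasons };
}

// Constructed sample links, including the addresses mentioned in the guide.
const samples = [
  "https://www.amazon.com/gp/help",
  "https://amazon.sqtzr.com/gift",
  "http://bit.ly/couponextreme",
  "https://www.couponchief.com/extreme_couponing",
  "https://prize.example.gq/claim",
];
for (const href of samples) {
  const { verdict, domain, reasons } = checkLink(href);
  console.log(`${verdict.padEnd(13)} ${domain}  ${reasons.join("; ")}`);
}
```

A "known-domain" verdict only means the link points at a site on your own list; an "unknown" one still deserves a lookup in a tool such as Norton Safe Web before you click.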
3. Every download is a potential landmine
You don’t always have to be tricked into downloading malicious files. Sometimes, you go looking for it. Special dangers are sites offering software, music, or videos for free. ‘Torrent sites’ are especially prone to deliver more than you bargained for in the way of headaches.
Crooks often use greed to catch their victims. They’ll provide a site that will allow you to bypass payment and get a pirated copy of something that would normally cost quite a bit. You may (or may not) get the goods you wanted, and you open yourself up to getting files or code you didn’t want. Do yourself a favor, and don’t take the bait.
Another favorite trick of spammers and scammers is to provide illegitimate links next to good links. That increases the chance you’ll click on something that will either trick you into a download you didn’t want or produce a form to collect information from you.
As mentioned earlier, if you find yourself in a suspicious neighborhood… get out fast. Here are some tips:
- As with links in general, you can hover over a call-to-action button and look in your browser bar to determine the destination. You can then check Norton Safe Web, or a similar online tool, to get info on that site. Another option for checking sites is Google’s Transparency Report. If the site you’re checking shows as ‘no data’ in those tools, there’s a big chance it’s a throw-away spam site you don’t want to visit.
- If your browser or antivirus software alerts you to danger ahead, take the threat seriously. Don’t let your desire to get what you want out-vote your common sense.
- Watch out for ‘tech support’ calls from people claiming to be from Windows, Google, or another big-name brand. They don’t need your login info, and they sure don’t need you to download a file. Neither Microsoft nor Apple monitors your computer and then calls you to recommend a fix. And Google doesn’t use telemarketers promising to get your site on the first page. Whether the threat comes by email, webpage, or telephone… don’t fall for it.
- Use your antivirus software to scan files you’ve downloaded before you install them. To make sure there won’t be any auto-installs, never use an administrator account for daily computing. Create an administrator account (with strong password) to use when you need it, but make a local user account your main way of connecting. You’ll need to switch to admin when you want to install a program, but you’ll be protecting yourself during the rest of the time when you don’t need to download a file.
When you click “Okay” to install a file, you’ve no control over what happens next. With many malicious files, you don’t even need to acknowledge the installation. It happens automatically. It’s also possible you won’t know anything’s going on at all.
Play it safe. Be smart. If you need a program, pay for it… otherwise you may pay a whole lot more than you ever intended.
4. Be careful of where you leave your digital footprints
Remember: it may feel like just you and your computer are there when you’re online, but that’s a false sense of security. Don’t fall for it.
Every post you make on social media, every website you visit, and every form you enter information into can be a collection point for thieves and scoundrels.
If they can collect enough personal data from your posts, they may be able to ask for a password reset and access your secure locations. Identity thieves and neighborhood break-in artists love social media. You tell them everything they want to know there – including when your home is going to be vacant for an extended period, your mother’s maiden name, and the make of your first automobile.
How can you protect yourself? That’s easy: stop doing that. Wait until you’re home from vacation to post those photos, and never respond to those chain letter inquiries that require you to reveal everything down to the color of your underwear.
Your digital footprints are like your tracks in wet sand. They tell everyone exactly where you’ve been. The digital version doesn’t get washed away with the tide, though. They’ll be there for a long, long time.
Not only does that give potential employers a candid window to check up on what you look like apart from a resume, your online tracks give marketers and cybercrooks an excellent means of finding out more about you.
You’ve probably heard about online ‘cookies’ and how they can be both helpful and harmful. If you need a refresher, here’s an excellent resource that explains how cookies work and how you can manage them: What Are Cookies?
- Not all cookies are bad, but some are. You can view them in your browser security settings, then delete the ones that look suspicious. The What Are Cookies? article goes into that process for the most popular browsers.
- Don’t turn cookies off altogether. You’ll need them for online shopping, especially at checkout time.
- It’s wise to ‘clear your cache’ regularly. Learn how here: Clear My Cache. That can not only help your machine run more smoothly, but – depending on your settings and browsing habits – can get rid of personal data that doesn’t need to be stored.
- Never enter data in a form on a suspicious site, and never enter data you don’t need to enter. The fewer pieces of personal info you have scattered around the web, the lower the chance of it being hacked and exploited.
- When you forward an email to a list of friends, use the bcc (blind carbon copy) function to help protect their email addresses. Here are instructions: BCC Info.
Digital footprints are the reason why you can read about vacationing in Europe, then begin seeing European vacation ads follow you around online. Sometimes, that can be helpful. Other times, it can be downright bothersome.
But advertising targeting won’t hurt you nearly as severely as cyberattack targeting. The more the crooks know about you, the better their chances of tricking you into making a mistake and entering the lair.
Hackers don’t spend much time hacking. Mostly, they collect information to get ready for the hack. Make that difficult for them to do, and they’ll move on to an easier mark.
5. Your passwords say a lot about you
What’s the most common password used? Nope, it’s not “password.” That one now sits at number eight. Last year’s most-often chosen protector of the digital kingdom was “123456.” Running close behind, in second place, was “123456789.”
How hard would that be to break?
Computerized password cracking machines are relatively inexpensive and can allow thieves to access your account in seconds. And if you use the same password for multiple accounts, that means one key fits all.
- Use a different password for each account.
- Change your passwords often.
- Use a secure password generator, like this one from Symantec: Identity Safe.
- Use a password manager to store your passwords. LastPass and Dashlane are two of the most popular tools for helping you protect yourself. You’ll only need to remember one password to access all (but don’t forget the one).
- If you need to give someone access to an account, create a special login with a different password. Then delete the account as soon as the work is finished.
Don’t try to be cute with passwords. Be safe. You wouldn’t hand out keys to your home indiscriminately, and you hopefully won’t put a key under the doormat.
Passwords play a huge part in online security. Use them well.
Get this cheat sheet to compare the top password managers: [Password Manager Cheat Sheet].
Who Protects You When You’re Shopping Online?
Online shopping isn’t a whole lot different than offline shopping. You can find bargains, and you can get ripped off. You can have a great day browsing through stores, or you can get mugged in an alleyway.
Yes, there are laws and law enforcement officers actively trying to defend you, but that doesn’t mean you’re safe. In the end, your safety is largely up to you.
This guide isn’t meant to scare you. Rather, it’s meant to educate you and help you stay safe online. The internet is amazing. You can select goods from all around the globe and have them delivered to your door the next day. Few people want to return to pre-internet days, but most people do want to get rid of the crooks.
To do that, each of us must learn to fight back.
That’s what this guide is for.