That inbox full of Black Friday alerts and e-tailer sales pitches are sure signs that the peak holiday shopping season has arrived. But while online shopping from a computer or a smartphone can save you time and money, it can also give online scammers their biggest opportunity of the year. Here’s what security experts say you should do to stay out of harm’s way when shopping online.
1) Double-check the URL If you follow a shopping link from an e-mail or from another Web site (as opposed to typing it in yourself), make sure the URL in the address bar matches the URL at the bottom of the browser window. A mismatch is almost a sure sign that you’ve stumbled into a phishing site.
2) Use secure HTTP Before you fill out an online form with personal information, check the address box in your browser to be sure the URL begins with HTTPS (as opposed to the usual HTTP); you can also scan your browser window for the closed padlock icon. Both indicate that you’re on a secure Web site, and that the information you’re sending will be encrypted.
3) Use credit cards You don’t want to use a debit card for online shopping, because if you did and there was then a security breach at the online merchant, the culprits would then have access to your bank account.
4) Answer the security questions Don’t be put off by security questions a merchant might ask—such as where you lived in the past—especially when ordering big ticket items. Jodi Florence, head of marketing at identity verification service IDology, says these knowledge-based authentication questions “are designed to verify that you are who you claim you are and prevent identity theft for both you and the merchant.”
The same goes for the increasingly common request for the three- or four-digit security code printed (but not embossed) on most credit and debit cards. People who don’t have physical access to your card can’t get these numbers, even if they do have access to your account number. Merchants often request them in conjunction with other account information that isn’t on the card—your ZIP code, for example—because then someone who steals the card (but not other ID) can’t use it to shop online.
5) Be smart about security questions Don’t use the same security question on every e-merchant’s site. “Static, shared secrets are dangerous, because they are easy for someone to guess or to Google the answer,” IDology’s Florence says, “especially because we are sharing more and more personal information on social network sites such as Facebook.” She recommends changing questions and answers from merchant to merchant; in particular, she says you should never use the same question and answers on a shopping site that you use to secure your bank account. And you don’t necessarily have to provide the real answers to your security questions; Florence recommends using fictitious ones you can remember.
6) Know your payment app If you are considering a mobile payments app for your smartphone, make sure it is from a known, reputable source. “Disreputable people are putting apps out there, for the purpose of phishing consumer information,” warns Calvin Grimes of Fiserv, a financial services technology provider. And if you are considering a mobile finances app, Grimes recommends looking for one that lets you remotely wipe data from your smartphone, should you lose it.
7) Be wary of SMS Don’t send personal information via SMS and be suspicious if you get a message purporting to be from your financial institution. “SMS is not encrypted, so banks do not send personal information” that way, Grimes says. “If you send sensitive financial information on your mobile phone, be sure you are using a secure browser or app.”
8) Keep an eye on it Keep an eye on activity in your accounts. You can eyeball transactions on a daily basis, so that if you see something that doesn’t look right you can take immediate action. Or you can have the bank send you an alert if your balance reaches a certain level.
9) Call for help When in doubt, call your bank or merchant. Get a live customer service representative to verify whether or not a communication you’ve received is legitimate.
[Yardena Arar is a freelance writer in San Francisco.]