Cybercrime is an epidemic. In the U.S. alone, nearly half a million complaints are filed about it each year, according to the FBI—and that’s just what’s reported. Here’s how you can stay safe and avoid becoming a statistic.
Table of Contents
- Only Shop on Sites Using HTTPS
- Be Careful Who You Shop with
- Shop Online with Credit Cards If Possible
- Use Strong Passwords
- Use a VPN If Shopping in Public
- Watch out for “Too Good to Be True” Deals
- Know Your Rights and the Return Policies of the Site
- I’ve Been Hit by Cybercrime, Now What?
Let’s start with the most obvious advice: Only shop with sites that use HTTPS encryption. If the site is using HTTP, any data transferred over the connection, including payment details and passwords, is unencrypted, meaning that it can be read by anyone with some basic cybercrime know-how.
Connecting to a site that uses HTTPS ensures that all transmitted data is encrypted and that would-be criminals can’t eavesdrop on your data.
Keep in mind that while an encrypted connection (HTTPS) is obviously better than HTTP, that only means that your connection is secure. It doesn’t mean that the website is secure. The website could still be full of vulnerabilities and exposed databases and may have plenty of other weak spots.
HTTPS is good, but it doesn’t mean that you’re completely safe.
Although cybercriminals are becoming more sophisticated, you can generally spot a fraudulent site fairly easily. Here are some of the telltale signs to look for:
- Poor Site Design: The first thing you’re likely to notice when you go to a site is its design. Ecommerce sites, in particular, dedicate a lot of resources to creating a beautiful site with great usability on both desktop and mobile. If a site looks like it was thrown together in a couple of hours, it’s probably not a good idea to trust it with your credit card details.
- Poor Spelling/Grammar: As with site design, reputable sites put a great amount of effort and resources into the content of the site. Typos occasionally happen, but if there is an obvious deficit in high-quality content, there’s a good chance that the site is malicious. That isn’t to say that sites that do look legit can’t also be malicious—just that sites with glaring issues obviously present more of a risk.
- Weird Business Names, URLs, or Emails: It’s generally pretty easy to spot these, but some can be sneaky. If the website address (URL) looks something like “best-gifts-at-super-low-prices.com”, then it’s probably a scam. Also, be mindful of emails or URLs that have almost unnoticeable tweaks in their names compared to the actual company they are pretending to be. It’s all about being able to spot the difference between rnicrosoft, micorsoft, and microsoft.
- No (or Sketchy) Contact Details: Ecommerce sites always provide a way to get in touch. If the website doesn’t provide a way to talk to support, that probably means it’s illegitimate—and even if it is legitimate, you don’t want to deal with a company that doesn’t provide decent support.
- Unsecure Site: As mentioned above, if a site is missing the “S” in HTTPS, don’t trust it with your credit card details. Sending your information over HTTP puts it at risk.
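The near-miss spellings above (rnicrosoft, micorsoft) can also be caught automatically. The sketch below is an added example, not part of the original article: it flags a URL whose domain is one edit or one look-alike letter pair away from a brand you trust. The `KNOWN_BRANDS` list, the `CONFUSABLES` pairs, and the shortcut of reading only the second-to-last hostname label (which mishandles suffixes such as .co.uk) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list of brands the shopper actually uses (illustrative).
KNOWN_BRANDS = {"microsoft", "amazon", "walmart"}
# Character sequences that render like another letter in many fonts.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
# Constructed sample URLs; the misspellings are the ones quoted in the article.
SAMPLES = ["https://www.microsoft.com/store", "http://rnicrosoft.com/login",
           "https://micorsoft.com/", "https://best-gifts-at-super-low-prices.com/"]


def osa_distance(a: str, b: str) -> int:
    """Edit distance that also counts a swap of two adjacent letters as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'known', 'lookalike of <brand>' or 'unknown' for a URL's domain."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    name = labels[-2] if len(labels) >= 2 else host  # simplification, see lead-in
    if name in KNOWN_BRANDS:
        return "known"
    folded = name
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)  # e.g. "rn" read as "m"
    for brand in sorted(KNOWN_BRANDS):
        if folded == brand or osa_distance(name, brand) <= 1:
            return f"lookalike of {brand}"
    return "unknown"  # not on the list: no verdict either way


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample} -> {classify(sample)}")
```

A result of "unknown" only means the domain is not close to anything on the list; the other signs in this section still apply to it.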
In general, shop with who you know. And if you don’t know them, read what others are saying about them before you consider shopping with them.
If you have a credit card, it’s generally a good idea to use it instead of your debit card when making online purchases.
The main reason is that when using a credit card, if your payment details are stolen via formjacking (a method of stealing your credit card details from online forms), your bank account usually won’t be immediately affected. In most cases, your bank account is debited at the time of purchase when you use your debit card, whereas your credit card is only paid once per month. This means that you have a much larger window to fix any issues before your money disappears.
Also, as highlighted by the Federal Trade Commission, your liability for fraudulent charges is drastically different between a credit card and a debit card.
As a matter of good practice, check your credit card statements as often as possible. Most credit card companies have an app or will let you sign up to receive texts when a charge has been added to your account. Do an inventory. If something doesn’t look right, give your credit card company or bank a call and try to sort it out. If you have any concerns, put a hold on your cards. You can even cancel them and have new ones sent to you. It’s better to be without a credit or debit card for a few weeks than to be without money you didn’t spend.
This goes without saying, but use a strong password consisting of letters (both uppercase and lowercase), numbers, and special characters. Not only does that make it more difficult for would-be fraudsters to guess, but it also makes it extremely hard for anyone to access your account via a brute-force attack.
Don’t think you have anything to worry about? At the time of writing, there are 10,599,375,985 hacked accounts, according to the Have I Been Pwned database. Out of those 10.6 billion accounts hacked, at least one of those accounts was using a password more secure than yours.
If you can memorize your password, it’s not secure enough. There are plenty of password managers to help you keep up with everything.
When you’re browsing the internet on public Wi-Fi, anyone can see what you’re doing. Threat actors see this for what it is—a chance to monitor your activity and capture your personal information, such as passwords or banking details.
When you use a Virtual Private Network (VPN), all your traffic goes through an encrypted tunnel—protecting your information from interception. This allows you to safely shop from anywhere—even from a café or airport. Keep in mind, though, that a VPN doesn’t protect you from snoopers looking over your shoulder. When you do anything online that requires you to enter your credit card or bank details, it’s probably a good idea to do it at home.
Phishing attacks are by no means new, but they are still prevalent in the world of cybercrime. Why? Because even the most novice threat actor can pull it off.
All throughout the year, but especially during holiday seasons, you will be spammed with phishing attempts via email, social media, and even SMS texts. If something seems like it’s too good to be true, it probably is. Don’t click that link.
If you’re unsure how to tell whether a marketing message is legit, here are a few signs to look for:
- Poorly written content: Most respectable retailers care about their content. If the content is sloppy, contains several typos, reads poorly, etc., be cautious.
- Sender email address: If Walmart is claiming to have a special going on, they won’t ask Steve to send out a newsletter with his personal Gmail account. Make sure that the email is a corporate email.
- Unencrypted email: In Gmail, for example, if the lock next to the “to” field is red and crossed out, the email is unencrypted. This doesn’t necessarily mean that the email is a phishing attempt, but it’s best not to communicate with the sender, and it’s especially important not to share any sensitive information. Anything you send over an unencrypted connection will be sent in plain text for anyone to see.
Verify that everything is real before moving forward. Don’t click any links in the email and, instead, visit the official, legitimate site if you have any suspicion about the email or sender. This could save you a world of headache, as even just clicking the link can install malicious software on your local machine.
On any reputable eCommerce website, you’ll be able to find the company’s return policy. Amazon is a great example of this, and clearly details the return and refund policies for the various arms of their business. It’s always wise to read up on this before you make a purchase, just so you know what you’re dealing with.
If you can’t easily locate the company’s return policy on their website, you can try doing a site search on Google (or on any search engine, really). Just head to the Google search bar and type site: plus the domain name, followed by the search query. For example, if I wanted to search for Amazon’s return policy page on Google, I’d type:
site:amazon.com return policy
If you can’t easily locate the site’s return policy, you should consider that a red flag. And if they don’t have one, it’s best to avoid them completely. However, even if a site doesn’t state its return policy, that doesn’t mean that you aren’t protected. In the case of fraud or misrepresentation of the product or service, you can even take the retailer to court.
If your information has been stolen, there are a few actions you can take to protect yourself and help prevent others from becoming a victim.
If your bank details or personal information was stolen, call your bank and let them know that your information has been compromised. They’ll cancel the old card details and issue you a new card. This may be inconvenient, but it’s the safest way to prevent more money from leaking out of your accounts.
If a fraudster is taking out loans or new credit cards in your name, report the incident to credit agencies and request what’s known as a “credit freeze.” According to the FTC, this makes it more difficult for identity thieves to open new accounts in your name.
Finally, report the incident to the Internet Crime Complaint Center (IC3), which is a partnership between the Federal Bureau of Investigation (FBI), Bureau of Justice Assistance (BJA), and the National White Collar Crime Center (NW3C). If you’re not based in the U.S., your local government likely has a similar system for reporting cybercrime, and a quick Google search (such as “report cybercrime <location>”) will probably return relevant results. Taking this action may prevent other people from becoming victims.