Individuals and retailers aren't the only ones getting ready for the biggest shopping season of the year. The holiday shopping season is also a big event for cybercriminals. Every holiday season, security researchers document spikes in online criminal activity, ranging from phishing scams, fake shopping sites, and credit card skimming software, to malicious and compromised applications being posted in online app stores. At the same time, because people will be getting out their credit cards to, most likely, make several purchases, attackers assume that a few fraudulent transactions may be easily missed.
Here are a few tips to help you have a happy and secure holiday shopping season.
Getting Ready for Holiday Shopping
One of the best ways to ensure a safe cyber shopping experience is to prepare for it.
- Patching and Updating:
- Start by making sure your devices, software, browsers, and applications have all been patched and updated to the latest versions. It is especially important that you are using updated and patched operating systems on all your devices. Shopping on a mobile device at a physical retail location is quite common, but it may introduce risks you have not considered, as many IoT devices are not updated as frequently.
- Security Tools:
- Make sure that your devices have security tools installed, such as antivirus and VPN, and that you know how to use them.
- Update Passwords and Avoid Replication:
- Update older passwords with newer ones that are harder to guess but easier to remember. One trick is to use the first letter of every word in a phrase you know. We recommend using passphrases when possible. A passphrase is a sentence that is easier to remember, but very difficult for password crackers to break. An example of this might be "My voice is my passport." In this case, the password doesn't have special characters or numbers, but a sentence with spaces will be especially difficult for password crackers to attack. Of course, not all websites support passphrases, spaces in passwords, or long passwords. For added security, add special characters and numbers to your passphrase.
- Don't use the same password for different accounts. If needed, use a password vault that keeps track of all of your passwords for you.
- Credit vs. Debit Card
- Shop with your credit card and not your debit card. Many credit cards include fraud protection. They can also be turned off without freezing your other resources. Also, make sure that your credit card provider will alert you to suspicious card activity. Many banks also offer one-time or limited passwords. There are specialty sites such as privacy.com that will let you create a credit card number for each transaction.
Go the Extra Mile to Ensure Cyber Safety This Holiday Season
While the tips listed above are an important start, there are a few more things that you should consider if you are adamant about safe cyber shopping.
- Secure Browsing
- Every browser supports secure transactions using SSL encryption. But to be safe, make sure your connection is secure before you push the "purchase" button. You can do this by looking at the URL bar of your browser and making sure that the address starts with https:// rather than http://. You can also look for the little lock icon on your browser. These tips combined will ensure that your transaction is protected. Popular open-source plugins include HTTPS Everywhere and uBlock Origin, which can be added to most browsers for free to secure transactions, filter content, and block ads.
- Virtual Private Network (VPN)
- When possible, shop using a VPN (virtual private network) connection. That way, even if your communications are intercepted, they will be useless to cybercriminals because your data is encrypted. If you are going to be online in public places frequently, there are a number of low-cost/no-cost VPN services that will ensure that your connection is always protected.
- Virtual Machine (VM)
- For more technical users, consider setting up a VM on your computer just for shopping. That way, if you happen to get infected, the infection will be isolated to the VM and criminals should not be able to access other sensitive data on your device.
- Multi-Factor Authentication (MFA)
- You can also further secure access to sites by setting up multi-factor authentication. Many online sites such as banks support two-factor authentication to doubly secure your financial data. Make sure you have it set up on your device and that you know how to use it. You will also want to back up your one-time access codes or recovery keys when you use this option. Don't just settle for SMS verification, but use something like Google Authenticator or YubiKey.
- Be Vigilant
- If you do most of your shopping online but still go to a store for some purchases, be careful with machines or merchants that want you to swipe a physical card rather than use the chip. Use contactless options such as tap and go if possible.
Determining Safe vs. Unsafe URLs
- Everyone has heard that you shouldn't click on links in an email or on a website unless you know they are safe. However, about one-third of users do it anyway. One way to conquer your curiosity is to know what the link leads to. Try these the next time you get sent a link you're unsure about:
- Hover your mouse over a link and you should be able to see the URL either as a pop-up or at the bottom of your email or browser page.
- Look at it carefully before you click it. Does it look normal? Is the name too long or does it contain lots of hyphens or numbers? Is the URL going to the site it claims to link to, or to somewhere else? Does it replace letters with numbers, such as amaz0n.com?
- Look up the URL before you click on it. You can do this by copying the URL of the site you are visiting and dropping it into a domain search engine like who.is. This will provide a variety of information, such as when the site was first created, where they are physically located, and information about the owner. Be suspicious of anything that has only been online for a very short time or that is registered in another country. Fortinet's FortiGuard Labs can also help.
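The manual checks above can also be automated. The following is an added example, not code from Fortinet: the function names, the short list of known sites, and the length, hyphen and digit thresholds are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed list for illustration; use the shops you actually buy from.
KNOWN_SITES = {"amazon.com", "paypal.com"}
# Digits commonly swapped in for look-alike letters (amaz0n -> amazon).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def registered_domain(host):
    """Naive last-two-labels domain (assumption: ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(shown_text, href):
    """Return warnings for a link, given its visible text and real target."""
    warnings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    domain = registered_domain(host)
    if parts.scheme != "https":
        warnings.append("not https")
    # Thresholds below are assumed values, not taken from the article.
    if len(host) > 40:
        warnings.append("very long host name")
    if host.count("-") >= 3 or sum(c.isdigit() for c in host) >= 4:
        warnings.append("many hyphens or digits")
    # Letters replaced with numbers: normalises to a known site but is not it.
    normalised = domain.translate(LOOKALIKES)
    if domain not in KNOWN_SITES and normalised in KNOWN_SITES:
        warnings.append("look-alike of " + normalised)
    # The visible text names one site while the link goes to another.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", shown_text.lower())
    if shown and registered_domain(shown.group(1)) != domain:
        warnings.append("link text and destination differ")
    return warnings

if __name__ == "__main__":
    # Constructed sample links; example.net is a reserved documentation domain.
    samples = [
        ("Amazon holiday deals", "https://amaz0n.com/deals"),
        ("www.paypal.com", "http://secure-login-paypal-account-verify.example.net/"),
        ("www.amazon.com", "https://www.amazon.com/gp/cart"),
    ]
    for text, href in samples:
        print(href, "->", check_link(text, href) or "no warnings")
```

An empty result only means none of these simple checks fired; looking up the domain's age and owner, as described in the last step, is still worthwhile.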
Pay Attention to the Website
Be aware that cybercriminals will go to great lengths to spoof popular shopping sites. However, there are ways to tell if you have landed on a site you need to worry about.
- Start by looking at the website design. Most cybercriminals do not have the time or resources to make an exact duplicate of the site they are spoofing or to develop their own fake shopping site. A little looking around can go a long way to helping you decide if you should stay or go. For example, does the website look off? Are the links broken, or are they misconfigured or slow? Are there lots of popup ads? If the answer is yes, these are all bad signs.
- Next, read the text on the website. Bad grammar, unclear descriptions, and misspelled words are all giveaways that the site may not be legitimate.
- Remember that if it's too good to be true, it usually is. Of course, there are sometimes really great deals for things on the internet. But in general, unusually low prices and high availability of hard-to-find items are red flags for scams and vendors selling knock-offs.
- Finally, make sure the checkout system accepts major credit cards. Avoid sites that require direct payments from your bank, wire transfers, or untraceable forms of payment. Where possible, use things like PayPal or Verified by Visa payment systems to protect yourself and your assets.
An Ounce of Prevention...
Online shopping and the growing digital marketplace are transforming our world, giving us fast access to a wider variety of things than at any other time in history. However, this expanded landscape comes with real risks that need to be understood.
People looking to take advantage of unsuspecting consumers have been around as long as there have been marketplaces to shop in. Today's cybercriminals are no different. They are not only technically savvy, they also recognize the latest consumer trends, understand the underlying assumptions shoppers make, and know how to exploit them. However, by taking the time now to educate ourselves and others, we can have a productive and safe holiday shopping experience.