Shopping securely: How to take the ‘Black Hat’ out of Black Friday and Cyber Monday
We’re indebted to Corey Nachreiner, CTO at Watchguard, for this timely article on secure use of the web.
Perhaps you’ve had your eye on that new 4K, HDR, 80-inch TV or you’ve been looking for a deal on that expensive LEGO set your child wants for Christmas. In either case, you’re probably eagerly anticipating the sales that return each year during the Black Friday and Cyber Monday shopping rush. However, you should also remember that cyber criminals and “Black Hat” hackers get just as excited about the holiday season, as it offers a perfect opportunity to target unsuspecting online shoppers. The good news is that with a few basic tips, you can still enjoy the upcoming sales without allowing these thieves to force their fingers into your digital pocketbook.
Here are four security tips every online shopper should keep in mind this holiday season:
Shun suspicious sham emails
Let’s start with the basics. The most obvious way we see attackers exploit Black Friday and Cyber Monday is with an increase in targeted social engineering and phishing emails. Criminals know we’re on the lookout for new deals and that we’re likely to be making more online purchases during this time of year. As a result, they know specifically how to craft their scam messages to more easily trick us into doing things we shouldn’t. For example, some of these malicious emails might pretend to offer crazy deals that seem too good to be true. Other emails might warn you about issues with your credit card, which you may be more sensitive to since you’ve been using it more than normal. Finally, if you are buying gifts online, hackers know you probably have some shipments on the way, which is why we also tend to see an increase in fake FedEx and UPS emails during big holiday seasons.
Whatever the case, you should always remain suspicious of any email you get from external sources, but turn that skepticism up to 11 during the coming shopping season. Avoid clicking links in any external emails, especially ones saying they are from your bank or credit card provider. If you think the email might be legit, just visit the site manually by typing the domain into your browser. Furthermore, avoid attachments in emails, especially ones that look like shipping company tracking notices. In many cases, that attachment is malicious and hopes to install malware on your system. Lastly, make sure to install a security suite on the computer you use for your online shopping activities. These suites tend to have a number of security services that might still protect you from yourself in the few cases you accidentally click that malicious link or file. With a little vigilance, it should be pretty easy to avoid most shopping-based email scams.
Don’t swipe without protection
If you’re like me, you spend the majority of the shopping season online to avoid fighting through lengthy lines and crowds of people at brick and mortar stores. However, using your credit card online can be dangerous. In the worst case, the site that’s offering those crazy deals is all a façade, and entering your credit card information will result in thieves draining your account. Best case scenario, you use your credit card on a totally legitimate site, but even then you might not be entirely safe. In some cases, these normal sites store your credit card information on file, only to get hacked themselves, thus leaking that sensitive data to the attackers. Just recently, we saw the Magecart attack, where hackers injected malicious code into legitimate ecommerce sites that could intercept credit card data during legitimate online transactions. In short, there is always a risk when using your credit card online, even when you’re shopping on a real site.
That’s why I don’t swipe my card online without an extra layer of protection, such as third-party payment systems like PayPal. Many of today’s top ecommerce sites offer alternative payment solutions. PayPal is the most common, but there are others like Google Wallet, Apple Pay, WePay and more. Some sites even take Bitcoin and other cryptocurrencies. Most of these alternate payment systems are already connected to the credit card you might use to shop online, the only different is now there’s another layer of separation between your credit card information and that site you are doing business with. For example, if you use your PayPal account for online purchases, the ecommerce sites never get the details of the credit card you’ve attached to it.
Now you do need to realize PayPal and the other third-party payment providers do have your credit card details on hand. If they get hacked, that data will be compromised. However, as a mature payment processer, PayPal is much less likely to sustain a breach than the average website. In short, avoid using your credit cards directly when shopping online.
Don’t shop online at just any site
If you do most of your online shopping at well-known retailers, like Amazon, Best Buy, or New Egg, you already know they are legitimate, and for the most part you can trust them. That said, sometimes it’s nice to get away from monopolies and give smaller startup sites a chance, especially when they sell something unique. There’s nothing wrong with trying a new ecommerce site that you haven’t used before, but if you do, treat it with a little skepticism at first. Do some Google research on the domain to see if anyone has reported it as a scam site. Check the Better Business Bureau’s resources to see if anyone has reported it in the past. With just a few minutes of due diligence, you should be able to tell if a shopping site is safe or not.
Look for the lock (but know that it will be gone next year)
Finally, if you do shop online, at some point you’ll have to share some of your personally identifying information (PII) with the site in question—even if you are using a third-party payment system. Whenever you do enter your information on a website, look for the green lock icon in your browser, or the letters “HTTPS://” in the site’s URL. This ensures you’re passing encrypted communications to that site.
However, you should also know that green lock won’t be around for much longer. Google, and other browser providers have been pushing for all sites to use HTTPS or encrypted traffic. In the near future, they plan on depreciating the lock, as they expect all sites to have it. Instead, your browser bar will simply display an “insecure” label for sites that don’t use HTTPS. This year, the advice stands—look for that green lock, but remember this may be different next year.
Personally, I love Black Friday and Cyber Monday and often take advantage of the special seasonal deals to purchase holiday gifts. There’s nothing wrong with enjoying these shopping days as long as you remain vigilant to potential security threats you’re likely to encounter along the way. If you follow these basic information security tips while shopping online for the holidays, you should be able avoid those risks and keep your data safe and secure.
Read more on Turnkey’s IT support services here Support