Florida Center for Cybersecurity

While no system or website is hack-proof, there are steps you can take to avoid some common pitfalls of online shopping. Here are a few tips to help you enjoy a more secure online shopping experience.

Beware of unsolicited or unexpected e-mails and text messages. 

An e-mail/text-message scam known as "phishing" is one of the most common, widespread methods cybercriminals use to steal personal information. In a phishing scam, a cybercriminal sends an e-mail or text that appears to be a legitimate communication from a business or person you know. Criminals go to great lengths to make these communications appear authentic, including corporate logos and look-alike links (links that closely resemble a company's actual URL). The e-mail/text will try to entice you to click on a link by saying you need to reset your password or update your settings or by promising something beneficial, such as a coupon to redeem or a free gift. The link may take you to a phony website where you are prompted to enter personal information, such as your username and password, thereby inadvertently handing your login credentials to the criminal; or clicking the link may infect your device with malicious software. The image to the right is an example of an actual phishing e-mail designed to steal PayPal login credentials. Looks pretty convincing, doesn't it? If you get an e-mail like that, don't click the link. Instead, open your browser and navigate to the website independently from the e-mail. For more examples and detailed information on phishing scams, visit www.phishing.org.

Use credit cards rather than debit cards, and don't save your payment information.

Keep your personal bank account information out of the hands of cybercriminals by using credit cards when possible for online shopping. There is also the added bonus that many credit cards offer consumer fraud protection so, if there is a breach, you are not accountable for fraudulent charges. And, though many websites offer the convenience of saving your payment information for future purchasing, it's best not to. If that retailer is breached, the criminals may gain access to your payment information. 

Be wary of unfamiliar online retailers.

In 2016, the cybercrimes most reported to the FBI's Internet Crime Complaint Center, both nationwide and for Florida, were non-payment/non-delivery crimes, in which individuals either paid for goods that they never received or shipped goods that were never paid for. It's easy for criminals to create websites that are false fronts for stealing information and money. In fact, it was recently reported that about 1.5 million new phishing websites are created each month. How can you tell if you're on a fake site? An article by CNBC details some general warning signs, such as:

  • Discounts too good to be true. If a website advertises suspiciously steep discounts, do some comparison shopping. Competition typically keeps product pricing pretty even from one site to another. If the site's price is markedly below the standard price for the product, the site is likely fake.
  • The site has spelling mistakes, doesn't run well, or is poorly designed. Legitimate retailers invest time and resources to have a website that functions well and is appealing to consumers. An outdated look, poor spelling, and broken links are red flags that the retailer is not for real.
  • Off-brand domain names. Most legitimate retailers have secured a URL that matches their company name, such as michaelkors.com. If you encounter a site that has added words such as "deals," "savings," or "discounts" to the URL, like michaelskorsdeals.com, it is likely fake.
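
The off-brand domain check above can be automated. The sketch below is an added example, not part of the original article: it strips the bait words the article names from a domain and compares what is left with a known brand by edit distance. The brand list, the `paypa1.com` sample, and the one-label TLD handling are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: brands to protect, mapped to their official domains (constructed list).
KNOWN_BRANDS = {"michaelkors": "michaelkors.com", "paypal": "paypal.com"}
# Bait words named in the article; a production list would be longer.
BAIT_WORDS = ("deals", "savings", "discounts")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(url_or_host: str) -> str:
    """Label left of the TLD. Naive: assumes a one-label TLD such as .com."""
    target = url_or_host if "//" in url_or_host else "//" + url_or_host
    host = (urlsplit(target).hostname or "").rstrip(".")
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def classify(url_or_host: str) -> str:
    """Compare a URL or hostname against each known brand."""
    label = registrable_label(url_or_host)
    for brand, official in KNOWN_BRANDS.items():
        if label == brand:
            return f"official ({official})"
        core, had_bait = label.replace("-", ""), False
        for word in BAIT_WORDS:
            if word in core:
                core, had_bait = core.replace(word, ""), True
        # One edit away covers an added, dropped, or swapped character.
        if edit_distance(core, brand) <= 1:
            kind = "off-brand" if had_bait else "typo"
            return f"{kind} look-alike of {official}"
    return "no match"


if __name__ == "__main__":
    # Constructed sample inputs; the second is the article's own example.
    for sample in ("michaelkors.com", "http://www.michaelskorsdeals.com/sale",
                   "paypa1.com", "example.com"):
        print(f"{sample:40} -> {classify(sample)}")
```

A match here is only a signal to look closer; the check does not catch a brand name placed in a subdomain of an unrelated domain.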

You can also check for known malicious websites using Google's Transparency Report, checking with the Better Business Bureau, or performing a Google search to see if the retailer or website has any complaints.

Use a different password for each website.

Okay, we know that sounds like a lot of work, but criminals count on people using the same or similar passwords for a variety of websites. All they need to do is compromise one website or company, and they can access all of your accounts. It sounds daunting, but there are a number of free and low-cost apps that will help you generate strong passwords and store them for you. This article by PCMag lists the top password managers of 2017 with comprehensive reviews of each.

Get personal with password reset questions.

People can find out a lot about you from simple online searches. Details such as the town where you were born or the street you grew up on often turn up in public searches. For password reset and authenticity questions, use more personal, subjective questions such as "Who was your favorite teacher?" or "What was your favorite car?"

Use caution with coupon and promo codes.

Grouped with phishing scams and fraudulent online retailers is the phony coupon code. Criminals must entice you to click their link, and the promise of savings is a good way to do it. It may come through e-mail or text, or it may be a post on social media or an online ad (criminals will invest some money for paid advertising if they know there is a bigger payoff coming). When in doubt, navigate to the company's website separately from the ad and enter the coupon code manually to see if it's legitimate. If asked to click a link or share personal information in exchange for the promotional code, it is likely fraudulent. Legitimate companies are aware of these scams and do not make such requests of their customers. Legitimate companies share promotional codes freely in the body of the e-mail or ad.

For more online safety tips, visit staysafeonline.org.

This is an example of a fraudulent PayPal notification used in a phishing scam. When in doubt, don't click any links in a suspicious e-mail. Open your browser and navigate to the site independently of the e-mail. If the notification is legitimate, it will appear when you log into your account.