Comment: ‘Tis the Season for Cyber Scamming

Trustwave's Percoco says ‘Tis the season for cyber scamming…and for better security awareness

Shopping for that perfect holiday present is exciting, and many bargains are to be found online. But just because you’re able to shop from the comfort of your own home, it doesn’t mean you can let down your guard.

As the holiday shopping season gets underway, the risk of cyber attacks and cyber scams increases. This year consumers should be particularly wary of social networking-based scams, such as ‘coupon codes’ that provide links to supposedly heavy discounts at popular stores or on popular toys.

With more consumers using social media such as Twitter and Facebook, this type of scam can quickly spread via innocent Tweets and Facebook posts by bargain hunters who believe they're providing friends with legitimate money-saving opportunities. Clicking on the link could send the shopper to a fake (or illegitimate) site that silently installs drive-by malware or a botnet client and then redirects them to the real online store, so the victim sees the expected page and suspects nothing. The malware can then capture sensitive data and user activity on the consumer's personal computer.

These types of attacks can easily become viral on social networks and increase the number of people affected. Cyber attacks via social networks could happen at any time but, around the holidays, people who are looking for the best deals might be more susceptible to the promise of a good bargain.

Best Practices for Safe and Secure Online Shopping

Following are several best practices to follow when shopping online, to help avoid all types of scams:

  • Links provided in e-mail, IM, social media and other communication mediums should not be trusted. If contacted via any of these online mediums with live links, do not provide any information. Instead, visit the retailer's website directly, on your own, to find out if they in fact have the ‘special’ or ‘deal’ being advertised.
  • During the checkout process, a consumer should never be asked for information other than billing, shipping and credit card information. If asked for a government identification number, driver’s license number, mother's maiden name, debit card PIN, etc., then it is either a scam or the transaction is being tampered with, possibly by data-harvesting malware on the consumer's computer.
  • Do not inherently trust online communication more than a random phone call or random stranger on the street.
  • If someone calls and asks for personal information or credit card information, just say ‘no’. Once personal information is provided, it cannot be retracted.
  • If any personal information or password has been provided, notify the providers of all potentially affected accounts immediately. In the case of online bank accounts and other similar online systems, change passwords and contact the administrator of the system immediately.

Safeguard Your Credit Card: Security Tips to Prevent Theft

After investigating and analyzing more than 1000 cases of stolen credit card information from businesses, including e-commerce sites, Trustwave has developed a list of ‘trust indicators’ that consumers should try to identify on websites before beginning their shopping experience (and before they enter any personally identifiable information on the site). Identifying the presence of these trust indicators will help shoppers protect their identity and ensure their credit card information is secure throughout the transaction process.

  • SSL certificates: The site's SSL certificate lets the browser encrypt personal information in transit between the web browser and the site's server. An encrypted (SSL/TLS) connection can be identified by a lock in the web address bar and an ‘s’ after the ‘http’ in the web address. An EV SSL certificate, an enhanced certificate issued only after a rigorous process to validate the organization's identity, can be identified by the browser address bar turning green (in the browsers of the time; current browsers have since dropped this distinct display). Note that the lock means only that the connection to that host is encrypted; a fraudulent site can obtain an ordinary certificate for its own domain too, so the lock is one indicator among several, not proof that the merchant is legitimate.
  • Privacy policy: A page on the website should disclose some or all the ways the e-commerce site retains, processes, discloses or purges personal customer information.
  • Review return policy: A page on the website should provide information on actions to take should a good arrive damaged, defective or not usable.
  • Reputation: Consumers should research the e-commerce site to ensure they are shopping with a reputable company with which other shoppers have had good experiences.
  • Company information: Confirm the e-commerce site has a physical location and valid phone number should there be a need to make actual contact.
  • Website trust indicator: Site seals, when clicked, provide current information about an underlying certification and reassure shoppers that the e-commerce site abides by certain requirements or standards, similar to Trustwave's Trusted Commerce seal. A seal image alone can be copied onto any page, so only the click-through verification served by the certifying organization means anything. If the site seal is not clickable or does not render, Trustwave recommends that consumers avoid shopping at these sites.
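The two indicators above that a shopper can check mechanically are the advice not to follow links from e-mail or social posts and the advice to look for HTTPS. The following Python script, added here as an illustration and not part of the original article or Trustwave's tooling, screens a link before it is followed: it confirms the scheme is https, that the host is really a known retailer rather than a look-alike (such as a retailer name used as a subdomain of another domain, or placed in the `user@` part of the URL), and that the host is not a bare IP address or an internationalised domain that could imitate a familiar name. The retailer allow-list and all sample URLs are constructed for the example; a real deployment would use the exact domains of the stores you shop at and a proper public-suffix list.

```python
"""Screen a shopping link before following it.

Added example (not from the original article). Checks whether a URL found
in an e-mail or social post really points at a retailer the shopper knows
and whether it uses HTTPS.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list for the example. Real use: the exact domains of the
# stores you actually shop at.
KNOWN_RETAILERS = {"example-store.com", "shop.example.net"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host, e.g. 'www.example-store.com' -> 'example-store.com'.

    Assumption: a two-label public suffix. Country-code suffixes such as .co.uk
    need a real public-suffix list to be handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def screen_link(url: str, known=KNOWN_RETAILERS) -> list[str]:
    """Return the reasons a link is suspicious; an empty list means it passed."""
    reasons = []
    parts = urlsplit(url.strip())

    # 1. Transport: anything other than https means card data travels in the clear.
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'!r}, not https")

    # 2. 'retailer.com@evil.example' puts the trusted name before '@'; the real
    #    host is whatever follows it.
    if parts.username is not None or parts.password is not None:
        reasons.append("URL carries user@ credentials; text before '@' is not the host")

    host = parts.hostname or ""
    if not host:
        reasons.append("no host name")
        return reasons

    # 3. A bare IP address is never how a retailer presents its store.
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address, not a retailer domain")
        return reasons
    except ValueError:
        pass

    # 4. Non-ASCII or punycode labels can imitate a familiar name with look-alike characters.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) host label; may be a look-alike domain")

    # 5. 'www.example-store.com.evil-deals.example' is owned by evil-deals.example,
    #    so compare the registrable domain, not a substring of the host.
    domain = registrable_domain(host)
    if domain not in known:
        reasons.append(f"registrable domain {domain!r} is not a known retailer")
    return reasons


if __name__ == "__main__":
    # Constructed sample links of the kind that circulate as 'coupon codes'.
    samples = [
        "https://www.example-store.com/holiday-deals",
        "http://www.example-store.com/sale",
        "https://example-store.com@evil-deals.example/coupon",
        "https://www.example-store.com.evil-deals.example/coupon",
        "https://192.0.2.10/deal",
    ]
    for link in samples:
        verdict = screen_link(link)
        print(f"{link}\n  -> {'OK' if not verdict else '; '.join(verdict)}")
```

The checks are deliberately conservative: a link that fails any of them is one to type in by hand at the retailer's real address rather than click, which is exactly the advice in the first best-practice bullet above.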

Should a consumer experience a fraudulent charge on their credit card, they should call their card issuer immediately and tell them about the charge. More often than not, consumers are not held liable for those charges.

‘Tis the season for cyber scamming…and for better security awareness. But since cyber attacks can happen at any time, now is also the season to get a head start on New Year’s resolutions by following these best practices today and continuing to do so throughout the year to help ensure personal information and card data remain secure.


Nicholas J. Percoco is senior vice president and the head of SpiderLabs, the advanced security team at Trustwave that has performed more than 1000 cyber forensic investigations globally, thousands of penetration tests and application security tests for Trustwave clients. In addition, his team is responsible for the security research that feeds directly into Trustwave's products through real-time intelligence gathering. He has more than 15 years of information security experience. Percoco acts as the lead security advisor to many of Trustwave's premier clients by assisting them in making strategic decisions around various security and compliance regimes. As a speaker, he has provided unique insight around security breaches and trends to public and private audiences throughout North America, South America, Europe, and Asia, including security conferences such as Black Hat, DEFCON, SecTor and You Sh0t the Sheriff. Percoco holds a BS in computer science from Illinois State University.
