Nov. 23, 2011 at 12:00 PM ET
Rather than risk life and limb against the crushing masses on Black Friday, millions of us will opt instead to shop online on Cyber Monday from what we think is the relative safety of our homes. But there too, danger lurks. It's not as obvious — but it may be even more bruising, especially to your finances.
By now, consumers should know not to use any of the 25 worst passwords of 2011, nor should they be placing orders on anything but a secure browser connection (look for "https" in the Web address). But security experts have other tips, too, to try to keep you safe and not unnecessarily parted with your money.
"Cyber Monday is not only a big day for retailers, it’s a big day for hackers and criminals taking advantage of consumers by directing them to websites which can drop malware and Trojans onto consumers' systems — the result being stolen cardholder data," said Mark Bower, a vice president with Voltage Security. "Similarly, fake merchant sites are often set up to lure customers to enter card details."
Last year, Cyber Monday sales topped $1 billion for the first time, making it the busiest online shopping day ever. A recent survey from the National Retail Federation shows that 8 in 10 retailers will have some kind of special promotions for that day. NRF also found that more people were willing to spend money online than to get up early or wait in the cold for hours: 96.5 million Americans shopped on Cyber Monday in 2009, vs. 79 million who needed to feel the merchandise in their hands on Black Friday.
Voltage Security's Bower offered some basic steps to help consumers avoid risk:
- Don’t open suspicious emails - Avoid becoming a victim of key loggers and malware from phishing attacks.
- Never send unencrypted credit or debit card data in email - Always encrypt your email if it's necessary to do this.
- Ensure your system is free from malware and viruses by being up-to-date with security scans.
- Become familiar with your online merchant - Make sure they have a valid SSL (secure socket layer) Web server certificate from a reputable supplier. If SSL is not enabled, don't enter card details, as your data can be intercepted by hackers.
- Don't enter card details if you are suspicious of a website or merchant.
Trend Micro, which oversees the Malware Blog, also compiled some tips into an infographic. We already shared one of them in the image above: bookmark reliable sites, since hackers can hijack search engine results and fool you into visiting fake sites.
Other tips include verifying unbelievable offers (if it's too good to be true, it probably is), double checking the URL of the payment page to make sure it's not spoofed, and always using reliable security software.
Web and email threats are so prevalent — see our recent story on the McAfee malware report — that it's not crazy to be a little paranoid about safety. Michael Sutton, VP Security Research at Zscaler ThreatLabZ, the research arm of cloud security company Zscaler, even has a four-point strategy for foiling 95 percent of these kinds of threats:
- Beware of everything and everybody! Be cautious, vigilant, and wary about everything — your browser search results, what you click on every step of the way, what information you provide online, who’s trying to communicate with you on social networks, what emails you open or even preview, all manner of forwarded (FW:) emails, or messages and links purportedly coming from friends or trusted websites.
- Update and patch! Make sure your Web browser is the most up-to-date version; run Windows, Mac and software updates religiously. Most threats leverage vulnerabilities that could have been avoided through simple patching, so updating will also protect you from emerging threats.
- Block bad content! Use a URL or Web content filtering service like OpenDNS, which automatically blocks websites known to be bad or malicious.
- Be cautious even when using your mobile device! Consumers will encounter many of the same Web and email threats using their mobile devices as they do using laptops and desktops. Don’t think that just because you’re on an iPad or Android, you’re safe.
Sutton adds, "Online shopping can and should be safe, regardless of the medium. Unfortunately, mobile browsers tend to lag behind their desktop cousins when it comes to integrated security features, such as blacklists, or controls to prevent the execution of malicious content. The best defense for any consumer is diligence. Do not click on a link that has been sent to you online. If you receive an offer of a sale, go directly to the vendor and identify the sale at the vendor's site. Do not trust third party communication that may well have been spoofed."
“You can’t beat shopping online for convenience, comfort and comparing prices,” said Katherine Hutt, a national Better Business Bureau spokesperson. “But don’t let your guard down. Take the necessary precautions to avoid fraudulent websites, scammers and other Grinches who would just love to ruin your holidays.”
In addition to sharing many of the same warnings mentioned above, the BBB had some tips of its own:
- Pay with a credit card – It’s best to use a credit card, because under federal law, you can dispute the charges if you don’t receive the item. You also have dispute rights if there are unauthorized charges on your credit card, and many card issuers have “zero liability” policies under which the card holder pays nothing if someone steals the credit card number and uses it. If you are going to shop on classifieds web sites like Craigslist, never wire money and only buy locally where you can see the item before you hand over your money.
- Keep documentation of your order - After completing the online order process, there may be a final confirmation page or the shopper might receive confirmation by email – BBB recommends saving a copy of the web page and any emails for future reference and as a record of the purchase.
- Check your credit card statements often – Don’t wait for paper statements; BBB recommends consumers check their credit card statements for suspicious activity by either calling credit card companies or by looking at statements online regularly.
"Let's look at this another way: This last year has seen hacking attempts on direct marketing firms — like the Epsilon breach which puts consumers at increased risk of a Cyber Monday attack," Voltage Security's Bower said. "On top of this, we also had repeated attacks on gaming and media networks. All consumer data is ripe for pickings on days like Cyber Monday."
Good luck with your shopping, all, and please stay safe!