Cybercriminals love the holiday shopping season. Their potential victims are all caught up in the frenzy of shopping, finding the best deals and acting quickly to take advantage of limited offers. Email and social networks are clogged with sales and offers, both legitimate and fraudulent.
So what's a security-conscious consumer to do?
"Be paranoid ... trust nothing," is a good motto to keep in mind, said Anup Ghosh, chief scientist at Invincea, an enterprise Internet-security provider in Fairfax, Va.
Ghosh recommends looking at every incoming email with "an extremely healthy dose of paranoia and suspicion."
While products exist to scan and block malicious links, consumers must also train themselves to question every email and online-shopping deal they come across.
Scams are especially prolific at this time of the year, with fake deals and offers flooding the email inboxes and social networks that direct customers to counterfeit sites or to survey sites.
Fake websites and ads trick users into visiting sites designed to steal financial data or personally identifiable information.
"You simply will not be able to distinguish a spoofed site from the legitimate site by look and feel," Ghosh warned.
It has long been a good idea to keep banking websites and other financial pages bookmarked as an alternative to clicking on emailed links. Now it's a time to add online retailers to the list, Ghosh said.
When shopping online, access pages directly from the bookmarks, never by clicking on a link or clicking on a banner ad.
In that way, you can avoid being redirected to phishing pages or accidentally mistyping the site name and landing on a spoofed page.
Here's how some security professionals protect themselves while shopping online, especially during the holiday season. You, too, can be safe online.
Don't click on the link. Just don't
When an email arrives bearing news of an amazing deal, ask a few questions.
Have you ever done business with this company before? Have you ever visited its website? Do you have a credit card issued by it? Have you signed up for its email list?
If the answer to each of the preceding questions is "no," then Ghosh has some simple advice.
"Delete the email and don't look back," he said.
It could be part of a phishing scam.
If the offer seems legitimate, don't click on the link within the email. Instead, go directly to the retailer's website and look around for the details.
Become a Linux user, temporarily
Windows users can switch to a Web browser on a Linux system to take care of their online shopping needs, said Roel Schouwenberg, a senior researcher at anti-virus software maker Kaspersky Lab.
Most modern Linux distributions offer a "live" CD, which will boot up a fully functional modern operating system from a CD or DVD — no hard drive required. Windows users can pop the live CD into the computer's optical drive and boot in to Linux instead.
If an installed Windows operating system is infected with a keylogger, banking Trojan or other kind of information-stealing malware, then firing up the live CD means that none of the malware will be loaded. Users can shop online without worrying about malware intercepting sensitive financial information.
Clear out the cookies
Retail websites and banner ads install cookies and other types of tracking data into the consumer's Web browser. Cookies are used to track users across sessions, preserve login details and save preferences — but they can be intercepted for malicious use.
Dumping browser cookies and cookie-like data after every Web-surfing session will increase privacy, said Jeremiah Grossman, chief technology officer of White Hat Security in Santa Clara, Calif. Deleting cookies may also result in better online deals, since you'll always look like a "new" to an online retailer.
For Windows-based browsers, clicking the "control," "shift" and "forward delete" keys on the keyboard at the same time will bring up a dialogue box that will let you delete your cookies.
Check and verify the Web address or URL
When it's checkout time on a retail website, take a step back before you type in any credit-card numbers. Check the Web address, or uniform resource locator (URL), of the payment page and make sure it's using a secure connection.
You should be seeing either the character string "https://" before the website URL, or a small icon of a green padlock, said Catalin Cosoi, chief security strategist of Bucharest, Romania anti-virus firm Bitdefender.
Check the URL to make sure the address is correct, and not a slight misspelling of the real address or a random URL.
Cosoi said he also checks to see whether the site has a certificate of authority, which establishes a website's identity, from a trusted source such as VeriSign.
For unfamiliar sites, Cosoi checks the publicly available WHOIS information databases, such as http://whois.domaintools.com/, to find details about registration, hosting and online activity.
"If the bank or shop website is registered to a private, or Yahoo/Hotmail/Gmail, address, it’s likely to be fake," Cosoi said.
Use a temporary credit-card number
For one-time purchases, it may be useful to generate a temporary credit-card number. Even if the temporary number is stolen, criminals can't do much with it.
Skyler King, product leader for ZoneAlarm firewall software at CheckPoint Software Technologies in San Carlos, Calif., uses virtual credit cards for online shopping instead of his real credit card.
Some credit-card companies offer a service that allows users to generate a temporary credit-card number. Users request a new 16-digit virtual credit card-number, with a set spending limit and expiration date that fits the upcoming transaction.
The new number is linked to the customer's regular credit card for billing purposes, but the merchant on the other end never knows that the number is temporary.
Not all credit-card issuers offer this service, but it's worth checking for.
Discover calls its service "secure online account numbers," and Bank of America customers have access to "ShopSafe." Citibank offers the service to some of its MasterCard customers.
Designate one shopper and one card
Give one person in the family the responsibility for all online purchases, recommends Gant Redmon, general counsel and business development at Co3 Systems in Cambridge, Mass.
The ideal person is the one who pays the bills, since he or she can regularly check statements for unauthorized charges.
If anyone else in the family receives a fake shipping confirmation email, or any other kind of fraudulent message, it'll obviously be a scam.
Redmon urges parents to never give an Amazon, eBay, PayPal or iTunes password to their kids. The account owner, he said, should be the one making the actual purchases.
White Hat's Grossman recommends designating a credit card with a low credit limit for online purchases only, which will make it easier to weed out scams. Credit cards also have better legal protections than debit cards in case of fraud.
Designate a computer for online shopping
Users who have multiple computers or devices at home should designate one machine for online banking and shopping, suggested Kaspersky Lab's Schouwenberg. The machine shouldn't be used for casual surfing or email.
Schouwenberg also recommended using Google's Chrome Web browser with "forced HTTPS" enabled. This means that only secure websites with valid SSL certificates load; all other sites are not accessible.
Forcing HTTPS connections also means that all Web traffic is encrypted, protecting users from eavesdroppers who "sniff" network activity.
Grossman suggested installing ad-blocking and privacy-protecting extensions on Web browsers. He recommended AdBlock for Chrome, Adblock Plus for Firefox and Disconnect for both browsers.
The extensions will stop a significant number of infections that result from malicious advertisements served up on third-party ad networks, Grossman said.
Who's the email for?
Many bogus shopping emails begin with a general greeting such as "Dear customer," noted Bitdefender's Cosoi.
"If I don’t see my first and last name in the email, I know it’s a scam," he said.
Not all fake emails have poor spelling and grammar, but almost all emails with poor spelling and grammar are fraudulent. The mistakes may be deliberate attempts to evade keyword filters on anti-virus software.
"I’m always on guard when I see shopping websites and email offers with spelling and grammar mistakes," Cosoi said.
Cosoi also ignores emails that demand he respond immediately, such as the ones that threaten to cancel an account if its details are not updated, or if a special deal would expire in 24 hours.
Use a fake identity
Many retail sites require each new user to set up an account linked to an email address in order to make purchases. Security experts often recommend using a set of identity points that aren't real for these accounts — for example, by not entering real answers to security questions such as "What was your mother's maiden name?"
When it comes to holiday shopping, CheckPoint's Skyler King sets up and uses an entirely separate temporary email account.
Not only does the new account draw spam and phishing attacks away from the regular email account, but it also ensures that if an email offer from a new retail account does land in the normal email inbox, it is obviously fake.
Even if personal information is intercepted, all criminals will get are the details to the holiday-shopping email account, which is temporary in the first place.
Use password managers
Kaspersky Lab's Schouwenberg recommends that customers use password-management software to keep track of all their login details for online retail accounts.
It's easy to fall into the habit of selecting a single password, or a group of similar passwords, for all online retailers, because it's nearly impossible to remember unique passwords for every single account.
But such password reuse is dangerous, because if one retailer suffers a data breach, then all your accounts may be compromised. It's even worse if you use common, weak passwords such as "123456" or "qwerty."
Password managers such as LastPass and KeePass do the remembering for you, storing login credentials for various online services and accounts.
Users have to select one master password for the whole thing, but after that, the password manager handles the task of generating unique, strong passwords and logging in users for each site. Password reuse and password weakness will no longer be issues.
Update your anti-virus software
CheckPoint's King had one final tip: Security software on the computer should always be running and up to date.
Some anti-virus applications have a security feature that serves as a vault to lock identity information. The feature allows users to enter personal information, such as account logins and credit-card numbers, and whitelist specific websites which can receive those pieces of data.
If the user is directed to a fake, phishing website spoofing a legitimate one, the software will alert the user and block any personal data from being sent.