If you’re on the prowl for some good Cyber Monday deals, it’s more than likely that hackers will also be hunting for your credit card information.
Once again, Cyber Monday is expected to be the largest online shopping day this year, and the largest in history, with a projected $6.6 billion in sales, up 16.5 percent from last year, according to Adobe Analytics.
The National Retail Federation forecasts that most consumers will turn to online shopping this holiday season, spending an average of $967, a 3.4 percent increase from last year.
Turning on two-factor authentication for email and other mobile accounts, including social media, can add an extra barrier of protection to prevent password theft, Robb Reck, chief information security officer of the identity security company Ping Identity, told NBC News.
With two-factor authentication, users might be required to receive an SMS text message with a unique code needed to complete their login attempts.
Although this extra step requires more effort, taking a few additional seconds to verify your identity is a small price to pay for information security, Reck said.
“While you may think of your financial accounts as the highest risk, it’s actually your email account that allows hackers to go through and reset all your passwords on those other sites,” he said.
But the impact of many of the largest data breaches, like Yahoo’s in 2016, was made worse by password reuse, Reck said. Once a hacker or robot has your password, it is likely that they will attempt to log into other popular websites using the same login information.
“What criminals do is they go through and try and reuse your same password for all your other accounts,” Reck said. “Reusing passwords is a really good way to have bad things happen on a bunch of different accounts.”
Instead of passwords, Reck encourages consumers to use a "pass-phrase," which is a series of words, with a space or hyphen between them, that is meaningful only to you.
Hackers can obtain extremely sensitive information, like social security numbers, by accessing documents like old tax returns and bank statements stored in Google Drive and similar cloud storage platforms, Reck said.
“When someone does get access to your online accounts, they have a lot more access than you meant for them to,” Reck said. “Go back and delete the stuff you don’t need anymore, so if a bad guy does get to you, the impact is much lower.”
Online shoppers should be particularly careful about responding to pop-up ads and emails that look like they’ve been sent by popular retailers, Adam Levin, former director of the New Jersey Division of Consumer Affairs and co-founder of Credit.com, said.
About 40 percent of U.S. consumers have fallen victim to a malicious phishing scam, even though 91 percent are aware that such scams exist, according to cybersecurity company DomainTools’ 2017 Cyber Monday Phishing Survey.
As of Nov. 13, the social media security company ZeroFOX had already identified 1,379 fraudulent accounts on the “big six” social networks associated with Black Friday and Cyber Monday.
“Unless you’re using a verified app that either comes from a respected app store like Apple or Google, they should go directly to the website of the retailer,” Levin said. “Any bargain offered to you by a retailer over email or text will be offered by the retailer’s website.”
Consumers can also take extra caution by signing up for transaction monitoring alerts from their banks and credit unions to immediately notify them when their credit or debit cards have been used, Levin said.
In some cases, consumers' banking information had been stolen and sold on the black market, where other scammers can purchase it by ZIP code in order to evade bank and credit card tracking systems that look for "out-of-pattern" charges, Levin said.
But with transaction alerts, consumers can immediately dispute charges they didn't make, he said.
“You can immediately tell if it was you,” he said. “The bank might not be able to tell.”