9 tips for safe Cyber Monday shopping

Shopping online

One of the biggest shopping periods of the year has already begun. Black Friday deals are already here, and Cyber Monday deals will soon begin to surface. Demand for holiday gifts may break all sorts of records this year, despite the ongoing COVID-19 pandemic and supply-chain issues with goods coming from Asia. 

Cyber Monday began "officially" in 2005 (it was made up by a marketer), but the phenomenon goes back to the beginning of online shopping, before home broadband connections were commonplace. People would return to work on the Monday after Thanksgiving and shop from their office computers. 

With the increase in fast home internet connections, not to mention the millions of people now working from home, the distinctions between Black Friday and Cyber Monday are blurrier. But retailers are still marking them both with plenty of sales.

Of course, as the popularity of Cyber Monday has grown and the deals have become bigger and better, the risks of shopping online have also increased. Cybercriminals love Cyber Monday, and they work hard to get rich off the huge number of people engaging in online commerce around the holidays.

"Our inboxes are filling up with offers, and it's easy to slip something malicious into the volume of unsolicited emails during this time of year," said Don DeBolt, director of operations at the ThreatSpace division of Milpitas, California-based security company FireEye.

"Due to the sheer volume of people shopping on Monday, [it also] makes for a great time to insert a malicious advertisement into an established ad network," DeBolt said. "This type of attack is known as 'malvertising' and results in the attacker taking you to a website of their choosing when your browser loads the malicious advertisement.

"Computer users have little control over this attack if they are not using an ad-blocking application, so it is highly recommended that an anti-malware product is used to best protect against this kind of attack."

In 2019, cybercriminals created up to 100,000 fake online-shopping websites, made up to look like well-known websites and with similar web addresses, to lure in shoppers and hit them with scams. And Macy's, one of America's biggest retailers, disclosed that its website had been infected with credit-card-stealing malware.

To help shoppers stay safe and secure on Cyber Monday, here are some tips.

Shop from a secure computer

A computer or Android phone that isn't protected by the best antivirus software is more likely to be infected with malware. All data entered into or transmitted from that phone or computer is at risk, including all forms of personally identifiable information, credit-card numbers and bank accounts. Be sure to keep the operating system and all internet-facing apps updated to the latest software versions.

Shop using a secure connection

Data can be at risk during transit if an attacker controls the network or uses packet-sniffing software. Web protocols such as HTTPS encrypt communications, but in some advanced attacks even those could fall to a "man-in-the-middle" attack

You should always look for the HTTPS lock symbol in your browser address window when performing an online purchase. But it's not a guarantee that the site is genuine — many malicious sites now use encrypted connections too.

Search for deals on retailer sites, not on search engines

Scammers "poison" Google and Bing search results with malicious or deceptive links. Searching for the best iPad deals? Go to the Best Buy, Amazon or GameStop sites and use their in-house search engines instead of Google.

Use trusted vendors

Any website can be attacked by hackers, but limiting your shopping to established and trusted vendors limits your exposure. Bookmark the most trusted online retail sites to make sure you don't get redirected to fakes.

Check each website's URL

This may seem obvious, but you'll want to check each retail website's address, aka URL, in your browser's address bar. 

Scammers who want to steal your credit-card number or personal information will "clone" well-known shopping sites and park them at web addresses that are often just one mistyped letter away from the real thing which is also known as typosquatting.

Don't fall for 'too-good-to-be-true' deals

Cyber Monday features a lot of incredible, legitimate deals offered by trusted mainstream retailers. But cybercriminals will prey on shoppers' desire for the lowest prices and will try to slip in a lot of fake deals. 

Watch out especially for emails, text messages, pop-up browser windows and Facebook and Twitter posts promising fantastic savings, especially if the link is a shortened URL — you really don't know where those will lead you.

Clicking on links in the messages or posts could lead to scams, phishing sites or sites distributing malware. And don't open attachments in emails promising fantastic deals.

Plan ahead and don't be rushed

Cyberattacks take but a split second to occur. Sometimes all that's required is clicking on a link in an email. Look for clues to malicious links, such as an extra ".cc" at the end of what would otherwise be a trusted domain name. Take the time to make sure you're on the correct website.

Review credit-card and bank statements regularly during the shopping season

Malware can infect credit-card readers in stores as well as online retail websites, and unscrupulous cashiers often steal card numbers as well. If you find a transaction that doesn't match your purchases, your account may have been compromised. If so, contact your bank or card issuer.

Use only credit cards online

You've got far less protection against fraud on a debit card than you do with a credit card. Stick to credit cards (including American Express) when shopping online. If you absolutely must use a debit card, use the prepaid kind with a set spending limit.

When the site asks if it can save your credit-card number for next time, decline the offer. You'll have to type the number in again next time you visit (unless you use one of the best password managers), but you'll have one less thing to worry about when the site gets hit by a data breach.

If a website wants you to pay with a gift card instead of a credit or debit card, that's a huge red flag. Don't shop there. And if a site wants you to pay with a direct transfer from your bank account, that's even worse. Run away.

Use unique passwords and logon information for every site you visit, or don't create an account at all

Yes, it's a pain to remember all those passwords. But if one of them is stolen, a cybercrook will try using it on other websites. Passwords should be as long as possible and contain a mix of upper- and lower-case characters, numbers, punctuation and symbols. 

And passwords shouldn't be reused, especially for any website that handles your money. If you have trouble handling them all, use one of the best password managers.

However, if you're just making one or two purchases on a retail website — one you trust, of course — there may not be a need to create an account. Most websites let you shop without one, and one less online account is one less to worry about.

If you're shopping from a tablet or smartphone on Cyber Monday, use a trusted vendor's app, not a web browser

Vendors have more control over their own apps than they do over mobile browsers, which often don't display the web addresses of the sites to which you're giving your credit-card information.

Software from locations other than the device's official "store," such as Apple's iTunes App Store or the Google Play Store, has a greater chance of being malicious. Even then, check to make sure that the app developer is the official retailer — a lot of Amazon-related apps in Google Play have no connection to Amazon.

Sue Marquette Poremba is a security and technology writer based in Central Pennsylvania.