Online Shopping Security – Common Threats & Safety Tips

“Wait – Online Shopping Isn’t Safe?”

Not exactly. That doesn’t mean you’re likely to become the victim of a cyber attack the moment you buy something on Amazon. But it does mean there’s a risk something like that might happen down the line.

The problem is that cybercriminals are targeting online retailers more and more – not mainly because they have a lot of money (though that is one of the incentives), but because a lot of people use those platforms (currently, around 1.92 billion people shop online). What’s more, even though many online shopping websites have improved their security standards, they still fell victim to hackers.

So, for now, online shopping isn’t 100% safe. It’s likely not even 60-70% safe. And when you see our round-up of the main online shopping security threats, you’ll understand why.

The Most Common 7 Security Risks of Shopping Online

1. Adware

Malicious websites often contain pop-up ads that advertise some incredible promotions (like saying you won a free PS4 or so). If you click on them, you’ll either be asked to share sensitive data (like credit card details and personally identifiable information), or your device will directly get infected with other types of malware (spyware, keyloggers, or ransomware).

Even worse, you might be exposed to such ads on legitimate websites too. While they’re normally pretty secure, some hackers might be able to exploit some vulnerabilities (if the website hasn’t done its latest security update, for example), and inject malicious ads into the platform.

You should also know that the malicious part of the ad can trigger if you click on the “X” to close it as well.

2. Fake Online Stores

Cybercriminals set up fake shopping platforms to trick users into wasting money or revealing sensitive data. They normally try to imitate legitimate online retailers, claim they work with them, or invent their own made-up retail brands. Usually, one of two things will happen if you spend money on a fake online store:

1. The hacker behind the scam will log all the data you type in, stealing your credit card details and personal information (they might even ask you for info like your Social Security Number).
2. The website is only set up to receive payments from users. However, the products that are advertised don’t actually exist. So, if you buy something, you’ll never get it. Or, you might receive the product, but it will be something else entirely or just an empty box.

Of course, there’s no guarantee that both of those things won’t happen on certain fake websites – especially if the scammer is very greedy, and wants both your money and personal/financial data.

Fake online retail websites are usually promoted through phishing messages and emails. The recipients’ contact details will either be acquired through a different phishing scam, or they can be bought off the deep web for a pretty small amount of money.

3. Identity Theft

Not many people know this, but one of the main security risks of shopping online is having your identity stolen. Essentially, cybercriminals aim to steal as much personally identifiable information from you as they can (your full name, mobile number, email address, physical address, etc.). Once they have it, they either auction it off on the deep web, or they use it in other scams or to impersonate you.

According to statistics, most identity thefts occur during holiday shopping, seeing as how around 43% of consumers reported they became the victims of identity theft during such periods.

Identity theft normally occurs on fake websites, but legit online retailers can expose their own users to something like that if they suffer a data breach (which we’ll discuss in a bit), or if their platforms become infected with malware.

4. Unencrypted Data

Websites that don’t use SSL encryption (the ones whose URL address starts with “http” instead of “https”) are a pretty big online shopping security risk. Why? Because the info you share on those platforms isn’t encrypted, meaning it’s very easy for hackers to monitor it if they want.

You can always take a risk if the website has decent offers (unless they are phishing attempts, of course), but keep in mind that even Google is now marking non-HTTPS websites as being unsecure.

5. Fake Apps

Many online retailers have their own dedicated apps, and cybercriminals sometimes try to imitate them by creating fake versions. The main goals are to steal your credit card details, login credentials, and any other personal information they can get their hands on.

Like identity theft, fake apps seem to be used by hackers during holiday shopping seasons – likely because shoppers aren’t paying as much attention then, and are rushed to find promotions and discounts.

You’d think fake apps aren’t such a huge online shopping security concern since they can be easy to spot, but Apple’s App Store alone has been plagued with hundreds of them.

6. Data Breaches

A data breach is when a cybercriminal gets unauthorized access to a website (either through phishing, malware, or by exploiting vulnerabilities). Most data breaches cause the retailers a lot of financial damage, but the real victims are the users who have their financial and personal information stolen.

You’d think data breaches wouldn’t happen too often, but you’d be wrong. Back in 2018, a record number of breaches were reported at big brands like Adidas, Sears, Best Buy, and Ticketmaster (among many others).

7. Unsecured (And Potentially Secured) WiFi

Shopping over unsecured WiFi is never a good idea. Sure, it might be extremely convenient to buy the latest mobile device or clothing item while sipping your coffee at your favorite place downtown, but it’s also very dangerous if the network isn’t secured.

How can you tell if a WiFi network is secured or not? Simple – if it doesn’t require a password to log in, it doesn’t use any encryption. That means your online connection to any retailing platform isn’t encrypted. So, any hacker who might be targeting the WiFi network could easily eavesdrop on your traffic. If they do that, they can see all the info you share with the retailer’s server, such as:

• Credit card details
• Email addresses
• Login credentials
• Any personal information

“Okay, so I’ll just use a WiFi network that’s secured. Problem solved!”

Not exactly. The problem with secured network is that they use WPA2 as an encryption standard. Well, the issue with that is that WPA2 is actually vulnerable to a cyber attack, namely the KRACK attack. WPA3 is supposed to fix that problem, but it’ll take some time until it’s fully deployed on all compatible devices.

The Most Useful Online Shopping Security Tips

Use Powerful Antivirus/Antimalware Software

Even if you take all the precautions you can, there’s always a risk your device might end up being infected with malware or viruses. In that case, it really helps to have reliable antivirus/antimalware programs installed because they’ll protect your data. What’s more, such a program could also prevent you from accidentally accessing malicious websites.
Just make sure you don’t use free solutions. They aren’t very reliable, and might not offer you any protection at all.

There are plenty of antivirus/antimalware software providers to choose from, but our recommendations are Malwarebytes and ESET.

Oh, and don’t be confused about the antimalware/antivirus term – both of them do the same thing. A virus is a type of malware, after all.

Keep Your Security Software, Browser, and Operating System Up-to-Date

You shouldn’t schedule regular updates just to get rid of annoying notifications. They are actually very important if you want to make sure security weaknesses and exploits don’t endanger you when shopping on the Internet.

For example, the latest update for security software (no matter how small it is) could contain vital data that helps the program detect new threats. Operating system and browser updates do something similar, as they often come with changes that boost security.

So, whenever you see an update notification, don’t leave it for later. Install it since it could significantly help with online shopping security.

Use a VPN (Virtual Private Network)

A VPN is an online service you can use to protect your privacy and data on the web. It hides your IP address, and uses encryption to secure your online traffic, protecting it from surveillance.

While a VPN can’t help protect you from all online shopping security threats, it can make sure you’re not exposed on unsecured WiFi. So, you could actually shop online while connected to public WiFi without having to worry about hackers eavesdropping on your communications.

Also, a VPN could prevent shopping websites from sharing your geo-location info with third-party advertisers since it masks your IP address (which contains geo-location data).

Secure Your Online Experience With CactusVPN

If you need a reliable VPN service, we’ve got you covered. Our solution offers high-end encryption (AES, so it’s military-grade), extremely secure VPN protocols (OpenVPN, SoftEther, IKEv2), and a no-log policy that protects all your privacy.

On top of that, we also throw in DNS leak protection and a Kill Switch to make sure you’re never exposed on the Internet even if your VPN connection goes down. Oh, and you also get to enjoy unlimited bandwidth and high speeds, ensuring you get a smooth online shopping experience.

Special Deal! Get CactusVPN for $3.5/mo!

And once you do become a CactusVPN customer, we’ll still have your back with a 30-day money-back guarantee.

Save 64% Now

Always Use Script Blockers

A script blocker is a simple browser extension you can use to prevent harmful scripts (Java, JavaScript, or Flash) from loading on any website you visit. Basically, such a tool is a very smart way of protecting yourself against adware, or any other type of malware or virus that might have infected the online retail website you’re using.

The best script blockers to use right now are uBlock Origin and uMatrix.

Use Multi-factor Authentication

If the online shopping websites you use allow it, turn on multi-factor authentication. Usually, you’ll be able to use two-factor authentication, which involves having to type in a generated code (which is often sent to your mobile device) after you log in with your password.

This way, even if cybercriminals were to somehow obtain your login credentials either through a data breach or phishing messages and fake websites, you’ll at least have an extra layer of security which will protect your account information (like your credit card number, for example).

Don’t Use Debit Cards

Credit cards are simply safer than debit cards. Why? Mainly because debit cards don’t normally give you any leverage when disputing a sale. The seller needs to agree to give you your money back, and good luck with that if you’re dealing with a scammer.

What’s more, if you become the victim of fraudulent credit card activity, you won’t be held liable for it – as long as you report the issue in a timely manner, of course.

For example, if you use your credit card to purchase something on a shady website, and then you start noticing weird transactions that you never approved, you can get your money back if you alert the bank in time. Naturally, you’re going to have to get a new credit card after something like that, but the extra security – compared to a debit card – is worth it.

Use Powerful Passwords

One good way to avoid some of the security risks of shopping online is to come up with strong passwords. That way, it won’t be easy for hackers and scammers to brute-force or guess your passwords, and use your accounts to buy stuff with your money, and steal any private and personal information they can.

We already have an in-depth guide on how to create a secure password, and how to keep it safe too. But if you’re in a rush, here are the highlights:

• Make the password over 15 characters long.
• If possible, use space characters.
• Try using a secure password generator.
• Use multiple words, and reverse them so that they’re not dictionary words.
• Use numbers and special characters, and mix up lowercase and uppercase letters.
• Avoid substitutions like “0” instead of “o” or “$” instead of “s” – they’re too obvious.
• For a really powerful password, make it an acronym for a phrase.

Also, it’s a good idea to use a reliable password manager (like LessPass, Bitwarden, KeePass/KeePassXC, and PSONO) to store all your login credentials. It’s much more convenient, not to mention more secure than typing the password yourself on multiple websites.

Don’t Share More Information Than Necessary

Online shopping websites will normally require some information from you – either to let you set up an account, or just buy without an account. Normally, they’ll ask for payment details (usually your credit card info) and personal information (physical address, for example).

If a website ever asks you for more personal data, like your Social Security Number, date of birth, gender, or various preferences, it’s best to find another platform. We’re not saying that automatically makes a website fake and malicious, but – depending on their Terms of Service – they might share that information with third-party advertisers, endangering your privacy. Plus, if said platform ever suffers a data breach, all that info is likely to end up for sale on the deep web, where scammers might buy and use it.

As for your payment information, the best way to keep it as private as possible is to either use websites that accept cryptocurrencies and PayPal (or another online payment system) as payment options, or just the Cash-On-Delivery option, so you’ll only pay when you receive the physical product from the delivery agent.

Learn to Spot Fake Websites

If you get duped into using a fake shopping website, your credit card details and personal info will be good as gone. So, you need to watch out for the tell-tale signs of fake, malicious websites:

• The website has a strange URL. Instead of seeing something like “ebay.com,” you get “shop-at-ebay.com” or “bestonline-shoppingstore.com.”
• There is no green padlock icon before the URL bar, meaning the website doesn’t use SSL encryption.
• The website’s URL address starts with “http” instead of “https.”
• There are extremely low prices, like seeing an iPhone X for sale for only $100-$200, when it normally costs around $1,000.
• The contact details are very sketchy. For instance, instead of seeing “[email protected],” you’ll see “[email protected].”
• The copywriting on the website is pretty sub-par, and it features multiple grammatical errors and weird phrasing.
• The website has a confusing mix of products. For example, the site claims to only sell clothing, but you notice weird extra items like car parts.
• The website has a really horrible design and layout.

We highly recommend using this list too, which currently contains a large number of fake websites.

Avoid Any Phishing Attempts

In case you’d like to learn more about phishing (what it is, how to spot it, how to protect yourself), here’s an article we wrote about the topic.

The main idea is to not reply to and delete or block any phishing messages you might get, and not reveal sensitive information on phishing websites. Also, if possible, try to get in touch with the authorities in your country to report the phishing attempt. Oh, and don’t click on any button in the email – even the “Unsubscribe” button – since they can infect your device with malware.

As for the signs of a phishing attempt, most of the signs we mentioned in the section above apply in this case. Other things that might point to a website or message being an online shopping phishing scam include:

• The message claiming you’re subscribed to a newsletter you’ve never heard about.
• The email promoting offers that are just too good to be true.
• Tons of shady shortened links and flashy, pushy CTA buttons (“BUY NOW,” “ORDER NOW,” or “GET IT NOW”).
• The website claiming they sell real, branded products without being able to prove they are accredited partners.

Try Buying on Mobile Instead of Desktop

We’re keeping this tip for last because it isn’t the most effective one. Despite that, you should know that doing online shopping on your mobile device might be safer.

Why? Because reputable retailers have their own dedicated apps, which are much harder to exploit than websites. Basically, cybercriminals need to use specific attacks to compromise an app, while they can usually compromise websites with the same tactics.

Still, please keep in mind that retailer apps can be spoofed, and if you use one of them your financial and personal info will be as good as gone. Luckily, there are some ways to spot fake apps:

• Look at the developer’s name. If you it’s not one you recognize, it’s likely fake. Double-check by googling it too.
• Check online articles or the retailer’s website to see if they actually launched a mobile app.
• See if there are any typos in the app presentation.
• Check the reviews. Quite often, a fake app will have multiple people complaining about it being a scam in the review section.
• Look out for any blatant promises of guaranteed discounts in the app description.
• Make sure the app’s name is not intentionally misspelled, or an actual website URL.
• Take a good look at the logo – make sure it’s the same one the retailer uses. If it looks slightly different or low-resolution/low-quality, the app might be fake.
• Lastly, show the app to someone who works as a representative for the main retailer, and ask them if it’s real or not.

Conclusion

Buying things on the Internet is very convenient, and saves you tons of time. However, you need to be aware of online shopping security threats if you don’t want to end up the victim of identity theft – or worse. Things like adware, fake websites and apps, unencrypted platforms, data breaches, and WiFi can always expose you to cybercriminals.

Luckily, there are some things you can do to avoid the security risks of shopping online. If you don’t have the time to read through them all, here’s a summary:

• Use reliable antivirus/antimalware programs.
• Use a VPN (Virtual Private Network).
• Keep your OS, security software, and browser up-to-date.
• Use script blockers.
• Don’t interact with any phishing emails and messages.
• Don’t share too much info with online retail websites.
• Create strong passwords for all accounts.
• Use credit cards instead of debit cards.
• Avoid fake websites and apps like the plague.
• Try shopping online on mobile instead of desktop.
• Enable multi-factor authentication on all accounts.