For many retailers, the holiday season accounts for more than 30 percent of their yearly earnings. That’s not surprising considering that on average, Americans have been spending more than $700 on gifts every year for the past decade. And 2021 is expected to set a new record of a whopping $886—the biggest budget Santa has had in the last 20 years.
With all that money moving around, bad actors will almost definitely want to get their hands on some. Some are clever, and even the most careful shoppers can fall prey to their tricks. But by following some basic tips and good security practices, you can make yourself a harder target and hopefully avoid giving unintended gifts to online fraudsters.
Thoroughly scan promotional emails
These days, your inbox is probably flooding with promotional messages, newsletters, and sales you “just cannot miss.” Some may offer spectacular deals, but you should be cautious instead of jumping in head-first, says Camille Stewart, global head of product security at Google.
“People should look to see if the message is sent from a public email domain,” she says. “Most of the brands sending promotional emails have a website and will send emails using their domain name. So you should be skeptical of promotional emails from a Yahoo or Hotmail address, for example.”
If the sender’s address or anything else in the email’s body is off—pixelated images, bad grammar or misspellings—report the message as spam and delete it immediately.
As a rule of thumb, don’t click on links within an email. Instead, open another tab on your browser, go directly to the store’s official website, and navigate your way to the deal or sale you’re interested in. Scammers often find legitimate promotional emails, copy them, and replace the links with ones that will steal your data or automatically install malware on your computer.
But we get it—sometimes we’re feeling lazy or retailers make it hard to find sales on their websites to tempt you with non-discounted products instead. If you absolutely need to click that link, try hovering over it with your cursor to ensure it matches where the ad or email claims it’ll take you, Stewart says.
To do this, place your mouse over the link. Some browsers will automatically display a tiny box with the description or the URL for the site the link will take you to. If that doesn’t happen, check the bottom left corner of your browser for the same information. When you see that web address, start by making sure the URL starts with “https”—That final S is important and means the connection is secure.
Then, ensure the site’s domain corresponds to the store that sent you the email. The domain is the main word or phrase in a URL, and you’ll usually find it all the way to the left, right between www. and .com (or .co.uk, .ca, or any other top-level or country domain). It’s the “amazon” on amazon.com, or the “popsci” on popsci.com.
Here it’s also very important to make sure the spelling is correct. Scammers will buy similarly spelled domains to trick and confuse shoppers, and sometimes the differences are so minimal, you won’t notice them unless you look very closely. Keep an eye out for tricks like using a 1 instead of an i, or swapped letters that will easily fool your brain. After all, popcsi looks awfully similar to popsci.
Protect your credentials
One of the most annoying things about online shopping is having to create an account on a seller’s website. It makes sense to do it because it protects your data, but it seems like a lot of effort—especially if you’re not planning on buying there ever again.
Sticking to websites and retailers you already have an account with might be the easiest way to go. But if you shop at a new online store, your best bet is to check out as a guest. This will theoretically ensure the site doesn’t permanently store your information—from your name and address to your credit card number—and will avoid you the trouble of coming up with yet another password.
If you’re shopping from a big retailer and checking out as a guest is not an option, you may be able to sign in using your Google, Apple, or Facebook account. Contrary to what you might think, as long as that account is properly secured (with a strong password and two-factor authentication) this is a safe way to access a site. The retailer never gets your credentials, just a nod of authentication saying you’re actually who you say you are. The best part is that if you decide you don’t want to associate with the shopping site anymore, you can go and easily revoke access to it. (We wrote a whole story about how to do this if you need a bit of guidance.)
But there will be a time when you’ll want to buy from a site where your only option will be to create an account. If that’s the case, take a big breath and arm yourself with patience—and a password manager.
“During the holidays, the volume of sites you’re creating new accounts for and the penchant to create holiday-themed passwords make us susceptible to hacking,” Stewart says. “A good password manager can be a game-changer.”
Whether you get a dedicated app or use the one built into your browser (Chrome and Firefox have them), password managers are great at two things: creating extremely secure credentials and remembering them for you. That way you won’t have to worry about future data leaks that may bring ghosts of Christmas past.
If you have a low-risk disposable email address—one you use only for promotions and things you’re not actually interested in—Stewart says this is the time to use it. If you don’t have one, this may be the perfect time to create it.
Use your credit card
Maybe you apply this tip year-round, but it bears repeating: when it comes to online shopping, leave your debit card in your wallet and use your credit card instead.
Debit cards are a direct link to your checking account, and the cost of your purchase is subtracted from your funds almost immediately. If you’re a victim of phishing, there’s a possibility the scammers may be able to repeat the transaction or use your card details to buy somewhere else, taking money directly out of your account.
If you fall for a scam while using your credit card, you’ll have more time to call your bank and file a claim. Also, most major credit cards have some kind of insurance or protection against online fraud. If that’s the case, you’ll probably get whatever amount the scammers took credited to your statement instantly upon notifying your bank.
A great way to stay on top of all the movements involving your credit card is to check your balance constantly. This means not only waiting for it at the end of your cycle but making it a recurrent habit throughout your week. If possible, you can make your life easier by setting up alerts for every transaction on your credit card.
Most banks will send you an email or text message every time there’s movement over a certain amount that you determine. By setting that threshold as low as $1 or 50 cents, you’ll even be aware of those seemingly harmless in-app purchases you keep making in your favorite virtual farm game.
Use only WiFi connections you know and trust
Listen, we know the holidays are a busy time, and mobile devices make it really easy to shop for presents on the go. But if you’re going through your nice list while commuting or taking a break at your local coffee shop, be mindful of your connection.
[Related: How to secure your apartment-provided WiFi]
In other words, never share sensitive information over public WiFi. This applies to everything you don’t want to fall into nefarious hands: sensitive work documents, sexy photos, and, of course, your financial information. Stewart points out that any form of public WiFi is notoriously insecure and easily hacked, so you don’t know if someone may have access to your device or your data through that connection.
To be on the safe side, do your shopping while using your own mobile data, or at home, while connected to your own WiFi. There are already so many things you’re probably concerned about this holiday season. Don’t let scammers be one of them.