The Holidays are a time for giving, and also scamming! Keep yourself protected with these top tips courtesy of the OU Information Security team.
-
1 Be Aware of Spoofing

Don’t let the attackers fool you the next time you make a purchase online.
Attackers create fake websites and fake email addresses that imitate the retailer you are buying from, a retailer you have bought from before, or your bank. They copy the trusted brand's name, logo and website design, then register a URL as close as possible to the genuine web address. Check that the domain name is exactly right, e.g. amazon.com, not amAz0n.com. Check whether the URL begins with "http" or "https", but remember that https only means the connection is encrypted and the certificate matches the domain shown; a scam site can hold a perfectly valid certificate for its lookalike domain. Research an online retailer to confirm it is legitimate before you buy.
If they contact you by email, the scammer will imitate the sender address, formatting and style of the genuine brand's emails. This gives customers a false sense of security that they are shopping with a trusted brand when they are actually handing their sensitive information to cybercriminals.
This scam relies on customers mistyping the web address, or following a link in a spam email, in the hope that one or two people will unwittingly try to buy something on the fake site. Once you have typed in your card details, the criminals store them and sell them on.
This holiday season, double check the URL of any website, and the sender address and links in any email, before purchasing anything or entering any important data.
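The following is an added example, not code from the OU Information Security team, showing how the "is this really amazon.com?" check above can be done mechanically: it takes a URL, pulls out the hostname, and compares it against a small allowlist of retailers you actually use. The allowlist, the confusable-character table and the sample URLs are all assumptions constructed for the example. It catches digit-for-letter swaps (amAz0n.com), the "rn" for "m" trick, a Cyrillic "а" standing in for a Latin "a", and the genuine brand name used as a subdomain of some other domain. It also shows that the scheme being https tells you nothing about who owns the domain.

```python
"""Flag shopping URLs whose domain is not on a known-good list, including
typosquats and homoglyph lookalikes. Added example with illustrative data."""
import unicodedata
from urllib.parse import urlsplit

# Assumed allowlist: the registrable domains of shops the reader really uses.
TRUSTED_DOMAINS = {"amazon.com", "open.ac.uk"}

# Characters attackers substitute for Latin letters: digits, symbols and a few
# Cyrillic homoglyphs. Illustrative subset, not a complete confusables table.
_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})


def hostname(url):
    """Lower-cased hostname, with punycode (xn--) labels decoded to Unicode."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed IDNA label: keep the raw form for comparison
    return host.lower()


def skeleton(domain):
    """Collapse a domain to the Latin string a human would read it as."""
    d = unicodedata.normalize("NFKD", domain)
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    d = d.translate(_CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, trusted=TRUSTED_DOMAINS):
    """Return ("trusted" | "lookalike" | "unknown", matched trusted domain or None)."""
    labels = hostname(url).split(".")
    # Exact match on the registrable suffix (www.amazon.com is still amazon.com).
    for t in sorted(trusted, key=len, reverse=True):
        tl = t.split(".")
        if labels[-len(tl):] == tl:
            return "trusted", t
    for t in trusted:
        tl = t.split(".")
        n = len(tl)
        # Brand domain used as a leading subdomain: amazon.com.checkout-deals.example
        if any(labels[i:i + n] == tl for i in range(len(labels) - n)):
            return "lookalike", t
        # Registrable tail that only *looks* like the brand: amaz0n.com, arnazon.com
        tail = ".".join(labels[-n:])
        if edit_distance(skeleton(tail), skeleton(t)) <= 1:
            return "lookalike", t
    return "unknown", None


def uses_https(url):
    """True for https; this says nothing about who controls the domain."""
    return urlsplit(url).scheme.lower() == "https"


if __name__ == "__main__":
    # Constructed sample URLs for demonstration.
    for u in ["https://www.amazon.com/gp/cart", "https://amAz0n.com/login",
              "https://arnazon.com/", "https://\u0430mazon.com/",
              "http://amazon.com.checkout-deals.example/", "https://example.org/"]:
        print(u, "->", classify(u), "https" if uses_https(u) else "http")
```

The edit-distance threshold of 1 is deliberately conservative and assumes brand domains of normal length; for very short trusted domains it would be too loose, and for a real deployment the suffix matching should use the Public Suffix List rather than the label-count heuristic used here.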
-
2 Protect Yourself & Your Identity

Phishing attacks are on the rise, so take steps to ensure you are not caught out by increasingly sophisticated scams. Check the emails, texts (text-message phishing is known as smishing and often takes the form of fake delivery alerts!) and calls you receive, and do not disclose any information until you have verified that the email, text or call is genuine. That helps all of us stay secure.
For one-off purchases it is more secure to use the one-time or guest checkout option where possible. If you are setting up a new account or must provide personal details to a retailer, confirm the website belongs to the legitimate company and follow best practice when creating passwords. Do NOT reuse a password across sites, or use anything similar to an existing password. Keep your passwords strong, safe and secure and, where possible, use a passphrase: three or four random words, 15 or more characters in total.
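As an added example (not the team's own tool), here is how the passphrase rule above can be applied and checked in code. The wordlist is a constructed 25-word sample for illustration; a real generator should draw from a list of thousands of words, because the strength of a random-word passphrase comes from the number of words multiplied by the size of the list, not from the letters themselves. The words are picked with the operating system's cryptographic random source rather than a person's own choice, which is what makes them "random".

```python
"""Generate and check passphrases built from random words. Added example;
SAMPLE_WORDS is a constructed list, far too small for real use."""
import math
import re
import secrets

# Constructed sample wordlist (illustrative). A real list such as a diceware
# list has thousands of entries; entropy depends on that size.
SAMPLE_WORDS = [
    "anchor", "balloon", "copper", "dragon", "ember", "falcon", "garnet",
    "harbor", "island", "jigsaw", "kettle", "lantern", "marble", "nectar",
    "orchid", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]


def generate_passphrase(words=SAMPLE_WORDS, n_words=4, min_length=15, sep="-"):
    """Join n_words chosen uniformly with a CSPRNG; retry until the length rule holds."""
    if n_words < 3:
        raise ValueError("guidance calls for three to four random words")
    while True:
        phrase = sep.join(secrets.choice(words) for _ in range(n_words))
        if len(phrase) >= min_length:
            return phrase


def entropy_bits(wordlist_size, n_words):
    """Bits of guessing entropy for n_words drawn uniformly from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def meets_guidance(phrase, min_length=15, min_words=3):
    """Check the '15+ characters' and 'three or more words' rules from the guidance."""
    words = [w for w in re.split(r"[\s\-_]+", phrase.strip()) if w]
    return len(phrase) >= min_length and len(words) >= min_words


if __name__ == "__main__":
    p = generate_passphrase()
    print(p, meets_guidance(p))
    print("sample list:", round(entropy_bits(len(SAMPLE_WORDS), 4), 1), "bits")
    print("7776-word list:", round(entropy_bits(7776, 4), 1), "bits")
```

Four words from a 7,776-word list give about 52 bits of guessing entropy; the same four words from the 25-word sample give under 19, which is why the list size matters more than the separator or capitalisation.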
If you do need to create an account on a website, use a personal email address and pay by credit card if you can. Always turn on MFA when it is offered. MFA stands for 'Multi-factor Authentication'. A traditional password is a 'single factor' of authentication: it proves 'you are really you' because, in theory, you should be the only person who 'knows' it. Multi-factor authentication asks for additional proof from a different category: something that only you 'have' (a device) or something that you 'are' (a biometric). In practice this means authenticating by one of the methods below:
- Biometrics (e.g. fingerprint or Face ID)
- An authenticator app on your device, generating a one-time code or sending a prompt to approve
- A code sent to your phone by text message or call (the weakest option, as text messages can be intercepted or redirected; prefer an app where one is offered)
-
3 Protect Your Tech

If you get a hole in a jumper, a patch can be sewn on to fix it. In the same way, if code has a security hole, a developer can "patch" the code to fix the problem. Patches only reach the code on your device if you download and install security updates, so make sure the device you are using has antivirus and is up to date! Only update or install from official sources (App Store, Google Play etc.).
Avoid making purchases on public Wi-Fi; use a password-protected network you trust, such as your home network or your mobile data connection. A Wi-Fi network you can join without a password is an open network: anyone on it can watch or interfere with your traffic, and anyone can set up a hotspot with a convincing name.
Think before you click! Web pop-up offers, browser notifications, retailer discount/offer emails, QR codes and e-cards can all be tempting. However, they may lead to malware or ransomware, or to a fake login page that captures your details, and tricking a person into clicking is the #1 way that cyber-criminals compromise devices.
Ransomware is a type of malicious software that prevents users from accessing their computer, or the data stored on it, typically by encrypting the files. The attackers then demand a ransom to release them. If you receive an email, link or attachment asking you to pay a ransom, do not engage. Never pay the ransom; regular backups kept separate from the device are the reliable way to recover.
Always check the authenticity of a link before you click it: hover over it (or press and hold on a phone) to see the real destination address.
-
4 Further Guidance

- National Cyber Security Centre - Shopping Online Safely
- Action Fraud - Online Shopping Fraud
- Open University Information Security - Password Creation Guidance
- Open University Information Security - Online Shopping Guidance
