Christmas lights are already making the shops twinkle and the busy shopping season is just around the corner, kicking off with Black Friday and Cyber Monday at the end of the month.
Many of us prefer to do our shopping from the comfort of our own homes – but it’s not just consumers who are busy online at this time of year: it’s a peak time for hackers and scammers, too.
Last year, online shoppers were stung to the tune of £58m in almost 43,000 incidents of fraud, according to Action Fraud. So how can you avoid being a victim during the end-of-year shopping season?
Visit our Black Friday hub for more tips when shopping around in the winter sales season.
20 tips for safe shopping online
Know who you’re buying from
Stick to big names when buying online if you possibly can – big, familiar brands, such as Marks & Spencer or John Lewis, are much safer for you to shop from than a vendor you’ve never heard of. If something you want to buy is only available from a business you don’t know, do some research: look for reviews of the seller to see what experience other people have had. See how long the website has been registered by going to whois.icann.org and typing in the website URL: that will tell you who owns the domain name and when it was first registered, as well as give you contact details for the website managers. A domain that was only bought very recently suggests that the business is, at best, very new.
Use established marketplaces
If you do want to use a small seller, stick to buying via established marketplaces. Notonthehighstreet.com showcases small businesses, while Etsy.com is a good place to look for handcrafted gifts or vintage items. Amazon Marketplace hosts thousands of small shops, and, of course, there’s always eBay. Most importantly, they all offer payment services and dispute resolution processes that protect both the retailer and the buyer. If a small seller on a big marketplace wants to bypass the platform’s payment services, that’s a big red flag: don’t use them. If you bypass the marketplace’s process, they can’t help you if there’s a problem with the seller.
Make sure software is up to date
You are much more at risk from hackers if your software isn’t up to date – security updates fix potential loopholes that hackers use to get into your device. Before you embark on your online shopping spree, make sure you’ve updated your operating system (Windows, macOS, Android, iOS), your antivirus software and your browser, or the app you’re planning to use, such as a dedicated store app (John Lewis, Argos etc) or a dedicated marketplace app (Etsy, eBay, Amazon).
Use strong passwords
Have a separate, strong password for every single account you have with a retailer. Don’t reuse passwords, and avoid using a system for your passwords (such as adding a number or a code to a common password for different sites). We have more detailed advice on how to create secure passwords at https://computing.which.co.uk/hc/en-gb/articles/360000818025-How-to-create-secure-passwords. This advice is important all year round, but it’s doubly important at this time of year. And the best thing you can do to keep scammers away from your passwords is to start using a password manager.
Separate email address
It’s worth having a separate email address for setting up and managing online accounts. Not only does it keep your personal or work inbox clear of notifications and potential spam, it also means you keep important information, such as work documents and family emails, separate from newsletters and emails telling you that a delivery is on its way. Also, should the email address associated with your online shopping accounts be compromised, then your sensitive data remains safe in your other inbox.
Be careful on a mobile
It’s tempting to use a smartphone to do your online shopping – it’s quicker and more convenient than firing up a laptop or a desktop. But be particularly careful with checking the URL of a website – mobile versions of browsers don’t always display the full web address in the address bar, making it harder to know for sure that you’re at the right website rather than, say, on a phishing site designed to trick you into revealing your passwords. Use a retailer’s app rather than a mobile website where possible to protect yourself from the risk of going to a fake site.
It’s a good idea to use a credit card rather than a debit card when you’re shopping online, and ideally use one with a low credit limit so that if the details of your card do get compromised, the damage that can be done by a high-spending hacker before you can block the card is limited. Also, using a credit card gives you more protection if a retailer goes bust or the goods don’t arrive or are faulty. Keep a sharp eye on your statements and alert your card issuer if you spot anything you don’t recognise. Also consider using PayPal if it’s offered as a means of making a payment: PayPal offers dispute resolution processes, and it also means that the seller won’t see your card details. Never pay by direct bank transfer.
Be careful about wi-fi
Avoid using public wi-fi if you can: you’re at risk from ‘evil twin’ websites set up by hackers to intercept passwords and credit card details, and you’ve got no guarantees that whoever set up the public wi-fi hotspot did so in a way that makes it secure and protects you. If you must use public wi-fi to do online shopping, consider using a VPN (virtual private network). A VPN sets up a private, encrypted and secure link between your device and the website, stopping hackers from intercepting your data and also protecting your privacy. And it’s best to use a paid-for VPN: free ones can be slow or insecure.
Use your mobile phone instead of public wi-fi
If you’re planning to take your laptop to the library or a coffee shop to do your online shopping, use your mobile phone’s data connection to get online rather than the public wi-fi. You might need to check with your mobile provider that you can use your data allowance to tether your laptop to your phone, but once you’ve ascertained that you can, it’s easy to do. In Android, go to Settings, then Network & Internet, then Hotspot & tethering. On the next screen, toggle the button to On. You’ll also be able to change the hotspot name and choose a different password if you don’t want to use the one it sets for you.
On iOS, go to Settings and then tap Personal Hotspot and toggle the button on. You’ll then see your phone’s name in your laptop’s wi-fi and you’ll be able to connect to it as if it were an ordinary wi-fi hotspot.
Less is more
Be careful about how much information you give away when you create an account with an online retailer: look out for the asterisk (*) on web forms that tells you when you must fill in the details. Obviously they’ll need your name, your address, an email address and your payment details, but many sites also try to collect additional information, such as perhaps your clothing size or an additional phone number. That helps them understand who their customers are, but there’s no need for you to hand over that information if you don’t want to.
The padlock icon
You’ll see a lot of advice to only use a website that displays a padlock – which can be green – in the address bar, and that remains in force. However, there are two things to be aware of here: first, the padlock only tells you that the website is encrypted, and that it’s sending your details, such as your password and card details, from your device to its servers securely. It doesn’t tell you anything about the authenticity or trustworthiness of the people behind the website: hackers can create secure websites, too. Also, the notification is changing: Google’s Chrome browser is moving towards warning you if a website is not secure rather than telling you that it is secure, and other browsers will soon be doing the same. So look for either the green padlock, or for a warning that the site you’re visiting isn’t secure before you type in your details.
Many websites ask you for personal information so that if you forget your password and need to reset it, giving the right answer to that question can verify that you are who you say you are, and not a scammer trying to break in to your account. However, you don’t need to give the real answer to the question: it can be quite easy to find out someone’s mother’s maiden name, for example, or the name of their first pet or their favourite cricket team, especially as people often unwittingly share that kind of information via quizzes on Facebook. So long as you can remember what information you gave – you could say your mother’s maiden name is ‘GreenOnions’, for example – it doesn’t matter what answer you give. Some password managers will store the information you give each website, too.
If it’s too good to be true …
Be careful of amazing-looking special offers arriving by email or SMS that contain links: these could be phishing attempts, designed to send you to a fake website to steal your log-in details. We all want to save money where possible at this time of year and it’s tempting to click through from a link offering a fantastic price on something, but the old adage ‘if it sounds too good to be true, it probably is too good to be true’ is particularly important to remember at this time of year. There’s lots more advice on how to spot a phishing scam in the August 2018 issue of Which? Computing and on our Computing Helpdesk website https://computing.which.co.uk/hc/en-gb/articles/207101195-How-to-spot-a-phishing-scam.
Sign out of the website
When you’ve finished shopping, sign out of the website and clear your cookies if you’re using a computer that anyone else has access to. This is especially important if you’re using a computer in the library or an internet café. If you leave yourself signed in, you risk someone else stealing your credit card details from your browser.
Check your statements
Once you’ve completed your shopping, make sure you carefully check the statements for any cards you’ve used to do your shopping. If you’ve followed our other tips about making sure you’re only sending card details over secure links and being careful when you’re using public wi-fi, you should be pretty safe, but it’s not unheard of for card details to be compromised: BA customers were warned that their card details could have been stolen in the data breach announced back in September, for example. And it’s always worth making sure that you’ve been charged the right amount, too.
It’s also worth storing emailed receipts for goods you’ve bought online in a separate folder on your computer so that you can quickly find them if you need to. You could either create a separate folder (in Outlook, Mail or Thunderbird) and move emails with receipts into that, or a new Label in Gmail.
Where in the world
Do check where an online store is located: while you might get a good price if you look on websites such as Alibaba.com, the Chinese-owned global marketplace, you will probably have to wait a long time for delivery – a particular concern at this time of year if you’re buying Christmas gifts. Also, you may well have to pay additional import duties when the package arrives in the UK. Buying from a shop outside the UK also means it could be much more difficult to return or exchange any goods that turn out to be faulty or not what you wanted – check carefully for details of a returns and exchanges policy, and if you can’t find one, don’t buy from that site. And finally, if it’s an electrical item, you almost certainly won’t get a UK plug with the purchase, which could cause disappointment on Christmas morning.
Marketers love dynamic pricing – that’s where they adjust the prices of products on the fly to maximise sales and profits. You’ll be familiar with this from buying airline tickets: prices to popular beach destinations are highest during the school summer holidays, while tickets for packed flights at the last minute over the Christmas period are very likely to cost a small fortune.
What’s less well known is that marketers use dynamic pricing for other goods, too. It’s a dark art, and it’s hard to track down details, but it’s worth checking the price of something not only on different days – the closer you are to Christmas, for example, the higher the price might be – but also in different browsers.
So before you click Buy, sign out, clear your cookies and look again: the price might be higher (or lower). And try it not only in a different browser, but on a different device: there have been reports, for example, of Mac users shopping via the Safari browser being shown a higher price than someone on an Android tablet.
Check and check again
Before you click the final ‘Buy’ button, go over each part of the order and make sure you’ve got the right thing. This sounds obvious, but it’s all too easy when you’re rushing through a lot of purchases on different websites to get something wrong. So check that you’ve got the right item, the right size, the right colour and the right quantity.
Check also that you’re paying for it with your preferred method: if you’ve got more than one card’s details stored on a site – such as Amazon or eBay – make sure you’ve selected the right one. Double-check the address you’re sending something to: is it coming to your home address, or are you planning to send it to a far-flung grandchild? If so, make sure that address is entered correctly – and don’t forget to check delivery options and charges, too. Some sites will default to a cheap and cheerful option that could mean you’ll be waiting weeks: at this time of year it pays to make sure the item will arrive in time for the big day.
If things go wrong
We hope that nothing will go wrong and that you’ll receive the right goods in plenty of time. However, if something does go wrong, buying online means that you’ve got more rights than if you’d gone to the high street and bought it in a shop. First, you’ve got 14 days to change your mind if you don’t like it, thanks to the Consumer Contracts Regulations, which allow you a fortnight to cancel an order and another fortnight to return the item. We’ve got all the information you need on the which.co.uk website: https://www.which.co.uk/consumer-rights/advice/what-are-my-statutory-rights-and-when-do-they-apply#how-well-do-you-know-your-online-shopping-rights
And if something does go wrong and you’ve been the victim of a scam, you can report it to Action Fraud via its website: actionfraud.police.uk
When you’re out and about
Not all shopping can be done from the comfort of your sofa, and even the most dedicated of online shoppers are going to have to head for the high street at some point. However, even if you’re going into bricks-and-mortar shops, there are still a couple of steps you can take to make your shopping safer.
If you use your mobile phone to make contactless payments rather than your credit or debit card, make sure you lock your phone as soon as the payment is complete. Using a phone to make contactless payments is very convenient, especially as many banks waive the £30 contactless limit that applies to physical cards, as it means you’ve got an instant record of your spending, but it does mean you’ve got your smartphone out and visible to would-be thieves more than you might otherwise like. If you lock it immediately, a thief snatching your phone won’t be able to access the data you have on it, nor will they be able to use it to pay for items in shops.
Free wi-fi is best avoided if you don’t want to hand over lots of information. A shopping centre or a store will use that wi-fi to track your journey around their buildings, and you will probably also have to supply an email address and other information in return for access to the wi-fi. If you can, use your data connection to get online when you’re out shopping.
Want to know more about online security? We’ve looked in more detail at VPNs, phishing scams and using public wi-fi safely in previous issues of Which? Computing, and there’s more advice on staying safe online in the December 2018 issue of Which? Computing.