We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.


When you click on a retailer link on our site, we may earn affiliate commission to help fund our not-for-profit mission.Find out more.

20 May 2018

Online shopping scams cost Brits £58m a year

Which? investigates the risks of shopping online and how to avoid scam sites

As armchair shoppers, we're a sitting target for cyber-criminals. Last year, Action Fraud clocked 42,949 incidents of online shopping fraud, with total losses of £58m.So how can you can avoid being scammed?

Experienced online shoppers have learnt to avoid obvious fakes, but scammers can easily clone genuine websites and disguise web addresses - thePolice Intellectual Property Crime Unit (PIPCU) department of the City of London Police told us it suspends an average 1,500 counterfeit websites every month.

According to PIPCU, some counterfeit sites will steal the identity of customers to set up more fake sites in their names.

Another risk of buying from counterfeit sites is that you'll end up with potentially dangerous items, such as electrical goods that don't meet safety standards. Of course, sometimes scammers won't even bother shipping you inferior knock-offs - they could just as easily take the money and run.

Staying safe online

Good online housekeeping will shield you from most scams. For example, rather than clicking links in emails or text messages, find websites 'the long way round' - via Google (though not the sponsored ads) or verified social media accounts (look for the blue tick).

If you're shopping on a computer, hover your mouse over the top of links without clicking to see the genuine address. If it doesn't match the content promised, or contains mis-spellings such as amzaon.com or face-book.com, it's almost certainly malicious.

Creating multiple email addresses for different purposes can also help. You could have a private one that you never divulge online, another for sites you trust and, ideally, one more for sites that you've never used before. You can even set up a disposable email address using 10minutemail.com.

Watch this video for more ways to shop online safely:

Web addresses explained

Beyond the basics, the most obvious way to spot a scam is usually by checking the complete web address, or URL (Universal Resource Locator), every time you browse.

Take time to scan the whole URL, working backwards from the end to identify the unique domain name - if you're struggling to spot it, look between the protocol (https://) and the first single slash (/).

In this example, that would be www.which.co.uk.

Fake domains can look like real sites but have subtle differences.The biggest brands will buy some of the more obvious ones - for example, Amazon owns amaz0n.com and Marks & Spencer owns mands.com (both of which redirect to the genuine sites).

But, there are endless possibilities, from top-level domains (TLDs) suchas .com .org and .net and country codes (.co.uk) to alternatives such as .shop and .fashion.

Subdomains aren't limited to www either, for example computing.which.co.uk and support.google.com are both legitimate. Watch out for subdomains being used toimpersonate genuine sites, as withhttps://login.pay.pal-acc.com/signin where the real domain is pal-acc.com and the subdomain is login.pay.

Absurdly long URLs can also mask the true domain, particularly on smaller devices such as mobiles. Conversely, shortened URLs designed to save limited text space can be used by attackers to hide malicious sites (use checkshorturl.com to safely see what a short URL points to).

False sense of security

The constantly evolving nature of cyber-crime means one-size-fits-all advice can be dangerous.

The most obvious example of this is an SSL certific
ate, indicated by a clickable padlock and https (rather than http) in the address bar,which tells you that the connection is encrypted.

While you should never enter sensitive details on sites without one, its presence alone doesn't tell you anything about the content or intentions of the site.Certificates are issued by certificate authorities (CAs) such as Comodo, Let's Encrypt and Symantec but they don't police the web -criminals might create sites and use certificates to add an air of legitimacy.

A similar false sense of security might come from finding that a business is registered with Companies House.While it does incorporatelimited companies, it doesn't verify the legitimacy of their operations and, even if it did, someone could still use the credentials of a reputable business fraudulently.

Tread carefully when you read customer reviews, too, as there is a black market for fake reviews.

While reading comments from customers on social media and review sites such as Feefo, Site Jabber and Trustpilot can alert you to a problem - such as anonline trader that's gone rogue -positive reviews should only be one of several checks you make.

Stay safe with a seven-step scam check