By Laura H., Krista V., and Krista M. | Cyber Threat Intelligence Analysts
To help combat the threats posed by cyber criminals this year, the NJCCIC has compiled the following list of tips and best practices to assist all of our members in staying safe this holiday season, both in stores and online.
According to the National Retail Federation (NRF), American consumers are expected to spend an average of $967 during the 2017 holiday shopping season. This is an approximate 3 ½ percent increase from last year’s projections, and a majority of these purchases are expected to take place online. The NRF Consumer Survey found that online shopping is the preferred method of purchase this year for the first time in the survey’s history. Last year, Adobe reported that approximately $5.27 billion was spent in online sales between Thanksgiving Day and Black Friday, with $1.2 billion spent in purchases made through the use of mobile devices.
As the popularity of online shopping continues to increase, so does the number of potential unsuspecting victims for cyber criminals to exploit. The NJCCIC recommends that all shoppers follow the safety suggestions listed below, which are designed to reduce risk and keep personal information secure this holiday season.
Check to see if that website is secure.
Before making any online purchases, make sure there’s a little green padlock in front of the URL field in your browser and double-check that the web address starts with HTTPS and not just HTTP. The “S” in “HTTPS” stands for “secure,” telling you that any information transmitted between your browser and the website is encrypted, so that anyone eavesdropping on the connection cannot read it. Never enter any sensitive information or login credentials into websites that do not display this security feature.
Also, make sure that the websites you visit are reputable and well-established. Many fly-by-night scam operations seem to pop up this time of year offering unrealistic, steep discounts on popular high-end items such as electronics and designer clothing and accessories. The scammers behind these websites either take shoppers’ money without delivering the orders, send knock-off items or products that fall short of the item description, or they rope unsuspecting customers into expensive recurring subscription fees.
Using mobile apps to shop this year? Make sure they’re safe and don’t contain malware.
Using applications on mobile devices can be an easy and convenient way to shop, and many online retailers even have their own apps for you to download and use. However, proceed with caution, as mobile apps can lead to security woes if users are not careful. Only download apps from a trusted source such as an official app marketplace and refrain from downloading apps from third-party app stores, as they often contain malware and adware. Even when downloading an app from an official marketplace, be sure to review the app’s ratings and reviews to see if other users have complained of unusual behavior. Before installing any new app, verify that the permissions requested match the app’s advertised functions. Be especially wary of apps that request access to your device’s contacts, your location information, or camera and microphone functions if there is no legitimate need; developers of such apps will likely extract that data and use it for either marketing or surveillance purposes. And never install apps that require root access, since that gives the app full control of your device.
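The permission check described above, automated for anyone vetting apps in bulk: an added example that is not part of the NJCCIC article. It parses a constructed AndroidManifest.xml (the package name and the sample app are hypothetical; the permission names are Android's real ones) and flags the contacts, location, camera and microphone permissions the article names whenever the app's advertised functions do not account for them.

```python
import xml.etree.ElementTree as ET

# Permissions the article singles out as needing a legitimate reason.
# These are Android's real permission names; the categories are ours.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# The android:name attribute lives in the Android XML namespace.
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"


def requested_permissions(manifest_xml: str) -> list:
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NAME, "") for el in root.iter("uses-permission")]


def unexplained_permissions(manifest_xml: str, advertised: set) -> dict:
    """Map each sensitive permission to its category when the app's advertised
    functions (e.g. {"camera"} for a barcode scanner) do not justify it."""
    return {p: SENSITIVE[p] for p in requested_permissions(manifest_xml)
            if p in SENSITIVE and SENSITIVE[p] not in advertised}


# Constructed manifest for a hypothetical shopping app: it only needs network
# access, yet it also asks for contacts, precise location and the microphone.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.holidaydeals">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

if __name__ == "__main__":
    # A shopping app advertises no feature that needs any sensitive access.
    for perm, why in unexplained_permissions(SAMPLE_MANIFEST, set()).items():
        print(f"no stated need for {why}: {perm}")
```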
Avoid acting on suspicious email links, pop-up advertisements, or unsolicited attachments.
Cyber criminals know just how busy you are this time of year and hope that you’ll be less likely to scrutinize what’s in your inbox. Emails that seem to originate from legitimate retailers may actually be spoofed and contain links to malicious websites. Also, be on the lookout for emails that try to create a sense of urgency, as scammers use this tactic to trick victims into acting quickly without thinking. Emails with subject lines such as “Account Suspended” or “Limited Time Offer” may be a ruse designed to get you to click on a malicious link or open a malware-laden attachment. If you ever have any questions or concerns regarding any of your online accounts, visit the website directly by typing the web address into the URL field of your browser and log in from there. Never enter your login credentials through a site you reached by way of a link in an email. If you receive an unexpected link or attachment from a known sender, contact them directly to verify its legitimacy. Additionally, avoid clicking on links in pop-up advertisements and links hidden behind URL shorteners such as Bitly and TinyURL, which conceal the real destination. These links can redirect you to phishing sites or websites designed to deliver malware to your machine.
Think twice before downloading browser extensions, especially those for Google Chrome.
There are a number of web browser extensions that promote the ability to save you money by searching for the best deals and coupons every time you shop. Although many are legitimate and don’t put the security of your system or data at risk, there have been several malicious browser extensions discovered in the Chrome Web Store recently. Research browser extensions prior to installation, read user reviews, and pay close attention to what permissions are requested.
Strengthen passwords and consider using a complex passphrase that is easy to remember and difficult for criminals to guess.
Tips for creating secure passwords can be found here on the NJCCIC website. Use different login credentials for different websites; never use the same password for more than one account. Make sure that your answers to challenge questions cannot be discovered via social media or public record databases (pet’s name, mother’s maiden name, hometown, etc.).
Enable two-factor authentication (2FA) on all financial, email, and online shopping accounts.
Be sure to enable 2FA on every account that offers it, as this will help prevent cyber criminals from gaining access even if your username and password have been compromised. The website TwoFactorAuth.org maintains a comprehensive list of websites that offer 2FA.
Do your online shopping at home.
Never use public computers, such as those at a library or hotel, or public Wi-Fi connections to log into personal accounts or conduct online shopping. Public computers could be infected with malware designed to steal your information, and hackers can intercept network traffic traveling over unencrypted Wi-Fi signals.
Use credit cards instead of debit cards for shopping transactions, if possible.
While both payment methods pose a risk if compromised, debit cards do not carry the same consumer protections as credit cards, which limit the victim’s liability in the event of fraudulent charges. Also, it can take longer to recover funds stolen from a debit account and, in some circumstances, there is no guarantee that all funds will be returned to the victim. Use one credit card to do all or most of your holiday shopping to more easily identify unauthorized purchases. Use the chip-and-PIN option when available or consider using a mobile wallet app.
Be vigilant for suspicious-looking ATMs.
If you’ve chosen to shop using cash this season, be careful when using ATMs. The use of ATM skimmers by profit-motivated criminals has been on the rise. Keep an eye out for suspicious keypads, loose wires and parts, and cameras pointed towards the keypad. Only use ATMs that are in well-lit, high-traffic areas, and avoid ATMs that have no distinct bank affiliation. In addition to avoiding the high fees often charged by third-party ATMs, you will be less likely to encounter security issues with ATMs of well-known financial institutions, as they often have security features in place to prevent tampering and to monitor activity taking place near the ATM. With ATM malware available for sale on the dark web, it is crucial that any suspicious ATM activity be reported to law enforcement as soon as possible. Check your account balances often and report fraudulent charges immediately. For more information on ATM skimming, please see the FBI’s infographic here.
Enable transaction notifications through online banking and smartphone apps.
Consider setting up alerts with your bank and credit providers to be notified in the event of unauthorized transactions or certain activities, such as charges over $100. Many financial institutions now offer the option to receive a text message or smartphone app alert every time a transaction is charged to your account.
Keep all software and applications up-to-date with the latest security patches.
Vulnerabilities in unpatched software can be exploited by hackers who want to gain access to your system, device, or data. Keep apps and computer software updated, keep your firewall on and configured properly, and use reputable up-to-date antivirus software.
We hope you've found these tips helpful and we here at the NJCCIC wish all of you a cyber-safe and happy holiday season!