Cyber Tips for the Holiday Shopping Season

By Krista V. | Cyber Threat Intelligence Analyst

With Black Friday, Cyber Monday, and the rest of the holiday shopping season upon us, the NJCCIC compiled the following tips and best practices to help all of our members stay safe in stores and online. The holiday shopping season is one of the most attractive times of the year for money-hungry criminals and fraudsters to take advantage of eager shoppers and unsuspecting victims.

According to the National Retail Federation, American consumers plan to spend an average of $935 during this year’s holiday shopping season. Holiday sales are expected to increase 3.6 percent during November and December and online sales are expected to increase between seven and 10 percent from last year, to as much as $117 billion. According to the Adobe Digital Index, consumers spent over $5.8 billion over Black Friday weekend and Cyber Monday in 2015.

The NJCCIC encourages our members to take proactive steps to reduce their risk and make it harder for cyber criminals to succeed this holiday season.

Proceed with caution at retail locations that do not accept Chip-card transactions.

  • If you encounter a point-of-sale terminal with a note covering the slot saying “no Chip cards” or “must swipe”, consider using cash instead of a card – or, consider a smartphone payment option such as Apple Pay or Android Pay.

  • If cash or smartphone payment is not an option, use a credit card as opposed to a debit account. If your debit card information is compromised in a data breach, criminals can drain your checking account with no guarantee you will recover all of the funds.

Enable transaction notifications through online banking and smartphone apps.

  • Set up alerts with your bank and credit providers to be notified in the event of unauthorized transactions or certain activities, such as charges over $100.

  • Many financial institutions now offer the option to receive a text message or smartphone app alert every time a transaction is charged to your account.

Take advantage of credit monitoring or identity theft insurance, when offered.

  • If your data was compromised in one of the many breaches that occurred over the last two years, sign up for any free credit monitoring or identity theft insurance services offered by the company. If you are eligible for coverage, you should have received a letter in the mail with information. You can always search for past data breaches by querying a search engine for the company name + “data breach”.

  • For additional information, visit the Identity Theft Resource Center.

Enable two-factor authentication (2FA) on all financial, email, and online shopping accounts.

  • If a website offers 2FA, be sure to enable it as it will prevent criminals from gaining access to your accounts, even if they obtain the password.

  • Check out this site for an extensive list of websites that offer 2FA:

Perform basic “cyber-hygiene” on all devices used for shopping, banking, etc.

  • Keep your operating system and all software applications updated.

  • Download antivirus/antispyware software and set it to update automatically.

  • Confirm that your firewall is enabled and configured to a secure setting.

  • Secure your home Wi-Fi signal with a strong password.

  • Remove any unnecessary software/apps and avoid downloading apps from untrusted sources.

  • Check out “Ten Ways to Improve the Security of a New Computer” from US-CERT.

Look for “HTTPS” and a lock symbol in the URL field of your browser when shopping or banking online.

  • The “s” in “HTTPS” stands for “secure” and indicates that communication with the webpage is encrypted.

  • Do not enter any login credentials or personal/financial information into any website that does not display this security feature.

Never use public computers or public Wi-Fi for online shopping.

  • Public computers may be infected with malicious software designed to steal your payment information and website login credentials.

  • Open and unsecured public Wi-Fi hotspots can allow criminals to intercept network traffic and steal credit card numbers and other confidential information.

  • Ensure your home Wi-Fi is securely configured; tips from the NJCCIC can be found here.

Be vigilant for suspicious-looking ATMs and point-of-sale readers.

  • Keep an eye out for suspicious keypads, loose wires and parts, and cameras pointed towards the keypad. If something doesn’t look right about the machine, don’t use it.

  • Skimming devices pose a significant financial threat. According to the Fair Isaac Corporation, 2015 saw the highest ever number of ATM compromises in the United States, a 546 percent increase from 2014.

  • Check your account balances often and report fraudulent charges immediately.

  • For more information on ATM skimming, please see the FBI’s infographic here.

If possible, opt for using credit cards instead of debit cards for shopping transactions.

  • While both payment methods pose risk if compromised, debit cards do not carry the same consumer protections as credit cards, which limit the victim’s liability in the event of fraudulent charges. Also, it can take longer to recover funds stolen from a debit account, and in some circumstances there is no guarantee that all funds will be returned to the victim.

  • Choose one credit card to do all or most of your holiday shopping to make reviewing for unauthorized purchases easier.

  • Use the chip-and-PIN option when available or consider using a mobile payment option. More information on these options is detailed in the NJCCIC blog.

Always use complex passwords and challenge questions on accounts.

  • Tips for creating secure passwords can be found on the NJCCIC website, here.

  • Use different passwords for different websites; don’t use the same password across multiple accounts, particularly those that store your financial information.

  • Make sure that your answers to challenge questions cannot be discovered via social media or public records websites (pet’s name, mother’s maiden name, hometown, etc.).

Never click on suspicious links, pop-up advertisements, or open unsolicited attachments.

  • These are often used by attackers as a way to deliver malware onto your computer or mobile device.

  • If you receive an unexpected link or attachment from a known sender, contact the sender to verify.

  • Pop-up advertisements, as well as ads on web pages, can deliver malware, a tactic dubbed malvertising.

Beware of telephone and Internet scams and offers that sound too good to be true.

  • Never click on links or advertisements claiming to give away expensive gifts and prizes. Chances are, these are links to malicious websites.

  • Attackers will take advantage of the holiday season by sending phishing emails with images of seemingly legitimate coupons for popular retail stores that are embedded with or link to malware.

  • Do not forward chain letters or share social media status updates that promise a reward after so many “shares” or “likes.”

  • Avoid shopping on unfamiliar websites that offer luxury goods at unusually low prices.

  • Never provide your personal or financial information over the phone or via text messages.

  • Never reply to any text message requests for validation codes; attackers are using this tactic to gain unauthorized access to personal accounts.

Report any suspicious activity or malicious cyber activity.

  • Businesses: If your business is the victim of a cyberattack or breach, contact the NJCCIC as soon as possible.

  • Citizens: If you are the victim of identity theft, financial fraud, or malicious cyber activity, report it to your local police department immediately and obtain a case number.

  • Consider reporting cyber incidents to the FBI IC3 here.

  • For identity theft, contact the three credit bureaus and file a report with each of them.

  • Consult the New Jersey State Police identity theft reference guide here for more information.

Have a safe and happy holiday!