By Andrew Ramspacher, fpa5up@virginia.edu
Aside from gathering with family and exchanging gifts, millions took part in another modern holiday tradition: entering first and last names, home addresses, email addresses, phone numbers, and credit card information on websites.
Online shopping again proved a highly popular way to purchase presents this holiday season. Adobe Analytics, which tracks more than 85% of the top 100 online retailers in the United States, reported that consumers spent a record $9.12 billion online on Black Friday alone.
And while there’s instant reward associated with finding that perfect gift after scouring the internet, there’s also long-term risk.
University of Virginia Professor Chris Maurer is a cybersecurity expert at the McIntire School of Commerce. We caught up with him to review safe online shopping habits, ways to protect against identity theft, and steps to take if your identity’s been compromised.
Consider this as a way for holiday shoppers to back-check themselves or to make better digital hygiene part of their New Year’s resolutions.
When shopping online, you’re providing a lot of personal information. Does that increase the risk of vulnerability to identity theft?
At most major reputable retailers, it shouldn’t significantly increase the risk. They have adequate controls in place to encrypt that information. But that’s all assuming you’re not communicating this over unencrypted public Wi-Fi channels. That can increase the risk of bad actors intercepting some of that information wirelessly.
But a lot of the major retailers really do a pretty good job of processing those transactions. The one thing that does occasionally add to your risk profile is when you save and store your credit card information with major retailers. The reason that would potentially increase the risk profile is not that someone could be intercepting that transaction and stealing your identity and credit card information, but if there’s a breach at that company. So, Walmart or Amazon, if they suffer a data breach in some other capacity, then having your credit card information on file obviously increases the risk that a malicious actor could gain access to that information.
One thing you can do to better your digital hygiene practices is just to not save credit card information with retailers. It’s a bit of a pain to type it in every time, but that certainly can be one way of reducing your risk overall.
You mention the major retailers being secure with customer information, but what about the startup companies selling specialty products? These companies seem to pop up often on social media, especially during the holidays, presenting gift ideas.
Yeah, I see them on Instagram. With those, there’s always risk of them having that startup mentality: “Hey, we have an idea; let’s get a product out there; let’s start promoting it; let’s try to drive a whole bunch of traffic.” And for those types of companies, security’s not always their first thought. Growth is their first thought. They want attention, they want people there, so a lot of times they’re going to use off-the-shelf software to process those credit card transactions.
And there’s reasonably free or cheap software to process online transactions, and it’s generally pretty good. There’s not any major risk or vulnerabilities with using those types of platforms, such as Shopify. So your credit card information may be safe, but really, it’s a matter of what other data they are collecting about the transaction. What might they be doing in addition to just processing that credit card number? So, there’s definitely some additional risks with those types of companies with someone gaining access to a credit card number that shouldn’t have it.
What are the best ways to check the legitimacy of those startup retail companies?
There are websites that will aggregate reviews. Obviously, through Google, you can search for the company name and look for reviews that way, but there’s also sites like Trustpilot.com and ResellerRatings.com that report aggregated customer experiences with various e-commerce sites. Consumers will report things like, “Hey, I ordered this item and I never received it,” or “I did receive it, but the shipping was slow.” So you can kind of get a sense of the reputation if it’s an unknown company to you.
A big red flag can come through looking at information about the company. So, you scroll the company’s website and click on the “About us” or “Contact us” page, and if they don’t have any information about where they’re located or who they are or anything else, then that’s highly suspicious.
There have been some of these scammer-related sites that sometimes get promoted on Instagram and social media. They put an address on there just so that it looks like they’re real, but if you look that address up, it’s an apartment in Milwaukee, WI. And it’s like, “Is someone really running a wholesale distribution out of an apartment in Milwaukee?”
So, you can look to see if there are ways of getting in touch with this company if something goes wrong. Do they have a physical address that seems to be a legitimate business? Look at Google review or other review sites to see the legitimacy of it. Doing that goes beyond cybersecurity, too, because we all have to deal with returns and other things, so it gives you some comfort in just dealing with this company, just from a safety perspective and assurance that you actually get what you’re wanting.
What’s another threat when shopping online?
There’re the fake companies out there. With the advent of Google Shopping, a lot of these aggregators will find you the lowest price on a product. In almost every case, if the price is too good to be true, it’s fake. It’s a scam. You’re not going to get the product; they’re going to harvest your credit card number and that’s it.
Google does a decent job of filtering some of that out, but they don’t filter everything out. There are some companies that do slip through the algorithms and advertise that they have these products at a cheaper price than anyone else on the internet to lure you in to divulge that sensitive information. And in almost every case, that is a scam. They’re just trying to get that data from you.
What’s the best way to protect yourself from a breach of personal information online?
The #1 thing is just to enable two-factor authentication. Any time you are creating an account and logging into your bank or retailer, if it gives you an option to enable two-factor authentication, that’s going to be the #1 way of protecting your account and your personal information. In most cases, the two-factor authentication is extremely difficult for the casual scammer to overcome.
What are some good ways to monitor potential identity theft?
In terms of online monitoring, all the typical things like running regular credit reports just to check on open accounts and available credit and things like that. Nowadays, there are plenty of free options to do that.
Other simple things are looking at your credit card statement and making sure all transactions are legitimate. The credit card companies are pretty good at fraud protection, so when they see something that looks a little bit out of the ordinary, they typically flag it. But it’s good to keep an eye on those things. When credit card fraud detection is enacted, they will send you a text message or an email saying, “Hey, there’s this potentially suspicious activity on your account.” And a lot of times, those are legitimate. But unfortunately, scammers can also send those types of messages as a phishing attempt to try to trick you into divulging that information.
As you are reviewing things or as you receive alerts or notifications about things, it’s always good to pause before taking action. When you receive a notification, there’s no reason to panic. You don’t have to act in this very second. Just take a minute and pause and think about if this is a legitimate request and if it’s actually coming from the bank. If there are links or buttons in the email, check to make sure it’s taking you to that company’s website. It might look like it, but if you actually hover over it, you’ll see the actual link address and it might be pointing somewhere different. If you do happen to click on it, before you enter any passwords or anything else, just double-check to make sure you’re going to a site with the little lock icon saying it’s a secure connection and that the web address is actually for the company you believe you are interacting with.
Is freezing credit a good practice that everyone should think about doing?
My personal stance on this – and this might not be shared by everyone out there – is that if you know there are no reasons for you to be opening any new credit, it is not a bad thing to call the three major credit bureaus (Equifax, Experian, and TransUnion) and freeze your credit and basically publish to the world that under my information, there is absolutely no need for anyone to consider a credit application.
The challenge with that is you may forget that you’ve frozen your credit and then you total your car and you’re needing to go get a car and then you have a lot of issues with actually processing the paperwork to get the car. So, it can create some issues down the road, but if you are extra sensitive with the risks associated with these things, then that absolutely is a good way of ensuring that no new accounts can be opened in your name and no credit can be extended.
If you have evidence of your identity being stolen, what should you do next?
Your first step would be to contact all three of the major credit bureaus to freeze everything across all of them. At that point, you can get a credit report showing any new accounts or other things that have been opened in your name and just work to close them down.
The good thing is that we have laws in place that will protect you financially, so in most cases, you should not suffer significantly from a financial perspective for something someone else does in your name. It’s really just a pain and a time-sink and just a challenge and hassle to go through everything. You just kind of need to put your auditor cap on and just carefully review each of the open accounts in your name and work with each individual provider, bank, etc., to shut those accounts down and confirm the accounts that are still valid or that you do need. That would be your logical step.
When’s the biggest threat to your identity while traveling?
Being on public Wi-Fi is a big one. Public Wi-Fi, generally speaking, is not necessarily encrypted to the same strength as we have on Grounds or with the most common home routers and things like that. So, the encryption of what is being sent from your computer to the servers and to the internet can be much more open. There is also an increased risk when you’re in hotels and coffee shops and places like that, that there could be potential bad actors on networks.
When you see the lock icon in your browser, that partly limits the exposure because that information is being communicated in an encrypted manner, so that certainly helps. However, it’s still a good idea to minimize the amount of sensitive information that is being communicated while on public Wi-Fi networks.
You can get around that by using a VPN service, to some extent. So, if you are constantly connected to a VPN service, even on a public Wi-Fi network, that would add a layer of protection beyond what you would typically do. So, again, if you’re ultra-conscious about the information you share online and transmit to websites and you do a lot of traveling, then potentially considering using a VPN for that can be a benefit, for sure.
But for the casual consumer, just minimizing and trying to limit the extent to which you share some of that information on public Wi-Fi is generally acceptable and good enough.
This story was originally published on UVA Today Jan. 6, 2023.
