Online Shopping Safety 101: the Best Tips by Cybersecurity Experts

Roberto Popolizio

Black Friday, Cyber Monday, Christmas, your birthday… All great times to find some cool deals, but also to remember the risks of online shopping and how to buy online safely.

In fact, it’s during this period that we all go on a shopping spree for the gadgets we need so badly, while fake goods, scam sites and phishing emails flood the internet and our inboxes to lure us into buying fake stuff and giving away our sensitive data. It’s an issue that affects nearly 1 in 3 people, according to a survey conducted by Norton.

To help you avoid losing money or, even worse, having your online identity stolen by hackers, we interviewed a pool of cybersecurity experts to help us create the most comprehensive online shopping safety checklist.

Follow all these tips for safe online shopping to avoid scammers and fraud during Black Friday, Cyber Monday, Christmas or any other day of the year.

Let’s start.

Remember: These measures don’t prevent all cyber crimes, but they make you a more difficult target

Start from your default security settings

You can’t always avoid being targeted by cybercriminals, but you can keep your personal and financial information secure by taking steps to prevent them, starting from your devices and the websites you will buy from.

Many websites’ privacy functions are basic or turned off by default. Make sure to review what privacy and security options are available to you and enable them, and also enable alerts and notifications on all your accounts to ensure you are apprised of any suspicious activity that arises.

You must move from security by design to security by default

Keep your antivirus and every other piece of software up to date, but please do not presume that antivirus software will shield you from all internet risks and infections. It won’t. It’s a fantastic tool to defend yourself from most dangers, but it’s not impenetrable. You must still exercise caution when searching for and exchanging information online during your shopping.

Start on the right foot by adding an email protection tool to protect your email from viruses, keyloggers, trojans, and other malware, and set up an email address that you will use solely for buying online. A dedicated email address for shopping online will reduce the number of spam messages you receive and allow you to filter out the fake promotions in your primary email more easily.

If you are a Windows 11 user, lucky you: you can easily and cheaply remove malware in 5 steps:

  1. Open the Windows Security settings
  2. Select Virus & threat protection > Scan options
  3. Go to Windows Defender Offline scan, and select Scan now
  4. Wait about 15 minutes until your PC reboots
  5. Select Virus & threat protection > Protection history to check the report from your scan

Remember that regular updates and patches also fix bugs, improve features, or help the app operate more effectively. Err on the side of security with new account creations by leveraging identity proofing tools, monitor your riskiest API calls and aggressively review your highest-trafficked target pages for exploitable weaknesses.


Prepare for the most common cyber threats

The most common methods of attack that you’ve experienced in prior holiday seasons are exactly the ways you’ll be attacked this year too, because of the success the bad guys have had in that same time period. This is a point made by Evita Lopez, the Head of Advertising Department at vpnBlade, who reminded us that the best way to avoid scams on Black Friday is to educate yourself on the different scams that you may run into when doing your online shopping, as well as scams that are specific to Black Friday itself. When you know what to look out for, you’re going to be a lot less likely to actually fall for scams in the first place.

Scams like identity theft, fake charity scams or fake orders become more relevant at this time of year, and Magecart or e-skimming attacks also get more problematic during these times of the year. Preventing a Magecart attack starts with understanding your third-party vendors, and it is the responsibility of retailers to vet them thoroughly before introducing them into the system.

Skimming is a type of scam where criminals install devices at gas stations and ATMs that gather credit card numbers when you swipe them. Digitalization has transformed that practice: when you check out at a retailer’s website, cyber thieves can install malicious code that gathers credit card information.

Then there is the one most beloved by hackers…

Before clicking, stop and think “PHISH”

The following “PHISH” acronym offers a fun way to remember simple best practices to deter even the most sophisticated cybercriminals:

  • PAUSE: We’re all in a hurry but take a moment to examine every email before clicking on anything.
  • HOVER: Hold your cursor over any link to make sure the destination matches and looks legitimate before clicking on it.
  • INSPECT: Check the email and see if anything looks off, such as easy spelling/grammar errors, fuzzy graphics, etc.
  • SOURCE: Rather than clicking on a suspicious link that requests sensitive information, go directly to the website, and confirm whether the requesting organization is really asking for it.
  • HELP: If you aren’t sure if an email is legitimate or not, ask for help or call the person/organization directly to confirm it’s not a phishing request. Never be afraid to ask for help.

You should definitely be wary of any email promoting “holiday deals” hitting your inbox, and if a deal is “tempting,” stop and think before clicking the link. A good practice is not to click the link at all, and instead visit the merchant’s website. Moreover, have you ever been notified by a familiar-looking service that your payment is past due or that your account needs attention? You should be cautious. Phishing scams are on the rise and can cost you dearly.

Pay attention to the details. Do NOT skim when reading. The crooks know this. They’ll use an address that looks correct, but they’ll replace an “I” with the number “1” or an “O” with a “0”. Open your browser and go to the website independently rather than clicking on links in emails or downloading attachments, and verify the email warning by checking your notifications on the site to ensure it is real.

Look at the URL of the website or the email address of the sender. For example, is not a real Amazon email address.

Bonus email security tips:
  1. A DNS protector. Phishing websites are scam websites that may be difficult for the human eye to detect. A DNS protector is a tool that verifies a website address that you go to is actually a valid DNS record. A DNS protector will spot that “0” instead of “O” that is difficult for a human to catch.
  2. Backup everything, including your Google Suite/Workspace, Microsoft 365, etc. on a regular basis.
  3. Scan incoming emails with a tool like Barracuda, Mimecast, or Proofpoint. These tools check for records that confirm that the sender is actually the appropriate sender.
  4. Consider using an alias name and masked email. Vendors share and sell your information. If you use alias information they won’t be sharing the real you.
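As an added illustration of the URL and sender-address check described in this section (example code written for this page, not from the article or any of the quoted experts), the following Python flags links or sender addresses whose domain is a character-swap lookalike of a trusted shopping domain, or that bury a trusted brand name inside another domain; the trusted list and the sample addresses are constructed.

```python
# Added example, not from the article or its contributors: flag links or
# sender addresses whose domain is a character-swap lookalike ("0" for "O",
# "1" for "l"/"I", "rn" for "m") of a trusted shopping domain, or that bury
# a trusted brand name inside another domain. The trusted list and the
# sample addresses at the bottom are constructed for this example.
from urllib.parse import urlparse

# Constructed allow-list; in practice use the shopper's own bookmarks.
TRUSTED_DOMAINS = {"amazon.com", "paypal.com", "etsy.com"}

# Swaps scammers rely on, in the order they must be undone (two-letter ones first).
CONFUSABLE_SWAPS = (
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("i", "l"), ("3", "e"), ("5", "s"), ("8", "b"),
)


def fold(text):
    """Lower-case the text and undo the common confusable substitutions so that
    'amaz0n', 'paypa1', 'paypaI' and 'arnazon' compare equal to the real names."""
    text = text.lower()
    for fake, real in CONFUSABLE_SWAPS:
        text = text.replace(fake, real)
    return text


FOLDED_TRUSTED = {fold(d) for d in TRUSTED_DOMAINS}


def host_of(value):
    """Return the host of a URL, or the domain part of an e-mail address, lower-cased."""
    value = value.strip()
    if "@" in value and "://" not in value:          # e-mail address
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:                           # bare host such as www.amaz0n.com
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def classify(value):
    """Return 'trusted', 'lookalike' or 'unknown' for a link or sender address.

    Only 'trusted' means the exact domain is on the allow-list; anything else is a
    cue to type the merchant's address yourself instead of clicking, as the article advises."""
    host = host_of(value)
    if not host:
        return "unknown"
    # Last two labels, e.g. 'amazon.com' from 'www.amazon.com'. (Country domains such as
    # 'amazon.co.uk' would need a public-suffix list; kept simple for the example.)
    domain = ".".join(host.split(".")[-2:])
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if fold(domain) in FOLDED_TRUSTED:
        return "lookalike"               # e.g. amaz0n.com, paypa1.com, arnazon.com
    for trusted in TRUSTED_DOMAINS:
        brand = fold(trusted.split(".")[0])
        if brand in fold(host):
            return "lookalike"           # e.g. amazon.com.deals-example.net, amaz0n-support.com
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links and sender addresses, as they might appear in a holiday e-mail.
    samples = [
        "https://www.amazon.com/deals",
        "http://www.amaz0n.com/login",
        "https://paypa1.com/verify",
        "http://amazon.com.deals-example.net/black-friday",
        "orders@arnazon-shipping.com",
        "support@paypal.com",
        "https://example.org/shop",
    ]
    for sample in samples:
        print(f"{classify(sample):9}  {sample}")
```

A legitimate domain that merely contains a brand word will also be reported as a lookalike; that is deliberate, since the safe response to anything but "trusted" is the same: go to the site directly.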

Beware of fake products, fake stores… Fake people!

Fraud has become an expected part of everyday life. Consumers hold a grim view of the future, with 56% expecting fraud attempts to rise (up from only 38% in 2021). 19% reported that a new account, such as a bank, credit card or eCommerce account, was opened in their names without authorization in the last 12-18 months. During the same time period, 17% of those surveyed were victims of identity fraud.

While the underlying reasons behind fraudster holiday favorites don’t change, the specific items they target the most shifts year-over-year. Here are the items that are storming the fraudster charts so far this holiday season:

  • Cozy fleeces – A range of brands are popular with fraudsters when it comes to these snuggly items, but they’re especially into the ones that are mid-range when it comes to price; not the cheapest ones available, but not the luxury versions that might get extra scrutiny. Easy to resell as people are shopping for winter weather, these items have great ROI.
  • The latest and greatest fashion sneakers – Sneakers are hot items on the criminal side all year round, and the holidays are no exception. Bots are particularly prevalent in this industry, making attacks en masse especially common.
  • Household necessities – Consumers often buy niche items online to match their specific appliances or household needs. It can be easier to get precisely what you need online. Fraudsters, however, prefer generic items and parts, which are easier to resell, and they’re still going after them during the holidays this year.
  • Cell phones – Everyone needs a good cell phone, and fraudsters seem to agree. Cell phones are both relatively high-ticket items and easy to resell, making them a golden combination for fraudsters.
  • Gaming – Both consoles and digital goods are popular with fraudsters this year. Often the popularity of a particular console or new game with virtual goods will outstrip others, but this year they’re attacking a pretty even spread. That might shift, of course, as the holiday season continues.
  • Gift cards – The season of buying gift cards hasn’t fully kicked off for consumers yet. In previous years, the trends show this generally spikes after Black Friday and Cyber Monday. But fraudsters aren’t waiting. They’re going after fashion store gift cards in particular compared to the rest of the year.

Fake charity scams are unfortunately becoming another common holiday season scam. Always make sure to research any donation-based ads on social media before giving to avoid being phished. Scammers will most often take out ads on social media, impersonating or claiming an association to a major charity, and then steal the information of those who blindly donate. If this scam happens to you, inform the FBI’s Internet Crime Complaint Center right away.

If you intend to order from a website you’ve never used before:
  1. Read a lot of reviews. A good place to find out if they are an upstanding ecommerce store is Reddit. Simply search “ reddit” and you will be able to find some information on them. Keep in mind that any store with ONLY amazing 5-star reviews is most likely faking them. Beware. Every business has misunderstandings and missteps, so there should be a negative review or two, because they are unavoidable. As long as the negative reviews were addressed by the company and made right, they’re good business people. Also keep in mind that some people are impossible to please and only leave negative reviews.
  2. Deal with websites that have HTTPS in the URL, where data transferred between the web browser and the website is encrypted for enhanced protection. However, it is important to know that HTTPS only means the traffic is encrypted in transit; you still want to be 100% sure that the website you are shopping at is also a trusted vendor.
  3. Take the time to confirm the website’s URL (spelling counts!), contact information, and social media pages. Don’t forget to watch for bad grammar, and research the domain.
  4. When making a purchase, consider using a web browser on a desktop computer rather than a mobile device (which can make it harder to inspect the URL).
  5. Watch out for requests for alternate forms of payment, such as gift cards or wire transfers – scammers prefer these payments because they are harder to trace – and remember that legitimate sellers never ask for sensitive information like your date of birth or Social Security Number for any purchase. Criminals can use that information to steal your identity.
  6. Too good to be true is generally a scam. Triple check it and maybe even ask a friend to take a look. Buying things from reputable places is always going to be safe. No one really wants to give you things for free or for significantly less than they are worth.
  7. Always be wary of websites that claim you have randomly won a prize or another reward during your online shopping experience. Businesses never give away things in pop-up ads or by asking for your credit card number, debit card number, or other personal information. These are the top signs that a threat actor is asking you for sensitive information.
  8. Do NOT buy through direct messages on social media platforms, and be extra wary of social media ads promoting deals.

Secure your online payments

Paying with a third party like PayPal, Venmo, or Amazon can protect you from e-skimming, since the retailer never receives your credit card number. In addition, you can keep your information private by creating a virtual credit card.

In the UK alone, authorized payment fraud (scams) is the most common form of fraud in 2022, and consumers should remain vigilant to this tactic as Black Friday nears.

Criminals will use phone calls, text messages, emails, social media posts or fake websites to scam people into handing over personal details. They’ll then use this information to trick people into authorizing a payment, which makes it difficult for banks to trace the masterminds behind the attack.

Even for those who do fall prey to these scams, innovative behavioral biometric technology can detect and prevent fraud. The tech examines how people interact with devices and apps, providing insights into unusual behavior that deviates from the customer’s usual patterns. For example, a user who has always used the scroll bar suddenly navigates with the mouse wheel, which they have never done before.

Use a secure credit card, not a debit card, when shopping online

Credit card transactions are more easily traced online, and you get more protection. You can dispute fraudulent charges, easily replace any items broken in shipping, and not be liable for them.

When you use a debit card it automatically extracts funds from your account and you lose your cash without recourse. You would be surprised how many people make this mistake.

Any business that is still swiping cards is a huge red flag, especially after card skimmers were found in self-checkout kiosks at Walmart a few months ago. Also, after you put the chip in, run it as a credit card to avoid using your PIN with people all around, and to have better protection against fraud than when using it as a debit card.

Use a masked credit card (many are free). Each card can only be used with one online store, so if your payment data were to somehow get stolen or leaked, it would only work at Etsy or whatever website you were on when you made a purchase with the card.

Best of all, don’t pay with a card at all. Instead, pay on package arrival whenever possible.

With that being said, debit and credit card issuers will usually cover you against fraud, but keep an eye on your bank accounts throughout the Black Friday weekend to ensure only the amounts you’re anticipating to be debited are going out, and keep the receipt and order confirmation number. These are typically delivered to the email address you provide when placing your order. Receipts are crucial for order tracking as well as for other potential issues like warranty and returns.

Hide your personal information

When it comes to breaches, the responsibility is on the protection layers the company has in place.

What kind of information are they collecting from their customers? Where are they keeping it?

Thankfully, companies have realized this vulnerability and have taken the proactive approach of redacting, removing or replacing Personally Identifiable Information (PII) from their servers wherever possible.

For example, “Roberto Popolizio at @Rob_Popolizio wants to know more about cyber security” would read: [NAME_1] at @[USERNAME_1] wants to know more about cyber security.

However, that’s far from being enough, so it’s no surprise that 82% of U.S. consumers don’t trust that companies are protecting their private data enough. Hard to blame them after giants like Uber, Samsung and even Neopets were victims of data breaches in the second half of 2022 alone.

Keep your information on websites to a minimum, and be cautious while sharing it. Some websites might ask you for information like your mother’s maiden name or other sensitive data that could be used to steal your identity. Take precautions to protect this information. Moreover, don’t agree to save your credit card information, as it makes it possible for anyone with access to your account to use your card credentials.

Where possible, it is best to proceed as a ‘guest’ when checking out. Only if you shop frequently should you consider creating a profile; however, always remember to use unique passwords.

Always use a private browsing tab when you can. This stops cookies, which can track your online surfing behavior, from being stored on your computer. When you shut down your computer for the day, clear your cookies and history if you can’t browse privately. If you decide against browsing in private, make sure your browser is secure.

The Safari browser tracks what you search online and offers suggestions based on past searches, in addition to providing a list of recently visited sites in the Bookmarks folder. However, there are times when you want privacy when going online. In the browser, click History, and then click Clear. Choose Clear All History to start over and erase all past searches, or clear specific periods by selecting the last hour, today, or today and yesterday.

Scammers also like to use information taken through a data breach (for example, your number or date of birth ends up on the dark web) to find vulnerable targets. They then cross-reference that breach data with what’s available in public records, like former addresses, so they can formulate a convincing text or email.

Keep an eye on where your information is, change your passwords frequently, and protect yourself with comprehensive cyber insurance.

Consider using a PO box or professional mail box to ensure no one takes packages off your doorstep. They are relatively cheap and very effective. They also prevent online merchants from learning and sharing your true address.

Avoid Using Public Wi-Fi

Public Wi-Fi is a haven for cybercriminals. It never fails to hand them valuable data, because the people using it become easy targets. Public Wi-Fi makes it convenient for attackers to join the same network and intercept data in transit from there. By doing this, the attacker may be able to read the data you type on your device, particularly when you complete a purchase.

Again, reputable antivirus software is needed, and, if you really must use a public connection, do it over a VPN (virtual private network) that encrypts your transmissions. This way your data traffic won’t be easily intercepted by hackers who have access to the public Wi-Fi. Many VPNs are free, so before selecting one to use whenever you browse the internet in public places, be sure to read up on the reviews for each brand.

You should also be sure to disable the “Auto Connect Wi-Fi” or “Ask to Join Networks” settings. Since cybercriminals often use Wi-Fi access points with common names like “Airport” or “café,” your devices could inadvertently auto-connect without your knowledge. In any case, using your cellular personal hotspot instead of public Wi-Fi is always preferable.

Enable Multi-factor authentication

It is not uncommon for people to disable 2FA even though it provides an extra layer of security to phones. Without it, other users who know your password could access your account. If your phone is not protected by two-factor authentication, they may be able to use your information to purchase apps and music without your permission. With it, a verification code must be entered every time someone accesses your account.

MFA is an even better tool for everyone in the digital world, from consumers to IT workers. But during the holiday season it is crucial to acknowledge the well-known weaknesses of the method. MFA is a proven target for social engineering, and with the substantial uptick in online traffic during the holiday season, e-commerce organizations must take steps to educate their consumers, or provide tool-tips during the customer sign-in transaction, to encourage users to be hyper-aware of the risks of phishing and social engineering when it comes to their multi-factor authentication actions.

MFA is a must. Use an authenticator like Authy or Google Authenticator. This is significantly more secure than SMS multi-factor authentication.

Replace your password with a passphrase or a Password Manager (even better)

One of the most effective and simple security controls that an individual can implement this holiday season is the creation and use of strong passphrases. Most online retailers do not notify customers when their password is weak or needs to be changed. As a general rule, the same password should NEVER be used twice, and you should never ever use any of these weak passwords. Using a passphrase, a sequence of random words with a few symbols, is an effective approach.

The smart choice is to use a password manager to help create passwords that are unique, long, and complex to protect your digital life and help move passwords into the background. Let a password manager do the hard work for you so you can enjoy safer internet shopping.

One way to create memorable passwords without technological help is to build a passcode from a phrase, taking the first letter, number, or punctuation mark of each word and stringing them together into a password.

For example: “Julia Childs is the number one cook in the entire Sicilian region of Italy!” becomes JCit#1citeSroI!

Beware of the Secondhand Market

Many shoppers this year might be persuaded to save some money and opt to purchase secondhand technical goods. You should always take the same precautions when shopping online, but here you must go one step further to stay safe. If you are selling your older equipment or buying secondhand technical equipment such as phones, smart devices, laptops, computers, games consoles and even cars, which today are simply computers with wheels, then you should ensure you have taken steps to make them safe to give away or use secondhand.

  1. Unsync your old devices from your accounts
  2. Log out of your accounts
  3. Delete any data or apps from the devices
  4. Erase and format any hard disks (ensure you have copied or backed up any important data you do not want to lose)
  5. Restore to factory settings before using or giving away

All too often, sensitive data is found on secondhand devices because users saved passwords in their browsers or synced their smartphone with their car, leaving all of their apps logged in along with contact data and sensitive messages that might contain passwords and usernames. To ensure sensitive data is not lost and malicious apps are not hidden on devices, reset them before use.

A note for online sellers

We’re often very focused on warning shoppers about common threats, but it’s also important to urge all online retailers to help their employees be on high alert. We’ve seen cybercriminals work farther up the supply chain this past year. I think employees at retailers are going to be the main target as criminals look to cause disruption, pilfer data and pad their pockets for their own holiday season.

With the anticipated number of online shopping transactions during the Black Friday/Cyber Monday holiday weekend, retailers should be mindful of scammers disguised as consumers. To protect against possible fraud, retailers should ensure that their payment processing systems are sophisticated enough to verify payments. Key red flags will be mismatched billing and shipping addresses, or there may be no recorded purchase history.

Limited staffing during the busy online holiday shopping season can create threat detection and response vulnerabilities. Now more than ever, retail cyber teams should be looking for malicious clones or fake websites, as well as monitoring the dark web for stolen information being sold. It is imperative that these teams find and isolate scams associated with their brand before they cause irreparable damage.

It would be a hacker’s dream to infiltrate a popular retailer’s website during the Black Friday/Cyber Monday holiday weekend. Hackers are aware there could be procedural vulnerabilities due to limited manpower, as some of the workforce will be enjoying vacation time.

Enterprises should be partnering with their marketing team to distribute specific Black Friday/Cyber Monday cyber awareness messaging. Simple reminders about double-checking links can help save customers money and ensure that retailers receive their intended sales.

Special thanks to the experts who contributed to this complete checklist for safe online shopping:

Traceable AI’s Chief Security Officer Richard Bird

Doriel Abrahams, head of U.S. analytics at Forter

Iain Swaine, Director EMEA, Global Advisory at BioCatch

James Wilson, Founder, My Data Removal

Modulus CEO, Richard Gardner

Howard Globus, Cyber Security Evangelist, founder, and CEO of IT On Demand

Eric Florence, Cybersecurity Consultant at Security Tech

Jeff Costlow, CISO at ExtraHop

Kevin Roundy, Senior Technical Director and Researcher at Gen

Matt Kerr, tech expert and CEO/founder of Appliance Geeked

Brian Jones, Tech security Expert, CEO/Founder of Best in Edmonton

Andre Flynn, author and creator of

Patricia Thaine, Co-Founder & CEO of Private AI

Isla Sibanda, Cybersecurity Specialist for Privacyaustralia

Adam Bém, COO & Co-Founder of Victoria VR

Jeroen van Gils, CEO of LiFi

Ashley, founder of Avoidthehack

Phil Vam, Tech expert at Playnoevil

Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea

Jenelle Fulton-Brown, Cybersecurity Advisor at VPN Reactor

George Rosenthal, President of IT and Cybersecurity Firm, ThrottleNet

Amir Tarighat, co-founder and CEO of Agency

About the Author

Over a decade spent helping affiliate blogs and cybersecurity companies increase revenue through conversion-focused content marketing and Digital PR linkbuilding.