How to protect yourself from scams when shopping online
On unfamiliar sites, your personal data may be at risk. Here's how to keep it safe.
Every year, millions of Americans get scammed. In 2019, the Federal Trade Commission (FTC), which monitors consumer fraud and identity theft complaints in the U.S., received approximately 1.7 million fraud reports, with imposter scams—e.g., someone posing as you, usually for their own financial gain—leading the charge as the number one type of fraud in the U.S.
When it comes to getting ripped off, online shopping poses a tremendous risk. As convenient as it is to do—especially right now, as the coronavirus (COVID-19) pandemic forces most of us to embrace social distancing measures and not shop in stores—it may be just as easy for hackers to use in order to gain access to your personal information. “Some of the most significant cybersecurity threats against online shopping include personal and financial data leakage,” says Dr. Weiqing Sun, cyber-security expert, associate professor of computer science engineering technology and director of Master's Programs in Cyber Security in The University of Toledo College of Engineering.
As scams grow more sophisticated, knowing how to protect yourself online is more important than ever. But this doesn't mean you need hacker-level skills to keep your info safe. “You don’t have to be some kind of expert to know if a site is real or not,” says Timothy Summers, Ph.D., CEO of Summers & Co., and executive director of Cloud and Advanced Network Engineering Services for Arizona State University. Instead, you just need to be proactive and know what to look out for as you shop. Just keep these essential online security tips in mind.
1. Stick to trusted sites
Trying to track down some hard-to-snag products but can only find them on a site you’ve never visited before? That’s a sign that you need to be careful, cautions Summers. “If you receive a link to a new site, be very, very skeptical,” he says. “And think before you click—don’t click on every link that someone sends you or you see on Facebook. That’s the easiest way for hackers to get you.”
Instead, using trusted sites like Amazon, Best Buy, or Walmart whenever possible can help you keep your most valuable data secure. In the event that a major data breach does occur—as has happened with all these retailers in the past—well-known companies are publicly accountable in a way that little-known shops might not be.
2. Examine the URL
If you’re shopping from a site that you haven’t vetted before, one of the quickest—and potentially most effective—ways to check its legitimacy is to look at the address bar.
The first thing you should take a closer look at? How the URL begins. Both Summers and Sun point out that a secure website’s URL will begin with “https” rather than “http.” The “s” at the end stands for "secure," which is a giveaway that the site has some security protections set in place for consumers. While a site starting with “http” isn’t necessarily a scam, it is something to be mindful of whenever you’re browsing online.
3. Look for a padlock
Take another glance at that address bar. Do you notice a padlock at the front of it, right before the URL? You might not have thought about it before, but that little icon isn’t just for show—it’s actually one of the most crucial things for determining whether or not a site is genuine.
The padlock indicates that the site is equipped with SSL (Secure Sockets Layer) encryption. In the security world, SSL is a standard tool for establishing an encrypted—i.e., encoded—link between a web server and a browser (or, alternatively, a mail server and a mail client, such as your work email and Outlook). The connection it creates is instant and binding, and it ensures that no one except you and the website can see what you’re typing into your browser.
However, Summers warns that the padlock icon isn’t foolproof. As hackers get savvier, some have figured out how to recreate that padlock icon on fake websites. “There are still ways to manipulate that [padlock icon],” Summers says. “But it’s a simple foundation for e-commerce. It’s a way to establish digital credentials and it gives shoppers online an additional layer of assurance.” In most web browsers, you can click on the padlock icon and learn additional information about your connection, including security verification, saved passwords, and more, which can reassure you that the padlock is real.
4. Check the domain age—and the name
Hackers are hoping that you’ll scan over the address bar and not pay too much attention to what it says. Another thing they’re counting on? That you won’t check for things like when the site was first created (in other words, the age of the domain), which may be an indicator that a site isn’t as established as it’s pretending to be.
Around major shopping events like Mother’s Day or Black Friday, cybercriminals will often create a slew of fake sites—or, “copycat shopping sites,” as Sun refers to them—designed to capture payment information and scam unsuspecting consumers. If you’re feeling unsure about a site’s validity, you can use tools like the Whois Lookup domain tracker to discover the age, owner, and expiration date of a domain, along with other essential details.
In the aftermath of COVID-19, Summers says it’s especially important to be on the lookout for fake sites that could be trying to capitalize on the pandemic and the widespread need it has created for products like hand sanitizer, toilet paper, and other common household goods.
Additionally, it’s smart to pay attention to the domain name, as scammers often like to create websites that replicate the addresses of leading retailers or brands—for example, Amz0n.com—to manipulate visitors into giving up valuable personal data.
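The domain-name check described above can be automated. The following Python sketch is an added example, not part of the original article: it flags hosts that imitate a trusted retailer, such as Amz0n.com. The trusted list uses the retailers the article names; the substitution table, the distance threshold, and the `.example` test host are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: domains of the retailers named in the article.
TRUSTED = ("amazon.com", "bestbuy.com", "walmart.com")
# Digit-for-letter swaps often seen in copycat names (constructed, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
MAX_DISTANCE = 2  # assumed threshold: edits that still count as "nearly the brand"

def hostname(url):
    """Return the lower-cased host of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def registrable(host):
    """Naive last-two-labels rule; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, computed one dynamic-programming row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return (verdict, brand): 'trusted', 'lookalike' or 'unknown'."""
    host = hostname(url)
    domain = registrable(host)
    if domain in TRUSTED:
        return ("trusted", domain)
    normalized = domain.translate(HOMOGLYPHS)
    flat_host = host.translate(HOMOGLYPHS).replace("-", "")
    for brand in TRUSTED:
        # Case 1: near-identical spelling once digit swaps are undone (Amz0n.com).
        if edit_distance(normalized, brand) <= MAX_DISTANCE:
            return ("lookalike", brand)
        # Case 2: the brand name appears somewhere in a host it does not own.
        if brand.split(".")[0] in flat_host:
            return ("lookalike", brand)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("Amz0n.com", "https://www.amazon.com/gp/cart",
                   "https://amazon.com.secure-login.example/", "https://example.org"):
        print(sample, "->", classify(sample))
```

A "lookalike" verdict is a prompt for a closer look rather than proof of fraud, and an "unknown" verdict says nothing about whether a site is safe.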
5. Watch out for spelling and grammar mistakes
Just as you don’t have to be a cybersecurity expert to avoid getting ripped off online, you don’t need to be an editor to pick up on whether or not a site’s written text seems fishy—all it takes is a little attention to detail.
If you notice significant spelling and grammar mistakes—like hand sanitiser instead of hand sanitizer—that could be a dead giveaway that the site isn’t exactly what it seems. (Or maybe that they need to hire a copy editor.) While even some legitimate companies may have the occasional typo or two on their site, if you’re spotting odd issues like excessive capitalization or formatting errors, it might be a reason to go ahead and skip to another site.
6. Research the company—and when in doubt, reach out
Learning as much as you can about a company and its site before you buy something is never a waste of time. The Better Business Bureau (BBB) has both an online directory and a scam tracker, the latter of which can give you detailed information about known fraudulent businesses.
Along with the BBB, Yelp and Amazon reviews (filtered through Fakespot, which highlights reviews written by bots) are great ways to see how shoppers really feel about a business or a product and can help empower you as a shopper to potentially avoid their mistakes. Another simple but effective way to confirm a company’s authenticity? Google the name and type in “review” or “scam” after it—if something comes up, take notice.
On the site itself, you can also navigate to the company’s “About Me” page, or do a Google search for information about its employees and history. If you can’t find either one, that’s a bad sign. If you see info but it doesn't satisfy your concerns that the company is legitimate, you can be extra vigilant and search for the LinkedIn and social media profiles of the CEO and other specified employees, or even send an email directly to the company.
7. Protect your passwords—and use a VPN
Shopping on an unknown site doesn’t only present the risk of your credit card number or other identifying information being stolen—it could open your entire computer to malware that transmits other info, such as your passwords to your accounts, back to the hacker.
A great line of defense is to use a virtual private network (VPN). VPNs conceal your IP address, online activity, and communications from unwanted peepers and can be a terrific resource for anyone trying to shop securely online. Many of us only have experience using a VPN at work—i.e., an enterprise VPN—but you can download a VPN for your everyday use to create a critical buffer between you and would-be scammers. Summers recommends popular options like ProtonVPN or NordVPN, as they’re easy to use and can help make your experience more secure.
Another requirement for online safety: having complex, unique passwords that are not easily guessable and that include capitalization, numbers, and special characters. A password manager like 1Password or Bitwarden will “remember” those crazy key patterns for you, so you don’t have to keep changing your password every time you forget—a trap we’ve all fallen into at one time or another. Enabling multi-factor authentication, which verifies your identity by requiring multiple credentials—such as supplying answers to security questions—before allowing access to your account, can seem like a pain in the moment, but could be a vital deterrent for anyone trying to crack into your credit card or bank accounts without permission.
8. Pay through secure online methods—and keep track of your credit
Any legitimate e-tailer site should allow you to pay through standard options, including PayPal, debit, or credit cards. (Sun personally prefers using PayPal, but thinks it’s equally as safe as using a card online.) However, if a site requests another form of payment, for example, a wire transfer or money order, you may want to think twice before you buy.
Even more so, if a retailer requests valuable information like your social security number in order to complete a purchase, you could be looking at a major scam, so be on guard.
Sun also suggests designating one or two specific credit cards for online purchases and reviewing account statements frequently, to monitor potentially fraudulent activity. Many credit card providers offer free monthly credit score monitoring and the three leading credit-reporting agencies—Equifax, Experian, and TransUnion—can help you stay on top of your credit activity and catch instances of fraud early, which could be crucial in the event of potential identity theft.
9. Manage your devices—and be careful about WiFi
Whether it’s a personal computer, a tablet, or a smartphone, the type of device that you use for browsing can also play a big role in how susceptible you are to online attacks, so it’s wise to choose one with care.
Sun urges shoppers to keep whichever device they use equipped with the latest security software at all times. Additionally, it’s important to use caution whenever you’re using public Wi-Fi. “Because public WiFi is a highly vulnerable network environment, users should only perform online activities that will not potentially leak their personal information or have their system subverted,” says Sun.
That said, if you have to use public WiFi, Sun recommends using a VPN as well, because it could make your browsing experience safer.
10. Trust your gut
When in doubt, don’t be afraid to walk away from the stuff you've put in your virtual cart. At the end of the day, one of the best ways that you can safeguard your privacy online—and keep yourself from falling prey to dangerous scams—is to simply follow your instincts. That means for you as a shopper, if the site itself just seems funky compared to other sites you regularly visit, that could be a major red flag that you’d be wise not to overlook.
Similarly, if you’re feeling unsure about a site’s veracity, you can always install antivirus software. Our favorite, Bitdefender Antivirus Plus 2017, is affordable and offers everything from enhanced ransomware protection to a secure password manager and more, but you can also find several free tools online that’ll scan for malware, phishing, and other threats. The reason? “Data breaches chip away at the integrity of every consumer’s digital identity,” says Summers.
Once hackers gain access to your personal information, there’s no telling what they might do with it. A big risk, according to Summers, is that they’ll sell it on the dark web, where there are online marketplaces dedicated to buying and selling illicit goods, including personal information like social security numbers and other data that could be used for identity theft. That’s why it’s so important to stay alert and above all else, be cautious whenever you’re online—by using prudence and above all, common sense, you can help thwart so many efforts to compromise your personal security, and have a better online shopping experience in the process.