Beware Black Friday and beyond: Tips to stay safe online when festive shopping

24 November 2023

Black Friday marks the start of the busy period for online retailers – into Cyber Monday and the holiday shopping spree. But as customers go on the hunt for the best deals... could they come at a cost?

Online shoppers should expect an increase in attempts from cyber criminals to compromise their personal and financial information and commit fraud. These attackers can be especially successful while we’re in the frantic pace of the holiday period. In fact, the UK’s National Cyber Security Centre (NCSC) recently reported that consumers lost £10m to cyber criminals during last year’s festive period.

The main attacks to watch out for are phishing emails, spam SMS messages trying to coerce consumers to follow links to malicious websites controlled by cyber-attackers, or scam phone calls asking for payment information. Here, we take a look at some of the tips from our experts to help shoppers stay safe online.

 

Top areas to watch out for ahead of Black Friday

1. Think before buying cheap, white labelled devices

You’ll probably know that connecting any device to Wi-Fi can make it vulnerable to hacks, which in turn risks exposing your own data.

We’ve found that white labelled devices in particular, such as Wi-Fi routers, might be even more susceptible to attacks. For example, Connectize’s G6 WiFi router was found to have multiple vulnerabilities exposing its owners to potential intrusion in their local Wi-Fi network and browser. It’s a general consumer Wi-Fi router that is available for purchase by the public. The nature of the vulnerabilities we discovered could enable a motivated attacker to perform an attack chain that potentially leads to full unauthenticated access to the user’s home network or browser.

And with more tech products purchased, there’s increasing ‘e-waste’: when electronics are discarded. Alongside the clear environmental impact, there’s another pressing danger with e-waste – the leak of personal information. One researcher purchased 85 used devices in an attempt to extract information from them. Only two of the devices had been properly wiped, and he was able to uncover over 366,300 files, from images to personal details such as credit card and passport information.

So, always consider the technology you’re buying carefully. It can be good practice to wipe any devices you are replacing fully, and make sure to read the product literature of new purchases to check the security and privacy protections that are in place.

2. Check QR codes carefully

We’ve seen QR codes rise in popularity over the last few years, driven in large part by the pandemic. Allowing you quick and easy access to websites, we’re unfortunately seeing criminals take advantage of people’s familiarity and readiness to use QR codes. They are increasingly being integrated into scams, which is particularly dangerous as over half of UK consumers struggle to identify malicious QR codes.

Not so long ago the advice was to check links to make sure they’re not dodgy, but what do you do when you can’t actually see the link? Make sure to double-check any QR codes you might be encouraged to use when shopping in-store or online: only use QR codes from locations you trust, and after you have followed the link, check the domain name and look out for URLs that seem unusual.

3. Watch out for phishing emails

As our inboxes fill up with emails containing big discount saving opportunities, we must be mindful that some of those emails will not be genuine. Who among us wouldn’t be tempted to click on a link to get an 80% discount from a store we like to shop at? The problem is that the email may not have come from that store but from a cyber-criminal impersonating that store and attempting to direct you to their malicious website.

You might be familiar with the obvious signs of a suspicious email, like misspelt words, odd fonts or strange email addresses. However, the rise of generative AI is making it much harder to spot what’s legitimate and what’s a scam. Technologies like ChatGPT are making it easier for scammers to create convincing emails, which sound exactly like the company they’re impersonating.

So, what do you do to avoid falling into this trap? The same advice still stands, and it’s about applying these checks even to emails that seem non-suspicious. Also, as tempting as some of those links might be, you don’t have to click on them! If you receive an email from an online retailer offering discounts that appear too good to be true or which apply pressure to act quickly, close the email and open your web browser to navigate directly to the genuine site. You will be able to find the same sale in most cases without clicking on the link they provided. By doing this you’re avoiding the pitfalls of clicking on a link that may have been sent by an attacker instead of the store you want to buy from. The same is true with links sent to you in a text message.

4. Spam text messages that try to entice consumers to click on a link to an online resource

It is also now common for us to receive spam or junk text messages to our phones that attempt to seem convincing.

One technique that has been on the rise for some time is bogus text messages that purport to come from popular courier firms claiming that they have been trying to deliver a package but have been unsuccessful.

Again, the scammers are trying to get consumers to click links and visit malicious sites. This type of scam is likely to be especially successful during the holiday period, when our spending is elevated compared to other times in the year. To make matters harder, it is trivial to make text messages look like they are coming from a legitimate sender by spoofing the name and number of the real business.

First, stop to consider whether you are expecting any deliveries from this courier or firm. Second, instead of following any links, check the delivery status via a trusted application or the firm’s website.

5. Social engineering scams via unsolicited phone calls

Similarly, you might also experience scammers that call and attempt to convince you over the phone to disclose important information.

At this time of year, scam calls purporting to come from credit card companies checking on fraudulent activity can be particularly effective. While our spending is higher and our desire to receive things in time for holiday celebrations may cause anxiety, the scammers prey on the fact that we don’t want our purchases to be delayed and may disclose our credit card details or other sensitive information to make sure the transaction goes through correctly.

A genuine call from your bank will never pressure you to give personal information over outbound calls and will always be understanding of your desire to call them back using widely advertised contact methods.

6. Keep an eye out for bogus websites

Similarly to phishing emails, scammers are also using AI to create fake websites that feel convincing – whether in terms of the images or copy. Sometimes telling the difference between the original website they are attempting to clone, and the bogus version, can be incredibly difficult.

Keep alert to suspicious activity on a website that might suggest it’s a bogus site. While it is easy to create a convincing website, the famous ‘little padlock’ on your web browser is your friend. If your web browser shows you warnings about the trustworthiness of a website, do not ignore them! When this happens, it is likely because the site you think you are going to is not secure or is a different site than you think. Close out your web browser and search for the real site via search engines instead.

When looking at niche online retailers it may be difficult to determine the professionalism of their site, but take your time and read through as many pages as you can. Check out their ‘about us’ and ‘contact us’ information and determine whether it seems genuine. When it comes to payment options, opt for mainstream third-party options such as pay with PayPal or Apple Pay. While this is not infallible, it’s a strong indication that the site is legitimate and that your payment information will be handled safely.

7. Be suspicious of ‘too good to be true’ deals

Some final wise advice from NCSC, which warns that if an offer seems urgent or scarce, it’s usually a tell-tale sign that it’s a scam.

These messages want to lure you into purchasing in a panic, which could lead to harmful consequences – inputting your information into bogus websites, risking the loss of financial or personal details.

Always check where deals have come from – whether email, social media or otherwise – and ask yourself if the source seems legitimate. If your gut feels that it’s too good to be true – trust it.

 

Remember: vigilance is key

If there’s one thing you need to do when searching for the best deals this festive period, it’s to be vigilant. Whilst it may be tempting to go for the cheapest deal or product, ask yourself if this could be costly in the long run to your precious personal information.

Here are some other key tips to help you stay safe:

  • Ensure you have different passwords for every online site you use: By having the same password for every site you use, or even ones that are only subtly different, you are making it very easy for an online attacker to run rampant across your digital life. When you use the same password for everything, the attacker only needs to guess that password once to then have access to all the sites you use it for.
  • Use a password manager to keep your passwords safe: A password manager is a special piece of software that runs on your computer and phone and securely stores your passwords. When you want to use a password with a site, you select it from the password manager and copy it into the site – with many password managers making this very slick and streamlined. This approach is generally the best course of action for dealing with the passwords you use in your daily life online.
  • Allow anti-virus software to run on your computer regularly: Antivirus software is freely available for desktop computers, laptops, phones, and tablets. When used, it does a good job of scanning your devices to make sure you do not have malware or malicious browser extensions accidentally installed on your equipment.
  • Ensure you always install the latest available updates for your devices: It is vital to let your phone, tablet, or computer update automatically to the latest version of the operating software, and to update the apps and software installed. In doing so you are removing security issues that could be exploited by an attacker.
  • Do not give out credit information or personal details over the phone to unsolicited callers: If you receive calls from unknown contacts telling you of ‘problems with your account’ or ‘problems with a recent order’ these may not be genuine. A call out of the blue should be treated as suspicious. If the caller is trying to create a sense of urgency with you and asking for payment information it is almost certainly a scam – hang up and contact the company directly via their website, online chat, or documented customer service numbers.
  • Use mobile applications that are from reputable sources only: Official mobile applications like the ones from Amazon, Walmart, and other retailers are easy to identify in your Apple or Google app stores. Make sure you check that the name of the app publisher matches the company directly and that you are picking an app that looks professional and has a high user rating. Apps that look like they are from third parties offering marketplaces you haven’t heard of, or apps advertising that they are providing big savings, should be avoided. Stick to the big names and you’ll be in better shape!
  • Keep track of the items you have ordered: It’s easy to get confused during the holiday madness – try to keep track of the items you have ordered, where you ordered them, and what the shipping method is. This will help you to keep your wits about you if you are contacted regarding orders and help you avoid being tricked.
  • If online shopping from public Wi-Fi, use a private VPN to keep safe: Public Wi-Fi hotspots like those found in coffee shops, airports, and hotels carry extra risk. If you are concerned with the security of the Wi-Fi connection, you could elect to not use it and use the cellular data connection on your phone or tablet instead. Alternatively, installing a private VPN is a way to ensure your traffic is being encrypted and is safe from eavesdroppers. There are many reputable personal VPN products available that for a small fee will give you peace of mind when using public internet connections.

If ever in doubt, just don’t take the risk. Sometimes despite best efforts you just can’t be sure if a site, email, app, or text message is safe. Whenever possible err on the side of caution – if in doubt, find a different source for your goods and services and live to fight another day!

So, stay alert when enjoying the sales so you can keep your details safe and secure.
