Last updated: December 2020
With the gift-giving season coming up, many people will be doing their holiday shopping online. In fact, Americans were projected to spend an and on Cyber Monday in 2020. Salesforce estimated that globally consumers spend about the online shopping rush the last week of November.
With all of this online shopping, lots of personal information — phone numbers, home addresses and credit cards — will be flying around the internet. This personal data translates to dollars for cyber criminals who are gearing up for the heavy traffic and increased online sales in the upcoming months.
Ecommerce transactions are at risk for data theft if a website is not secure. In addition, online shoppers are vulnerable to scams like phishing or fraudulent websites, man-in-the-middle attacks, spam/phishing emails, pop-ups, social engineering attacks and fraudulent charities or causes.
Once you give an online retailer your information, it’s their job to protect the data that you gave them, so it’s important that you be careful who you trust with your information online. But how do you know whom to trust? How do you know if a site is legitimate and if you should give them your data?
Before giving any information to a website, you should make sure it is secure. A secure website will encrypt your data in transit so that hackers cannot view or steal it as your information is in transit from your computer to the company’s server. However, note that just because a website is secure does not mean that it is safe.
A safe website is both secure and reasonably verified as the correct company site (i.e., not a fraudulent imposter site). You should check not only for site encryption but also trust indicators that the website is who it says it is.
We’ll first go over some quick tips that you can use to tell if a site is secure and then share ways to tell if a company is real. Checking for both will help you know if a site is safe to buy from.
Look at the URL of the website. If it begins with “https” instead of “http,” it means the site is secured using an TLS/SSL certificate (the s in https stands for secure). TLS certificates secure all of your data as it is passed from your browser to the website’s server. To get a TLS certificate, the company must go through an SSL validation process.
However, there are a few different levels of ssl validation — and some of them are easier to get through than others. The lowest level of TLS/SSL validation, Domain Validation (DV), simply validates ownership of the domain and not the legitimacy of the organization requesting the digital certificate. In other words, if you bought the domain “amaz0n.com” and requested a certificate for it, you would get the certificate because you own the domain. Browsers will also show a little lock in the address bar to show that the site is secured with TLS encryption. See images below of what that looks like in popular browsers. However, note that the lock will just tell you if a site has encryption or not and you have to look beyond the lock for higher indictors of trust.
The highest level of TLS/SSL validation, Extended Validation (EV), is the safest and most extensive. With Extended Validation, the company requesting the certificate has to prove their identity as well as their legitimacy as a business. You can tell if a site has an EV SSL certificate by looking at the address bar. EV TLS/SSL certificate information is generally accessible by clicking on the padlock in the address bar. I walk through how to access the information, like the company name and location, beyond the lock in another blog.
These examples below show what a site looks like with, or without encryption. However, if you click on the lock in your browser you can also see more details. If the site has an EV SSL certificate and you click on the lock then you will see the organization’s name under “Certificate (Valid)”.
Secure Site in Firefox:
Secure Site in Chrome:
Secure Site in Safari:
Cyber attackers will sometimes create websites that mimic existing websites and try to trick people into purchasing something on or logging into their phishing site. These sites often look exactly like the existing website.
Let’s use the same example as before: a cyber attacker purchases the domain “amaz0n.com” and sets up a website at that location that looks exactly like the amazon.com website. They buy a DV SSL certificate for their website and try to trick users (by using phishing emails or other methods) to purchase items or log into their accounts on the phishing site.
To avoid these kinds of attacks, always look at the domain of the site you are on. If you get an email from your bank or other online vendor, don’t click the link in the email. Type the domain into your browser to make sure you are connecting to the website where you intend to be.
There are a few signs that you can look for to help you know if a company is real or not.
Physical address and phone number: If the company lists a physical address and phone number there is a higher chance that they are a real business. Reputable companies will list their information so you can contact them if there is a problem.
Return policy: Reputable sites should list their return policy as well as their shipping policy. If you can’t find these policies on their site, you probably don’t want to purchase from them.
Prices are too low to believe: It’s great when you find a bargain, but you should be wary of sites that offer products for prices that are far lower than they should be. You could end up with knock off merchandise, stolen goods or not get anything at all.
Privacy statement: Reputable sites should tell you how they protect your information and whether they give your information to third parties. You should make sure a site has a privacy statement and read it before you make a purchase.
Shopping online is extremely convenient and can make finishing up your holiday gift list quick and easy. But falling victim to an online scam or data theft would ruin anyone’s holidays. Make sure you stay safe online and protect your information by following these quick tips during the holidays and throughout the year.
Discover how PKI unlocks a connected world of possibilities; read our PKI eBook.