Your Quick and Dirty Guide to Staying Cyber-Safe While Holiday Shopping

Jennifer Tullman-Botzer

It’s the most wonderful time of the year — for a scam.

Cyberattacks and identity theft unfortunately run rampant during the holiday season due to the surge in online shopping, traveling, and charitable giving. The costs of getting duped are high, and attackers don’t need to steal your wallet or social security card. All they need is for you to make one wrong click. 

Thankfully, there’s also some good news: You don’t need to become an overnight cybersecurity expert to stay safe while handling your holiday shopping. Instead, just take it slow, consider your online actions deliberately, and follow these important tips:

Watch Out for Phishing Attempts

Phishing is still the most common method of attack from cybercriminals, and it persists because it’s easier to trick a person than a security network. You’ve probably heard of the classic Nigerian Prince scam — that’s phishing.

Phishing is when a cyber attacker poses as a legitimate organization to get you to fork over personal information, like your credit card number or banking information. Most often, phishing takes the form of an email, but in recent years phishing via text message (also called SMShing) has become more common.

A phishing email or text may appear to come from your bank, a postal carrier (like the Postal Service, UPS, or FedEx), or a retailer you recently purchased from, like Amazon or Walmart. But upon closer inspection, there are key signs that can indicate a scam. 

  • The email or text message feels urgent. It wants you to take action immediately. 
  • The message instructs you to click on a link or attachment.
  • The sender is unusual. Even if the message appears to be from someone you know, if it feels off, trust your gut. 
  • They want you to pay in a weird way. If the sender asks you to pay with a personal payment app like Zelle or Venmo, with a gift card, or if they’re somehow asking you to send a payment to yourself — it’s more than likely a scam. 

During the holiday season, your inbox will be flooded with promotions and confirmation emails. Don’t click, download, or send money hastily.

Also, keep in mind that there are many things your bank will never ask you for. If the scammer is posing as your bank or credit card company, don’t hesitate to pick up the phone and call to confirm whether the communication is valid or not.

Don’t Send Sensitive Information Over Public Wi-Fi

It can be super convenient to shop in a store or a mall with free Wi-Fi, but public networks are, after all, public. Anything you send over these networks can essentially be eavesdropped upon through a variety of sneaky tactics. 

Ideally, public networks are set up to encrypt messages, information, and credentials. When you enter your credit card number or login info to a website, the network sends that information through a secret code that only the destination website can decode. But there’s no way to know if a public network actually has encrypted your transmissions or not. 

If the network isn’t using encryption, a scammer can intercept information sent over the network quite easily. Advanced attackers can track your online activity and see which pages you’ve visited and what information you entered. 

Hackers may also set up a malicious hotspot that has a name similar to the public network, a tactic known as a “Honey Pot.” For instance, if a network is named “Northwood Mall Guest Wi-Fi,” a malicious hotspot might be given the almost but not quite identical name “North Wood Mall Guest Wi-Fi” to trick you. As a result, any information you send over this malicious network can be easily captured by criminals.

There are a few key things you can do to protect yourself against this type of scam:

  • Don’t send sensitive information in the first place. A hacker’s ideal target is someone doing their holiday shopping on their personal laptop over a public network in a high-traffic public place, say, a coffee shop.
  • Look for “https” in the address bar of the website you’re shopping on. Websites that begin “https” are secure, while those that start with “http” are not. 
  • Use multi-factor authentication (MFA). When MFA is enabled, you receive a text or automated call to verify your identity whenever you (or someone else) try to log into your accounts. True, it adds an extra step to the login process, but MFA is an immensely effective way to protect your information. Additionally, try to buy from online shopping sites that validate your identity with a form of MFA.
  • Adjust your device’s connection settings. In your settings, disable your device from connecting automatically to public networks, and disable file sharing. And stop postponing your phone’s updates. These updates provide the latest security protections to keep you and your personal data safe. 


Shop Smart, Using Retailers You Trust

Seller marketplaces like Amazon, Etsy, and eBay provide an outlet for many small businesses to get their names and products out there. But they also provide the perfect camouflage for scammers, who will impersonate legitimate websites to trick people as they are rushing to find the perfect gift, or just a great bargain.

Before you make your purchase, do some poking around on the seller’s profile to confirm that they are who they’re claiming to be.

  • Is the profile fully fleshed out? That is, does the seller give information about who they are and outline return and cancellation policies? If their profile seems sparse, it’s probably best to move on.
  • Are there reviews? Are they recent? Do they seem real? It is extremely suspicious for a seller to have no reviews or feedback. If they do have reviews, it’s a bonus if reviewers include photos of the product they received.
  • Does the seller have a social media presence? Someone running a small business will likely have social media accounts. Can you validate your seller’s marketplace account with their social media presence? If so, that’s a good sign. 
  • Is the item available elsewhere? Did you know you can search for an image on Google to see if that image is present elsewhere on the web? If you perform a search on the seller’s image of the item, and that exact image pops up on other sites, that’s suspicious, especially if the seller’s price is too good to be true compared to other places the item is sold online.


Don’t Use Your Work Device or Credentials to Shop

Let’s be real, there’s no divide between work and not-work anymore. This December you’ll likely watch a Christmas special on Netflix or order a Hanukkah gift from your work laptop (or maybe both!).

When it comes to work devices (or personal devices you use to access corporate resources), it’s even more important to be cautious – because it’s not just you that could suffer from an attack. A breach on your company device can expose sensitive corporate data, infect your employer’s system with malware, or be used to phish or otherwise attack your coworkers. 

If you must use your company device for personal purposes, differentiate your personal activities from your business activities as much as possible.

  • Use different browser profiles for work and personal purposes.
  • Use strong passwords, and don’t use the same passwords across both personal and business accounts. Password managers are easy to find and can help you up your password game. 
  • Download sparingly. Loading your device up with personal apps just introduces more access points for a potential attacker.
  • Store sensitive information in as few places as possible. Often, retail websites will offer to “remember” your credit card info so you won’t have to enter it every time you log in. The less you opt into this kind of thing, the better.
  • Embrace multi-factor authentication for the same reasons we mentioned above. 
  • Scrub your social media accounts of sensitive information like your birth year, address, phone number, and email. These personal tidbits may seem innocuous, but they are commonly used to conduct social engineering attacks.


No one wants a suspicious visitor hauling packages of malware down your digital chimney, stealing your personal info rather than the cookies you left for Santa Claus. 

Implementing the practices we’ve outlined here takes a conscious effort, but doing so will become second nature with a bit of practice. Most cybercriminals go after the easiest targets, and simple precautions like enabling multi-factor authentication, choosing strong passwords, and smart clicking are usually enough to deter them – enabling you to shop with peace of mind during the holiday season and all year long.

