How safe is shopping online?
I bet anyone who has clicked through to read this has at some point in their lives shopped online. With so many services now allowing us to shop and book things online we have to question the safety in shopping online. So, let’s answer the question; how safe is shopping online?
Well, depending on how you look at it, it is very safe. Millions of companies have online transactions so it means the whole process has to be refined to be safe and secure. But the issues arise when scammers try to fool these shoppers. If you don’t know the warning signs, online shopping can be very dangerous.
Be aware of how you get to websites
Online services allow you to buy everything from DVD’s, groceries, take-away, event tickets, software and e-Learning courses. The first thing to be aware of is how you get to websites.
When shopping online you should always try to use the URL bar and type the site you want to use directly. Whilst it is unlikely that other scamming sites would show up on the front page of Google, it’s not impossible for the smaller online shops that you may use. My main concern is how many people click links in e-mails expecting to be taken to the shopping site.
I am going to use Amazon as a prime example here and show you how the information displayed to you can be changed easily to represent something official. Amazon has over 300 million active users. I could purchase a list of e-mails online for anywhere from a few pence to a few pounds per record. If I were to go on the dark web, this cost would probably be cheaper and contain more information.
With my list it would be easy to send out an e-mail that looks like it is from Amazon, whilst I may not have the details of whether they use Amazon, as one of the largest online retailers there is a good chance I would reach a high percentage of these users. (It is worth noting that some of these lists may have the information in, this wouldn’t necessarily come from a data breach at Amazon, but perhaps another shop that uses Amazon payments and has stored that information.)
The e-mail below is one that I received recently (after a bit of an anime spending spree.) When I hover over the Learn more button, most browsers will show you the link where you will be taken once clicked. This appears usually at the bottom of the window or as hovering text.
What you are looking for is the domain name. Bigger sites such as Amazon will own the domains for various regions such as Amazon.co.uk / Amazon.com / Amazon.co.jp etc. however care should be taken when using smaller independent online shops who likely don’t own as many.
The above is an e-mail styled the same way, where the ‘Learn more’ button goes to a different location. You may be thinking, that’s fine, I would realise I was on another site, but the fact is, scammers aren’t going to use e-mails like this to get traffic to their site and promote their services. How scammers get your details is by sending you to a site like this.
I have put this all together in a couple of minutes. You’re probably wondering what happens when you fill in your details. It would be easy enough to write all entries in to a database and forward you on to the Amazon Website. You will probably think it was just a glitch in the system if you had to log in again, but the fact is, you never logged in to Amazon.
What you have just done, is given your e-mail address and password on to a scammer.
What is going to happen to your information?
What is going to happen to your information after you enter it in a fake website? What do you do if you’ve done this?
Log directly in to your Amazon account and change your password. If you use the same password for your e-mail account and other sites you should change these also. However, your e-mail account should be first as if they gain access to this, they potentially have access to all of your passwords.
Chances are your e-mail address will be sold on regardless. There is nothing that you can do about this except make sure you don’t fall for the same mistakes again. (Changing e-mail addresses can be a nightmare.)
“But I can see that your example says www.sheilds.org“ you say.
One important thing to look out for is the use of subdomains. It’s highly unlikely a website would make it so obvious that they use a domain that doesn’t represent the original domain. It is best to understand what a subdomain is so here is a quick overview.
A subdomain is a part of a domain, usually used for separating information from the root. When you are looking for an e-Learning course from SHEilds, you may find this on the sheilds.org (root) however when you want to buy the course you are transferred to shop.sheilds.org (a subdomain.) Some websites may use the name of a subdomain maliciously to trick users into believing they are actually another site.
It is worth noting that you can call a subdomain anything, so I could set up amazon.sheilds.org if I wanted to, and use the above methods to trick users. This may not trick many people as it contains the name SHEilds. However, if I was to buy a domain name such as “securewithamazon” and set a subdomain name, the web address would appear as: amazon.securewithamazon.com. Probably enough to fool most people.
This would only cost £10 a year with the additional cost of hosting, (another £15 a year.)
Now if I was to use all the above methods shown, I could quite easily trick a lot of people into giving me their account details. With Amazon Prime, I could spend a lot of money and receive the products before the user even realised.
A family member had some tickets stolen for an event they wanted to attend from someone who used the exact same method listed above. Thankfully this was resolved though, and they managed to get their tickets for the event.
If you land on a site and you aren’t too sure how authentic the site is, it is best using PayPal.
PayPal offer outstanding coverage in the unfortunate event that you are scammed. If you are ever concerned, they have a support team that are available to talk. Whilst they do charge fees to either the seller or the buyer, the extra coverage you receive can be worth the small costs. Usually these are charged to the seller and not the buyer.
It is worth the reassurance that you are not inputting your card details; however, you need to make sure again that a site doesn’t direct you to a site other than PayPal, that looks similar.
If PayPal isn’t an option, you might additionally consider using a credit card as they also offer similar fraud protection schemes.
Checking SSL Certificates
To ensure that your information is transferred securely, you should always check for an SSL (Secure Socket Layer) certificate.
SSL Certificates ensure that any information transferred between you and the web server is encrypted. If this is intercepted then it will take years before anyone could do anything with it. By then it is highly likely that your information would have changed significantly. I personally would never purchase from a site that doesn’t use an SSL certificate.
Finally, passwords. Make sure you regularly change your password, especially if you use internet cafes or other public computers. Key-loggers can be hardware or software that runs on a machine without you knowing. They track every keystroke that is made, this includes financial information that is input.
This does mean that changing your password wouldn’t matter, however if you can connect a personal device to a network, it is worth changing your password this way.
It is hard to find if a key-logger is installed but one tell-tale sign is USB sticks left in the computer.
Web & e-Learning Developer