Americans spent over 200 billion dollars online during the 2022 festive shopping season, making 2023 a record year for online retailers. This year, 97% of people recently surveyed said they plan to shop online. As festive-season-related revenues grow, so does the temptation for criminals to take a part of the action for themselves – over 300 million dollars were lost to scammers in 2022, according to the FBI’s IC3 report for 2022.
As we head into the cyber sales and festive months, online consumers may be asking themselves what they can do to keep themselves safe online. A new survey Yubico conducted with OnePoll indicates that online users continue to be concerned with their security. This survey examined how people adjusted their cybersecurity habits in an era of increasingly sophisticated phishing attacks and found that while 80% of survey respondents are concerned about cybersecurity when it comes to their online accounts, a surprising 39% admitted to using the same password for multiple accounts.
In addition to securing your online credentials, below are some top tips to ensure you’re staying safe from increased attacks not only during the holidays, but throughout the year.
1. Continue to be mindful of where you send your information
While cyber criminals tend to aim at your wallet, they also attempt to use your personal information, which is most frequently collected through attacks like phishing, to gain access to other online accounts and assets. Effectively safeguarding personal and financial information and placing trust in an online retailer can be challenging for many consumers. In fact, Yubico’s survey found that about one third of respondents (32%) are not confident that they could spot a fraudulent or fake online retailer. As phishing attacks become harder to identify, your defenses against them also need to improve. With this in mind, be cautious when you see the following:
- Websites asking for too much information
If what’s being asked feels completely unrelated to your purchase, then consider another vendor that won’t require as much information.
- Odd websites or requests for odd methods of payment
Asking for abnormal payment types is a red flag that warrants additional investigation. Consider another vendor.
- Coupon apps and websites
Everyone loves a discount, but beware of coupon apps or browser plugins that offer these deals automatically. Remember that if you’re not paying for a service, then one way that service continues to exist is through monetising your browser history, product usage, or personal information.
2. Beware of the latest scams such as tracking information scams
Some of the latest scams involve requests to disclose additional personal information to “fill in the gaps” for an unexpected delivery. It’s best to ignore these messages and go straight to the source to check your package status.
- Sign up for tracking notifications
Most major providers offer email-based tracking notifications that can tell you when packages should be arriving.
- Investigate by going straight to the source
If an email or text is offering you an easy way to “click here!” to get your information, ignore that suggested “easy button” and instead go straight to the vendor’s site. For example, if an email purporting to be your credit card provider indicates an issue, directly call the number on the back of your card, or access the website address directly. Don’t click on links sent over SMS or in email.
3. Use protected methods of payment
Not all payment methods are protected equally, and some standard payment methods for day-to-day business may be tempting to use for online shopping.
- Use a credit card or a trusted broker such as PayPal to protect your purchases
Many credit card providers offer consumer protections on purchases, and also allow you to dispute charges when you don’t receive your product or service.
- Avoid debit cards and never give out banking information or send wire transfers to pay for online retail
Some common scams involve using banking information to create the appearance of “pay us back” errors, or directly extract funds from your bank account.
4. Protect your login credentials
Passwords are no longer enough to protect your accounts, and most consumers are not modernising their authentication methods to match newer methods of attack. Yubico’s survey found that approximately one out of two (49%) respondents stated that they do not use MFA, don’t know what it is, or are not sure if they have MFA enabled.
Consider the following tips to increase the security of your online presence:
- Use strong, phishing-resistant MFA
Not all MFA methods are created equal. Instead of SMS text-message-based codes that must be manually entered, or app-based push notifications that are easy to mistakenly approve, secure your accounts using phishing-resistant multi-factor authentication (MFA) methods, such as passkeys and security keys like the YubiKey, which have had passkeys since 2018. Passkeys seamlessly authenticate users by using cryptographic security “keys” stored on their computer or device (e.g. a YubiKey), and are considered a superior alternative to passwords since users are not required to recall or manually enter long sequences of characters that can be forgotten, stolen or intercepted.
The YubiKey works with hundreds of services that support passkeys to reduce the possibility that you mistakenly enter your credentials into a malicious site. The YubiKey is supported for use on services like 1Password, WhatsApp, Amazon, Apple, Google, and social media platforms such as X (formerly Twitter) and Meta.
- Use a password manager to cover the gaps
For those sites that don’t yet support phishing-resistant methods, use a reputable password manager, such as 1Password, to generate unique credentials per site, make logins easier between devices, and watch for known breaches that may have affected your credentials. YubiKeys support the most popular password managers and add an additional layer of security for your login credentials.
5. Ensure the highest level of protection for your most valuable assets
Most services offer a password reset pathway, allowing users to reset their accounts using a link sent to email or a text message. In some cases, this reset method may be the easiest way for attackers to gain access to your accounts. Ensure that your most prized accounts are protected with the highest level of authentication.
- Protect your mobile ecosystem
Our mobile devices are a key tool used for our online accounts. Ensure that you’ve protected your mobile’s ecosystem by configuring hardware-backed security keys, such as YubiKeys, to protect the ecosystem that controls your mobile device (for instance, your Apple ID account or Google Account).
- Protect your email
Many email providers also allow users to configure phishing-resistant methods such as passkeys. Ensure that you have the highest level of protection for the one place that allows you to reset most of the other accounts that you want to protect.
- Protect your core identity providers
If you use “Sign in with ___” options for online activities, ensure that you have protected those services with strong MFA as well. Most major providers support methods such as the YubiKey (for instance, your Amazon, Meta and X accounts). Also be certain to protect your password manager from unauthorised access.
Consider all of the tips above to stay secure this festive season and beyond, and upgrade your online security to use phishing-resistant, hardware-backed, and universally adaptable authenticators, such as the YubiKey.