Cybersecurity Holidays Tips

Criterion | Cybersecurity CoE

By Dan Chandler, CISO

The holiday gift-buying season with its long lines and pushy customers makes online shopping more attractive with each passing day. Furthermore, if you are shopping for distant family, relatives, and/or friends, the offer of free shipping makes online shopping almost irresistible. For these reasons and others, it will continue to be a popular method for finding the perfect gift for friends and family this holiday season. While there is nothing wrong with shopping online, here are several recommended cybersecurity tips and additional precautions for shoppers that you should be tuned in to:

  • Beware of Clicking on Links Delivered Via Email: During the Holiday season, a phishing attempt may come via an email with a link to a fake website built to steal your personal information. Exercise caution by refraining from clicking on such links and downloading files from unknown sources. Also, beware of emails or websites with typos and grammatical mistakes, which are common characteristics of phishing attempts.
  • Prioritize Shopping at Trusted Sites and Do Research When Purchasing From A Less-Familiar Site: On the internet, some websites are created by people just wanting to steal your information. To avoid this pitfall, shop at retailers you are familiar with and have used before. If you want to purchase an item from an unfamiliar retailer, do some research first. Consider checking out the company’s social media following, customer reviews, its record at the Better Business Bureau, or even call them. When buying from online marketplaces like eBay, thoroughly review the seller’s reputation, assess the item description carefully, read comments, and ask the seller direct questions before buying.
  • Be Skeptical of Suspiciously Low Prices: While big sales are a holiday trademark, if a price seems “too good to be true,” then it probably is. Compare prices for the same items on other websites. If the price is drastically lower, then it is probably a scam designed to acquire your information.
  • Fake Online Stores: Fake sites are likely to either mimic an actual site, using a slight variation in the web site address, or try to reel the shopper in with deals that are too good to be true. Whenever possible, purchase from a site you have used before and trust. Bookmark those sites so you are not tempted to click a link to get there. If you feel the need to check out that “good or great deal,” type the name of the store or the web address into a search engine and see what others have said. Remember, a store doesn’t have to be a scam for you to avoid it. They might be legitimate but have horrible customer service, sky-high shipping charges, or delivery dates that are after the holidays – all of which make that deal not so “good or great.”
  • Be on the Lookout for Fake Shopping Apps: Hundreds of fake retail apps designed to steal your credit card information are popping up in Apple’s App Store and Google Play. Make sure to get the legitimate version of a retail app by downloading it directly from the store’s website, or by thoroughly checking user reviews if downloading from an app store.
  • Assess Website Security: Look for the padlock symbol in the address bar, or a URL that begins with “https” as opposed to “http,” with the “s” standing for “secure.” Some browsers will even indicate whether it’s safe for you to give out your credit card information by showing you a green address bar, while unprotected ones will be red.
  • Scammers on Legitimate Websites: Stores that allow “affiliates” such as an eBay or Amazon “marketplace” offer a wide assortment of products that the store itself cannot stock. Just know that the affiliate stores are not part of the primary store and are not bound by its customer service, shipping, or returns policies. Some of these affiliates are not as legitimate as the primary site and may cross over into the scam category. While it is reasonable to assume that Amazon would not allow scammers to operate in the marketplace if they know about it, reeling in unwary consumers is not exactly a scam. If you order a Bluetooth speaker and they send you a rock, that’s a scam. If you send them fifty dollars for the book entitled “How to get people to send you fifty dollars for a book”, that’s different. In both cases you are likely to be disappointed: one is a scam; the other is not.
  • Online Payments: Avoid using debit cards. They take money directly from your bank account and while you will probably get your money back, it can be a slow and painful process. If possible, have your bank notify you every time a charge is made to your credit card. Scrutinize your credit card statements and notify your bank right away if you find discrepancies. You can also use a trusted payment service so the vendor never gets your credit card number, or you can buy a pre-paid card or use a gift card for online purchases. Common vendors include Venmo, Google Wallet, PayPal, and Amazon Payments.
  • Check Credit and Debit Card Statements Routinely, Verifying All Activity: Protect credit and debit card numbers from “wandering eyes.” One way to do so is through a third-party payment vendor that protects the primary funding source. If these services are compromised, only the transaction will be affected. The credit and debit cards, or account info, remain protected. Set up “push” rather than “pull” payments. When paying for a service, the linked funding source will “push” a payment to a vendor, rather than having the vendor “pull” funds from the account. This gives you greater control when transferring funds and alerts you to any potentially fraudulent activity.
  • Backup and Update Before Leaving Your Home: Cybersecurity risk management includes backing up and updating regularly. It should be an action that is always on your mind, like turning off the lights when leaving home. If you’re not sure how to make a backup, make sure you visit the following pages for instructions that will make it an easy process: Windows backup, Mac backup, Android backup, and iOS backup. Also, whenever you see a notification for an update of the system or an application, click it.
  • Do Not Post About Your Holiday Location or the Time You Will be Leaving Your Home: It is crucial to resist posting online when and where you will be going on holiday. Even though it does not affect cybersecurity, the fewer details about yourself you post online, the better. You never know who might use your info in many different, unexpected ways.
  • Do Not Connect to Shared Networks: Part of cybersecurity risk management is avoiding shared networks. How many times have you asked, “Do you have Wi-Fi?” in a restaurant, hotel, or a café? Well, we suggest you do not connect publicly. There are times when you need to connect, though; when you do, make sure not to purchase anything, share passwords, or access applications with banking information, credit card numbers, and other sensitive information while connected.
  • Do Not Download Unfamiliar Applications: We also recommend that you avoid downloading apps you do not know anything about, such as applications some hotels offer to their guests. Make sure you rely on downloading applications from official sites such as Google Play or the App Store.
  • Be Careful with Connecting a USB Drive: Cybersecurity and the risks you are exposed to should always be on your mind. If anyone ever asks you to insert their USB drive into your computer, do not allow it. USB infections are common because USB drives are an old hacking tool.
  • Activate Double (Two-Factor) Authentication: Data breaches happen often because people do not do anything to protect their accounts. To avoid such situations, it is recommended that, apart from having strong passwords, you activate double authentication whenever possible. If someone tries to log in to your account, they will also need a key that you receive on your mobile phone.
  • Be Careful with Emails During the Holidays: Cyber criminals are becoming more sophisticated every day. Some of them send emails to companies during the summer to see what kind of automatic out-of-office replies come back. This way hackers get valuable information for planning an attack, such as the impersonation of a company’s employee. If you can, don’t use automated emails. Also, you should be careful with phishing scams.
  • Be Cautious of Your Inbox: Be aware of e-mails with pictures in attached files, as they may contain malware. Only open attachments from known senders, and scan for viruses if possible. Do not click on unknown links and do not respond to unsolicited e-mails. Avoid filling out e-mail message forms that ask for personal information.
  • Final Thoughts:
    • Just because a web site looks professional doesn’t mean it’s legitimate.
    • Use good passwords; make them different and use a password manager to store them.
    • Be on the lookout for fake emails with purchase “confirmations” or tracking information.
    • Consider having packages delivered to a service rather than left on your porch.
    • When you shop online, shipping charges are part of the price.
    • Posting a “wish list” is the best way to get stuff that you think you want as opposed to what I think you want. Amazon offers this service for free.

Be safe, shop safe, and have a joyful holiday season!

A special thanks goes to Roland Thomas (ISSM) for providing most of the content for this article.

For more information: Cybersecurity Tips for Holiday Shoppers, Recommendations for safe online holiday shopping – a cybersecurity perspective, by Sydny Shepard. Nov 23, 2018