Staying Cyber Safe This Holiday Season

As the holiday season rapidly approaches, millions of Americans are preparing for the busiest shopping time of the year. Unfortunately, cyber criminals are also preparing for the holidays and the lucrative opportunities they bring to steal passwords, financial details, and personal information from busy, unsuspecting shoppers. To help protect yourself and your information, be sure to read the following tips to stay cyber safe while shopping this holiday season:


  • Beware of phishing websites designed to steal your usernames, passwords, and payment card information. Cyber criminals commonly build webpages that look like popular Internet shopping and banking websites, even using valid digital certificates to make the websites appear legitimate. Checking that the address of the website you are visiting starts with HTTPS (the “S” stands for “Secure”) is important, but it is not enough on its own: double-check the URL to make sure that you are visiting the real site and not a fake one.

  • Remember: if it sounds too good to be true, it probably is. Companies have already begun advertising their holiday deals on goods and services through marketing emails, online advertisements, and social media platforms to drive business and increase profits. However, be wary of anything that's advertised at extremely low prices. Scammers may use these tactics to trick shoppers into visiting malicious or fraudulent websites. Even legitimate retailers may use the lure of deeply discounted products to try to trick shoppers into signing up for unwanted recurring subscription charges or additional items. This tactic is called “dark pattern manipulation,” and it’s important for online shoppers to recognize the signs before making any online purchase. Read the NTIC Cyber Center’s blog post titled “Securing Our Communities: Dark Patterns” to learn more.

  • Don’t click on links or open attachments in emails from unexpected or unknown sources. ‘Tis the season for phishing emails disguised as legitimate communications such as package tracking notifications, e-cards, charity donation requests, or purchase confirmations. Remember, just one click can result in the compromise of your computer, information, and identity.

  • Watch out for malicious mobile apps. Cyber criminals are increasingly targeting mobile device users by developing and distributing malicious apps designed to steal data, monitor phone usage, or deliver unwanted advertisements. Only download apps from official app stores and make sure to read user reviews prior to installation to help you determine if an app is legitimate. If an app requests certain permissions on your mobile device, make sure that they match its advertised functionality. For example, a simple flashlight app should never need access to your camera or contacts to work properly.

  • Be on the lookout for indications that a website may be compromised with a payment card skimmer. Profit-motivated cyber crime groups, known collectively as Magecart, inject malicious code into ecommerce websites to steal payment card information from online shoppers. Signs that a legitimate site may be compromised by Magecart include being asked twice to enter payment or login information or being prompted to enter payment card details before being forwarded to a secure payment service provider. No matter where you shop, though, it’s always a good idea to monitor bank account statements closely for unauthorized charges and suspicious activity.

  • Gift Cards: Don’t get stuck holding a dud. Criminals often try to steal serial numbers and PINs from gift cards before they are purchased so they can quickly drain any amounts that unsuspecting buyers load onto them upon activation. To avoid raising suspicion, they replace the protective coating that covers these numbers with tape purchased cheaply online. Carefully check gift cards before purchasing and look for any evidence of physical tampering. If you receive a gift card, use it as quickly as possible to avoid loss or theft.

  • Avoid connecting to unsecured public Wi-Fi networks. Attackers can easily intercept communications transmitted between mobile devices and Wi-Fi networks in hotels, airports, coffee shops, or other public places to steal passwords, payment details, or other sensitive information without your knowledge. Disable your devices’ Wi-Fi connections when not in use and set them to “ask” before joining new or unknown Wi-Fi networks to avoid connecting to unsecured or dangerous hotspots.

  • When possible, use credit cards rather than debit cards online and at physical retailers. If your payment card numbers are stolen or compromised, using credit cards can limit your liability for fraudulent charges. Debit cards often do not afford these same protections, so any charges incurred will be withdrawn directly from your bank account and can take up to 60 days to reverse.

  • Recycle your unwanted gifts, but never recycle your passwords! The sale of stolen username and password combinations is big business for criminals on underground marketplaces, and recent large-scale data breaches have made it easier than ever for hackers to get their hands on your login information. The best way to protect your online accounts from unauthorized access is to use a lengthy, complex, and unique password for each account. To help you generate secure passwords and easily manage all of your login credentials, consider using a reputable password manager. Also, always enable two-factor authentication (2FA) on any account that offers it for an additional layer of security.
