Five tips for avoiding online shopping scams

While shopping online is convenient, it can also make you an easy mark for scammers.

Tashalee Rodriguez uses a smartphone app while shopping at Macy's in downtown Boston.

Michael Dwyer/AP/File

September 24, 2016

With the holiday shopping season fast approaching, many consumers are opting out of the mall experience, and choosing to play Santa on their laptops, tablets and mobile devices. According to the National Retail Federation, nearly half of all holiday shopping in 2015 was done online, and that number is only expected to grow in 2016. But while shopping online is convenient, it can also make you an easy mark for scammers.

We talked with both retail security expert Shaun Murphy, who has lots of tips to help online shoppers avoid being scammed, and our own team of shopping-savvy editors, and came up with five ways you can protect yourself while shopping online.

Be careful clicking links in fishy-looking emails.

We've written about this before, but scammers often use a tactic called phishing, or crafting fake but authentic-looking emails from trusted companies, in order to steal your personal information. If you get an order confirmation email from a company you don't remember ordering from, it should raise a red flag, especially if the email address it's sent from isn't an official company address. Here's how to spot a phishing email:

In the race to attract students, historically Black colleges sprint out front

  1. Order confirmation emails usually come immediately, or within a few minutes, after you make a purchase online. If you're getting a confirmation or "thank you" email and you haven't bought something within the last 15 minutes, it's probably a scam.
  2. Scammers often riddle phishing emails with misspellings and poor grammar, because people who don't notice these things are more likely to fall for their tricks. If a supposed auto-confirmation email from Target is stuffed full of typos, it's not from Target.
  3. As we mentioned above, double-checking the sender's email is important. If a Macy's rep is emailing you, they will have an @macys.com email address. If they don't, they're not legit.
  4. Hover over (but don't click!) on links in the body of the email. If they seem to be directing you somewhere other than the official store site, delete and don't look back.

Murphy also cautions shoppers against falling for phishing scams involving fake deals. If a too-good to be true deal shows up in your inbox and feels a little fishy, Murphy tells shoppers to look for that deal on the store's official site instead of clicking through the link.

"Or," says Murphy, "call a nearby location to verify the offer is real and not a spoof a criminal made to look like a real offer."

Use prepaid credit cards and mobile payment options to avoid identify theft.

With all the credit card security breaches at major retailers like Target, Staples and Home Depot over the past few years, it's not a bad idea for shoppers to go the extra mile to protect their data from being scraped while shopping online, or even in person! Murphy recommends using a digital payment service, like Apple Pay or Google Wallet, whenever possible, because these are much harder to hack or scrape than traditional credit cards (yes, even those annoying new chip cards can be hacked).

"Using pre-paid credit cards that are not linked to your bank account or credit history can stop thieves from accessing and using your financial information if the site you shop on ends up being hacked," says Murphy.

Make your passwords hard to hack.

Be honest. Are your passwords somewhere in the realm of "password123?" Have you ever used your pet's name followed by your birthdate? Your name followed by your street address? Maybe you came up with something complicated, something with lots of random characters and an assortment of upper/lowercase letters -- did you find yourself using that one for everything? It's safe to say we've all been guilty of poor password protection at one time or another, and who can blame us?

‘I’m exhausted by him.’ Why Trump resistance is fizzling.

With multiple email addresses, social media accounts, banking logins, and online utility accounts to keep track of, it's tempting to either make your passwords easy to remember (think chasebank11 for a Chase Bank account), or to use the same complicated password for everything. But both of these tactics make it very easy for criminals to hack your passwords, and rob you of money, your identity, or both!

You should create a different password for every single one of your online accounts. If you need help remembering them, use a password management system, like LastPass or 1Password.

Change up your usernames.

Just as it's a bad idea to use the same password for every online account, Murphy says it's also not smart to use the same username, especially if that username is the same one you use for your email or social media accounts.

"To keep your online history private from criminals, create a unique username for each website on which you shop," says Murphy. "For example, YourName+StoreName is a better username than your name plus a few numbers."

Murphy also notes that including your full name or location in your usernames is not a great idea either.

"Business professionals and students often use a variation of their full name as an email address, on social media and other online forums," says Murphy. "While people might be able to easily search for and follow or friend you, you are also making it easier for criminals to do the same....and including a meaningful location in your username is never a good idea. Not only is it one more tool criminals can use to narrow their search for your personal details, it is also a common password security question."

Beware fake coupon sites that ask you to enter information.

We have an entire article dedicated to this, but Facebook is rife fake coupons that either lead you to "survey" sites (which ask you to enter a whole lot of personal information) or install malware on your computer when you click on them. Here are our best tips for staying away from social media scammers:

  1. Double check where the coupon is posted. While the account that posted it might be called "Target Coupons," unless there's a verified blue check by that name, it's NOT associated with Target.
  2. Look at the link where the coupon will take you. Again, in our Target coupon example, if the link takes you to target.com, you're fine. If it takes you somewhere like, target-holidays.xyz, you're gonna get played.
  3. Is the discount too good to be true? Major retailers like Target RARELY offer storewide coupons for even 15 percent off, and usually there are LOTS of exclusions to the discount. We've literally never seen any storewide coupons at stores like Target for 50 or 75 percent off. That doesn't happen, and if it did, you can bet there would be tons of exclusions. Beware huge discounts with no exclusions. Nine times out of ten, they're fake, fake, fakity fake!

This article first appeared in Brad's Deals.