Consumer Reports has no financial relationship with advertisers on this site.
Even as stores reopen in many parts of the country, people are still shopping online more than ever. And that includes using new sites set up by their favorite small businesses attempting to stay afloat through perilous economic times.
But be careful, experts warn, because cybercriminals are flocking to e-commerce sites, too. Their favorite crimes include opening fake accounts at retail sites and hijacking real ones through identity theft.
Online fraud was already on the rise before COVID-19, largely thanks to the rollout of chip-and-signature technology, which has made the in-person credit card fraud of the past a lot tougher to pull off.
Account takeovers jumped 72 percent in 2019, to 13 million cases, according to the most recent figures from the security firm Javelin, which tracks financial crime. Losses from consumer fraud in the U.S. hit $16.9 billion that year, with consumers directly paying $3.5 billion of the total.
The pandemic is just making the situation worse.
“While we can shop from home, [cybercriminals] can steal from home, too,” says Krista Tedder, Javelin’s director of payments.
Consumers are facing several new threats. Tedder pointed to the explosion of coronavirus-themed phishing emails designed to steal account credentials and other sensitive data. The emails tout everything from bogus cures to deals on masks and other essential items.
Meanwhile, previously existing methods of stealing consumer information, such as online card-skimming software, are becoming bigger problems as consumers flock to the new e-commerce operations set up by their favorite small businesses.
Here’s a rundown on some of the major threats to online shopping and tips for how you can protect yourself.
Rising E-Commerce Threats
As grocers, cafés, and shops rushed to adapt to the pandemic’s challenges, many hastily put together processes to take more orders remotely, in some cases to avoid the hefty fees imposed by websites such as GrubHub and DoorDash.
That’s not a bad idea. Many consumers probably like the idea of helping local businesses avoid overpriced middlemen. But Tedder says consumer security is suffering.
“People are taking card information over the phone and emailing card information with insecure methods,” she says. That opens you to the old-fashioned risks of unscrupulous employees, or anyone else, pulling credit card info out of the trash.
Meanwhile, hastily assembled websites often skip account safeguards such as two-factor authentication or strong-password requirements, making them easy targets for online criminals.
On top of that, small business websites can be susceptible to so-called Magecart attacks, in which loosely associated groups of cybercriminals compromise shopping sites, inserting online skimming software that steals consumers’ card information.
A handful of large companies, including Macy’s, Ticketmaster, and British Airways, have fallen victim to Magecart in recent years, but most of the businesses affected have been much smaller, says Ziv Mador, vice president of security research at SpiderLabs at Trustwave, a cybersecurity company focused on cloud security.
That’s because the attacks often stem from the compromise of website plug-ins that are used to do things like process payments or provide chatbots, he says. Smaller businesses, especially those in a rush to launch an e-commerce business, often use off-the-shelf plug-ins and fail to adequately vet them.
“The thing about Magecart is they never stop,” Mador says. “They make their living from skimming credit cards. They’re dependent on how clever they can be and that’s why we see them coming up with new techniques every couple months.”
To most consumers, the sites look perfectly normal, so they’d have no idea that their information has been collected and sent back to the criminals.
But avoiding small businesses, many of which are struggling right now, for fear of financial fraud isn’t something many people want to do. So, experts say, the best thing consumers can do is think before they shop and take reasonable precautions when they do.
How to Shop More Safely
Here are important tips for protecting yourself while shopping. Also, a quick reminder: As a consumer, you’re not liable for fraudulent charges on your credit cards. If you see a charge that doesn’t look right, report it to your bank, and it’ll remove the charge and issue you a new card.
Take care of the basics. Make sure your computer, mobile device, and antivirus software are all up to date. That can go a long way toward blocking all kinds of online threats. Setting good passwords, or better yet, using a password manager, will prevent a lot of problems, too. And, while you’re at it, enable two-factor authentication, which adds a second form of identification, such as a fingerprint or physical key, wherever you can, Tedder says.
Stick with reputable websites. While big-name retailers have been compromised by Magecart, Mador says they’re still the most likely to have adequate data security protections in place. And if a site looks sketchy in general, stay away. While it may not be a vehicle for Magecart, it could still be a scam.
Use cash or a payment app with local stores. You can use your favorite restaurant’s website to order your takeout, but it is safer to then pay in person. Consider using cash or a service such as Apple Pay, where the retailer doesn’t handle your credit card information at all.
Don’t take the phishing bait. Researchers have reported big spikes in coronavirus-themed phishing emails. Don’t click on links or open attachments in emails from people you don’t know. And never enter your banking or other credentials into a website you reached by following a link in an email. These are the ways the vast majority of account takeovers happen. Instead, open a new browser tab and enter the site’s URL by hand or by doing a web search.
Keep your shopping to one or two credit cards. This makes it easier to spot fraud. Even better, use a mobile payment service, such as Apple Pay or Google Pay, whenever possible. Instead of your actual credit card number, these services use secure tokens that are worthless if stolen.
Don’t mix work and pleasure. If you’re going to use the same computer for work or financial accounts as you do for shopping, set up separate browser accounts. That will help keep any malicious shopping-related browser extensions or scripts you might accidentally download from getting at your work-related information. You can even use two entirely different browsers, such as Chrome and Firefox.
Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2020, Consumer Reports, Inc.