
May Your Holidays Be Merry and Secure

Kelly Downey

Buyers beware: Black Friday and Cyber Monday are lurking around the corner. Protect yourself during your holiday shopping with tips from UVA cybersecurity experts. Angela Orebaugh is Assistant Professor and Director of Cybersecurity and IT Programs in the School of Continuing and Professional Studies and Kelly Downey is Information Security Education & Awareness Senior Analyst in the Office of Information Security at the University of Virginia.


According to a recent poll, 53% of holiday spending will occur online, with 20% of that originating from a mobile device. The holiday season is a peak time for fraud. As shoppers are busy chasing deals, cybercriminals are chasing the money. Online shopping opens the door for cybercriminals to gain access to your information in a variety of ways. The following tips will help you protect your accounts and information during this busy season.

1. Shop at well-known, trusted online merchants

Large, well-known online merchants have robust systems to track inventory and delivery and to protect your information. However, we also recommend supporting small businesses online. In these cases, read reviews, check out the company on social media, and call the company’s phone number directly to ensure it is a real company.

2. Beware of good deals

We have all heard, “If it sounds too good to be true, it probably is.” This particularly applies to online shopping. Unknown sites may advertise great deals on merchandise that does not exist and that you will never receive. These sites may also collect your credit card information to use or sell on the dark web. Beware of texts and emails for hard-to-find holiday toys and other items, as they could be from cybercriminals looking to obtain your personal and credit card information.

3. Beware of fake sites

Leading up to the holidays, scammers are increasing the number of copycat websites that look like your favorite e-commerce site. These fake websites have a slightly different spelling, or misspelling, of the name. Always double-check the URL of the website you are visiting to make sure that it is the real website for the merchant.

4. Use unique passphrases

Using the same password across multiple online sites makes you vulnerable to compromise. If an attacker gets your password for one site, they attempt to use the same username and password at other common sites. Use a unique passphrase at each online site. A passphrase, such as 1fish2fishredfishbluefish, is easier to remember and much harder to crack than a shorter complicated password. You can also use a password manager to track your usernames and passwords. Read the reviews and choose a reputable, secure password manager application. More importantly, enable extra identification measures at online sites, such as two-factor authentication, when possible.

5. Pay with a credit card, not a debit card

It is much easier to resolve fraudulent charges on a compromised credit card than to recover an empty bank account. Credit card compromises can be resolved in a matter of days, but bank account compromises may take weeks or months to resolve.

6. Don’t store your credit card information

It may be convenient to store your credit card information on your online merchant account, or on your computer or mobile device, but cybercriminals take advantage of this when they compromise accounts and devices. If your username and password are compromised, cybercriminals have direct access to your credit card information to purchase items. Additionally, some online merchants may not ensure proper security for stored credit card information.

7. Check your statements frequently

Checking your credit card and bank account statements daily is recommended during the holiday season, but at a minimum check once a week. Fraudulent charges often get overlooked with an increase in spending during this busy time of the year. Even reputable online merchants may be compromised, as in the case of the Macy’s Checkout and MyWallet compromise last month where attackers stole credit card information.

8. Be cautious about purchasing online gift cards

Only purchase gift cards online directly from the merchant’s website. Beware of purchasing gift cards from online auction sites or using gift card exchange services. Cybercriminals like to auction or trade gift cards with little to no funds. If you are venturing into this area, make sure the site you are dealing with has a crystal-clear guarantee policy.

9. Beware of email and text scams

The holiday season is prime time for phishing scams. According to the FTC, the FBI’s Internet Crime Complaint Center reported that people lost $30 million to phishing schemes in one year. During the holiday season, phishers send emails claiming that something went wrong with your order, fake shipping updates for orders, and offers of great deals on hard-to-find items. These emails are designed to trick you into clicking a link or downloading an attachment, both of which can steal your information. Phishing isn’t just email; it may also involve texts. Some cybercriminals send texts telling you to reset your online banking password due to a fraudulent charge. Texts are designed to trick you into clicking a link and entering your banking information. You can protect yourself by knowing how to identify a phishing scam. Always call your bank directly when dealing with potential fraud. Check the “from” email address to ensure it is valid, inspect the URL when you hover over it with your mouse to ensure it is correct, beware of attachments, and most importantly, slow down. Taking time to stop and think about an email or text greatly increases your chances of detecting a phishing scam.

10. Do not give out too much information

To ensure your privacy, only fill out the required fields at checkout and beware of answering questions on a checkout page that don’t seem necessary for the purchase.

By being cautious and thinking about the possible consequences of your actions, you can truly enjoy peace of mind during the holiday season.