By Brian Krebs
washingtonpost.com Staff Writer
Wednesday, November 21, 2007 10:14 PM
If you're one of the nearly 39 million consumers the National Retail Federation expects will do their holiday shopping online this year, then listen up! Use your street smarts in the virtual marketplace and follow these basic online shopping tips to protect yourself and to ensure that your money doesn't become part of the $3.6 billion that merchants expect to lose this year to online fraud by spammers, scammers and shifty retailers.
Here are five tips for staying safe online this holiday season (and the rest of the year too):
1. Shop From a Secure PC
If possible, avoid using the family PC that your teens or children use to chat with their buddies and play games online. Those machines, especially if they're a Microsoft Windows computer, are often already infested with spyware. An infected system will undermine all of the other precautions you might take to avoid online fraud.
Before you start shopping online, make sure your system is running with up-to-date anti-virus software, and that you're using a firewall to block potential intruders. Just as important, be sure that your computer has the latest Microsoft software security updates installed.
2. Shop Smart, and Only at Sites You Know & Trust
Avoid search-engine shopping, which can often lead to random merchants you've never heard of. For the safest and most hassle-free online shopping experience, it's best to stick with merchants you know and trust. Most importantly, make sure you have read and understand the merchant's shipping and return policies before making any purchases.
If you're worried that you'll miss out on the discounts if you shop online, there are a number of well-established online coupon sites -- such as couponcabin.com and currentcodes.com -- that list different promotional codes that you can enter at participating Web merchants during checkout. Generally these discounts range from $5-off coupons, to 10-20 percent off of a certain purchase amount, to free shipping.
Be sure to print a copy of each receipt or confirmation e-mail you receive. Keep all of your receipts in a folder and filed away in a safe place.
Never buy anything advertised via unsolicited e-mail. Such offers are almost always a scam. Criminals even build attractive storefronts for fake businesses that close up shop within days of accepting your online order.
3. Shop with Your Credit Card
Most online merchants accept both credit and debit cards. Under federal law, credit card issuers can only hold customers liable for the first $50 of fraudulent transactions, and most issuers will waive even that amount.
While debit card issuers have largely adopted that same approach, your bank account could be overdrawn while you dispute fraudulent charges, particularly if you don't notice the fraud immediately. Experts say credit cards still present less potential for hassle when dealing with your financial institution should unauthorized charges show up later on a monthly statement.
"It's still harder to get your money back from fraudulent transactions on a debit card unless the process is transacted in exactly the way the bank wants to be, and a lot of times consumers have no way of knowing whether a given purchase meets those requirements," said Avivah Litan, a fraud analyst with research firm Gartner Inc.
Never, I repeat, never, shop at sites that ask you to wire your payment or send money orders.
4. Consider Alternative Payment Methods
For the truly fraud-wary online shopper, there are still plenty of alternatives to entering your account number at multiple Web sites. Many financial institutions and card issuers -- including Bank of America, Citibank, Discover, and PayPal -- offer customers the ability to generate unique, "virtual" or "one-time use" account numbers that are good for a single transaction or a handful of specified transactions only and cannot be reused.
While virtual account numbers may make shoppers feel safer online, they may be more hassle than they're worth, Litan said. "These virtual numbers generally are there to protect [the card issuer] more than the consumer, but they do give some online shoppers more peace of mind."
Gartner's recent studies show online shoppers are starting to turn to other alternative payment methods, such as pre-paid gift and credit cards, and services like billmelater.com. The latter allows online shoppers to shop online at some well-known retail outlets without ever having to enter a credit card number (the company requests your name, address, date of birth and the last four digits of your Social Security number to decide whether to grant you instant credit). A number of participating sites are offering perks for purchases made through billmelater.com, such as free shipping and deferred payment for up to six months.
5. Get a Handle on Spam
If you worry that giving away your e-mail address at multiple online merchants might wind up cluttering your inbox with more junk mail, consider creating a new address for each new Web site that requires you to enter one as part of the registration process. This allows you take action if a merchant you're doing business with sells or rents your e-mail address to marketers.
You don't really need to create a brand new e-mail address for each site: Some free Webmail providers -- most notably Google's Gmail -- will allow you to create as many "aliases" for the same e-mail address as you want.
Here's how it works. Let's say your Gmail address is firstname.lastname@example.org, and you're being asked to enter an e-mail address at widgets.com as part of their online ordering process. Simply enter the name of the retailer as part your real e-mail address by using the "+" sign. In this case, you'd enter email@example.com. That way, future communications from that retailer or any company that happens to share that particular marketing list will come addressed to firstname.lastname@example.org.
Later on, if a particular online merchant generates a wave of junk e-mail offers, you can create e-mail filters to automatically send all e-mail addressed to the custom address you created to the virtual trash bin.
For the latest computer security news, read the Security Fix blog by Brian Krebs.