
On the first day of Christmas, a hacker said to me … I stole your i-den-ti-tee.

I know you’re thinking — really, Tech Guy? But there’s a real Grinch prowling your phone and computer this holiday season: cyberthieves after your money, your passwords and your personal data.

I’ve got some advice to keep hackers from ruining your Christmas.

We’re easier targets under holiday stress. The desperate hunt for Junior’s must-have Poopsie Slime Surprise (this year’s hot toy) makes you more inclined to trust an unknown online merchant. Decking the halls makes you a little less mindful about clicking on that email you thought came from your bank. Even on old reliable Amazon, fraudsters prey on you through fake reviews, shady gift cards and sneaky shipping fees. (Amazon founder and CEO Jeffrey P. Bezos also owns The Washington Post, but I review all tech with the same critical eye.)

Hackers mostly want money, so the shopping season is big business. Security firm Carbon Black says there was a 58 percent increase in attempted cyberattacks on its corporate clients during the 2017 holiday shopping season compared to the rest of the year.

And we need to adjust to a new reality in the online world: Data breaches are now extremely common. This year’s major hacking targets included lots of big, familiar brands such as Marriott, Under Armour and Saks Fifth Avenue. Through no fault of your own, any data — including passwords and credit card numbers — you hand over to a company has a decent chance of someday being stolen.

So what should you do? There are a few steps that help even when you’re not shopping: Make sure your phone, computer, WiFi router and other connected gadgets are running the latest updates available. (Hackers know their way into older software.) And if your phone or computer is more than five or six years old, ask Santa for a new one. There is no way to keep an old device secure past a certain point.

Beyond that, practice defensive shopping. Here are eight pretty simple rules I learned from security pros that are especially useful now, but work all year.


This Bank of America phishing email sent to Colin Bastable, the CEO of training company Lucy Security, was designed to look convincing on both a smartphone and laptop. The link, circled in red, leads to a fraudulent website.

1. Don’t click on links in emails. Not even the “order confirmation” ones.

The No. 1 way hackers get to you and your family is through phishing scams. These are emails or messages that pretend to be from someone legitimate, but actually are trying to trick you into handing over information like a password. That’s how the hackers got Hillary Clinton’s 2016 presidential campaign — John Podesta clicked on a link in a phishing email.

During the holidays, phishers try to fake you out with emails that look like they’re an “order confirmation” from a retailer, an overdraft alert from the bank or a delivery message from the post office or UPS. Think you’re smart enough to tell the difference between a real and fake email? You’re not. They’ve come a long way from messages from Nigerian princes. Phishers have gotten so sneaky, even the pros get tripped up. It’s just not worth clicking.

But what if that email has a deal you want, or a bank alert you need to check out? You still don’t need to click on the email. Pull up your web browser and type in the related website directly. Or open your bank or the retailer’s trusted app on your phone.
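The column’s rule is simply “don’t click,” and the reason is that the words you see in an email say nothing about where the link goes. The script below is an added illustration, not code from the column or from any bank or mail provider: it pulls every link out of a constructed email and reports the checks a mail filter would run before a human ever sees the message. The email body and the list of trusted domains are assumptions made for the example, and the “last two labels” domain reduction is a deliberate simplification (a real filter would use a public-suffix list).

```python
"""Report where the links in an e-mail really lead (added example; constructed input)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: the domains a reader would type in directly.
TRUSTED_DOMAINS = {"Bank of America": "bankofamerica.com", "Amazon": "amazon.com"}

# Constructed sample e-mail; none of these links are real.
SAMPLE_EMAIL = """
<p>Unusual sign-in detected. Your account has been limited.</p>
<p><a href="http://bankofamerica.com.verify-login.example/secure">Sign in to Bank of America</a></p>
<p>Statement available: <a href="https://www.bankofamerica.com/">www.bankofamerica.com</a></p>
<p>Need help? <a href="https://secure-update.example/boa">https://www.bankofamerica.com/help</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Simplified: keep the last two labels (login.bank.com -> bank.com). Not suffix-list aware."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like_url(text):
    """True when the visible anchor text itself reads as a web address."""
    return re.fullmatch(r"(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/[^\s]*)?", text.lower()) is not None


def audit_email(html, claimed_brand):
    """Return one finding per link: where it goes and why it is (not) trustworthy."""
    parser = _LinkCollector()
    parser.feed(html)
    expected = TRUSTED_DOMAINS[claimed_brand]
    findings = []
    for href, text in parser.links:
        reasons = []
        url = urlparse(href)
        host = url.hostname or ""
        if url.scheme not in ("http", "https") or not host:
            reasons.append("non-web or malformed link")
        else:
            if registrable_domain(host) != expected:
                reasons.append(f"leads to {registrable_domain(host)}, not {expected}")
            if url.scheme != "https":
                reasons.append("connection not encrypted")
            if looks_like_url(text):
                shown = urlparse(text if "://" in text else "//" + text).hostname or ""
                if registrable_domain(shown) != registrable_domain(host):
                    reasons.append(f"displays {shown} but goes to {host}")
        findings.append({"href": href, "text": text, "safe": not reasons, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_email(SAMPLE_EMAIL, "Bank of America"):
        print("OK  " if f["safe"] else "BAD ", f["text"], "->", f["href"], f["reasons"])
```

The first link shows the trick the column warns about: the brand name appears at the start of the host, but the part that matters is the end (`verify-login.example`). The third link is worse, because its visible text is itself a convincing address that has nothing to do with where the click lands. Only the second link survives, and even that one the column would have you reach by typing the address yourself.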

2. Use PayPal, Apple Pay, Samsung Pay or Android Pay whenever possible.

Paying with one of these newer services keeps your credit card number out of the hands of merchants. So when a merchant eventually gets hacked, it can’t leak your 16-digit account number.

How does this work? PayPal and Apple Pay use an extra layer of security called tokenization: the bill still gets paid, but the merchant receives a one-time-only code (a token) rather than your card number. You’re still paying through a credit card that you’ve enrolled with PayPal or Apple, but your information stays more private.

Banks issuing credit cards are responsible for fraud — and they use artificial intelligence and your typical spending patterns to look out for shady transactions behind the scenes. But having your credit card number stolen is still a hassle worth avoiding.

3. When a site asks you to set a password, don’t reuse an old one.

If you’re shopping on a site you don’t frequent, use “guest” checkout instead of setting up an account. The less information you share, the better.

But if you have no choice, don’t use a password you’ve used elsewhere. When a site gets hacked, the bad guys scoop up names, emails and passwords. So if you’re using the same password for an unimportant website as, say, your bank — you could get in big trouble.

Your password may already be floating around out there and up for grabs. The website haveibeenpwned.com lists the ones we know about. (Go and check yours: It is a real nightmare before Christmas.)

Okay, but how are you supposed to keep track of different passwords for all these different sites? You can’t, which is why I recommend using a password manager program. (Here are my favorite ones.) It’s a little annoying at first, but eventually you’ll wonder how you ever managed without one.
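How can haveibeenpwned.com tell you whether a password has leaked without you handing that password over? Its Pwned Passwords lookup works on hashes: your device hashes the password with SHA-1 and sends only the first five characters of the hash; the service replies with every known leaked hash that starts the same way, and the comparison happens on your side. The code below is an added illustration of that exchange, not code from the column or from the haveibeenpwned service: the “server” and its breach corpus are constructed stand-ins so the example runs offline, and the leak counts in it are made up. It also includes a small reuse check of the kind a password manager runs, because the column’s point is that one leaked password should never be the key to your bank.

```python
"""Breached-password lookup by hash prefix, plus a reuse check (added example)."""
import hashlib
from collections import defaultdict

# Constructed stand-in for the breach database; counts are invented for the example.
_FAKE_CORPUS = {"password": 1000, "123456": 5000, "Winter2018!": 2}

# Everything the "server" ever receives from the client is recorded here.
requests_seen = []


def sha1_prefix_suffix(password):
    """Upper-case SHA-1 hex split into the 5-char prefix that is sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fake_range_server(prefix):
    """Models the range endpoint: every stored hash with this prefix, as 'SUFFIX:COUNT' lines."""
    requests_seen.append(prefix)
    lines = []
    for pw, count in _FAKE_CORPUS.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body):
    """Turn the 'SUFFIX:COUNT' text into a {suffix: count} dictionary."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range=fake_range_server):
    """How many times the password was seen in breaches; 0 if the suffix is not in the range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def reused_passwords(vault):
    """Group sites by shared password so a bank sharing one with a toy shop stands out."""
    by_pw = defaultdict(list)
    for site, pw in vault.items():
        by_pw[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_pw.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample vault: two sites share a password that is also in the corpus.
    vault = {"bank": "Winter2018!", "toy-shop": "Winter2018!", "email": "correct horse battery staple"}
    for site, pw in vault.items():
        print(f"{site}: seen {breach_count(pw)} times in breaches")
    print("reused:", reused_passwords(vault))
    print("what the server received:", requests_seen)
```

Note what the server log contains at the end: five hexadecimal characters per lookup and nothing else. A five-character prefix matches a large block of unrelated hashes, so the service learns neither your password nor its full hash.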

4. Only interact with Amazon merchants through the Amazon website.

Amazon isn’t the only company that sells stuff on Amazon. Half the merchandise sold there these days is from third-party sellers, who are supposed to run everything through Amazon. So if a merchant ever asks you to email them directly, pay through some other channel or use gift cards, just say no and contact Amazon customer service.

Sometimes merchants might try to scam you by charging very little for a product but a ridiculous sum for shipping. That violates Amazon’s rules, too.

5. Don’t put too much faith in Amazon ratings.

They’re no guarantees of quality. Some merchants pay for fake reviews that boost their rankings in Amazon’s search listings. Others may beg customers to take down bad reviews — it happened to a colleague last week. (Both violate Amazon’s rules.)

Amazon polices its store for fraud, but merchants set their own return policies. Even when they’re legitimate, online ratings don’t necessarily communicate what you think. What’s “average” isn’t three stars — it’s usually closer to 4.3 stars. The most important information is the total number of reviews, and the honesty of what you read in the good and bad reviews.


Smartphone apps from Bank of America, left, and Chase allow you to turn on alerts or text messages for a range of activity on credit card accounts. (Geoffrey Fowler/San Francisco)

6. Turn on alerts for all credit card transactions.

You probably get alerts on your smartphone for all sorts of unimportant things, such as Facebook likes, doorbuster sales and news about the Kardashians. So you definitely should turn them on for credit cards and bank accounts. That way, you’ll know every time a purchase goes through — and you can leap into action if it wasn’t your charge.

Every bank does this slightly differently: Some let you sign up for text-message or email alerts via their websites. Dedicated bank apps let you sign up for smartphone push alerts. Some banks, such as Chase, let you use an app to lock and unlock cards.

7. Don’t shop on WiFi at the mall, airport, coffee shop or hotel.

Public WiFi is just that: public. Hackers who want to snoop on your laptop or phone can do so with relative ease if you join one of those networks. Digitally speaking, you’re walking around the airport as naked as the day you were born.

You’re more protected if you use a virtual private network, or VPN, which encrypts all the data coming in and out of your device.


Look for the encryption lock symbol — even on your phone’s Web browser, as seen here on an iPhone. (Geoffrey Fowler/San Francisco)

8. Look for the lock logo in your Web browser — but don’t rely on it.

The lock icon that appears in your browser’s address bar means that your connection to the site is encrypted, so prying eyes on the open Internet can’t easily see the data going back and forth. Using encryption is a best practice for all sorts of sites, but it’s critical on any site that has your sensitive personal information, like your bank details. Any site that doesn’t have it isn’t prepared to protect you.

Unfortunately, the lock isn’t a guarantee that a retailer is legitimate. Lately, fraudulent sites have also started using encryption in the hopes of duping us into trusting them.
