The phrase caveat emptor, Latin for “let the buyer beware”, has long been a warning to carefully scrutinize the quality and suitability of goods before making a purchase. In the world of eCommerce, caveat emptor has taken on a whole new meaning. After meticulously researching any number of crowdsourcing sites, consumers get to buy the goods they want from the comfort of their sofas, but they also need to guard the accounts they use in the exchange. It’s not just the buyers’ credit card numbers and home addresses that are at risk of exposure. Many cybercriminals make a living out of patiently collecting other sensitive personal data and selling it for use in any number of malicious activities. In this post, we’ll offer some guidance on how to make yourself a “hard target” by engaging in practices that give you the best chance of keeping your personal information safe as you shop this holiday season.
1. Never re-use passwords. According to a 2020 NordPass study, the average person juggles 100 passwords across various sites and services. Given this, it’s easy to understand why people re-use easy-to-guess passwords: they simply have too many to remember. Years ago, the risk of this unsound practice was limited to exposure to individual attackers. Today, it plays right into the hands of sophisticated cybercriminals who execute an attack technique called “credential stuffing”. This attack method uses bots for automation and scale, and it relies on the assumption that many users reuse the same username and password across multiple services.
The simplest and one of the most effective ways to manage dozens of passwords is to use a password manager. A password manager keeps all your passwords in one place and can fill them in for you automatically, so you don’t have to remember which password you created for which site. Password managers also generate strong passwords for you, usually much stronger than ones you would make up yourself. Some services even monitor the web and alert you if one of your passwords turns up in a breach or hack, so you can change it immediately and limit any damage.
2. Say “yes” to two-factor authentication. Two-factor authentication (2FA) is a security process that cross-verifies users with two different forms of identification, most commonly knowledge of an email address and proof of ownership of a mobile phone. Used on top of the regular username/password verification, 2FA bolsters security by making it more difficult for attackers to gain unauthorized access, even if a perpetrator gets past the first authentication step. Google reports that even two-step verification through SMS text messages, considered one of the weakest forms of two-factor authentication, can stop 100% of automated attacks, 96% of bulk phishing attacks, and three-quarters of targeted attacks. 2FA is commonly employed on online banking websites, social media platforms, and e-commerce sites as a way to harden access controls for the more sensitive areas of a web application (e.g., admin panels or areas that store credit card details and/or personal data). Other 2FA methods include one-time passwords from an authenticator app, fingerprint readers, and retinal scans – all of which offer even stronger protection. In any case, when 2FA is offered, use it.
3. Assume every email, voicemail, or text message about your account is phishing. Phishing is a type of social engineering attack often executed to steal user data, including login credentials and credit card numbers. An attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information. For individuals, an attack can be devastating, with results including unauthorized purchases, money theft, identity theft, or all of the above. While our advice here may seem extreme, consider that, according to the FBI, phishing was the most common type of cybercrime in 2020. Successful phishing incidents nearly doubled in frequency year-over-year, from 114,702 incidents in 2019 to 241,324 incidents in 2020.
While the junk filters provided by our email services have gradually spared many of us the constant flood of phishing attempts, many people have noticed an increase this year in SMS messages about an “account issue”, sometimes for accounts they don’t even have.
The best way to avoid a phishing attack of any kind is never to click a link sent to you through any medium, and never to give your login information over the phone. If you have questions about the account, or think there might actually be an issue, open a new browser tab, type in the site’s URL (or use a bookmark you have saved), and log in as you normally would to check your balance. If the issue is legitimate, you’ll find it in your messages or account profile.
Follow these steps to help ensure that cyber theft of your personal information does not play a role in your holiday shopping season. While it’s true that cyberattacks are becoming more frequent and sophisticated all the time, you have the ability to thwart them.