The Wall Street Journal
Online shopping is an easy way to shop for sales and avoid crowds at the mall. It is also an easy way to get ripped off.
And because online shopping spikes during the holiday season, scammers enjoy a larger pool of potential victims. ”They see it as an opportunity to defraud consumers,” says Ron Teixeira, executive director of the National Cyber Security Alliance, a nonprofit group that educates consumers and businesses.
Online-security experts say consumers should stay alert on auction and classified-ad sites, where a lot of the fraudulent activity takes place. And phishing activity – say, bogus email from charities that is used to fish for consumers’ financial information – tends to increase during the holiday season.
The Internet Crime Complaint Center, a partnership of the Federal Bureau of Investigation and the nonprofit National White Collar Crime Center, tracked $198.4 million in losses due to Internet fraud last year. That was up from $183.1 million in 2005. Under federal law, credit-card customers are liable for only $50 for unauthorized charges and some issuers don’t even charge the $50. But the customer first has to notice the bogus charge and report it to the card issuer.
By conducting a little research and using a few basic tools, you can limit your vulnerability to scams and fake e-commerce sites. Free software can alert you when you are at a fraudulent Web site, like one used for phishing. And financial institutions offer temporary account numbers so you don’t have to fork over useful financial information to online merchants.
Here are a few ways to shop safely:
Update your security software
The first thing you need to do before you even begin shopping is protect your computer. That means getting updated versions of a firewall and antivirus and antispyware software, Mr. Teixeira says. Many computers come with such software preloaded. But if the user doesn’t pay roughly $50 to $150 when the trial period is up, often after 90 days, the software expires.
Only 22 percent of Internet users say they have the core protection recommended by Mr. Teixeira, according to a study released in October by the security alliance and online-security company McAfee Inc. The most common reason users didn’t have the protection was because they failed to keep their security software up to date, he says.
If you’re online, click on the periodic update alerts that flash on your screen.
Determine if the store is legit
Before buying from a company you’ve never heard of, find out as much as you can about it.
Look for the business’s physical address, a telephone number and an email address in case you need to contact the company if something goes wrong, says Steve Salter, vice president of the Better Business Bureau’s BBBOnLine division. If the information isn’t on the vendor’s site, that doesn’t necessarily mean the site is fraudulent, Mr. Salter says. But resolving any problems after you’ve made your purchase will be more difficult.
You can also find information about a company by checking with the Better Bureau Business Web site (www.bbb.org). Plug the vendor’s Web address into the bureau’s database to see if any complaints have been filed.
Shoppers should also check to see if the site is certified by an online-security certification company, Mr. Salter says. Network Solutions has a certification program called SiteSafe (www.networksolutions.com), and ScanAlert runs a program called Hacker Safe (www.scanalert.com). The companies run daily checks on Web sites to hunt for vulnerabilities and confirm that transactions are secure.
Web sites vetted by programs like these typically display certification logos on their home page. When you visit a new site, click on any such logo to make sure it’s real, Mr. Salter says, because it is relatively easy to duplicate these images on fraudulent sites. When you click on the logo, you should see information about the site’s certification status.
While certification programs add a layer of security about a Web site, they don’t guarantee it is hack proof.
McAfee (www.mcafee.com) offers a free add-on for your Web browser, SiteAdvisor, that rates the safety of each Web site that turns up in search results. Next to each result is a colored icon: green for safe, yellow for suspicious and red for potentially dangerous. If you click on on a yellow or red icon, SiteAdvisor will provide an explanation. For example, the site may be known for downloading spyware or adware. McAfee cautions, though, that it can’t guarantee it will catch every hazardous site and that SiteAdvisor users must still exercise caution.
Avoid crazy deals
Auction and classified-ad sites, like eBay and Craigslist, are some of the riskiest places to shop online, says Susan Grant, director of the fraud center for the National Consumers League. Complaints about general merchandise, which includes classified-ad and e-commerce sites, were the No. 1 grievance the league received about Internet fraud from January to Sept. 15, accounting for 27 percent of the roughly 8,400 complaints. Auction sites came in at No. 3, making up 19 percent of the complaints.
A new scam is advertising purebred puppies for an absurdly low price or free if the buyer pays for the shipping, Ms. Grant says. The scammers keep the money sent to them and never deliver the dog. ”If somebody is offering something for way cheaper that it normally costs, I would be suspicious of that,” Ms. Grant says.
Sometimes, scammers will ask for payment via a wire service. ”There is no reason why somebody would ask you to wire the money to them. That’s how crooks want money,” Ms. Grant says.
Craigslist places antifraud warnings on all of its home pages and at the top of each for-sale posting. ”Craigslist users can avoid virtually 100 percent of fraud attempts by following one very simple rule: Deal locally with people you can meet in person,” says Jim Buckmaster, chief executive for Craigslist. The site constantly works on new technical measures to deter fraud, he says.
On eBay, the advice is to comparison shop not just for prices, but for sellers as well, says Jim Griffith, dean of eBay education. If the seller has poor feedback from other buyers or little feedback at all, you should reconsider buying from that seller. Also check to see if the seller gives refunds or insures items. Mr. Griffith says only a small percentage of eBay sellers engage in fraud. And once an eBay member is kicked out of the site for fraudulent behavior, eBay’s tracking measures make it ”next to impossible” for that person to reregister with the site, he says.
Try a temporary card number
There are new payment options for users wary of putting their credit-card information on the Web.
Citi, Bank of America and Discover offer temporary account numbers for their cardholders. These services will generate a random number that you can paste into a merchant’s payment form. This limits exposing useful financial information to thieves and hackers. The merchant can’t tell that you’re using a temporary number, and the charge appears on your credit-card statement like a normal purchase. You can request a new number every time you shop or use the temporary number for multiple purchases, though each number can be used with only one merchant.
PayPal (www.paypal.com) has a free add-on tool for your browser that works in a similar way. PayPal account holders can use this tool to make online payments at any vendor that accepts MasterCard. The tool will generate a unique MasterCard account number for the purchase.
One drawback is that you probably can’t use these offerings for all purchases. For example, they typically won’t work for items like concert tickets you have to pick up in person because the temporary card number will differ from the one on the card you present at the box office for verification.
Verify your bank’s emails
The holiday shopping season ”is a fertile time for the phishers to attack” since more shoppers are online, says Frederick Felman, the chief marketing officer for MarkMonitor, a brand-management company. Increased shopping also boosts the chance a consumer will respond to a phishing email that appears to come from a bank or credit-card company, especially if the email comes soon after a purchase, Mr. Felman says. Often a consumer might be multitasking when responding to email and not notice that he has clicked a bogus link.
If you receive an email about a transaction, call the number on your bank statement or credit card, rather than clicking on a link or using a phone number in an email.
Charity-related phishing also pops up during the holidays. In these scams, you receive an email with a link to a fake charity soliciting a donation. Enter your financial information and ”that credit card is up for grabs,” says Bari Abdul, vice president of Worldwide Consumer Marketing for McAfee.
”We tell people not to click on those links unless you have signed up to receive those charities’ newsletters,” says Sandra Miniutti, vice president of marketing for Charity Navigator, an online charity evaluator. Be wary of using search results to find a charity’s Web site. Or go to Charity Navigator’s Web site (www.charitynavigator.org), which links to 5,000 charities, she says.
The Better Business Bureau’s Web site also has reports on hundreds of charities.