It's the season for eggnog lattes, office parties, and lots of online shopping. But it’s also the most wonderful time of the year for hackers.

Like the Grinch peering down the mountain at Whoville, cyber criminals are watching you. They're seeking easy targets for phishing, ransomware, credit card fraud, identity theft, and other nefarious schemes.

So before you start typing in your credit card number to get that too-good-to-be-true deal you saw in a Facebook ad, take a minute to make sure that your devices are locked down.

And be careful where you click and who you give your information to. What looks like a gift from Santa could actually be a big pile of coal.

Here are a few ways to stay safe from online threats as you do your holiday shopping.

Better Watch Out

Update everything. One of the easiest and best things consumers can do to boost their digital security this holiday season is make sure that all of their devices are up-to-date, says Kelvin Coleman, executive director of the National Cyber Security Alliance.

When software providers find out about bugs, they send out patches to fix them. But hackers are constantly on the lookout for old, unpatched systems.

NCSA is working to remind people of the importance of this through a new campaign called UpdateMeow, a reference to the popularity of cat videos on the internet. The website includes an online tool kit designed to make updating easy.

In a nutshell, make sure the operating systems on your computers and mobile devices are up-to-date, as well as all the apps on them that you use to shop.

And don’t forget about your antivirus software. Don’t have any? There are many good free and paid versions out there. Consumer Reports members can consult our ratings for help in picking one.



Strengthen weak passwords. Creating strong passwords is especially important on shopping, email, and banking accounts. Long strings of random letters, numbers, and symbols are best. And never use the same password for more than one account.

Enable multifactor authentication. You’ll need two pieces of information to log in to an account from a new laptop or phone. The first is your password; the second item is typically a one-time code sent to your smartphone. This will help keep hackers out of your accounts even if they have stolen your password.

Is Santa (or a Hacker) Really Watching?

In the past, cybersecurity experts warned consumers to stay off public WiFi for fear that their internet traffic could be intercepted by a hacker. But thanks to the widespread use of encryption, that's not as big of a concern anymore, says Chester Wisniewski, a principal research scientist for the cybersecurity firm Sophos.

“I think we’ve reached the point now where there’s very little we can do that’s unsafe” in terms of the hacker at the next table, he says. “We’ve come close to saving the world. We’ve encrypted everything. We’ve actually succeeded.”

Wisniewski says you’d be hard-pressed to find a major retail, banking, or social media site that isn’t encrypted by now. But that doesn’t hold true for smartphone apps. It’s hard to tell whether a particular app is encrypting traffic. And while mainstream mobile browsers are intensely scrutinized for security flaws, the same can’t be said for all of the millions of apps out there.

And the likelihood that a hacker would choose to hijack a store’s WiFi and target individual people is incredibly low. Doing so would be very risky, take lots of work, and be considerably less profitable than sending out phishing emails or ransomware, he says. 

Consumers still worried about a potential hack can take the extra step of using a virtual private network (VPN), as Wisniewski does. But he says most people don't actually need one.

Still worried? Just use the data connection on your phone. It's significantly more secure than WiFi.

“For people that are super concerned about security and privacy, these are things to still be concerned about, and look into, and make decisions about,” Wisniewski says. “But I’m not sure that’s the biggest thing I’m worried about when my mom’s doing her holiday shopping.” 

Checking It Twice (and Maybe More)

What Wisniewski says his mom, and everyone else out there, should be focusing attention on are their bank and credit card statements.

Cyberattacks against retailers are on the rise. Kaspersky Labs, which makes antivirus products for businesses and consumers, says it detected 9.2 million attacks against e-commerce sites around the world in the third quarter of this year. That compares with 11.2 million attack attempts throughout all of 2017.

And if a major retailer gets breached, untold numbers of consumers could find themselves compromised, even if they themselves did everything right.

The easiest way to keep an eye on your accounts is to use the same credit card and email account for all of your holiday shopping. In addition to making it easier to spot phishing emails, you get the added benefit of keeping a closer watch on how much you’re spending.

And stick with credit rather than debit. While banks and credit unions will eventually make you whole if someone empties your checking account, seeing your money disappear can be a lot more stressful than an inflated credit card bill.

One more tip: Many banks will let you set text or email alerts for transactions that exceed a certain amount of money. That lets you know right away whether a cybercriminal has gone on a shopping spree with your account.   

Feast of the Phishes

Speaking of phishing, the sending of scam emails spikes during the holiday season. They could appear to be amazing offers on hot holiday gifts, masquerade as shipping notifications, or even look like they're from charities asking for donations.

While bad grammar and strange-looking email addresses can be red flags, experts say hackers have improved their pitches in recent years.

If an offer looks too good to be true, it probably is, NCSA says. Following a link or clicking on an attachment in a phishing email could result in your computer getting infected with malware or your personal information being stolen. If you see a great deal, you’re better off opening a browser window and going directly to a retailer’s website.

That also goes for discounts and other holiday-themed offers you see on social media. Apps claiming to contain amazing deals could be malicious as well.

Bottom line: "When in doubt, throw it out," NCSA says. While everyone likes to get the best deal possible, getting too Scrooge-like now could come back to haunt you in the future.

Editor’s Note: This article is an expanded version of one that appeared in the December 2017 issue of Consumer Reports magazine.