Choose carefully where you shop
It's worth doing some research on online retailers to check they are legitimate. Read feedback from people or organisations that you trust, such as consumer websites.
Some of the emails or texts you receive about amazing offers may contain links to fake websites. If you're unsure, don't use the link, and either:
- type a website address that you trust directly into the address bar
- search for it, and follow the search results
Use a credit card for online payments
Use a credit card when shopping online, if you have one. Most major credit card providers protect online purchases, and are obliged to refund you in certain circumstances. Using a credit card (rather than a debit card) also means that if your payment details are stolen, your main bank account won’t be directly affected.
Debit card payments and purchases are not covered by section 75 of the Consumer Credit Act. But you might be able to make a claim for a refund under a voluntary scheme called ‘chargeback’.
Also consider using an online payment platform, such as PayPal, Apple Pay or Google Pay. Using these platforms to authorise your payments means the retailer doesn’t even see your payment details. They also provide their own dispute resolution should anything go wrong. When it's time to pay for your items, check there's a 'closed padlock' icon in the browser's address bar. It will look like this:
The padlock icon doesn’t guarantee that the retailer itself is legitimate/reputable (and that their website is secure). It means that the connection is secure. If the padlock icon is not there, or the browser says not secure, then don’t use the site. Don't enter any personal or payment details, or create an account.
Only provide enough details to complete your purchase
Only fill in mandatory details on a website when making a purchase or signing up for information. These are usually marked with an asterisk (*), and will typically include your address and payment details. When the merchant's website transfers you to your card issuer to verify payment, you may get asked for further security details to confirm you're the cardholder. See this Visa page for typical details.
If possible, don't create an account for the online store when making your payment. You can usually complete a purchase without creating an account, or by using an online payment platform (such as PayPal). If you think you'll become a regular customer with the store, then you may want to create an account with them.
The store may also ask you if they can save your payment details for a quicker check-out next time you shop with them. Unless you're going to use the site regularly, don't allow this.
Keep your accounts secure
If you're using the same password for your online accounts (or passwords that could be easily guessed), then you're at risk. Hackers could steal your password from one account, and use it to access your other accounts. For this reason, you should make sure that your really important accounts (such as your email account, social media accounts, banking accounts, shopping accounts and payment accounts like PayPal) are protected by strong passwords that you don't use anywhere else.
This NCSC infographic explains how you can create strong passwords and store them safely (so you don't need to remember them).
You can further protect your important accounts from being hacked by turning on two-factor authentication (2FA). It's also referred to as 'two-step verification' or 'multi-factor authentication'. Turning on 2FA stops hackers from accessing your accounts, even if they know your password. It works by asking you to confirm that it's really you in a second way - usually by asking you to enter a code that's sent to your phone.
Watch out for suspicious emails, calls and text messages
You'll probably receive messages from online sources, as a result of 'opting in' to receive communications. Lurking amongst these genuine messages, there may also be fake ones (containing links designed to steal your money and personal details) that can be very difficult to spot.
Of course, not all messages are bad, but if something doesn't feel right, you can report it to the Helpdesk, or during the holidays, follow the NCSC guidance on dealing with suspicious emails, phone calls and text messages:
If you have received an email which you’re not quite sure about, again, forward it to the Helpdesk or to the Suspicious Email Reporting Service (SERS) at firstname.lastname@example.org.
If you've received a suspicious text message, forward it to 7726. It won't cost you anything, and allows your provider to investigate the text and take action (if found to be a scam).
If you come across an advert online that you think might be a scam, report it via the Advertising Standards Authority (ASA) website. This allows ASA to provide online service providers with the details they need to (if appropriate) remove these from websites.
If things go wrong
- If you think your credit or debit card has been used by someone else, let your bank know straight away so they can block anyone using it. Always contact your bank using the official website or phone number. Don't use the links or contact details in the message you have been sent or given over the phone.
- If you think you have responded to a suspicious email or text message, or visited a scam website, don't panic. In a work context, report it to the Helpdesk; in any case, read the NCSC’s guidance on dealing with scam emails, phone calls and text messages.
- If you've lost money, tell your bank and report it as a crime to Action Fraud (for England, Wales and Northern Ireland) or Police Scotland (for Scotland). By doing this, you'll be helping to prevent others becoming victims of cyber crime.
- If you don't receive the item (or it doesn't match the description given), Citizens Advice has some useful information about getting your money back if you paid by credit card, debit card or PayPal.
- Stay safe.