Safe online shopping: How to and what to look out for

With the festive season around the corner, it's a great time to brush up on how to shop safely online. Online fraudsters will utilise the popularity of events such as Black Friday, Cyber Monday and Christmas as they know there is an increased level of online activity, and once you get into the groove of Christmas shopping, it can be easy to miss some of the tell-tale signs of fraudulent activity.

We've compiled this guide on what you should be looking out for as you browse online. Fraudsters can attempt to gain your information or lead you to take an unsecured action through many means and platforms, so make sure you're thinking about the trustworthiness of everything from an email to the website you visit.


When you visit a website, there can be some signs that it isn't a safe place for you to be visiting. Websites may act as a front to obtain personal information about users and can even play host to malicious software that affects your device. If you're savvy as to what to look out for and proceed with caution when browsing online, you can do so in confidence that you're not at risk.    

Although it may sound like every website could pose a risk, this just isn't true. Most of the websites we visit are from trusted retailers or established companies. These websites have to be secure for the company to succeed and be trusted, so you shouldn't put your focus on the websites from brands or companies you know, but rather on those you may have never heard of. You should be aware that some people will try to mimic the website of a large company, but these can usually be pretty quickly sussed out. Some search engines will show a warning when you try and visit a website. In these cases, if you're in doubt, do not proceed.

SSL certificate

An SSL (Secure Sockets Layer) certificate is a digital certificate that means any users connecting to a website will have their information encrypted. They're commonly used on websites that require you to enter personal information, such as eCommerce or marketplace platforms; however, most established business websites will have an SSL certificate. If a website does not have an SSL certificate, it means that your personal information is potentially at risk.

How can I tell if a website has an SSL certificate?

It’s very easy to find out if a website is encrypting its information: the clue is within the URL of the page itself. Follow these steps to find out:

  1. Go to the website in question and look at the URL at the top of your browser window.
  2. If the website address starts with ‘HTTPS’, then it has an active SSL certificate.
  3. If the address starts with ‘HTTP’ (without the additional S), then they have no valid security certificate, and your information won’t be encrypted.
  4. If the URL is not showing either ‘HTTPS’ or ‘HTTP’, then copy and paste the website address into somewhere you can view text. After pasting it in, the full URL will show.

For example, the website address of this page may only appear as ‘’. But if you copy and paste the address, you’ll be shown: ‘’, confirming that an SSL certificate does exist.

Top tip: Ensure you’re using a secure browser such as Google Chrome or Safari. They will show you additional information (such as a padlock) to confirm whether a website is secure to use. If you’re using an unsupported browser and a website has an SSL certificate, it does not necessarily mean it’s safe to use.

Website content

The content on a website is also an excellent way to uncover whether a website is legitimate or if you should be cautious. Look out for the following 3 things:

  • Written content - most companies will go through a rigorous process to ensure the content going live on their website is error-free and written well. That’s not to say that mistakes do not happen, but if you’re spotting multiple mistakes or broken English, it may be a sign that the company is not legitimate.
  • Privacy terms - within the EU, it's a legal requirement that companies show their privacy terms and demonstrate where and how they'll be using your data. Websites without this information are not adhering to EU law and should not be trusted to handle your information safely and genuinely.
  • Contact information - all legitimate businesses in the UK should include their contact information such as their address, email and phone number on their website. If you’re unable to see this information, then you should be wary that a company is hiding its location. 

Top tip: paste the website address into Google and see if it matches the company it is claiming to be. If nothing appears, then it may mean that their business isn’t registered at the address they claim it to be.

Online adverts

If a website plays host to online advertisements, this isn't a reason to worry on its own. Many websites will generate all of their income through adverts alone, but it's how the adverts look, where they're placed on the page, what happens when you interact with them and the destination of the ads that should be looked at. 

  1. Do pop-ups appear? If so, do they appear when you would expect after clicking a link? If pop-ups are appearing seemingly sporadically and their destination URL looks suspicious, it's a good indicator that the website you're on shouldn't be trusted.
  2. Is there an excessive number of adverts? Is the number of adverts on the page disproportionate? Commonly, websites will have adverts; however, they are usually placed in a non-intrusive way and shouldn't lead to insecure links. If you hover over the advert, you should be able to see the destination web address.
  3. Do the adverts look professional? Organisations spend money developing online adverts that look professional and are likely to attract the attention of online users. If they do not look professional, contain typos or sound misleading, avoid clicking on them.

If in doubt, do not click an online advert and leave any website you do not trust.

Customer reviews

Customer reviews are a fantastic way to judge the trustworthiness of any online business. There are many unbiased third-party review websites that are diligent in ensuring only legitimate reviews are posted on their platforms. For example, reviews from Trustpilot, Tripadvisor and Feefo can be trusted, and if a business has reviews on those platforms, you'll be able to judge whether a site can be trusted.

Just bear in mind that some new companies may not have any reviews yet, and if everything else on the website looks legitimate, a lack of reviews shouldn’t deter you from shopping with them. Keep an eye out for obvious paid or fake reviews; they’ll generally be posted by new accounts that leave the same review with little to no change in wording.

Social media profiles

Most online retailers will have social media profiles as it helps them to reach new customers, allows them to advertise on multiple platforms, and it can be used as a communication tool between the business and customers.

Not every company will have a social media profile, especially if they're very new. However, taking an extra step to see if they do have them can help to give you more information on whether they appear fraudulent or legitimate.


Phishing emails

Fraudsters send phishing emails in an attempt to collect your sensitive information, usually relating to a business they are pretending to be. For example, you may receive an email from a fraudster who appears to be from PayPal. They will ask you to visit a website they've created that looks similar to PayPal's. You won't be able to log in successfully, but the fraudster can access any information you used. Banks and payment processors will never ask for personal information in an email, but this is commonplace in phishing emails. Be especially wary if an email pressures you with a sense of urgency and claims that an action will be taken against you if you don’t comply within a set time period. Phishing emails can be extremely dangerous as they often seek to obtain financial information. However, they can be easily spotted if you know what you're looking out for:

Email lists

Fraudsters may purchase email lists that provide them with contact information for many people, including their email addresses and names. This can make it easier for fraudsters to appear as if they know you, or they’re contacting you in relation to something you have an interest in.

You should bear in mind that GDPR requires all companies operating within the EU to obtain consent from a customer before contacting them with marketing emails. So, if you’re contacted by a company you don’t recognise and you’re sure you haven’t opted to be contacted by them, you should be wary that they’re not complying with GDPR and may be fraudulent.

Sender's email address

One of the very first things to check in every email is who it's from. This information will appear at the top of your email message, meaning that it can be quick to determine whether an email is secure. Look out for the following:

  1. What name is the sender using? Fraudsters can change the ‘name’ that appears with their email account at the top of any email correspondence. When checking for fraudulent signs, be sure that you’re looking at the email address itself and not just the sender's name.
  2. What email address is the sender using? Fraudsters can forge an email address to make it seem legitimate. Your email provider will often automatically put these into your spam folder, but be sure to look out for other signs of fraud even if the email address checks out.
  3. How does the email address end? Most businesses will have unique email addresses that match their website. If someone is claiming to be a company but using a publicly available address, such as, it’s likely to be fraudulent. The email address should match the company it’s representing, for example, all UK Postbox emails will end in 
  4. Does it match their website? When being diligent with online safety, you should open your browser (do not use any links within the email) and visit the company in question. Find their contact information, and if the email addresses on the website match the address your email came from, you should be safe to proceed.

Top tip: In some cases, fraudsters may hack a company's email account, making it difficult to judge whether an email is secure.

The messaging

Another clue to look out for in phishing emails is the content of the email itself. Fraudsters will have a generic email that is sent out to thousands of targets, which means it will be devoid of any personalisation. Genuine emails that discuss sensitive information and account details are likely to address you by name rather than by generic terms such as customer, user, member etc.

As with websites, email campaigns will go through a review process, and if they appear to be from a large company, then the spelling, grammar and English should be of high quality. Fraudsters will often operate from outside of the UK, meaning that errors in writing can be obvious to native speakers. One small typo isn't something to worry about, but broken sentences and strange word choice can reveal that an email isn't genuine.

Links to external websites

One common occurrence in phishing emails is that they’ll link to a website that you think is from the company they’re pretending to be. Once you visit this link, you’re then vulnerable to having your information stolen.

  1. Is the link directing you to the website it claims? You can either hover with your mouse or hold down on a smartphone to display the destination URL. The address should match the website of the company it is claiming to be.
  2. Are there any attachments? It is unlikely that you’ll be sent an attachment from online retailers, but if you are, be cautious when opening them. If they do claim to be a brochure or something that you may expect, you have the option of using a search engine to see if you can download it directly from the website. Files ending in .exe should never be opened from email as these are essentially programs that will install software on to your computer. Never open attachments from sources you don’t trust.
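
The sender-address, link-destination and attachment checks described above can also be automated when triaging a suspicious message. The following Python is an added example, not part of the original article; the sample message, the domains `shop.example`, `example-shop-billing.test` and `account-verify.test`, and all function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: every name and domain in it is made up.
SAMPLE = '''From: "Example Shop Support" <support@example-shop-billing.test>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Sign in: <a href="http://account-verify.test/login">https://shop.example/account</a></p>
--b1
Content-Disposition: attachment; filename="invoice.exe"

--b1--
'''

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.open = [], False  # links holds [href, visible text]
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.open = True
    def handle_data(self, data):
        if self.open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self.open = self.open and tag != "a"

def same_site(host, official):  # the official domain itself or a subdomain of it
    host = host.lower().rstrip(".")
    return host == official or host.endswith("." + official)

def check_email(raw, official):
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    if not same_site(domain, official):  # judge the address, not the display name
        findings.append(f"'{name}' sends from {domain}, not {official}")
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(".exe"):
            findings.append(f"executable attachment: {part.get_filename()}")
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in collector.links:
                host = urlparse(href).hostname
                if host and not same_site(host, official):
                    findings.append(f"link shown as '{text}' goes to {host}")
    return findings
```

Calling `check_email(SAMPLE, "shop.example")` returns one warning each for the sender domain, the link whose visible text differs from its destination, and the `.exe` attachment.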

Safe online shopping

Many of the tactics to look out for when shopping online are relevant to what we have discussed about using websites safely, but there are some additional things to look out for.

  • Online adverts aren't always safe.
  • Are the prices too good to be true? Check their prices against other major retailers or marketplaces as a good indicator of an item's actual value.
  • How long is the delivery estimate? A long delivery estimate means that an item is likely being purchased from abroad. This doesn't necessarily mean a website is fraudulent, but it's important to check if you need the item to arrive quickly.
  • Look out for strange imagery or use of English on a website.
  • Where is the company based? Check their address as they should legally include this information.
  • Are they using a payment method you're unfamiliar with? Some online payment methods aren't secure, and you should only complete a transaction through a secure network.

Fraudsters can also use alternative methods of payment as a way to scam you, such as requesting you pay outside of a platform you purchased a product on.

Paying securely

You should ensure that you only pay for online goods through a secure payment method. All major online retailers will have this integrated within their checkout process, so you should avoid deviating from using these options where possible.

Fraudsters may ask that you pay them via alternative payment options after purchasing a product from them. If you agree to pay for something outside of the retailer's payment system, then you are at risk of being unprotected for the transaction. Here's an example:

  1. You purchase an item such as a gaming console from eBay.
  2. The seller contacts you and requests that you pay them outside of eBay's payment system.
  3. If you agree to pay outside of eBay, you won't be covered for the transaction, and you'll have no claim should your item not arrive.

The issue in this scenario is that the fraudster may have never owned the item in the first place, and it's simply a front to get you to pay them insecurely.

As an example, suppose you purchase a gaming console from a platform such as eBay and the seller requests that you pay them outside of eBay's payment system. The issue is that the fraudster may not have the intention of posting the item they have sold to you. If you agree to pay outside of a secure payment system, you may not be protected for the transaction, meaning you cannot claim for the missing item.

Examples of secure payment methods

Major online retailers will use a secure payment method, but if you're shopping with a lesser-known company, here are some payment methods that are safe to use:

  • Apple Pay
  • Google Pay
  • Samsung Pay
  • PayPal
  • Credit cards
  • Visa Checkout
  • Shopify Pay
  • Mastercard Masterpass

Most major credit card providers offer buyer protection, meaning that if you make a purchase and use them for payment, you’ll be covered if an item arrives damaged or doesn’t arrive at all. This can be a safe payment option to use online as you’re offered additional buyer protection.

Account security

Ensuring that any accounts you make are secure is another thing to bear in mind. User accounts will often house personal information such as your full name and address, and may have your card saved for future purchases. Fraudsters may attempt to log in to your account to access the information they need, so ensure you follow these steps:

  1. Use a unique and complex password for each account.
  2. Where possible, set up two-factor authentication.
  3. Have a backup email address in case you lose access to another.
  4. Set up unique security questions for each account you create.
  5. Where possible, have a notification sent to your email/device when someone attempts to log in to your account.
  6. Regularly update your passwords

How to shop safely online recap

Being savvy to the fraudulent methods taking place can keep your sensitive information secure and private. If you follow the points in this guide, you should easily be able to uncover whether something is genuine. To recap, always think of the following when shopping online:

  1. How trustworthy does their website look?
  2. Does the email appear genuine and as you’d expect?
  3. Are you making a payment through a familiar provider?

If in doubt, it is always safer to avoid a potentially fraudulent email or website than take the risk. Due to the availability of goods across a wide range of retailers, you should be able to find alternatives easily.

Donna Chester