How to navigate Black Friday and Cyber Monday without getting scammed or hacked

News
By , ,
published

We'll show you how to shop for deals securely

With Black Friday and Cyber Monday almost upon us, in the piece below, several cybersecurity experts give their thoughts and advice on how to navigate both shopping days without getting scammed or hacked.

Black Friday and Cyber Monday can make or break a year for retailers, with online becoming a critical channel for most. This necessitates highly available and rock-solid systems to deal with what has become a predictable yet simultaneously overwhelming demand. This shouldn’t just be focused on the underlying IT infrastructure; retailers also need to ensure their applications can handle the onslaught, be it their website, their mobile apps or their in-store payment terminals.

For years, the main driver for security within retail appears to have been PCI DSS, the data security standard merchants must comply with to accept and process payment cards. It’s reassuring to see some retailers join the BSIMM community, which may signal an evolution from a compliance-driven mentality to that of a proactive security mindset. Compliance will always be important, but retailers have much to gain from investing in strategic software security initiatives. This is especially true in territories where privacy legislation is getting stricter. Poor software security leading to information disclosure of customer data can now lead to business-altering fines in Europe, for example.

How to stay safe while shopping online this holiday

So, what are the issues when it comes to shopping online at this busy time of year and what can people do to remain safe?

The key is to identify the legitimate from the fake when a “50% off all iPads” deal is enticing. With all the various data breaches over the past few years, identification is particularly difficult. Some simple options are:

  • If you received an “great deal” email and don’t recognise the source, don’t assume because its personalised that it’s legitimate. 

Visit the website directly and while logged in look for the same deal. If it’s there and still interests you, then go for it. If it’s not, then the fact that the deal was tied to clicking a link in an email should indicate just how suspect the offer was.

Identifying the legitimacy of a “great deal” found on a non-vendor website is a bit harder. That deal might be the result of the website being an authorised distribution channel for the vendor or the website offering a fake deal. Authorised distribution channels will tend to behave in one of two ways – you’ll either purchase directly from them, or they’ll link you to the vendors website and pass along a referral code. 

The nice thing about authorised distribution channels is that neither party tends to benefit from the relationship being a secret. Perform an internet search with both company names and see if there is mutual identification and endorsement. Another thing to recognise is that if the deal site has you click a link and passes a referral code to the vendor, then that vendor will have your item in their cart. 

To avoid being scammed, first ensure you’re logged out from the vendor website and then click the link. That way if the deal site was suspect, they’re less likely to get any personal information from the vendor. Assuming the deal does show up in the cart at the correct price, simply login and complete the transaction.

In addition:

  • Use 2-factor authentication whenever possible.
  • If your credit provider doesn’t offer virtual credit cards, consider using PayPal or Amazon Pay (among other options) as a third-party payment solution. This provides one more layer of security between online stores and your financials.
  • Similarly, Google Pay (among others) will alert you when charges are made to your card. That way, if you’re not the one making a purchase, a red flag is raised early.
  • If you must create a password on the site to complete a purchase, don’t re-use a password. Take advantage of password managers to create new, unique passwords for each site.
  • Don’t allow websites to store your credit card information. Sure, it’s less convenient, but if the website or your account is hacked, the attackers won’t have access to your credit card information. 

Don’t assume your new device is secure

Some of the most popular items bought during Black Friday and Cyber Monday are connected devices. Gary McGraw, vice president of security technology at Synopsys says “when it comes to security, devices, gadgets, and consumer electronics are NOT secure by default.  If your gizmo maker does not mention security, do not assume that the thing you bought is secure.

IoT remains a security disaster waiting to happen.  One of the main problems is that there is no way to update the (broken) software and hardware running inside of IoT devices when new security problems are discovered.  IoT needs to be secure by design and secure by implementation.  Firewalls on the network will not fix this problem

In fact, IoT stuff is only one kind of cloud architecture.  And with cloud architecture…”

Follow this advice to stay safe online, and happy shopping! 

Tim Mackey, Larry Trowell and Nick Murison from Synopsys

  • Also check out our roundup of the best antivirus software to stay safe online this holiday season
Larry Trowell
Larry Trowell

Larry Trowell is a Principal Consultant at Synopsys. He has over 15 years of working experience. 

Latest in Security
healthcare
Software bug meant NHS information was potentially “vulnerable to hackers”
A hacker wearing a hoodie sitting at a computer, his face hidden.
Experts warn this critical PHP vulnerability could be set to become a global problem
A close-up of a phone screen showing the Telegram, Signal and WhatsApp apps
Agentic AI has “profound” issues with security and privacy, Signal President says
botnet
Another top security camera maker is seeing devices hijacked into botnet
Bluetooth
Top Bluetooth chip security flaw could put a billion devices at risk worldwide
How to prevent cyberattacks
NTT admits hackers accessed details of almost 18,000 corporate customers in cyberattack
Latest in News
Homepage of Manus, a new Chinese artificial intelligence agent capable of handling complex, real-world tasks, is seen on the screen of an iPhone.
Manus AI may be the new DeepSeek, but initial users report problems
Twitter social media application change logo to X. Elon Musk CEO of twitter rebranded Twitter to 'X'. Social media application technology concept.
X is down again – here's everything we know about Twitter's third outage of the day
A screen shot from a promotional video showing the HealthBuds fitness tracking earphones from Synseer
These mysterious wireless earbuds claim to monitor your heart and hearing health simultaneously, but there’s a catch
Nvidia geforce rtx 3050
RTX 5050 rumors detail full spec of desktop graphics card, suggesting Nvidia may use slower video RAM – but I wouldn’t panic yet
OnePlus 13
OnePlus is ditching the Alert Slider for an iPhone-style customizable button - and I’ll be sad to see it go
healthcare
Software bug meant NHS information was potentially “vulnerable to hackers”
More about security
A hacker wearing a hoodie sitting at a computer, his face hidden.

Experts warn this critical PHP vulnerability could be set to become a global problem
botnet

Another top security camera maker is seeing devices hijacked into botnet
A screen shot from a promotional video showing the HealthBuds fitness tracking earphones from Synseer

These mysterious wireless earbuds claim to monitor your heart and hearing health simultaneously, but there’s a catch
See more latest