Want CNET to notify you of price drops and the latest stories?

Net shopping's blue Christmas

Holiday shopping online can be a minefield of potential threats for unsuspecting consumers.

Matt Hines Staff Writer, CNET News.com
Matt Hines
covers business software, with a particular focus on enterprise applications.
Matt Hines
6 min read
Frustrated by long lines at stores and hard-to-find gifts, many consumers are venturing online for the first time to buy for the holidays.

When that naivete meets the anything-goes Internet, the outcome is frequently all too predictable, said Sheila Atkins, an associate director at the Council of Better Business Bureaus. After purchasing a gift from an unfamiliar Web site, the buyer panics when no e-mailed order verification arrives. Then the victim belatedly looks for contact information on the Web site.

"They realize that the Web site doesn't have any phone number or physical address," said Atkins, whose organization deals with an influx of victims during the holiday season. "Consumers quickly find out that...if the deal sounds too good to be true, it probably is."

The holiday shopping season is the most important period each year for the majority of online stores, accounting for 30 percent of revenue on average during the months of November and December, according to analyst estimates. That volume attracts other entrepreneurs: criminals hoping to part unsuspecting consumers from their money.

While online fraud is overshadowed by offline scams, Internet shoppers tend to be more lucrative marks, according to a survey published in August by the Federal Trade Commission. People shopping online have higher incomes and are thus attractive targets for scam artists. Moreover, the influx of neophyte Web buyers during the holidays sweetens the pot.

"Scam artists just know that during this time of the season people are distracted or not alert. They are focusing on the bottom line--getting their gift," Atkins said.

Holiday threats aplenty
Security experts warn that there are plenty of traps awaiting unsuspecting buyers online.

One of the classic examples of holiday fraud trades on shortages. A scammer sets up a Web site that advertises popular gifts that have become hard to find because of overwhelming demand, said Pete Lindstrom, a research director at Spire Security, a security analysis firm. After taking orders and payment for the trendy presents, the online store often shuts down and disappears, leaving buyers without their items or their cash.

"People are shopping online, looking for low prices, and may go to smaller vendors that they normally wouldn't consider," Lindstrom said.

Protect yourself

Many consumers first try online shopping during the holiday season. Here's a guide to year-round secure e-commerce.

Use a secure browser
Internet Explorer, Firefox, Mozilla, Safari and Opera all have the ability to encrypt Web communications and typically indicate that security is in use with a padlock icon.
Know your merchant
Check out smaller companies online by searching for complaints. If in doubt, just use sites that you know or that others have recommended.
Guard your password
Don't ever give out your password to anyone--not even the merchant. A person who asks for your password most likely is someone who shouldn't have it.
Use a credit card
Unlike a debit card, credit cards are not directly linked to your money and, by law, require consumers to be responsible for only the first $50 in fraudulent charges.
Keep your receipt
In case something goes wrong, make sure that you print out your receipt and keep it on hand until you receive your order.

Source: Federal Trade Commission, CNET News.com

The ultimate in bargain-hunting--online auctions--have the highest level of scams associated with them. In 2003, auction scams topped the list of incidents reported by consumers to the FTC, accounting for 15 percent of all consumer fraud, both offline and online. In addition, the FBI's Internet Fraud Complaint Center found that 61 percent of all complaints it processed in 2003 were connected to online auctions.

Phishing scams have also grown rapidly to become one of the most daunting threats on the Internet. In the scheme, a fraudster creates an e-mail that appears to come from a legitimate company seeking customer information, but is actually a ploy to trick consumers into handing over their personal data.

The number of phishing attacks launched each month has increased nearly tenfold in 2004, according to MessageLabs. The technology security company reported that the volume of e-mail messages it classified as phishing attacks soared to 4.5 million in November 2004, up from 337,050 in January 2003.

The most prevalent instances of phishing have attempted to re-create valid e-mail correspondence sent by financial institutions, such as Citibank, or well-known online players, such as auction site eBay. However, industry watchers are convinced that phishers--those people behind the schemes--are working on e-mail campaigns specifically targeting consumers looking to do their holiday shopping on the Web.

"The holiday season isn't just a busy time for merchants and shoppers, it's also prime time for thieves to gather information and create identity

theft scams," said Prat Moghe, chief executive at Tizor Systems, a security applications vendor. "Phishers know that there will be a lot of credit card activity and that shoppers are less likely to be careful."

Other threats, such as the recent Christmas-themed Zafi computer virus, have also set their sights on consumers and their financial information.

Fending off the cold reality
The best thing consumers can do to protect themselves online is to apply the common sense they use when shopping offline, experts said. Nearly every industry watcher questioned regarding the holiday threat espoused the classic mantras of "buyer beware," and "if a deal seems too good to be true, it probably is."

Security professionals also encourage people to do as much research online about any company they may deal with, and to try to make sure that even reviews of an e-tailers' legitimacy are themselves valid. Moreover, shoppers should look to their own PCs to make sure that malicious software capable of spying on their transactions does not hitch a ride.

"There are two sets of things that need to be done," said Howard Schmidt, a former U.S. cybersecurity czar in the Bush administration and now chief security officer at eBay. "Secure your computer by keeping your antivirus up to date, keep your patches up to date, and the other piece is go to known sites, trusted sites."

Spire's Lindstrom also stressed the importance of dealing with an online store that you know.

"You simply must have a way to validate e-commerce sites that you're working with, and you should always work to establish a sense of the legitimacy of the companies that you're doing business with," Lindstrom said. Another good move is to use sites that advertise security validation from vendors such as VeriSign, Thawte and Authorize.net, he said.

However, Lindstrom pointed out that some fraudsters have gone to great lengths to imitate the endorsement of such security services, even creating hard-to-spot imitations of a security company's validation icons. For that reason, Lindstrom said, it is crucial to click through any e-commerce site promising such protection to make sure that any security endorsements are the real thing.

Merchants should be concerned about mimicked sites too, as the problem could make potential future customers more hesitant to shop online.

"The industry needs to educate those consumers--the new guys--as they come online, so that they don't have a negative experience and we don't lose them back to the brick-and-mortar world," said Mark Griffiths, vice president of authentication services at VeriSign, which processes online credit card transactions.

Consumers have to be convinced to stop and think before they give away their credit card numbers or transfer funds to e-commerce vendor, he added.

In the end, the key to avoiding holiday fraud is keeping a level head, said Jonathan Penn, an analyst with Forrester Research.

"The deal is: If you wouldn't normally buy from somebody, this is the worst time of the year to take chances," Penn said. "Don't be stupid--it's that simple."