Our top tips for making safer online payments

Online shopping is ubiquitous and essential for many of us, but that makes it all the more important to make sure you’re spending your money safely.

While you probably use a few sites regularly and have accounts with them, it helps to make sure you’re in the right place.

In fact, clicking a link and then being prompted to log into an account on the site you swear you were logged into an hour ago is a potential warning sign that you’ve clicked a phishing link.

If this or anything else raises your suspicions, here are some key things to look for when confirming that you’re entering your payment information in as secure a place as possible, and some additional security tips to help you keep it that way.

Are you on an HTTPS site?

Check that the URL starts with https:// rather than just http://. HTTPS stands for HyperText Transfer Protocol Secure and means that TLS encryption is used to protect your data, such as your debit card number and CCV code, as it travels between you and the site.

Click on the padlock symbol in your browser bar to verify. It should say something like “Site information for [the URL you expect to see here]. Secure connection”. If you click where it says “Secure connection”, you will see the Certificate Authority (CA) that issued the certificate. Popular CAs include Let’s Encrypt, DigiCert, GlobalSign, and IdenTrust.

But just because a site has a valid TLS certificate doesn’t mean it’s secure. All the certificate shows you is that your data is encrypted in transit, not that the site on the other side is necessarily trustworthy. You’ll have to do a bit more checking if you want

Do you know who you are buying from? Are they at the correct URL?

Beware of scam websites and malicious typosquatters. Typing bandcmap.com instead of bandcamp.com just takes you to a random advertising and sales portal, but some typosquatters host phishing sites designed to catch anyone whose finger slips while typing.

Also beware of obfuscated sites that appear to have the correct URL but might lead you somewhere else, such as the following obfuscated link to amazon.co.uk. Firefox users should see a potential fraud warning when they click on this – it will redirect you to the main Trusted page.

[Image: The Bandcamp purchase page, highlighted to show key purchase security features. Look for the lock icon in your browser, make sure the web address starts with https, and verify that the site URL is correct before purchasing.]
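The URL checks described above (HTTPS, a mistyped domain, and a link whose visible text hides the real host), as an added example that is not code from the original article. The obfuscated link itself is not preserved on this page, so the sample assumes the form in which trusted-looking text sits before an "@"; the allowlist, function names and sample links are constructed.

```javascript
// Added example. TRUSTED_HOSTS is a constructed allowlist of sites you actually use.
const TRUSTED_HOSTS = ["bandcamp.com", "amazon.co.uk"];

// Optimal string alignment distance: like Levenshtein, but swapping two
// adjacent characters (bandcmap vs bandcamp) counts as a single edit.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns the host the browser would really contact, plus a list of warnings.
function checkLink(link, trusted = TRUSTED_HOSTS) {
  let url;
  try {
    url = new URL(link); // same parsing rules browsers apply to the address bar
  } catch {
    return { host: null, warnings: ["not a valid URL"] };
  }
  const host = url.hostname.replace(/^www\./, "");
  const warnings = [];
  if (url.protocol !== "https:") warnings.push("not HTTPS");
  // Anything before "@" is login data, not the site: the real host comes after it.
  if (url.username || url.password) warnings.push("text before @ is not the site");
  const known = trusted.some((t) => host === t || host.endsWith("." + t));
  if (!known) {
    // A host within two edits of a trusted name is a likely typo or lookalike.
    const near = trusted.find((t) => editDistance(host, t) <= 2);
    warnings.push(near ? `looks like ${near} but is not` : "host not on trusted list");
  }
  return { host, warnings };
}
```

An empty warnings list only means the address matches a site you already trust over HTTPS; it says nothing about whether the page itself has been tampered with.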

How did you get there?

Did you go directly to the URL? Is it correctly typed? If you clicked on a link in a promotional email, did it look legitimate and lead you where you expected, or did it behave like a phishing attack?

Does it have an HTTPS URL?

Many retailers will send you to a third-party payment processor. This is fine and nothing to worry about: payment processors have specialized security in place that is simply not practical for many businesses to implement on their own. It also means one less site that could store your payment information, which can reduce the risk of your data being compromised in a breach. Some payment providers also offer purchase protection.

Are you on a dedicated payment page?

There should be no unnecessary elements on the page where you enter your payment information, and if an external payment provider is used, you should be taken to their site, rather than seeing an embedded iframe.

The Magecart hacker group has been responsible for several major attacks on online payment services since 2016, injecting malicious code into retailer websites to skim card details entered on the site. These attacks affected Ticketmaster and British Airways, as well as many smaller retailers.

It’s really hard to spot these attacks – often users only found out when the compromised retailer contacted them.

Are you prompted to authorize the purchase using your bank’s multi-factor authentication app or device?

Not all retailers and banks support this, but most do, and it’s a good chance to make sure you’re being charged the amount you expect and that the retailer or payment processor has correctly integrated the latest security measures on its website.

Of course, you may not see a 2FA request if you have already authorized the retailer or processor to take payment from your card. Amazon and PayPal do this regularly, for example.

Check your bank statements

Check your bank statements regularly and if you see anything wrong, check your account history with the retailer. Contact your bank if you notice a fraudulent transaction. I use a Wise card for a lot of online purchases, partly because I immediately get a notification from the app whenever money comes out of my account.

Check if your data has been involved in a breach

It is possible to have your payment data stolen without immediate visible consequences. Follow my guide to checking if your password has been breached to check HaveIBeenPwned, which also lists breaches that have stolen personal payment data. If so, and money was spent using this stolen information, you may be entitled to compensation, or at least a transaction reversal from your bank.

Designed to help you shop securely, virtual cards give you an additional credit or debit card number that is associated with your account but has no physical counterpart. They’re designed to be easy to restrict with payment limits and easy to remove and replace, whether because of fraud or because you want to proactively deactivate the card after a certain number of purchases or a certain period of time.

Avoid using virtual credit cards for anything that uses your credit card number to later verify your identity, such as concert or train tickets printed at the station.
