Tell Us Your Online Holiday Shopping Habits And We’ll Tell You How Safe You Are

This week, Yubico, one of our finest security partners, asked our Okta team about ways to stay safe during the holiday shopping season. Take the following little quiz to check your own security savvy when visiting sites and opening holiday emails. Give yourself a point for each best practice you do. How did you score?

How many of these online shopping best practices do you do? Hint: when shopping online, be a little paranoid.

⬚ In emails, check the URL for “typos” to avoid spoofing before clicking. Remember, amazom.co is not amazon.com.

⬚ Start directly from a store’s home page, not from clicking an email link. (Or if you do click on a link from an email, hover over the URL first to verify that it goes to the legitimate site.)

⬚ Start your search for offers from sites like shopping.google.com. (It saves you money and helps reduce the odds of fraud!)

⬚ Refrain from sending credit cards or personal info over email or chats—not even over direct message. (Attackers can pose as support personnel to phish for your information!)

⬚ Never type in credit card numbers and/or save them in sites you don't know and trust. (Use a 3rd-party payment mechanism like Apple Pay or PayPal instead.)

⬚ Don’t assume the green padlock icon means safety, and don't automatically trust https:// in the URL. (Keep in mind that half of all phishing sites now show the green padlock.)

⬚ When possible, use credit rather than debit cards to increase protection and limit your liability if it’s used fraudulently.

⬚ Use a single credit card for online purchases so, should your data be compromised, cancelling the one card won’t affect your other payments.

⬚ Ensure that the purchase protection for your credit card is set to “on”, and only use a card that includes online liability protection—an option that appears free with most new credit cards.

Which of the following security precautions do you practice to keep your account secure and protect your data from prying eyes?

⬚ Don’t reuse passwords across sites, and don’t duplicate your passwords across personal and corporate apps.

⬚ Don’t use easy-to-guess passwords, or ones that have been previously compromised as part of a breach! Instead, use a tool like Okta Passprotect to verify that you’re using safe credentials.

⬚ Try not to use public or unsecured computers when conducting high value transactions.

⬚ Use a password manager such as LastPass or 1Password.

⬚ Enable 2FA/MFA and use sites that support using these strong authentication mechanisms.

⬚ Take the time to keep checking your account activity, and flag any logins that you don’t recognize.

⬚ Call the vendor to make sure it’s a legitimate transaction if something on your statement or account page looks odd or incorrect.

⬚ Give yourself the gift of security: buy a hardware token (like Yubikey!).

Which of the following tell-tale signs do you look for to guard against email phishing attacks? Hint: be vigilant about the details—attackers are gaining in sophistication.

⬚ Differing domain names for a store/business.

Hover over all links to avoid an impersonation email. For example, storename.com/bigsale vs somerandomname.com/storename/bigsale.

⬚ Emails that convey a sense of warning or urgency if you don't click their link.

Many valid retailers will "warn" that you'll miss out on a sale during holiday promotions, but they should not suggest there'll be a problem with your account. Read before clicking!

⬚ It sounds too good to be true.

A new Instant Pot for only $10!? Don’t be fooled.

⬚ The displayed name for an email differs from the domain address.

Again, watch out for impersonation. To check, click on the name in the From: field to reveal the full email address, not just the displayed name. The part after the @ symbol (the domain) should show the exact company address—not something similar. And again, person@amazom.co is not person@amazon.com.

⬚ The reply-to email differs from the displayed name.

Make sure the reply-to email address is correct and consistent with the company name.

⬚ Asking for personal, sensitive information via email.

No reputable company is going to ask you for your SSN via email. You may get a notice that you need to change your password (due to a security compromise or a new system), but always double check the link's website address, or better yet, instead of following the link, go to the site directly.
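Several of the signs above can be checked mechanically rather than by eye: a display name that claims a brand the sender domain does not belong to, a sender domain one letter off from the real one (amazom vs amazon), a Reply-To on a different domain, urgency language in the subject, and links whose host merely *begins* with the store's name. The script below is an added illustration, not part of the original Okta post or any Okta or Yubico tool. The brand allowlist, the sample message and the "last two labels" shortcut for the registrable domain are constructed assumptions; a real mail filter would use the Public Suffix List and a much larger allowlist.

```python
"""Flag the checklist's tell-tale phishing signs in a raw email (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allowlist: the domain each brand legitimately sends from.
KNOWN_BRANDS = {"amazon": "amazon.com"}

# Phrases that signal the "urgency / problem with your account" pattern.
URGENCY_WORDS = ("urgent", "suspended", "immediately", "problem with your account")

# Constructed sample message (not a real email) exhibiting several signs at once.
SAMPLE_EMAIL = """\
From: "Amazon Customer Service" <alerts@amazom.co>
Reply-To: support@mail-relay-3.example
To: shopper@example.com
Subject: URGENT: there is a problem with your account
Content-Type: text/plain

Verify now: https://amazon.com.security-check.example/login
Big sale: https://www.amazon.com/deals
"""


def registrable(host: str) -> str:
    """Simplified registrable domain: the last two DNS labels (assumption: no PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-character lookalikes such as amazom/amazon."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain: str):
    """Return the brand a domain imitates when its second-level label is within one edit."""
    label = registrable(domain).split(".")[0]
    for brand, legit in KNOWN_BRANDS.items():
        if registrable(domain) != legit and levenshtein(label, legit.split(".")[0]) <= 1:
            return brand
    return None


def analyze(raw: str) -> list:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()

    # Sign: display name claims a brand that the sender domain does not belong to.
    for brand, legit in KNOWN_BRANDS.items():
        if brand in display_name.lower() and registrable(from_domain) != legit:
            findings.append(f"display name claims {brand} but sender domain is {from_domain}")

    # Sign: sender domain is a one-character lookalike of a known brand domain.
    brand = lookalike_brand(from_domain)
    if brand:
        findings.append(f"sender domain {from_domain} looks like {KNOWN_BRANDS[brand]}")

    # Sign: replies would go to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr:
        reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
        if registrable(reply_domain) != registrable(from_domain):
            findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    # Sign: urgency or account-problem language in the subject.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("subject uses urgency/account-problem language")

    # Sign: a link whose registrable domain is not the brand's, even if the host
    # starts with the brand name (amazon.com.security-check.example).
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r'https?://[^\s<>"]+', body):
        host = urlparse(url).hostname or ""
        for brand, legit in KNOWN_BRANDS.items():
            if brand in host and registrable(host) != legit:
                findings.append(f"link host {host} impersonates {legit}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

Run as-is, the script reports five findings for the constructed message and stays silent on the genuine https://www.amazon.com/deals link, which is the point: the check keys on the registrable domain of each host, not on whether a familiar name appears somewhere in it.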

Want even more tips and quiz questions? Check out the results of our live Tweet with our friends at Yubico!