5 Ways to Stay Safe Online on Black Friday, Cyber Monday

Thanksgiving is just around the corner in the U.S., and so are Black Friday and Cyber Monday, two of the busiest shopping days of the year. It's also a peak period for malware, phishing and spam. Since employees are increasingly using their own devices to access corporate resources (or simply using a work PC to sneak in a little shopping on Cyber Monday), it's a good idea to share some best practices with your users to help protect them and your network from threats.

"You could tell them no," says Bob Bunge, professor of Cyber Security in the College of Engineering and Information Sciences at DeVry University. "In some circumstances, that's absolutely what you should be telling them. Don't use the office network for retail. It's just a bad idea, period. It's a lousy, bad thing to do."

However, employees often don't perceive the security threat as acutely as IT managers do, so a few pointers on keeping safe are a good idea. After all, shopping sites are among the top malware-infected sites on the Web, according to Symantec.

Five Best Practices to Stay Safe Online

When it comes to dodging malware and phishing attacks, there are a few simple things you can watch for on shopping sites to help keep you safe:

Look for an HTTPS and/or padlock in the address bar before submitting personal information on a website. This is a sign that the site is leveraging the SSL/TLS cryptographic protocol to secure your communications with the website in question. This helps protect against man-in-the-middle attacks that allow an attacker to intercept your communications with the site and inject new ones.

Look for your browser address bar to light up green. This is an indication that the identity of the website you're visiting has been strictly validated with an Extended Validation Certificate. In other words, you really are at the website of the merchant you're trying to shop with rather than fake site created by a malicious attacker to fool you into sharing personal information.

Look for a trust seal. Many merchant websites bear trust seals, usually at the bottom of the home page or on pages where you are asked to provide personal information. They come in many different shapes, sizes and colors and are used to verify a number of different claims about a website, from its use of data encryption to its status as a legitimate business entity. For instance, the TRUSTe seal is a privacy seal that indicates TRUSTe has reviewed the site's privacy policy, while the Verisign Trust Seal verifies the identity of a website's owner and operator and that the site is subject to daily malware scans and uses verified data encryption. Scammers can forge a legitimate seal, so you should always verify a trust seal's authenticity by clicking on it and checking the seal's validation page.

If an offer in an online ad or email sounds too good to be true, avoid it. These are often lures to infect you with malware or gather your personal information. "If it sounds scammy, it's probably scammy," Bunge says. "If I had to cut a large IT security training program into just a paragraph or so, probably the first thing I'd say is 'Don't click on that link!' The whole phishing industry nowadays is based on finding ever more creative ways to get you to click on some link.

Use good passwords. Pay attention to the passwords for your email, social networking and online banking accounts. Don't use the same one for everything. "Add up the asset value of everything in the world you have attached to that password," Bunge says. "All your email, all your online storage, all your credit cards and bank accountsthat's an awful lot of asset attached to just one password." Symantec recommends you use passwords that are at least eight characters, a random mixture of upper and lower case characters (including numbers, punctuation and symbols) and are not found in the dictionary. Additionally, never use the same password twice and change your passwords every six months.

"My main advice to consumers is to get yourself simple, reliable routines," Bunge says. "Find three, four or five online merchants that you trust and stick to known commodities. If you do want to branch out and surf the general Internet and try some merchants you haven't work with before, do some research. Put the name of the merchant in a search engine and see how often "fraud" or "rip off" pop up.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Thor Olavsrud

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place