This year, mega shopping event ‘Black Friday’ falls on November 23, closely followed by ‘Cyber Monday’ on November 26. At this time of year, with Christmas on the horizon, retailers tempt online customers to their websites with bargain offers and special deals.

Shopping online can be a quick and convenient way of bagging a bargain, but while we’re busy shopping, criminals are even busier taking advantage of the sales frenzy. As a result, we often see an increase in crafty phishing scams, fraudulent websites, and other tricks designed to line fraudsters’ pockets.

Don’t let a cyber-criminal ruin your festive season – here are three common online shopping scams:


You might get an email or text about an amazing bargain, an e-voucher, or this year’s must-have gift. Resist the temptation to click on the link, and instead make sure you close the email or text, and look for the offer details on the retailer’s official website. And if you get an email about any of your online accounts – warning you about an unusual transaction or saying there’s something wrong – open your internet browser and go to the genuine log-in screen to access your account. Don’t log in straight from the email.

“Sorry we missed you”

Beware of emails, messages and even cards through your letterbox appearing to be from the post office or delivery firms about packages you’re not expecting. It might tell you that you’ve missed a delivery or there’s been a problem with your order, and ask you to enter your details or open a document online, or call a number (which could be charged at a premium rate). Use the retailer’s website to track your orders and monitor deliveries, and never open documents in emails that you’re not expecting.

The fake website

Cyber criminals are experts at creating websites that look identical to your favourite retailers. Hackers can also manipulate search engines (Google, Yahoo!, etc.) to place their own dodgy links near the top of the search results, so keep an eye on the web address you’re clicking on, if using a search engine. And don’t enter your personal details or payment information if you see any signs that the site isn’t trustworthy, for example:

  • The site looks poorly designed, unprofessional or has broken links
  • You can’t find the business address or the usual sales, returns and privacy policies
  • The back button is disabled – so you get stuck on a webpage and can’t go back
  • The site doesn’t show a padlock icon on the left-hand side of the address bar and the website address doesn’t start with ‘HTTPS’ (the S stands for secure). If it doesn’t have this, it means the website doesn’t use an encrypted or secure connection

Even if none of these warning signs are there, remember the golden rule: If the offer seems too good to be true, it probably is. So, if you’ve found the latest gadget but for a fifth of the normal selling price, it’s likely to be a scam.

If you think you’ve fallen victim to fraud, act fast and report it to the police, to your bank or credit card provider, to the retailer you thought you were buying from, and to ActionFraud.


Christina Shannon
Information Security Education and Awareness Manager

3 Comments

  1. Great advice, Christina, thanks!

  2. While looking for the padlock icon will tell you if the connection from your computer to the website you are looking at is secure, the padlock is NOT an indicator that you are on a genuine site. Criminals also set up websites that use secure links so many fake sites will also give you the padlock icon. So check the web addresses you are going to very carefully (even if you click on links in reliable search engines as those links can be spoofed as well as Christina says) – check for cleverly misspelt addresses (say rather than or addresses that use a foreign character instead of an English one (perhaps using an accented French e rather than a plain English one) as these will not take you to the legitimate web site.

    • Dear Guy,

      A quicker alternative way would be to check that the web address is using a secure server connection. This can be easily identified by looking in the address bar, and if you're using a secure server it would show at https:// – the ‘s’ being the identity of a secure server.
