Truth 32 Online shopping scams

The proliferation of online shopping has created a fertile hunting ground for identity thieves. All it takes is a little Web-site savvy, the promise of bargain prices, and a few dollars in site hosting fees, and the thief is in business. As you’ve no doubt learned already, making a fake Web site can take as little as 20 minutes for the skilled identity thief. Often, the thief will simply copy a real Web site and then change the information needed to make it his own. The thief will then entice you to “order” from him by offering prices far lower than other stores and perhaps even offering hard-to-find items during the holidays (gaming console systems, the hot children’s toy of the season, and so on).

When I conducted my own tests with this attack, I made a site that targeted people looking for the Nintendo Wii game system, which helped drive buyers to my site. Using Google ads, I advertised a low price, which I knew would bring in the buyers. Sure, I had to pay to get my ad to be circulated, but were I a true identity thief, the small amount invested would be well worth it for the payout in the end. Within minutes of my ad hitting the Internet, I started getting traffic.

I have to admit that my site was nothing fancy, and I had assumed that people might grow suspicious because of the poor quality. But to my surprise, it seemed that most buyers didn’t notice. Because I was offering a great price on a then hard-to-find item, the credit card numbers started to roll in. Obviously, I am not an identity thief, and I didn’t want to ruin Christmas for anyone, so for my tests, I only recorded the last 4 digits of the credit card number as well as the contact name and phone number. Also, when buyers clicked the Submit button, a pop-up message appeared telling them that currently we were out of stock, so the order could not be processed and the credit card would not be charged.

After a couple days, I had more than 30 attempted purchases and 200 visits. I imagine if I had put more effort into the Web site, my purchase rate would have been even higher. But for testing purposes, I had more than enough information. I had seen firsthand just how easy it was for an identity thief to capture credit card information.

I called a few of my victims to discuss the theft. Every victim told me the price was too good to pass up. I asked if they had noticed that the Web site was a little low budget, and one of them told me he assumed that we probably didn’t care about our site design since we knew our prices were so good.

When shopping online, you really have no idea who is on the other side of the transaction. Obviously, you can feel comfortable with the big online retailers, such as Amazon and Netflix, or the brick-and-mortar stores, such as Sears or Wal-Mart. The same can’t be said for some of the no-name Web sites that are selling sweaters to raise money for the homeless. How do you know it’s safe to give your credit card, and is it truly worth the risk? Let me answer the second part of that question first. The simple answer is yes, if you have found a great deal or an item that you just have to have, it is worth the risk. Now, that said, I am not a big fan of risk and would rather just attempt to prove the site is safe.

Make sure the site is using a security certificate. When you visit any site that requires confidential information, you will notice that the URL changes from http:// to https://. In addition, if you are using Internet Explorer 6 or Mozilla Firefox, you will see a picture of a closed lock in the bottom-right side of your browser. This lock is not in the Web page but in the frame of the browser. (In some cases, malicious sites try to trick visitors by just putting a picture of a lock in the Web page.) In Internet Explorer 7, the lock is located on the top in the location bar. Being a secured site does not guarantee complete safety, but it does mean the site has filed for a security certificate, paid a fee, and given some verified contact information.

Look up how long the Web site domain has existed. The newer the site, the more you are at risk. To look up the domain, visit www.networksolutions.com and select the WHOIS Search option. Type in the domain name such as amazon.com, and WHOIS pulls up all the information for that domain. If the creation date is less than a year old, I generally shy away. On the flip side, just because it may be two or three years old doesn’t guarantee you can trust it.

Watch for poor Web site design, including broken links and missing images. Much like I was not willing to put the time into making a great-looking Web site, many real thieves will feel the same.

Check for a contact phone number, and attempt to call it. If you can’t reach a real person, you may wonder how you will be taken care of should there be a problem with your merchandise.

Legitimate sites often have received certificates that are posted on their home page. Click on the link, and make sure it takes you back to the site that certified it. That site should list information about the company, including its domain. If they do not match, you should not trust the site. (In some complex scams, however, fake certificates and Web sites are also made to add to the illusion.)

Check for business partners listed on the site and contact them to get feedback about the company.

Of course, a site could meet every criterion I listed and still be malicious. This is where I have one last piece of advice for the online shopper: Never use your banking debit card to make purchases online. While a credit card is easy to challenge bogus charges, with a debit card the money is coming directly out of your bank account. This means that your account could be bone dry before you ever realize that there is a problem. Instead, use a dedicated credit card that has a lower limit, and make sure to check the billing statement carefully each month.