The festive spirit isn’t the only thing that’s infectious as the 2018 holiday season approaches. It’s typically the time of year when we see an uptick in cybertheft. With US online spending expected to increase 14.8% compared to 2017, representing a huge $124.1 billion of internet commerce, it’s a mouth-watering proposition for criminals.

With retailers swamping inboxes with millions of promotional emails, and hungry shoppers desperately looking for great buys, it’s the perfect time to slip phishing emails and malicious links into the flood of traffic.

If you’re one of the millions intending to shop online this holiday season, make sure you’ve taken all the appropriate precautions before you get started. Whether you’re shopping from your laptop or mobile, workstation or tablet, here are five essential things to do before you pull the trigger on that perfect purchase:

1. Update Your Kit

If you’re not using “the latest and greatest” version of your OS and software, you’re leaving open security holes that have not only been patched by the vendors since your last update, but which have been published and are therefore known to criminals by now as well. Hackers study security fixes made by vendors and then go looking for devices that haven’t been patched by users. So, first check your OS for any updates, and then take an inventory of any software you might use for online shopping purposes. Web browsers, banking apps, shopping apps, and password managers all need to be on the latest available version.

2. Refresh Your Passwords

Nobody likes changing their passwords – all that new muscle memory to learn! But the start of the holiday season is the best time to do it, for two reasons. First, your fingers will find it easier to learn these new taps as you’ll likely be exercising your password routines more than usual during this time of year. Second, online password dumps have become so common that if you haven’t refreshed your password since last holiday season, there’s a good chance it’s already floating around in some database for sale on the Dark Web by now.

Be sure to use a password manager and a secure password generator. Your pet’s name and birthday do not fall into the category of “secure”! Reversing your name or phone number isn’t going to cut it either, and don’t even consider patterns like “superman99” and “batmanOO7” or using the word “love” anywhere in your password! The cyber criminals are way ahead of you!

3. Add Additional Authentication Layers

Wherever available, opt in to two-factor authentication (2FA) and similar authentication layers, which make it more difficult for breaches to occur. On top of the extra security step when you log in, you will typically receive a message whenever your account is accessed. This can help alert you to hacking attempts sooner rather than later. Some sites and services allow you to use OTPs (one-time passwords), which usually expire after a short time. These may be sent to you via email, text or through a dedicated security app like Google’s Authenticator if you’re using Gmail or other Google services.

Always take the opportunity to register for these extra protections when offered. Check your account settings with major providers like Google, Microsoft Live and Apple iCloud to turn on two-factor authentication if you haven’t done so already.

4. Ensure Websites are the Real Deal

Fake websites are becoming harder to spot, and hackers have got very good at cloning commercial sites to the point where they are almost indistinguishable from the real thing. Look for the little padlock to the left of the URL in your browser’s address bar, and click it to view details about a site’s security. Note that the color of the padlock signifies different things. Here’s Microsoft’s explanation for Edge:

“While a gray lock means that the website is encrypted and verified, a green lock means that Microsoft Edge considers the website more likely to be authentic. That’s because it’s using an Extended Validation (EV) certificate, which requires a more rigorous identity verification process.”

If you’re using the latest version of Chrome, the browser will now warn you about sites that are using the older insecure HTTP protocol and outdated certificates. Heed the warnings. For Safari users, in the browser’s Advanced Preferences, be sure to check the “Show full website address” box for the smart search field so that you can easily see at a glance the real address that you land on.

5. Stay Off Public Wifi

Of course, we all enjoy a coffee while traipsing around the brick-and-mortar stores, and what better time to compare prices in the mall with online offerings, or to check the balance of your bank account?

Don’t, however, be tempted to take up that free Wifi offer that comes with your cappuccino. Sure, you might be connected to an encrypted site, but that doesn’t stop snoopers on a public network from gathering information about where you bank or what items you’re shopping for. That might be just what they need for a targeted spear-phishing attack. Worse, if the hotspot itself is infected or malicious, you could be subjected to a man-in-the-middle attack or be tricked into downloading malware.

When browsing on the move, stick to your cell provider and link your laptop or tablet to your phone’s personal hotspot service if available.


We all need to exercise safe browsing and computing practices throughout the year, but if you haven’t started yet, the holiday shopping season is the right time to begin! By employing the tips we’ve outlined above, you’ll make yourself a more difficult target and reduce the chances of becoming yet another victim on the stats sheet.
