From spotting shady websites to avoiding deals too good to be true, it’s important to stay vigilant while you shop, especially during the busy holiday season. While we’ve already seen an increase in scammers on third-party selling platforms like eBay and Facebook Marketplace during the holidays, other criminals are also lurking online, ready to ruin your festivities with fraud.
One example is the “fake shopping site” scam, as described in Visa’s 2025 Holiday Threats Report. Here’s how it works: Scammers use AI tools to clone popular websites and steal your credit or debit card number while you shop. It’s evil, it’s simple, and unfortunately, the scam works. Here are some basic guidelines to help you avoid incidents like this, as well as other ways to stay safe online.
1. Only Shop on Known, Reviewed Websites
Search results can be rigged to lead you astray or even infect your device with malware. A good deal isn’t worth the risk when we all know Amazon carries everything under the sun. Similarly, every major retail outlet has its own online store. Before shopping with a new online retailer, look for independent customer reviews of the store to ensure its legitimacy.
Beware of misspellings or sites using a different top-level domain (.io instead of .com, for example)—those are the oldest tricks in the book. Yes, sales on these sites might look enticing, but that’s how they trick you into giving up your info.
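The misspelling and swapped-domain tricks described above can be checked mechanically. The sketch below is an added example, not part of the original article: it compares the host in a link against a short list of stores you already trust. The store list, function names, and sample URLs are constructed for illustration, and treating the last two labels as the site's name is a simplification.

```python
from urllib.parse import urlsplit

# Constructed allowlist of stores the shopper already trusts (assumption).
KNOWN_STORES = {"amazon.com", "ebay.com", "bestbuy.com"}

def registrable(url):
    """Return (name, tld) for the host in a URL, e.g. ('amazon', 'com').

    Simplification: the last two labels are treated as the registrable
    domain; production code should consult the Public Suffix List.
    """
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return host, ""
    return labels[-2], labels[-1]

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(url, known=KNOWN_STORES):
    """Label a URL as 'known', 'different-tld', 'misspelling' or 'unfamiliar'."""
    name, tld = registrable(url)
    if f"{name}.{tld}" in known:
        return "known"
    for store in sorted(known):
        k_name, k_tld = store.split(".")
        if name == k_name:
            return "different-tld"   # e.g. .io instead of .com
        if edit_distance(name, k_name) <= 1:
            return "misspelling"     # one typo away from a trusted name
    return "unfamiliar"
```

Because the check reads the end of the hostname, a link such as `amazon.com.deals-shop.io` is labeled unfamiliar rather than known, even though a trusted name appears at the front.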
2. When in Doubt, Look for the Lock
If you’re unsure whether the site you’re buying from is legitimate, check your browser’s address bar. Never buy anything online from a site that doesn’t display a lock icon near the URL. The lock icon indicates that the site has SSL (Secure Sockets Layer) encryption installed. This means your data transfers are more secure than they are on an unencrypted site. The lock confirms only that the connection is encrypted, though, so a cloned or fraudulent site can display one too; treat a missing lock as a reason to leave, not the lock’s presence as proof that the store is genuine.
Another way to tell if a site has SSL is to look for a URL that starts with https://, which is standard, even on non-shopping sites. Most browsers flag any page without the extra S as “not secure,” so a site without it should stand out even more.
3. Research the Seller Before Buying
If you’re wary of a site, perform your due diligence and look them up before you shop. The Better Business Bureau has an online directory and a scam tracker. Read each retailer’s reviews online to ensure that it’s a legit business that has shipped products to customers in the past.
In other words, put companies through the wringer before you plunk down your credit card number. There’s a reason that non-delivery/non-payment is the most common cybercrime complaint: it hurts when that happens, financially and emotionally.
That said, online reviews can be gamed. If you see nothing but positive feedback and can’t tell if the writers are legitimate customers, follow your instincts.
At the very least, ensure you have a concrete address and a working phone number for the seller. If things go bad, you have a place to take your complaint. In fact, call them before you order so you can clarify a return policy and where to go with any issues after the purchase.
4. Give Up as Little Personal Data as Possible
There is no reason an online retailer needs to know your birthday, middle name, Social Security number, or any other personal information beyond your payment method and mailing address. Feel free to lie if a retailer requires you to fill in that data to complete your transaction. What are they going to do? Tell on you?
The more scammers know about you, the easier it is to steal your identity. When possible, default to giving up as little personal data as possible. Major sites get breached all the time, so keep your information private.
5. Don’t Use Your Debit Card to Shop Online
If your debit card is compromised, scammers can access your bank account directly. Instead, use a credit card or mobile payment app when shopping online. Some banks offer disposable credit card numbers to make online shopping even safer, as do certain security services, such as IronVest. The Fair Credit Billing Act ensures that you are only responsible for up to $50 of credit card charges you didn’t authorize if you get scammed. Most reputable card issuers won’t hold you responsible for any unauthorized charges at all. Most banks will also return any cash stolen by identity theft, but they often have to perform an investigation, and it could take days or weeks to get your money back, compared with minutes for a credit card.
Regularly review the electronic statements for your credit card, debit card, and checking accounts. If you see something wrong, pick up the phone to address the matter quickly. In the case of credit cards, pay the bill only when you know all your charges are accurate. You have 30 days to notify the bank or card issuer of problems; however, you might be liable for the charges anyway.
6. Pay With Your Phone in Stores
Paying for items using your smartphone has become pretty standard in brick-and-mortar stores and is actually more secure than using your credit card. Using a mobile payment app like Apple Pay or Google Pay means you’ve authenticated your identity using your device, so no one else can claim to be you and steal your data or money. Plus, you avoid card skimmers.
7. Watch Out for Fraudulent Gift Card Exchanges
When it comes to gift cards, stick to the source when you buy one. Scammers often auction off gift cards on sites like eBay with little or no funds remaining on them. Alternatively, the many gift card exchanges available are a great idea—they let you trade away cards you don’t want for the cards you do—but you can’t trust everyone else using such a service. You might receive a card and find that it has already been used. Make sure the site you’re using has a rock-solid guarantee policy. Better yet, visit a retail brick-and-mortar store to obtain the physical card, or purchase electronic gift cards issued by the retailer and have them sent directly to your recipient.
8. Don’t Tap the Ads
According to survey results from online security company Malwarebytes, more than half of respondents (58%) reported encountering adware while browsing online. Adware is ad-related malware. If you’ve ever accidentally clicked on an ad in the margin of an article, and a bunch of other ads flooded your screen, you’ve experienced adware. Interestingly, the report shows that Gen Z is most susceptible to adware, as nearly 40% of respondents in that age group reported being victims.
Also, be wary of ads for celebrity-endorsed products on social media. For example, Taylor Swift is not giving away free cookware sets on TikTok, and Tom Hanks is not selling wonder drugs. According to a report from McAfee, almost half (45%) of people surveyed encountered holiday ads featuring deepfakes or fake celebrity endorsements.
Consider installing an ad blocker extension on your favorite browser. An ad blocker not only cleans up your browsing experience by eliminating annoying or intrusive banner and pop-up advertising but also blocks trackers that monitor your browsing activity.
It’s also a good idea to protect all your devices against malware by regularly updating your antivirus software. Better yet, consider a comprehensive security suite, which includes antivirus software and will also fight spam, delete spear-phishing emails, and prevent non-targeted phishing attacks.
9. Install and Update Your Security Apps
Use a password manager to create uncrackable passwords and passkeys. It will keep track of them and fill them in as you shop. You can also save time filling out mailing address forms by storing that info in your password manager and letting it enter the data for you at checkout.
You should also enable multi-factor authentication for all of your online accounts. An authenticator app makes this incredibly easy, or you can use a hardware security key.
Remember, it’s not enough to have this stuff installed. Make sure your security tools are always up to date. Otherwise, any new threats can reach your devices—and there are always new threats.
10. If You Do Get Scammed, Don’t Get Mad, Get Revenge
Don’t be embarrassed if you get taken advantage of while online shopping. Instead, make a bit of a scene—online, of course. Complain to the seller. If you don’t get satisfaction, report the incident to the Federal Trade Commission, your state’s attorney general, or even the FBI. That will probably work best if you buy in the US rather than from foreign sites or international dropshippers. If you’re going to get scammed, try to get scammed locally…or at least domestically.
Hacked? Here’s What You Can Do About It
If you still find yourself a victim of identity theft or if your accounts are compromised after your online shopping spree, check out our guide for what to do when you’ve been hacked. After following our steps to secure your accounts, bookmark and visit PCMag’s online safety checklist to keep yourself and your family safer online all year.
About Our Experts
Eric Griffith
Senior Editor, Features
Kim Key
Senior Writer, Security
