How to protect your cards and accounts online
Whether shopping or paying bills online, take these steps to cut your fraud risk
Award-winning writer covering consumer and small-business credit cards.
You’re scrolling through your credit card statement and suddenly an odd charge jumps out at you. Then it hits you: A crook has used your card to buy an ultra-HD TV, a diamond ring or a designer bag.
While the thief makes off with that shiny new item, you have to deal with all the hassles, stress and possibly even the costs involved.
It doesn’t have to be this way. You can reduce your chances of falling prey to card fraud by taking simple steps to shore up security when you apply for a credit card and shop online.
What is card fraud?
When someone else uses your credit or debit card to make an unauthorized purchase that is card fraud. The thief might snag your physical card from your wallet, skim your information at a gas pump or use an online scam to steal your card number, expiration date and card security code.
Card fraud is the most common type of identity theft, accounting for more than one-third of the ID fraud cases reported to the U.S. Federal Trade Commission each year.
ID fraud victims hit a record high of 16.7 million U.S. consumers and they lost a combined $16.8 billion in 2017, according to a Javelin Strategy & Research’s 2018 report, “Identity Fraud: Fraud Enters a New Era of Complexity.”
So how does ID fraud relate to identity theft? Identity theft is a broader term that refers to gaining access to personal information without permission, whether or not that data is used to commit fraud, according to Javelin. This can include data breaches, which are a growing problem. The number of U.S. consumers who received notice of a data breach climbed to 30 percent in 2017, up 12 percent from the previous year, Javelin found.
Eva Velasquez, CEO and president of the Identity Theft Resource Center, says, “Year after year, we continue to see identity theft as a problem that isn’t going away anytime soon.”
How online fraud occurs and how it can cost you
Fraudsters can get hold of your personal information in many ways, from hacking retailers to buying your data on the dark web, a shady corner of the internet that’s not accessible via search engines like Google. Or, criminals can trick you into handing over your information through online scams.
Here are a few common online scams to watch out for:
Fake shopping website scamSome criminals set up a fake website that mimics a real shopping site, says Ron Woerner, CEO, president and chief cybersecurity consultant for RWX Security Solutions.
One example: The Better Business Bureau warned that scammers last year were using the phony site PandoraPick.com to fool customers trying to buy from the Danish jewelry site Pandora. Customers who placed orders at the fake site received cheap knockoff jewelry.
“Almost anyone can be fooled by a fake website,” Woerner says.
Payment info phishing scamIn a payment information phishing scam, a crook sends you an email designed to look like it came from your bank, credit card issuer or payment service. The message typically tells you there’s a problem with your account and you need to log in immediately.
When you click the link in the email and type in your username and password, the criminal snags the info and can break into your account.
In one recent PayPal phishing scam, consumers were getting emails claiming a recent payment couldn’t be completed.
In a phishing email purporting to be from Delta Air Lines, an email with colors similar to Delta's warns in the subject line that “Your Delta SkyMiles Account will be closed.” As first reported by Rene’s Points and then by The Points Guy, it’s just a scam. Do not click on the links. Hovering over the links shows they are not from Delta.
The Facebook ad scamHow this works: A criminal posting scam Facebook ads convinces consumers to pay for nonexistent items. Some scam ads use fake endorsements by celebs like Angelina Jolie and promise “free” skin care products if you enter your payment info to cover the cost of shipping.
One consumer who lost $168 on “discounted” golf clubs advertised on Facebook wrote to the BBB, noting that he received no response from the advertiser after he paid and his clubs never arrived.
He wrote: “Seemed too good to be true, but I tried it anyway.”
You can keep up to date on the latest scams and report cases of fraud with the BBB Scam Tracker.
What happens if you become a victim of ID fraud?
In many cases, your card issuer spots the suspicious purchase, contacts you immediately, cancels the card and sends you a new one. Or maybe you spot the fraudulent purchase and simply call your credit card company.
“You can fix the problem by talking to your credit card company right away,” says Robert Siciliano, an identity theft expert consultant for Hotspot Shield, a VPN provider.
In other situations, ID fraud can pose much bigger problems.
A criminal who gets your date of birth and Social Security Number can open new accounts in your name or otherwise cause havoc in your life.
The Identity Theft Resource Center found that over 25 percent of identity theft victims had to borrow money from family or friends to stay afloat while others took out bank loans, used an existing credit card or took out a payday loan.
ID theft victims often experience stress and may feel violated, says Sean McCleskey, director of organizational education at the Center for Identity at the University of Texas at Austin. “It’s like somebody breaking into your house,” he says.
Tips for protecting cards and accounts online (SOAR)
Data breaches are proof that you can’t always prevent your personal information from being stolen. You can, however, make it harder for fraudsters to target you.
Here is a step-by-step guide to beefing up your online security in six areas, including when applying for and using credit cards:
1. Secure networks
Staying safe online starts with the basics: Secure your phone, tablet or computer and your connection to the internet.
Also, make sure your operating system is up to date and
that your device requires a strong password or your fingerprint for access.
This is especially important with if you use Apple Pay, Samsung Pay or Google Pay on your phone because a lost or stolen phone could allow a fraudster to make payments, says Paige Hanson, chief of identity education for Norton.
“If you don’t secure your device, you’re leaving yourself vulnerable,” she says.
Here’s what to do:
updates right away.
“It’s one of the quickest, cheapest and easiest ways to stay secure,” Woerner says. Updates fix security issues that open your device to viruses and malware that can steal your passwords, take screenshots of your activities and swipe your files.
your home Wi-Fi.
Change your network name, also known as the SSID, and don’t put your name or any other personal information in the new name. Set a strong password that is at least 20 characters and contains letters, numbers and symbols. And make sure your network uses WPA2 or WPA3 encryption.
your devices with security software.
Install security software to protect your devices from viruses and malware. PCMag.com offers a list of the best security suites of 2018.
- Switch to
A virtual private network service from a reputable company offers you an additional layer of privacy when you go online. “A VPN creates a secure tunnel between your device and the internet and prevents other people from spying on you,” Woerner says.
- Be wary
of public Wi-Fi.
Don’t use the public Wi-Fi at your favorite coffee shop for banking, checking financial accounts, shopping and anything else that could expose your personal information. Why not? The guy sipping a latte at the next table could steal your info with a $100 device that fits in a backpack, Woerner says.
2. Online shopping and payment accounts.
We’re all shopping more online and paying bills through our computers or phones, and we need to do this safely. The rollout of EMV chip cards has fraudsters moving online to steal your cards and raid your bank accounts.
Online shopping now poses a bigger ID fraud risk than ever, Javelin reports. Because EMV chip cards have made it harder for crooks to commit fraud with physical cards, card-not-present fraud (typically when a crook enters the card info online) is on the rise.
Card-not-present fraud is now 81 percent more common than card fraud at brick-and-mortar businesses, Javelin found.
Here’s how to protect your card details and other personal information when you’re shopping online and wherever your financial information is stored on the web:
How to shop safely online
- Shop with
It’s best to choose larger trusted sites for your shopping. “The big guys really try to do their due diligence when it comes to cybersecurity,” Woerner says.
If you’re unfamiliar with a vendor or website, do some research to make sure it’s legitimate, Velasquez says.
- Watch out
for fake sites.
Fake sites mimic those of well-known retailers. For example, Target.com is the real site and the fake site might be Target.biz. Or a fake Walmart site could be off by just one letter that you may have trouble distinguishing, such as Waimart.com.
To protect yourself, double-check URLs when you shop and bookmark retailers you use frequently.
Also, watch for these problems that plagued that fake jewelry site reported by the BBB: poor grammar, social media links that don’t lead to real social accounts and notices about international shipping charges.
- Make sure
the site is secure.
Reputable online retailers provide secure transactions through encryption on their sites. If you’re not sure a site is secure, use an online site security checker to see the security grade of the site where you want to shop.
“Just look at the letter grade, and if you don’t see an A you should question the site,” Woerner says.
Also, look for the letters “https” in your browser’s address bar. The “s” stands for secure and means your communications with the site are encrypted. “Never input your credit card information on a site that doesn’t have https,” Siciliano says.
which retailers (and restaurant chains) are the biggest targets.
Any retailer can become the target of a data breach, but online apparel stores and restaurant groups appear to be especially vulnerable.
For example, Adidas.com notified customers of a data breach of 2 million records in June 2018, and Jason’s Deli, Panera and Chili’s have reported data breaches in 2018.
You can keep track of recent data breaches by using this data breach search tool.
- Use credit
instead of debit.
“Never use a debit card,” McCleskey says.
If your physical credit card gets stolen, federal law limits your liability to $50, and most card issuers offer zero liability. Also, the crook doesn’t have access to your actual cash.
Using a debit card opens up your bank account, Hanson says. Also, if your debit card number is stolen, your liability is limited to $50 only if you report the problem within 60 days of getting the statement that shows the fraudulent purchase.
A bank may also take time to reimburse your funds. “Meanwhile, you still have your rent or mortgage and your car payment due,” Hanson says.
your security with a payment service or virtual card.
Want to shop a smaller online retailer or just feel leery of giving out your card info due to data breaches? Payment systems like Apple Pay, Samsung Pay, Google Pay, PayPal and Venmo add an extra layer of security to online shopping.
“These services mask your card number, expiration date and CVV code,” Siciliano says. Another way to safeguard your credit card info is by using a virtual credit card, which gives you a temporary credit card number that is tied to your actual card.
Your credit card provider might offer a virtual credit card option to use for online shopping.
For example, Bank of America’s ShopSafe allows you to generate a temporary credit card number and choose a length of time up to a year for the number to remain valid.
Citi virtual account numbers are available with some of its cards.
Capital One rolled out virtual account numbers in March at the 2018 SXSW conference.
save payment information.
Avoid storing your credit card data on a site unless it’s a trusted site like Amazon.com that you shop frequently.
Manually enter the number every time you shop, Siciliano says. “The hassle means more security,” he says.
See related: As online fraud spikes, here’s how to safeguard your accounts
How to protect your online accounts
strong passwords and change them regularly.
Use hard-to-crack passwords and set a different one for each site.
Consider getting a password manager such as Keeper, LastPass or Password Boss. It’s fine to opt for a reputable free password manager. These tools can generate strong passwords, keep them in one place and fill in your username and password fields.
You also can use this password checker to see if a password is secure.
Never use common passwords like “abc123” or “iloveyou!”
- Keep your
personal info up to date.
When you move, change your email address or phone number, or go on a trip, alert your bank and credit card issuers. Keeping your info current can prevent personal information from getting sent to the wrong place and also help your financial institution to track fraud.
- Set up
extra layers of security.
Use two-factor authentification, or multifactor authentification, on your accounts. This typically means that in addition to typing in your password you also must enter a one-time-use code that is texted to your phone or sent via email.
You may have to set up this protection on your accounts. For example, here’s how to enable two-factor authentification on PayPal.
Know that some banks and credit card companies only use two-factor identification if you’re logging in from a device they don’t recognize.
Two-factor identification “is not the end all be all, but it definitely lowers your risk factor,” says Ian McClarty, a cybersecurity expert and president and CEO of PhoenixNAP Global IT Solutions.
alerts on your credit card accounts.
Set up free account alerts offered by your credit card company. For example, you can set a text or email alert for: any purchase over a certain amount, any card-not-present transaction or any use of the card outside the country.
“This puts the ball in your court,” Hanson says.
what you share on social media.
Avoid posting about your favorite color, dream trip or funny story about your first pet, Snuggles the snake. Why? You might be giving out the answers to the “security questions” some sites require.
Also, steer clear of geotags that broadcast your current location and tighten your privacy settings on social media accounts.
3. Apply safely for credit cards and offers.
click links in emailed card offers.
Scammers often send email offers that look real, so it’s best to call or visit the card issuer’s site to apply.
“My rule is never to respond to any card offer via email ever,” Siciliano says. “If you’re interested in the offer, do some additional legwork.”
- Sniff out
Signs of a scam email include: a suspicious email address, blatant misspellings and over-the-top offers. “Pause and ask yourself if it sounds a little too good to be true,” Hanson says.
- Apply for
cards through reputable companies.
Some blogs and personal finance sites, such as CreditCards.com, partner with card issuers for sign-up offers. Before clicking on an offer, make sure the site is reputable and secure.
How you do this: Check for the letters “https” in your web browser’s address bar. Also look for the company name to the left of those letters. Click on that name to verify that the site has an extended validation (EV) certificate.
4. Review your credit often.
If you do become a victim of ID fraud, you can limit damage
to your finances and credit by discovering the crime as quickly as possible.
Here’s what you should do to watch your credit:
your bank and credit accounts.
Check your bank and credit card accounts at least monthly if not weekly or daily so you can spot and report suspicious purchases to your credit card company immediately.
“Don’t skip the small purchases,” Siciliano says. “A charge for $9.95 could still be fraudulent.”
your credit reports regularly.
The best way to make sure no new accounts have been opened in your name by a fraudster is to check your credit.
You can get one free credit report from each of the major credit bureaus each year at AnnualCreditReport.com. You can get your free TransUnion credit report for free anytime from CreditCards.com.
Some credit card issuers also offer free credit monitoring to customers.
“Checking your credit is essential,” Hanson says.
- Lock down your
credit with a security freeze.
Want to stop criminals from opening new credit in your name? Placing a security freeze on your credit is the best way to do that, Siciliano says.
Credit freezes now are free in many states but in others may cost $5 or $10 for each credit bureau, but free credit freezes are coming this fall. The three big credit bureaus expect to meet a deadline of Sept. 21.
However, if you’re an ID theft victim with a police report, you can place a freeze for free. You’ll need to temporarily lift the freeze before you apply for new credit.
“A credit freeze really locks down your credit,” Siciliano says.
The major credit bureaus also offer credit locking services. Equifax’s Lock & Alert and TransUnion’s TrueIdentity credit locking service are free. Experian’s CreditLock costs $4.99 for the first month then $24.99 a month.
Your bottom line: Whenever you use your cards and make payments online, you need to make sure the financial transaction is secure. Know, though, that card issuers have gotten very good at recognizing normal purchasing patterns and spotting suspicious charges, Woerner says.
For example, he never uses Lyft, so his card company texted him immediately when a thief used his card to grab a ride.
“Fortunately, card issuers are watching your back,” he says.
- Credit freezes are now free – but do you need one? – Credit freezes, which keep lenders and other companies from viewing your credit, are now free. We compared them to other credit protection tools, including locks and monitoring services. Here's how to use them all to protect yourself ...
- Employer credit checks: Who does them, how they work and what laws apply – If you're applying for a new job, a credit check could determine your fate, depending on the position and where it's based. Here's how they work and what to expect ...
- My card issuer of 25 years suddenly wants to know more about me – Under the Patriot Act, banks are required to verify the identities of their customers and maintain accurate information on them. But my bank's demand to know how I earn my income is an invasion of my privacy ...