Our top tips to make safer online payments

Online shopping is ubiquitous and essential for many of us, but that makes it all the more important to make sure that you’re spending your money safely.

While you’ll probably regularly use a few sites and have accounts with them that make it easy to be confident that you’re in the right place.

In fact, clicking on a link and then being asked to log into an account on site you swear you were logged into an hour ago is a potential warning sign that you’ve clicked on a phishing link.

If this or anything raises your suspicions, here are some key things to look for when confirming that you’re entering your payment details somewhere that’s safe as possible, and some extra security tips to help you keep things that way.

Are you on an HTTPS site?

Check that the URL begins https:// rather than just http://. HTTPS stands for HyperText Transfer Protocol Secure and means that TLS encryption is being used to protect you data, such as your debit card number and CCV code, when it’s travelling between you and the site.

Click on the lock symbol in your browser bar to double check. It should say something like “Site information for [the URL you expect to see here]. Connection secure”. If you click through where it says “connection secure”, you’ll shown the Certificate Authority (CA) that issued the certificate. Popular CAs include LetsEncrypt, DigiCert, GlobalSign and IdenTrust.

But just because a site has a valid TLS certificate, doesn’t mean that it’s safe. All the certificate shows you is that your data is encrypted in transit, not that the site on the other side is necessarily trustworthy. You’ll have to do a little more checking if you want to

Do you know who you’re buying from? Are they at the correct URL?

Watch out for fraudulent websites and malicious typo squatters. Typing in bandcmap.com instead of bandcamp.com just takes you to a random advertising and sales portal, but some typo squatters host phishing sites designed to target anyone who makes a slip of the finger.

Also watch out for obfuscated sites that seem to have the correct URL but might take you somewhere else, like the following obfuscated link to amazon.co.uk. Firefox users should see a potential fraud warning when clicking on that one – it’ll redirect you back to Trusted’s main page.

How did you get there?

Did you go directly to the URL? Is it typed correctly? If you clicked a link in a promotional email, did it look legitimate and take you where you expected, or did it behave like a phishing attack?

Does it have an HTTPS URL?

Many retailers will dispatch you to a third-party payment processor. This is absolutely fine and nothing to worry about. But payment processors have the specialist security in place that’s just not practical for many businesses to implement themselves. It also means one less site that could be storing your payment information, which can reduce the risk of having your data compromised in a breach. Some payment providers also offer purchase protection.

Are you on a dedicated payment page?

There should not be any unnecessary elements on the page enter your payment information into, and if an external payment provider is used, you should be sent to their site, rather than seeing an embedded iframe.

The MageCart hacker group has been responsible for multiple major attacks on online payment services since 2016, injecting malicious code into retailers’ websites to skim card details entered into the site. These attacks affected TicketMaster and British Airways, as well as many smaller retailers.

It’s really hard to spot these attacks – often users have only found out when the compromised retailer contacted them.

Are you prompted to authorise the purchase using your bank’s multi factor authentication app or device?

Not every retailer and bank supports this, but most do, and it’s a good opportunity to make sure that you’re being billed the amount you expect and that the retailer or payment processor has correctly integrated the latest security measures into their website.

Of course, you may not see a 2FA request if you’ve already authorised the retailer or processor to take payment from your card. Amazon and PayPal regularly do this, for example.

Check your bank statements

Check your bank statements regularly, and if you see anything amiss, check your account history with the retailer. Contact your bank if you see a fraudulent transaction. I use a Wise card for a lot of online shopping, partly because I immediately get a notification from the app whenever money goes out of my account.

Check to see if your data has been involved in a breach

It’s possible to have your payment date stolen with no immediate visible consequence. Follow my guide to check to see if you’re password has been breached to check HaveIBeenPwnd, which also lists breaches that have stolen personal payment data. If so, and if money has been spent using those stolen details, you may be eligible for compensation, or at least a transaction reversal from your bank.

Consider using a virtual card for online shopping

Designed to help you shop safely, virtual cards give you an extra credit or debit card number that’s associated with your account, but which doesn’t have a physical counterpart. They’re designed to be easy to restrict through payment limits and easy to delete and replace, whether that’s in case of fraud or because you want to proactively disable the card after a certain number of purchases or certain period of time.

Avoid using virtual credit cards for anything that uses your credit card number to later verify your identity, however, such as concert or print-in-station train tickets.