Online shopping and the enterprise: 5 tips for a safer holiday season

Online shopping can be a high-risk activity during the holiday season—for both workers and the companies that employ them. Sure, employees are not supposed to engage in online shopping from work, but with the line between our work and personal lives becoming ever fuzzier, it’s inevitable that activities from one world seep into the other. Even if an employer could shut down all online shopping from work during the holiday season, workers’ risky off-site behavior could still be brought to work on a personal smartphone or laptop.

“A perfect storm of things happen at the holidays that make it so much easier for criminals,” said John Wilson, field CTO at Agari, an email security company. Everyone is buying gifts both online and offline, and those purchases are generating a lot of notifications. “When you get things like an order notification or a shipping notice, you’re more likely to open one that a criminal has slipped into the mix.”

Even if notifications are being sent to a personal mailbox off the company network, an employee who just visits a shopping site from work can create problems. That’s because a shopping site may be infected with malvertising, which is malicious advertising designed to poison the computers of visitors to legitimate websites. “Criminals know people are going to various shopping sites at the holiday season,” Wilson said. “Because you’re shopping with your work computer, your work computer will be the one that gets compromised by a piece of malware. That poses a risk to the enterprise, because once the criminals get a foothold, they’re able to move laterally and ultimately find more privileged accounts within the enterprise network and establish an advanced persistent threat.”

Accidentally infecting a corporate network through a shopping site may be a bonus for some Internet marauders, but for others, it’s intentional. “When you make a request to see a web page, a cybercriminal can tell where you’re coming from,” noted Ben Johnson, chief security strategist at Bit9 + Carbon Black. “If there’s something malicious at that website, it can wait until it sees a visitor from a company it wants to hack into and then send an exploit to that visitor’s computer.

“So you’re actually increasing the threat to you because you’re shopping from your corporation,” he added.

While all risk to an enterprise during the holidays can’t be eliminated, it can be reduced by minimizing risky behavior. Here are five ways to do that.

1. Don’t click on links

One of the top ways shoppers get exploited by hackers is through phishing. Phishing emails masquerade as some kind of trusted correspondence, perhaps a shopping receipt or shipping notification. The email will contain links or an attachment. Clicking on any link or opening the attachment usually leads to a computer becoming infected with malware or ransomware.

Averting the risks of phishing messages seems simple: Don’t click on links in emails or open attachments to them. But if you’re an office worker, clicking on links and opening attachments are part of doing business.

That means you need to take some precautions to protect yourself from phishers. For one, always be suspicious of unsolicited email. Even if the email appears to come from your bank or a site you’ve purchased things from in the past, you should check that the email address in the “From” field of a message is where the message actually comes from. Before clicking a link, you should hover over it to see if the URL in the hover box matches the one in the message text. If you absolutely feel compelled to follow a link in a dubious email, it’s better to type the address into your browser by hand than to click it.

“Think before you link,” advises Derek Manky, global security strategist at Fortinet.

2. Don’t reuse passwords

Security experts never tire of warning users about reusing passwords, for good reason. Once a password is in a hacker’s hands, it will be tried across myriad high-value websites—banks, retailers, investment firms, or just about anywhere money or goods can be obtained—until the criminal hits paydirt. Creating a unique password for every site can be a pain for consumers, especially when a site will be used only once during the holidays. But it’s a lot less painful than having someone break into your Amazon Prime account and go on a spending spree.

“You shouldn’t use the same password all the time and on all your shopping sites, because if your credentials are stolen, instead of having stolen credentials to one site, you’ll have them stolen to multiple sites,” Manky explained.

3. Use two-factor authentication

At sites that support it, you should activate two-factor authentication, or 2FA. With 2FA activated, when you enter your username and password at a website, you’re also asked for a security code that’s typically sent via text message to your mobile phone. More and more sites are offering the service, which makes it difficult for hackers to crack accounts because while they may be able to get your username and password, it’s unlikely they’ll get your mobile phone. Amazon recently added 2FA for its users, and Yahoo liked the idea so much that it offers an option that replaces all password use with a variation on 2FA.

“A simple username and password isn’t enough anymore,” Manky said. “They can be stolen so easily.”

4. Use HTTPS where available

More and more sites have begun to support secure transfer of information between a browser and a website. This protocol, HTTPS, can protect transactions conducted with a website. Some websites have HTTPS available, but they don’t offer it by default. A plug-in for most browsers, called HTTPS Everywhere, is simple to install and will automatically force HTTPS communication with any website that supports it.

5. Avoid public Wi-Fi networks

As financially attractive as using free Wi-Fi in public places may be, it’s not a good idea to shop on those networks because you don’t know who may be listening in on that traffic. “Either be on a secure Wi-Fi connection, like your home, or just use your wireless carrier,” said Andrew Hoog, CEO of NowSecure. “You’re going to get better security because someone sitting on that network can’t intercept your data and put you at risk.”