Shopping online securely
Introduction Many of us are spending more time than ever shopping online. Our online shopping guidance can help you to avoid scam websites, and purchase items safely.
Choose carefully where you shop It's worth doing some research on online retailers to check they're legitimate. Read feedback from people or organisations that you trust, such as consumer websites. Reputable organisations will have information on their website about how they handle your personal data (which should only be used to fulfill your order, and not shared with third parties). Some of the emails or texts you receive about amazing offers may contain links to fake websites. If you're unsure, don't use the link, and either:
type a website address that you trust directly into the address bar
search for it, and follow the search results
Use a credit card for online payments Use a credit card when shopping online, if you have one. Most major credit card providers protect online purchases, and are obliged to refund you in certain circumstances. Using a credit card (rather than a debit card) also means that if your payment details are stolen, your main bank account won’t be directly affected. Debit card payments and purchases are not covered by section 75 of the Consumer Credit Act. But you might be able to make a claim for a refund under a voluntary scheme called ‘chargeback’. You should also consider using an online payment platform, such as PayPal, Apple Pay or Google Pay. Using these platforms to authorise your payments means the retailer doesn’t even see your payment details. They also provide their own dispute resolution should anything go wrong. However, they may not provide the same protection as a card provider, so check their terms and conditions before your sign up. When it's time to pay for your items, check there's a 'closed padlock' icon in the browser's address bar. It will look like this: The padlock icon doesn’t guarantee that the retailer itself is legitimate/reputable (and that their website is secure). It means that the connection is secure. If the padlock icon is not there, or the browser says not secure, then don’t use the site. Don't enter any personal or payment details, or create an account.
Only provide enough details to complete your purchase You should only fill in the mandatory details on a website when making a purchase. These are usually marked with an asterisk (*), and will typically include your delivery address and payment details. You shouldn't have to provide security details (such as your mother's maiden name, or the name of your first pet) to complete your purchase. If possible, don't create an account for the online store when making your payment. You can usually complete your purchase without having to create an account by:
using an online payment platform (such as PayPal) or
signing in using an existing account with a service provider (such as Apple or Google)
If you think you'll become a regular customer with the store, then you may want to create an account with them. The store may also ask you if they can save your payment details for a quicker check-out next time you shop with them. Unless you're going to use the site regularly, don't allow this. Finally, don't pay by direct bank transfer.
Keep your accounts secure If you're using the same password for your online accounts (or using passwords that could be easily guessed), then you're at risk. Hackers could steal your password from one account, and use it to access your other accounts. For this reason, you should make sure that your really important accounts (such as your email account, social media accounts, banking accounts, shopping accounts and payment accounts like PayPal) are protected by strong passwords that you don't use anywhere else. The trouble is that most of us have lots of online accounts, so creating strong passwords for all of them (and remembering them) is hard. This NCSC infographic explains how you can create strong passwords and store them safely (so you don't need to remember them). You can further protect your important accounts from being hacked by turning on 2-step verification (2SV). It's also referred to as 'two-factor authentication' or 'multi-factor authentication'. Turning on 2SV stops hackers from accessing your accounts, even if they know your password. It does this by asking you to confirm that it's really you in a second way - usually by asking you to enter a code that's sent to your phone.
Watch out for suspicious emails, text messages and websites You'll probably receive many messages from online stores, as a result of 'opting in' to receiving communications from them. Lurking amongst these genuine messages, there may well be fake ones (containing links designed to steal your money and personal details) that can be very difficult to spot. Of course, not all messages are bad, but if something doesn't feel right, follow the NCSC guidance on dealing with suspicious emails and text messages:
If you have received an email which you’re not quite sure about, forward it to the Suspicious Email Reporting Service (SERS) at firstname.lastname@example.org
If you've received a suspicious text message, forward it to 7726. It won't cost you anything, and allows your provider to investigate the text and take action (if found to be a scam).
If you have visited a website you think is trying to scam you, report it to the NCSC and we'll investigate.
If you come across an advert online that you think might be a scam, report it via the Advertising Standards Authority (ASA) website. This allows ASA to provide online service providers with the details they need to (if appropriate) remove these from websites.
If things go wrong If you think your credit or debit card has been used by someone else, let your bank know straight away so they can block anyone using it. Always contact your bank using the official website or phone number. Don't use the links or contact details in the message you have been sent or given over the phone. If you think you have responded to a suspicious email or text message, or visited a scam website, don't panic. Read the NCSC’s guidance on dealing with scam emails, phone calls and text messages. If you've lost money, tell your bank and report it as a crime to Action Fraud (for England, Wales and Northern Ireland) or Police Scotland (for Scotland). By doing this, you'll be helping to prevent others becoming victims of cyber crime.
If you don't receive the item (or it doesn't match the description given), Citizens Advice has some useful information about getting your money back if you paid by credit card, debit card or PayPal.