Online shopping is booming. At the same time, an army of cybercriminals is getting into position to rip off trusting online shoppers. Our security specialist Martin Wrona explains how to best protect yourself from internet scammers.
The internet’s awash with phishing e-mails, hacker attacks and social engineering attempts – and it’s not letting up any time soon. That was true when we first published this article a year ago*, and it’s still true today. Hardly a week goes by without reports of a new scam appearing in the press. Evidently, it’s during the lucrative pre-Christmas period that brazen hackers wreak the most havoc. Some Digitec and Galaxus customers are falling victim to this too.
With this in mind, it seems like a good time to remind the Community of the tips and tricks recommended by our in-house IT security expert Martin Wrona. They’ll help you avoid any nasty surprises while you’re shopping online. Pausing for a moment to cast a critical eye over any strange e-mails you get is a good place to start.
How can a layperson spot a phishing e-mail?
In many cases, there are clear indications. That said, I’ve noticed that e-mails from fake senders are becoming more and more perfidious. Some cybercriminals are true artists – it’s only when you really scrutinise their e-mails that you realise they’re malicious.
And how do these username and password combinations get circulated?
Criminals sell lists of stolen username and password combinations on the internet to fraudsters. These con artists then try to log into popular online shops. That’s why people who use the same username/password combination in more than one place are particularly susceptible to internet fraud.
Header image: Manuel Wenk
*This article was first published in November 2023. It has been changed slightly and republished in view of Black Friday Week and Christmas.
Martin Wrona (right) showing me some scammers’ tricks on his screen. Source: Manuel Wenk
Martin, what sort of scams are Galaxus and Digitec customers encountering right now?
Internet scammers are creative – they try all kinds of things to get their mitts on customer data. Phishing e-mails, which each and every one of us finds in our inbox daily, are very popular among internet criminals at the moment. Classic examples would be a notification that your Netflix subscription needs renewing or that a parcel you ordered is held up at customs and won’t be delivered until you pay a fee. People who don’t question the messages they get may get caught up in one of these «data phishing nets» and end up giving out their data.
What should we be looking out for?
Whenever you get an e-mail, I’d recommend asking yourself a few questions. Do you have any connection to the sender? If the answer’s no, send the e-mail straight to «Trash» without opening it. Do you notice any typos, odd wording or something off about the sender’s company logo or e-mail text? If so, delete the e-mail. Is the sender putting pressure on you, say, by threatening to terminate an existing contract? If so, get rid of the message. Is the sender’s e-mail address hidden? Clicking on the sender’s name or hovering over it with your mouse will reveal their actual e-mail address. If anything about it strikes you as weird, stick the e-mail in the trash. It’s important you don’t open any attachments or click on any links in the e-mail.
In this example, the scammer’s trying to put their victim under pressure. Their plan is to use the QR code to guide their target to a page where they’re asked to enter their login details. Source: Manuel Wenk
How can I protect my Galaxus and/or Digitec account from unauthorised access?
There are several ways people can significantly increase the security of their accounts. My most important tip? Definitely use a unique password and make sure it’s long and complex enough. We recommend a minimum ten-character password combining special characters, upper- and lower-case letters for login. Twelve or more characters would be even better. And when I say «unique», I really do mean you should use one password for one thing. Anyone who uses the same username and password combination for their online banking, grocery order and tyre-fitting booking is unnecessarily putting themselves at risk of fraud.
... Even if that password has twelve or more characters and follows all the rules about combining upper- and lower-case letters, numbers and punctuation marks?
It doesn’t matter. These often identical username-password combinations are exactly what makes fraudsters’ lives easier. The passwords are stolen via phishing e-mails or malware such as viruses and Trojans. Let’s say a scammer creates an e-mail with the Digitec or Galaxus logo and writes: «Your order is ready, click here to collect it.» If you click on the link, you’ll be taken to a new, usually quite well-copied page of the supposed provider. If you then enter your login data, «Login and password incorrect» often appears. But the data is actually stored by the criminals.
What about having a second level of security? Like the two-factor authentication that financial service providers offer?
We recommend using two-factor authentication (2FA). What this does is ask customers to confirm any new logins via mobile. An example might be when they log into the shop on a new laptop for the first time. We inform our customers about our 2FA option in editorial articles, and let them know it’s available each time they place an order. A second level of security can prevent fraudsters from logging into your customer account and ordering something without you noticing. It’s also advisable to activate 2FA in your other places it’s available, such as your e-mail account.
Safe surfing: Martin Wrona’s protected online – not least because of the guard dog on his laptop. Source: Manuel Wenk
Why don’t Galaxus and Digitec require 2FA by default? In other words, why are security measures optional?
We don’t want to treat our customers like babies – not even when it comes to security. Sure, us IT security folks would love to have a huge, red, flashing warning sign saying, «Enable 2FA.» Still, we don’t want to force anyone to do it. Our fraud detection is effective and we’re constantly developing it. However, if crooks have stolen a valid username and password from their victim’s PC and 2FA isn’t enabled, it’s very difficult for us to detect fraudulent orders.
What should I be aware of when paying for my shopping by credit card?
We don’t store any credit card data. These payments are processed for us by a specialist company called Datatrans. To ensure the security of our customers’ accounts, we require credit card issuers to be 3-D Secure compliant. This means that whenever a user accesses their account or makes a payment, they essentially need to provide secondary proof of identification, which the bank asks for. This could be in the form of an SMS code or fingerprint scan. We can’t verify whether all banks require this second proof of identification. That’s why we recommend that our customers only use credit cards that trigger a 3-D Secure query for online shopping.
Which security measures haven’t we talked about yet?
Most of the time, it’s helpful to simply engage your common sense and immediately delete any e-mails that don’t add up. Take these absurd promotions that reel people in with shiny price tags, for example. «Macbook Pro 2022 for 1.99 CHF» and the like. And if your suspicion ever causes you to delete an important e-mail by mistake, the sender’s bound to get back in touch with you.
