How to stay safe when online shopping

The internet is awash with phishing e-mails, hacker attacks and social engineering attempts – and it’s not letting up any time soon. Last year, the Federal Statistical Office reported a whopping 33,000 of these offences – a 10 per cent increase on the previous year. And it’s during the very months when online retailers do the most business that brazen hackers cause the most havoc. Some Digitec and Galaxus customers are falling victim to this too. Which is why we’ve asked our in-house IT security expert Martin Wrona for his tips and tricks on avoiding any nasty surprises while you’re shopping online. Turns out, pausing for a moment to cast a critical eye over any strange e-mails you get is a good place to start.

Martin, what sort of scams are Galaxus and Digitec customers encountering right now?
Internet scammers are creative – they try all kinds of things to get their mitts on customer data. Phishing e-mails, which each and every one of us finds in our inbox daily, are very popular among internet criminals at the moment. Classic examples would be a notification that your Netflix subscription needs renewing or that a parcel you ordered is held up at customs and won’t be delivered until you pay a fee. People who don’t question the messages they get may get caught up in one of these «data phishing nets» and end up giving out their data.

How can a layperson spot a phishing e-mail?
In many cases, there are clear indications. That said, I’ve noticed that e-mails from fake senders are becoming more and more perfidious. Some cybercriminals are true artists – it’s only when you really scrutinise one of their e-mails that you realise it’s malicious.

What should I be looking out for?
Whenever you get an e-mail, I’d recommend asking yourself these questions: 1) Do I have any connection to the sender? If the answer is no, send the e-mail straight to «Trash» without opening it. 2) Do I notice any typos, odd wording or something off about the sender’s company logo or e-mail text? If so, delete the e-mail. 3) Is the sender putting pressure on me, say, by threatening to terminate an existing contract? If so, get rid of the message. 4) Is the sender’s e-mail address hidden? Clicking on the sender’s name or hovering over it with your mouse will reveal their actual e-mail address. If anything about it strikes you as weird, stick the e-mail in the trash. It’s important you don’t open any attachments or click on any links in the e-mail.

How can I protect my Galaxus and/or Digitec account from unauthorised access?
There are several ways people can significantly increase the security of their accounts. My most important tip? Use a unique password and make sure it’s long and complex enough. We recommend a minimum ten-character password with special characters and upper-lowercase letters. Twelve or more characters would be even better. And when I say «unique», I really do mean you should use one password for one thing. Anyone who uses the same username and password combination for their online banking, grocery order and tyre-fitting booking is unnecessarily putting themselves at risk of fraud.

... Even if that password has twelve or more characters and follows all the rules about combining upper and lower case letters, numbers and punctuation marks?
It doesn’t matter. These often identical username-password combinations are exactly what makes fraudsters’ lives easier. The passwords are stolen via phishing e-mails or malware such as viruses and Trojans. Let’s say a scammer creates an e-mail with the Digitec or Galaxus logo and writes: «Your order is ready, click here to collect it.» If you click on the link, you’ll be taken to a new, usually quite well-copied page of the supposed provider. If you then enter your login data, «Login and password incorrect» often appears. But the data is actually stored by the criminals.

And how do these username and password combinations get circulated?
Criminals sell lists of stolen username and password combinations on the internet to fraudsters. These con artists then try to log into popular online shops. That means people who use the same username and password combination in more than one place are particularly vulnerable to internet fraud.

What about having a second level of security? Like the two-factor authentication financial service providers offer?
We recommend using two-factor authentication (2FA). What this does is ask customers to confirm any new logins via mobile . One example would be when you log in using your new notebook for the first time. We inform our customers about our 2FA option in editorial articles, and let them know it’s available each time they place an order. After all, a second level of security can prevent fraudsters from logging into your customer account and ordering something without you noticing.

Why don’t Galaxus and Digitec require 2FA by default? In other words, why are security measures optional?
We don’t want to treat our customers like babies – not even when it comes to security. Sure, us IT security folks would love to have a huge, red, flashing warning sign saying, «Enable 2FA.» Still, we don’t want to force anyone to do it. Our fraud detection is effective and we’re constantly developing it. However, if crooks have stolen a valid username and password from their victim’s PC and 2FA isn’t enabled, it’s very difficult for us to detect fraudulent orders.

What should I be aware of when paying for my shopping by credit card?
We don’t store any credit card data. These payments are processed for us by a specialist company called Datatrans. To ensure the security of our customers’ accounts, we require credit card issuers to be 3-D Secure compliant. This means that whenever a user accesses their account or makes a payment, they essentially need to provide secondary proof of identification, which the bank asks for. This could be in the form of an SMS code or fingerprint scanning. We can’t verify whether all banks require this second layer of security. That’s why we recommend that our customers only use credit cards that trigger a 3-D Secure query for online shopping.

Which security measures haven’t we talked about yet?
Most of the time, it’s helpful to simply engage your common sense and immediately delete any e-mails that don’t add up. Take these absurd promotionsthat reel people in with shiny price tags, for example. «Macbook Pro 2022 for 1.99 CHF» and the like. And if your suspicion ever causes you to accidentally delete an important e-mail, the sender is bound to get back in touch with you.