Here’s how to stay safe when you’re doing your online Christmas shopping

‘This the season to be jolly!

It’s also the season to be hyper-vigilant if you’re shopping online for holiday gifts.

Unfortunately, despite the good will this season tends to bring with it, it also brings many attempts by cyber criminals to exploit people and steal their money and personal information.

The holidays are also a great season for hackers.

And though many of us are in the spirit of giving, we’re not trying to give complete strangers money, our identities or access to our bank accounts.

So with that in mind, here are seven extremely useful tips for staying safe while doing your holiday shopping online this season.

The Same Email Etiquette Applies

We’re not here to patronise you, we realise you know to be careful opening emails and attachments. But, this is the holiday season. Chances are you’re signing up for more mailing lists than usual in hopes of getting some of those sweet, sweet discounts. Cyber criminals know this, and they’re going to use it as a pretext to phish you. So be extra careful with what you open. And here’s a tip, if you use Gmail (which many of us do) check for a little red unlocked padlock icon next to the recipient’s name in the top the left corner of any email you do open. If that’s there, it means this was sent from an unencrypted server. Most reputable companies have encrypted servers, so if you see that little red warning symbol, be very careful.

Use Common Sense

Hopefully, you’re using a pop-up blocker, but there may be a moment when you see a pop-up or get an email advertising a highly valuable product at a ridiculously low price. We’re talking iPads for 20 dollars or 4K HD TVs for $100. Granted, there may be a tiny, itty-bitty little chance that these deals are real. But, if you’re really honest with yourself you probably realise that it’s too good to be true. In fact, it’s more likely designed to get you to click the link and come to a page that will be unsafe and looking to further exploit your trusting nature. So don’t take the risk. Use common sense.

Learn About Visual Indicators

In the address bar of every browser, there exist visual indicators that are meant to indicate the security level of your connection with various websites. Now, these indicators can’t tell you a site is 100% safe. But they can tell you whether or not your connection with the site is encrypted. This is important because it’s a good starting point for figuring out whether or not the site is safe. So take a moment to learn what the various visual indicators mean (they tend to be similar, but do vary slightly browser to browser) and pay attention to them when you arrive at a website—don’t just look once, keep checking them on every single page.

Never Trust an Unencrypted Connection

If a connection is not encrypted, that site is not safe to do business with. A non-encrypted connection means anyone who knows how (read: cybercriminals) can see all communication being exchanged between you and that site. This includes personal information and credit card numbers. It would be like if the clerk at a Wal-Mart asked to read your credit card number, expiration date and CVV code out loud to them. You wouldn’t do it because someone else could hear it and then steal that information. That’s what buying something from an unencrypted site is like. So don’t ever enter any personal information on an unencrypted website. And for that matter, be cautious of them in general.

Those Visual Indicators Can Be Clicked

Here’s something, not a lot of people – even the ones who know what they mean – realise: you can click on the padlock visual indicator to find out more about the website you’re visiting. Namely, you can tell what kind of SSL Certificate they have and potentially learn about the identity of the site owner. Why should you care? Well, there are three levels of authentication that come with SSL. The lowest, Domain Validation, just requires you to prove ownership over the registered domain. This means that literally anyone can get one and install it on their site. When you click the padlock for a site with a DV cert, it just says who owns the site. The other two kinds of SSL Certificate (which offer business authentication) will list verified information about the company that owns the website when clicked. If the company’s verified information comes up when you click the padlock—you can trust it. But, be wary of DV SSL, the site may look legitimate, but if it only has a DV Certificate that’s a bit suspicious.

Trust the Green Address Bar

On the other end of the SSL, the spectrum is Extended Validation SSL Certificates. These require a company or organization go through a rigorous identity verification, but in turn, they grant a unique visual indicator: the green address bar. Now, in honesty, the green address bar is no longer green. It was in earlier incarnations, but now it just displays the organization name and country in green text next to the URL. But this is still easy to identify and impossible to fake. It means the website you’re visiting is encrypted and is owned by a verified business. Most of the biggest companies have invested in EV. So when you see the green address bar, you can proceed without worry.

green address bar

Site Seals Are Your Friend

Another way to tell if a website is encrypted is to look for a site seal. These are usually present on homepages (typically in the footer) and on checkout pages. If you’ve ever seen the Norton Seal with that big check mark, then you know what a site seal looks like. These are only available to websites that have invested in SSL and many of them can be clicked on to display verified company information. If you don’t see a site seal on the checkout page, you may want to double-check who you’re about to do business with.


Hopefully, these seven tips will help you to stay safe when shopping online this holiday season. And keep in mind, this list isn’t meant to scare you. It’s just our helpful way of reminding you to be vigilant. The holidays are a lot less fun when identity theft or financial loss are involved.

So keep your guard up, but enjoy this time of year.

Happy Holidays from all of us!


Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.