[SingCERT] Festive Shopping Advisory for Shoppers and Online Merchants

Published on Saturday, 10 November 2018 09:30

Background

As the holiday season is fast approaching, more people are going online to shop for gifts and make their travel plans. There is also a series of promotions for Singles' Day, Thanksgiving, Black Friday and Cyber Monday to entice shoppers.

For an enjoyable shopping experience, SingCERT advises members of the public to be more cautious of possible online threats such as:
  • Fake or phishing websites
  • Phishing emails
  • Greeting card scams
  • Impersonation scams
  • Travel scams
  • SMS scams

Such scams are commonly used by hackers, who lure shoppers with too-good-to-be-true discounts to entice them to click on links and complete their transactions on fraudulent websites. Online merchants may find themselves targeted by hackers as well.


Recommendations

For online shoppers
SingCERT recommends taking the following steps for a safer online shopping experience:
  • Avoid using public Wi-Fi networks when making online financial transactions.
  • Do not click on the links from promotional e-mails or SMS. Go to the official website by typing the web address directly into the address bar of your browser.
  • Verify that the website is legitimate and trustworthy by checking the Secure Sockets Layer (SSL) certificate through the lock icon on your browser’s URL bar. This SSL certificate also enables encryption on the website through Hypertext Transfer Protocol Secure (HTTPS), and users should avoid websites that do not support HTTPS.
  • Ensure that the site supports secure payment service when making online purchases
  • Use long and random passwords for all online accounts
  • Avoid having similar passwords for all online accounts
  • Enable Two-Factor Authentication (2FA) for all online accounts and transactions when available
  • Do not share your One-Time Password (OTP)
  • Turn on e-mail or SMS alerts for all online transactions or new logins so that you will be notified when a transaction is made

You may wish to do the following if you believe you have fallen victim to an online scam:
  • Inform the bank about the fraudulent transaction(s) and request a card replacement if necessary
  • Lodge a police report
  • Change your account credentials on the actual shopping website

For online merchants
SingCERT recommends taking the following steps:
  • Patch your web servers and software to the latest versions
  • Ensure that your site offers secure payment service for customers
  • Implement data encryption to protect the data collected from customers
  • Avoid storing credit card details within your databases
  • Store the database containing sensitive data offline
  • Implement login policies to prevent unauthorised access to your databases
  • Implement 2FA for customer login to prevent credential stuffing attacks

You may wish to do the following if you believe your site has been targeted:
  • Lodge a police report
  • If you believe your customers’ personal data was compromised, report the incident to the Personal Data Protection Commission (PDPC) at https://www.pdpc.gov.sg/Contact-Page
  • Contact your affected customers, if any, to take steps to secure their accounts
  • If necessary, restore your system to a clean backup, and/or rebuild the compromised system. Take this opportunity to look into enhancing your site’s cybersecurity.

Please contact SingCERT at 6323 5052, or email us at singcert@csa.gov.sg, if you have any enquiries or require any assistance.


References
https://www.scamalert.sg