We always have a bit of fun whenever we hit on a good online sale. That is, until the credit card bills start hitting the doormat with annoying insistence.

What seemed a logical thing to do at the time, frantically elbowing the other shoppers out of the way to bag that last bargain, has become a spectre that must be paid for.

The main worry at the time may have been whether the goods would arrive at all if the seller was unknown to us. But that is just the tip of a rather large and slippery iceberg.

Legal or not, a great many parties monitor your online activity in order to target you with advertisements. Some, however, are after your credit card and bank details, and others want to plant malware on your machine. The cheapest source of the latest movie may not be the most reliable: is it cheap because the seller spends nothing on securing your personal information?

There are at least two immediate reasons for caution. First, the address in the browser should start with https://. On some sites this still only happens when you reach the payment stage.

Over plain http, everything you browse is readable by your service provider and by anyone else on the path between you and the shop. Only an https connection encrypts what you send, including your credit card number, between your browser and the retailer's server. That matters most when you shop over a wireless connection, whether from a phone or a laptop, since anyone within radio range can capture wireless traffic.

Of course, at home the communication between your wireless router and laptop is encrypted, isn't it? Only if it was set up that way, and only securely if it uses WPA2 (or WPA3) with a strong passphrase: the older WEP scheme is broken, and older routers shipped with no encryption at all. Public hotspots are commonly open, so the person drinking coffee at the next table can read all your e-mail and browsing until you reach an https connection. Even on an encrypted hotspot, the hotspot operator still sees everything that is not sent over https.

However, https is no guarantee that your credit card details are safe once they reach the seller. They may then be stored in a database on the retailer's server, which can be breached and which may be readable by the retailer's employees. (The card industry's own rules, PCI DSS, forbid storing the three-digit security code at all after a payment is authorised, which is one reason a reputable store asks for it afresh on every order.)

In the end you are relying on the seller's wish to keep a good reputation. No technology can provide that, and a small retailer that trades only online can change its name at will.

What about the security of your own machine? We have already noted the need to encrypt your Wi-Fi connection. As you browse online offerings, a web page may pop up an alert claiming that a virus has been detected on your machine and urging you to download the latest anti-virus software to remove it. Don't.

That alert is not from your machine: it is a page, or a script on a page, preying on your fears to persuade you to install malware. Close the window (or the whole browser) and trust only your own anti-virus software to tell you whether malware is present. Needless to say, keep all your software up to date so that known security issues are patched. That means the operating system and every application, not just the firewall and anti-virus, which should both be running.

There is also the threat of spam and phishing e-mails. A special offer apparently from your favourite online store may invite you to click through to a spoof website, or "your bank" may write claiming unusual transactions on your account. Either may be genuine, but you always need to verify the sender's identity before proceeding: go to the site by typing the address you know, or phone the number printed on your card, rather than following the link or the number in the message. Never identify yourself first.

You wouldn't buy from a door-to-door salesman or someone cold-calling. Treat all online contacts with the same suspicion. In particular, look very carefully at the address in your browser and compare it with what you know to be correct. Has 'bank' been added to or removed from the name, or the correct ".co.uk" been changed to ".com"?

You might not notice. More subtly, the store's name may be spelled with the numeral '0' in place of the letter 'o'. The authorities that issue the digital certificates behind a secure connection may check very little beyond control of the domain name. They don't guarantee that you are buying from a respectable store, only that you are talking to whoever controls the address in the bar, including the one with the '0' that the attacker registered. A spoof website can obtain a perfectly valid certificate and look every bit as legitimate: the padlock tells you the connection is private, not that the other end is honest.
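As an added example (not from the article), the following Python script compares the address a link leads to against a short list of sites you have actually registered with, and flags the tricks just described: a word added or removed, the ending swapped, '0' for 'o' or a Cyrillic letter for a Latin one, and the real name buried as a subdomain of an attacker's domain. The trusted list and the sample URLs are constructed for the demo, and the confusable-character table is an illustrative subset, not the full Unicode list.

```python
"""Check a URL against the shops and banks you actually use.

Added example, not from the article. Catches the tricks the text lists:
words added or removed ('my-bank'), the ending changed ('.com' for '.co.uk'),
'0' for 'o' and other look-alike characters, and the real name buried as a
subdomain of an attacker's domain. The trusted list and sample URLs are
constructed for this demo.
"""
from urllib.parse import urlsplit
import unicodedata

# Characters attackers substitute for look-alike letters. Illustrative subset
# only; Unicode's confusables.txt is the authoritative list.
_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u03bf": "o", "\u03b1": "a",  # Cyrillic c x, Greek o a
})
_DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def fold(name: str) -> str:
    """Normalise a hostname so that look-alike spellings compare equal."""
    name = unicodedata.normalize("NFKD", name.lower())
    name = "".join(c for c in name if not unicodedata.combining(c))  # strip accents
    name = name.translate(_CONFUSABLES)
    for pair, letter in _DIGRAPHS:
        name = name.replace(pair, letter)
    return name.replace("-", "")


def classify(url: str, trusted: list[str]) -> tuple[str, str]:
    """Return (verdict, reason); verdict is trusted, insecure, lookalike or unknown."""
    if "://" not in url:          # no scheme given: parse the host, treat as not https
        url = "//" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # hostname drops user:pass@ and :port
    if not host:
        return "unknown", "no hostname in URL"
    trusted = [t.lower() for t in trusted]

    # 1. Exact match or a real subdomain (login.mybank.co.uk) of a trusted domain.
    for t in trusted:
        if host == t or host.endswith("." + t):
            if parts.scheme != "https":
                return "insecure", f"{t} reached without https"
            return "trusted", f"{host} is {t} or a subdomain of it"

    # 2. Not trusted: does it merely look like one of them?
    folded = fold(host)
    for t in trusted:
        ft = fold(t)
        brand = ft.split(".")[0]          # 'mybank' for 'mybank.co.uk'
        if folded.startswith(ft + ".") or ("." + ft + ".") in folded:
            return "lookalike", f"{t} is only a subdomain of {host}"
        for label in folded.split("."):
            if label == brand:
                return "lookalike", f"{host} is spelled or ends like {t} but is not it"
            if len(brand) >= 4 and brand in label:
                return "lookalike", f"{host} embeds the name of {t}"
    return "unknown", f"{host} is not a site you registered with; treat it as a cold call"


if __name__ == "__main__":
    TRUSTED = ["mybank.co.uk", "bookshop.co.uk"]       # constructed for the demo
    for u in [
        "https://login.mybank.co.uk/account",
        "http://mybank.co.uk/",
        "https://www.mybank.com/",
        "https://my-bank.co.uk/",
        "https://b00kshop.co.uk/sale",
        "https://rnybank.co.uk/",
        "https://myb\u0430nk.co.uk/",          # Cyrillic 'a' in place of Latin 'a'
        "https://mybank.co.uk.secure-login.net/",
        "https://mybank.co.uk@evil.net/",      # '@' makes evil.net the real host
        "https://evil.net/",
    ]:
        print(f"{classify(u, TRUSTED)[0]:9} {u}")
```

Run it and each sample URL prints with its verdict. The `hostname` property of `urlsplit` is what defeats the `name@host` trick: the browser, too, treats everything before the `@` as a username, not as the site. A legitimate store you have never registered with also comes back as `unknown`, which is the point of the article: treat it like a cold call until you have checked it by other means. The script is a reading aid for the address bar, not a replacement for the certificate checks your browser performs.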


Many stores require you to register with them before you can buy products. In this way they can spam you for evermore. It is important to use a different username and password for every such registration, because a dodgy website, or an honest one that is later breached, will have your details tried against your bank and e-mail accounts. Also use different e-mail addresses at least for different purposes (social networking, banking, personal, business and shopping), even if you can't manage a different one for every site. That way you can separate legitimate e-mail from spam and phishing, and you can tell who is spamming you, or whose customer list has leaked.

You need to store all these registration and login details somewhere. Pen and paper has real merits: one copy of everything, you know where it is, it is easy to lock away, and a remote attacker cannot steal bits of paper. Once the list grows long, a reputable password manager protected by one strong master passphrase is the practical alternative; a plain text file on the laptop is not.

Mobile devices, in particular, still give stored data relatively weak protection but are easy to lose and highly desirable to steal. Keep the absolute minimum of such data on them and assume they will be compromised at some point. At least protect your devices with a strong passcode, and turn on device encryption and remote wipe where they are offered, or your package might include more than you bargained for.

Dr Colin Walter is director of the MSc in Information Security at Royal Holloway, University of London.
