What to look out for when shopping online
The best way to avoid being a victim of cybercrime is to stay informed. It is really important to know how to secure your device and recognise a fake website or scammer.
Don't buy from suspicious websites. If you're not confident about how the website will use your information, don't buy from them.
If you think you’re a victim of a scam, act now.
Follow our advice on what to do if you find yourself a victim of a scam.
Learn how to shop securely online
Choosing where you buy
Do some research on online shopping websites before you buy. Stick to well-known trusted businesses and cross-check information on their website.
You can conduct research on online shops by:
- Searching for reviews from other customers.
- Reading the fine print including warranty, refund, complaints and handling. Also look at their privacy policies to find out how they will use your information.
- Checking for an Australian Business Number (ABN) if it is an Australian website. It should have one, which you can verify online on ABN Lookup.
Be careful about spoofed hyperlinks and websites. Scammers may create fake websites to impersonate well-known brands, and use fake reviews to make you trust them. It can be hard to discern fake websites from genuine ones. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain: for example, amazon.live instead of amazon.com.
If you know the domain name of the website, carefully type it into your web browser URL/search bar and check that you didn’t misspell it. Otherwise use your favourite major search engine and click on the first result which isn’t an advertisement.
If you see these warning signs while shopping online, think carefully about proceeding:
- The website looks poorly designed and unprofessional.
- Products are advertised at an unbelievably low price, or advertised to have amazing benefits or features. If it looks too good to be true, it probably is!
- The other party insists on immediate payment, or payment by electronic funds transfer, a wire service, gift cards, or digital currencies such as Bitcoin.
- The website provides no contact information (e.g. phone number, email, address).
- The website does not provide adequate information about privacy, terms and conditions of use, return policies or dispute resolution, or the policies are not clear. The seller may be based overseas, or the seller does not allow payment through a secure payment service such as PayPal or a credit card transaction.
- Your credit card credentials are being requested for reasons other than your purchase.
- The shipping and extra charges seem abnormal.
- The links and the back button are broken or disabled.
If you are shopping on social media, classifieds or online marketplaces:
- When shopping from a store’s Facebook or Instagram page, look for the blue tick next to the page’s profile name. This indicates the page is verified by Facebook.
- The social media-based store is very new and selling products at very low prices. New social media pages or pages that only have a few followers may be indications that they are fake.
- Look out for pages where the conversation is one-way by the page owner. Little or no engagement from the page’s community is a red flag.
- If you’re buying from an individual, for example over a Facebook group, view the seller’s profile. If the account is new, is not very well-established, or has other listings that are very cheap or too good to be true, it could be a scam.
- When shopping on Instagram, check to make sure the page is public. A true seller is unlikely to make their page private.
- Scammers may create fake social media pages to impersonate legitimate businesses, sometimes copying the content from the real business to make it more believable. Watch out for slight variations in business names’ spelling, such as dots, special characters or numbers.
- Avoid using the friends and family option when sending money for goods or services with PayPal. This option does not offer buyer protection. If a seller asks you to do this, it could be a scam.
Be aware of fake sellers
Cybercriminals can create fake websites, social media profiles and email addresses. Their goal is to try and steal your money or personal details. These can look like genuine retail stores, even copying designs or logos from legitimate businesses. Their websites can even look identical to legitimate websites, but the URL might have a variation in spelling (e.g. one extra letter or a different domain extension – e.g. .net instead of .com).
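The lookalike-URL check described here and under "Choosing where you buy", as an added example that is not part of the original page: it compares a link's hostname with a short list of shops you already trust and reports a different domain extension or a near-miss spelling. The TRUSTED list, the function names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed list of shops the user already trusts (an assumption of this example).
TRUSTED = ("amazon.com", "ebay.com.au", "paypal.com")

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url):
    """Lower-cased hostname of a URL, without a leading 'www.'."""
    if not url.lower().startswith(("http://", "https://")):
        url = "https://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

def classify(url):
    """Return (verdict, trusted_domain) for a link.

    'trusted'          - the host is a trusted domain or one of its subdomains
    'different-domain' - the brand name appears, but not on the trusted domain
    'misspelled'       - a label is one edit away from a trusted brand name
    'unknown'          - no resemblance to the list; no verdict either way
    """
    host = host_of(url)
    for domain in TRUSTED:
        if host == domain or host.endswith("." + domain):
            return ("trusted", domain)
    near_miss = None
    for domain in TRUSTED:
        brand = domain.split(".")[0]
        for label in host.split("."):
            if label == brand:
                return ("different-domain", domain)
            if near_miss is None and edit_distance(label, brand) == 1:
                near_miss = ("misspelled", domain)
    return near_miss or ("unknown", None)

if __name__ == "__main__":
    for sample in ("https://www.amazon.com/gp/cart", "http://amazon.live/deals",
                   "https://amazonn.com", "https://paypal.net/login"):
        print(sample, "->", classify(sample))
```

An "unknown" result only means the host resembles nothing on the list; it says nothing about whether the shop is genuine.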
Protect your devices and accounts
Make sure your device is up to date
It is important to keep the devices you use for online shopping up to date.
Turn on automatic updates for operating systems and applications (such as web browsers). Updates introduce new functionality and resolve security problems. New versions of operating systems and applications usually have new security features.
If an operating system or application is no longer supported, you can't update it. If your operating system is no longer supported, you should think about buying a newer device or service.
Secure your high risk accounts
Where possible, you should turn on multi-factor authentication (MFA) for your high-risk accounts (such as those that store your payment information). MFA is when you use two or more different types of actions to verify your identity. You may already be using MFA, for example when you receive an authentication code by SMS text message after entering your password to log into an online account. MFA makes it harder for cybercriminals to access your account by adding extra layers of protection.
You should use different passphrases for your high risk accounts, such as those that store personal or financial information. It is important that the email address you use for accounts has a passphrase that you don't use elsewhere. If you’re having trouble remembering them all, you can use a password manager to store or generate passwords for you.
Use a secure network connection
Public Wi-Fi can be convenient, but it is also risky. If your Wi-Fi connection isn’t secure someone may use it to steal your personal or financial information for malicious purposes. Stick to secure, trusted networks or switch to your cellular data connection (e.g. 4G/5G) when online shopping.
It is unlikely you will get your money back if you've paid a scammer.
Scammers like you to use payment methods like direct bank deposits, money transfers or digital currencies like Bitcoin because it’s an easy way for them to steal from you. Always make sure that you use secure payment methods like PayPal, BPay or your credit card for any online shopping purchases that you make.
Follow these simple steps to make sure you are spending money securely online:
- Use secure payment methods like PayPal, BPay or your credit card. There are dispute resolution processes available for these methods if things go wrong.
- Never send your bank or credit card details via email.
- Don’t click on a link received via SMS to pay. Never provide payment details over SMS.
- Avoid doing any financial transactions when connected to public Wi-Fi, including hospitals, libraries, shopping centres or cafes.
- Check your bank statements for unusual transactions and report them to your bank.
- Only fill in mandatory detail fields when making an online purchase such as address and payment information. Look for an asterisk (*) to indicate a mandatory field.
If you use PayPal:
- If you are sending funds to someone using PayPal, there are two payment types to choose from. Only one of them is protected. If you are paying for an item you have agreed to buy online, use the goods and services payment option in PayPal. If a seller insists on the friends and family payment option, this could be a sign of a scam and you will not recover any money sent this way.
If you use BPay:
- If you use BPay, use a legitimate biller code and customer reference number. Do not pay by direct transfers to bank accounts.
If you use a credit card:
- You may want to set up a second card with a low credit limit and keep it specifically for online purchases. If these card details are ever compromised after shopping online, this will minimise your financial losses, and if you need to cancel your card, you will still be able to continue using your primary credit or debit card.
Online auctions can be a lot of fun. They can help you find good deals, but they also attract cybercriminals.
A common auction scam is when cybercriminals say the winner of an auction you bid on has pulled out. They offer the item to you, but you have to pay for it outside the auction site. Once you have paid, you will not hear from them again and the auction site will not be able to help you.
Here are some tips to help protect yourself:
- Always make your transaction within the auction website. Do not contact buyers or sellers in private.
- Keep printed and/or electronic records of all bids. Make sure you have written down the item’s descriptions. Include emails to and from the seller, and transaction records or receipts.
- If you're buying something expensive, consider using a reputable third-party escrow service. These services hold the funds until you receive your goods.
- If the website uses a feedback rating system, check reviews and rating scores.
- Read the terms and conditions before using an online auction site. Marketplaces like eBay have dispute resolution processes if things go wrong.
35-year-old Tony, from Albury, got caught out after spotting what he thought was a genuine ad on an online classified site for a second-hand digital camera. Judging by the pics of the camera, $310 was a great price, and it would’ve been the perfect gift for his father-in-law, an avid photographer. He confirmed by text message with the Melbourne-based trader that the item was still available and then transferred the funds plus $20 postage via a bank deposit.
By the end of the week, Tony hadn’t received the item and followed up with the phone number listed on the ad, leaving numerous voicemails and sending text messages. After a further week of no responses and the ad disappearing from the website, Tony came to the sad realisation he had been scammed. As he had paid by bank transfer as well, his bank was unable to help him recover his funds.
59-year-old Jamie wanted to buy her husband a set of golf clubs for his birthday that she knew he wanted. She searched online and found the clubs at generally the same price on online golf sites and online classified sites. Jamie then found the same set of clubs on a website she had never seen before, offering them for $300 less. Jamie emailed the website to double check it was legitimate.
Someone from the website emailed back, explaining the very last set of clubs was available but credit card information would need to be emailed because of technical issues with the website’s shopping system. An alternate payment method was offered to Jamie to send funds via PayPal with the “friends and family” option as the website needed to ensure payment came quickly. They also asked Jamie to check out their other clubs on offer and to open the attachments and links within the email.
Jamie was suspicious, did not respond with her email address and did not open the attachment or links. She went back to the website and noticed the images of the golf clubs were the same images from a reputable golf website, and that every set of golf clubs was “the last set available”. Jamie also checked reviews of the website and found many complaints that it was a scam. Jamie deleted the email and bought the clubs from a known and reputable golf site. The next week Jamie tried to show a friend the website but it had been taken down and was no longer available.