Deloitte & Touche LLP
 
Safe shopping tips to ensure that the Online Grinch doesn’t steal your holiday
Courtesy of Deloitte’s Security & Privacy Services group
Published: 11/29/05
Contact: Lynn Cook
Deloitte
Manager, Public Relations
(416) 874-3654

Toronto, November 29, 2005 — With the holidays fast approaching, a great number of Canadians are using the virtual aisles to purchase their gifts (over 3.5 million Canadians purchased gifts online last year, a 60 percent increase over the previous year according to an Ipsos-Reid survey), but unfortunately, so too are the hackers and scammers trying to lure customers into disclosing sensitive information. Some of the tactics these online “gremlins” use are:

  • Pharming — the latest emerging threat of misdirecting users to fraudulent websites without their knowledge or consent
  • Phishing — bogus websites where customers are asked to disclose passwords and credit card numbers
  • Spyware — hidden applications that track users’ surfing habits and keystrokes

According to research firm Gartner, over the past year the volume of phishing attacks has increased by almost a third and continues to grow. To ensure customers’ online shopping experience remains joyful yet secure, Deloitte’s Security & Privacy professionals offer the following tips for safe online shopping:

  • Make sure the firewall and anti-virus software on your computer are updated and running. Scan the computer to detect any malicious programs (Trojan horses, spyware) that may have been planted to disclose sensitive information or to misdirect you to a fraudulent website. Your operating system may offer free software “patches” to close holes in the web browser or operating system that spyware, hackers, or phishers could exploit. If your anti-virus application does not support detection of spyware, a free spyware scan tool can be found online on websites such as earthlink.com (spy audit) and others. 
  • Verify that your browser has been updated with the latest security upgrades (also known as patches) and that it supports 128-bit encryption. The browser’s encryption level can be found in the “Tools” menu, under the “About” option. A high encryption level ensures that sensitive data, sent via the web while shopping, cannot be identified and used by unauthorized people.
  • When using wireless networking to shop online, make sure the wireless access point you are using has strong wireless security and controls built in such as Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA). These controls will ensure that your password is protected on the wireless networks you are surfing on. WEP and WPA will protect your data from being intercepted by “war-driving” hackers trolling to gain unauthorized access to your computer or data.
  • Never respond to emails requesting that you log in to a shopping/financial transaction website claiming that your login credentials need updating or your account is in arrears. Choose and type in the URLs of websites that interest you and avoid entering websites that have sent you their link via email. Phishers often use this technique to lure customers to bogus, look-alike websites to collect sensitive information.
  • Confirm the online seller’s physical address and phone number in case you have questions or problems. If you get an e-mail or pop-up message that asks for personal or financial information, never reply or click on the link in the message. Legitimate companies do not ask for this information via email.
  • Never send your financial information via email as it is not a secure method of transmitting information such as your credit card, chequing account or social insurance number. If you initiate a transaction and want to provide your financial information through an organization’s website, look for indicators that the site is secure, like a lock icon on the browser’s status bar or a URL for a website that begins “https:” (the “s” stands for “secure”). Be careful because, unfortunately, no indicator is foolproof. There have been cases where some fraudulent sites have forged security icons.
  • Be very cautious about opening email attachments. Don’t open an email attachment, even if it looks like it’s from a friend or co-worker, unless you are expecting it or know what it contains. If you send an email with an attached file, include a text message explaining what it is. Remember not to click on links in pop-up ads. They could install harmful files on your computer.
  • Consider shopping at sites that offer strong encryption (128 bit vs. standard 40 bit). Before entering credit card numbers, contact information etc., make sure a yellow icon of a lock appears on the bottom-right corner of your browser and that the website address has been changed to HTTPS (instead of HTTP). The yellow lock verifies the website has a secured zone so the information entered cannot be read or used by others. Placing the pointer on the yellow lock for a few seconds will verify the site’s encryption level.
  • Look for “Seal of Approval” icons provided by different authorities such as Verisign, WebTrust, etc. These seals verify that the website has been reviewed for adherence to their stated privacy and/or security policies.
  • Check the privacy policy of the website you are visiting. All reputable sites should let you know what personal information their operators are collecting, why, and how the information will be used. If you cannot find a privacy policy, or if you cannot understand it, consider taking your business to another site.
  • Avoid opting for the “Remember Password and Username” option. Although some websites and browsers offer this option as a convenience, anyone who uses your computer will then have the ability to gain access to your account and personal information.
  • Print and save records of your online transactions, including the product description and price, the online receipt, and copies of correspondence with the seller. Read your credit card statements as you receive them and be on the lookout for unauthorized charges.
Contact us for more information about this topic.
 
Source: Deloitte & Touche LLP - Canada (English)


© 2008 Deloitte & Touche LLP and affiliated entities.

Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 7,700 people in 57 offices. Deloitte operates in Québec as Samson Bélair/Deloitte & Touche s.e.n.c.r.l. Deloitte is the Canadian member firm of Deloitte Touche Tohmatsu.

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.
