• Why online shopping safety matters
  • 20 essential online shopping safety tips
  • How to tell if a shopping website is legit and verify its authenticity
  • Common scams to look out for
  • What to do if you’ve been scammed
  • FAQ: Common questions about online shopping

Online shopping safety tips: How to protect yourself from scams

Featured 25.07.2025 22 mins
Written by Chantelle Golombick
Reviewed by Katarina Glamoslija
Edited by Kate Davidson

Online shopping is convenient, no doubt about it. With just a few clicks, you can buy almost anything from anywhere in the world and have it shipped to your doorstep. But with convenience comes risk: fake sites, phishing links, and counterfeit goods are everywhere.

Staying safe while shopping online involves building simple, repeatable habits that let you grab the deals you love without handing cybercriminals the keys to your finances and identity.

In this guide, you’ll learn online shopping safety tips that work whether you’re a first‑time buyer or a seasoned bargain hunter. Follow along to shop with confidence.

Why online shopping safety matters

Think about your last three online purchases. Groceries, concert tickets, maybe a streaming subscription? Each one created a digital trail of your personal and financial data, shared between merchants, payment processors, and shipping services.

If any of these points are insecure, or if the seller is fraudulent, your money, login credentials, and personal information like your full name, address, and phone number are at risk.

Because these threats often go undetected until it’s too late, it’s vital to adopt secure shopping habits to protect your money, your identity, and your online privacy.

The rise of digital scams

Digital fraud, which surged during the pandemic, has since become a massive criminal enterprise. In the U.S. alone, the FBI reported that losses to internet crime topped a record-breaking $16 billion in 2024, a 33% increase from the previous year.

This financial damage is driven by increasingly sophisticated methods. Organized crime syndicates now sell “fraud-as-a-service” kits that can clone legitimate online stores in hours, complete with fake reviews and AI-powered chatbots.

These operations can be massive; the “BogusBazaar” network, for example, created thousands of fake shops to defraud consumers across the U.S. and Europe. These scam campaigns are often timed around major sales events like Black Friday or Cyber Monday, using a sense of urgency to bypass a shopper's caution.

YMYL (Your Money or Your Life): Why this is critical

“Your Money or Your Life” (YMYL) is a term Google coined in its search-quality guidelines for pages whose content can directly affect a reader’s finances, health, or safety. Every time you click “buy now,” you’re making exactly that kind of decision.

Online shopping is a prime example. A single misstep like trusting a fake site or paying over an unsecured network doesn’t just lead to a disappointing purchase. It can expose your credit card numbers, compromise your bank account, or open the door to identity theft.

Because the stakes are so high, you should approach online shopping with the same seriousness you would your banking or financial investments.

Common mistakes shoppers make

Even savvy shoppers can slip up and make costly mistakes online. These errors often happen when the desire for convenience overrides a sense of caution:

  • Recycling passwords: You recycle the same easy-to-guess password across multiple e-commerce websites, which means that a single data breach at one online store can provide criminals with the key to unlock your other accounts.
  • Trusting unfamiliar sites blindly: Chasing a great deal on an unknown website without doing any research can lead to scams. Fake e-commerce sites often lure victims with too-good-to-be-true prices. Falling for this scam means you’ll likely pay for an item that never arrives or is a worthless counterfeit. Or worse, the fake site will capture your credit card info and other personal details. This stolen data can then be sold or used by the criminals, exposing you to a much greater risk of financial loss and identity theft.
  • Hidden URL traps on mobile: On a smartphone’s small screen, the browser’s address bar often cuts off the end of a long web address. Fraudsters exploit this by creating look-alike domains, knowing the deceptive part of the address may be hidden from view.
    Always long-press the URL and scroll to the end to reveal the full web address before you sign in or pay. What matters is the domain immediately before the first slash: example.com.checkout-secure.top belongs to checkout-secure.top, not to example.com, even though only “example.com” may be visible. In some mobile browsers you may need to copy the address and paste it somewhere you can read it in full, as behavior varies by browser.
  • Saving card details in browsers: It’s tempting to let your browser save your card details for faster checkout, but this convenience has risks. While reputable browsers encrypt this information, there’s malware specifically designed to try and steal it. And if your device is lost or compromised while you’re logged in, anyone with physical access can simply use the autofill feature to make purchases. This turns a stolen laptop into an open wallet.
  • Using public Wi-Fi for shopping: Connecting to free public Wi-Fi at a coffee shop or airport to make a purchase is risky. Open networks are usually unencrypted, so anything a site or app sends without HTTPS can be read by others in range, and attackers can run look-alike hotspots or tamper with DNS to steer you to fake login and payment pages.
  • Ignoring software updates: Those update reminders on your phone and computer are easy to ignore, but they’re vital for your security. Updates contain patches for security holes found by researchers and developers. By not updating, you leave your devices exposed to known exploits that criminals actively scan for.

Being aware of these common pitfalls is half the battle. Now that you know what not to do, let’s focus on the proactive steps you can take to protect yourself.

20 essential online shopping safety tips

Building secure shopping habits involves a layered defense, from choosing the right retailer to knowing your rights if things go wrong. Each layer of protection increases your safety, so use as many as possible.

1. Stick to trusted online retailers

Long-standing brands and online retailers spend millions on online fraud prevention, secure checkout, and data protection. For example:

  • Amazon: Its A‑to‑z Guarantee covers missing or materially different items. Plus, you can enable two-step verification and pay with tokenized options like Amazon Pay or Apple Pay on iOS.
  • Walmart: Combines in-store return options with online fraud-detection algorithms, offers purchase protection, and supports third-party payment gateways.
  • Target: Locks your account after multiple failed login attempts. Plus, two-factor authentication is available, and the Circle Card credit program includes zero-fraud liability.
  • Best Buy: Device‑focused but security-minded: digital receipts, returns or exchanges on pretty much all products, and extended warranty options make disputes easier.

That’s not to say that smaller boutique stores are unsafe, but they do warrant extra vetting: confirm their contact details and check whether they accept third-party payment services. A store that takes only irreversible payment methods, such as cryptocurrency or wire transfer, is a red flag, because those methods offer no recourse if the seller disappears. Also, check whether they have positive independent reviews.

2. Look for HTTPS and the lock icon

A secure online shopping session starts with encryption. Web addresses beginning with “https://” use TLS (the successor to SSL) to encrypt data in transit, so your passwords and card details travel between your device and the retailer’s server as ciphertext that an eavesdropper on the path can’t read. The certificate behind the padlock does a separate job: it proves that the server you reached controls the domain name shown in the address bar.

Click the padlock (in current versions of Chrome it sits behind the Tune icon at the left of the address bar) to view the certificate. Check that the name on the certificate matches the domain you meant to visit and that it’s within its validity period. Most sites today use domain-validated (DV) certificates, which contain no company name at all; only organization-validated (OV) or extended-validation (EV) certificates name the business, so a missing company name is normal and a present one is a small extra signal rather than proof. If you see “Not Secure” or an expired or mismatched-certificate warning, abort the purchase.

‼️Important: The padlock and https:// are not guarantees that a site is legitimate. Anyone who controls a domain, scammers included, can obtain a free domain-validated certificate in minutes, so fraudulent sites routinely show a valid padlock. Treat HTTPS as a mandatory minimum, not a seal of approval: it protects your data from eavesdroppers on the way to the site, not from the site itself. Combine this check with as many of the other verification steps listed here as possible.


3. Avoid public Wi‑Fi or use a VPN

Free airport or café Wi‑Fi might seem harmless, but on an open network the radio link itself is unencrypted. Anything a site or app sends without HTTPS is readable by anyone in range, like shouting your credit card number across the room. HTTPS protects the contents of a properly secured checkout, but someone on the same network can still see which sites you visit, set up a look-alike hotspot with the café’s name, or tamper with DNS so that a familiar address lands on a fake page.

If you must shop on the go, use ExpressVPN to create an encrypted tunnel for all of your device’s traffic, so the hotspot operator and anyone else on the network see only the tunnel, not the sites or data inside it.

4. Use an antivirus and keep software updated

There are many shady “coupon” extensions out there that appear to be helpful shopping tools. However, once installed, they can hijack your browser, bombard you with ads, or even steal your sensitive data.

This is where a good antivirus program helps. If you’ve downloaded a malicious extension or clicked through to a phishing site, you can use a reputable anti-malware tool to run a full scan of your device and remove any threats.

You should also enable automatic updates for your operating system, browser, and security suite so new patches install as soon as they’re released. Updated software closes doors that attackers count on.

5. Use strong, unique passwords and 2FA

When a website you use is breached, criminals use bots to test your stolen login details on thousands of other sites. This attack, known as credential stuffing, means a single reused password can give thieves access to your most critical accounts.

To prevent this, every online account should have a password that is both strong (12+ characters with a mix of letters, numbers, and symbols) and unique.

A password manager like ExpressVPN Keys makes this easy. It generates unique, complex passwords for all your accounts, stores them securely, and fills them in for you. This means a data breach on one site won’t put your other accounts at risk.

For an even stronger defense, enable two-factor authentication (2FA) wherever it’s offered. Always choose an authenticator app over SMS for 2FA if possible, as criminals can intercept text messages through SIM swapping attacks.

6. Don’t save card details in your browser

Although browsers encrypt the payment details you save, the protection isn’t foolproof. Certain types of malware can still extract this data, and a lost or stolen device becomes an open wallet if someone can access your logged-in browser.

If instant checkout is essential, use tokenized wallets like Apple Pay or Google Pay instead. These wallets replace your real card number with a device-specific token and attach a one-time cryptogram to each transaction, so the merchant never sees or stores your actual card details, and a token captured from one merchant can’t be replayed elsewhere.

7. Use a dedicated email for online shopping

Separating shopping traffic from personal or work correspondence helps you spot phishing and weed out spam. For example, if a “bank alert” lands in your shopping-only inbox, you’ll know it’s fake because your bank doesn’t have that address.

8. Monitor your credit card and bank activity

Turn on instant transaction alerts and review statements weekly. Quick detection means you can dispute unauthorized charges before they spiral. For an even earlier warning, you can monitor for the data breaches that often lead to this kind of theft.

For example, ExpressVPN’s Identity Defender, available to U.S. users, can alert you if your personal information, like your email address or Social Security number, is detected on the dark web. This gives you a heads-up to change passwords and secure your accounts before fraudulent charges appear.

9. Use credit cards instead of debit cards

Credit cards offer stronger legal protections and don’t drain your checking balance while a dispute is investigated. In the U.S., the Fair Credit Billing Act caps your liability for unauthorized credit card charges at $50, and most issuers waive even that under zero-liability policies.

Debit card protections under the Electronic Fund Transfer Act are weaker and time-sensitive: your liability can rise to $500 if you report a lost card more than two business days after discovering the loss, and is unlimited for transactions you don’t report within 60 days of the statement. Some debit cards now advertise similar zero-liability terms, but credit cards still provide the most comprehensive safety net and keep your cash out of the transaction.

10. Consider virtual credit card numbers

Issuers like Capital One and privacy‑focused services like Privacy.com let you create merchant‑locked or single‑use numbers. If that merchant is ever breached, the stolen virtual number is useless anywhere else, and your real credit card account remains secure.

11. Don’t click links in promo emails; type URLs manually

Phishing emails often embed malicious links behind legitimate-looking anchor text. Typing the retailer’s address manually or using a saved bookmark bypasses this trap.

Be equally wary of unexpected text messages (smishing) or phone calls (vishing) claiming to be from a retailer or shipper. Scammers use urgent messages about a delivery problem or a suspicious charge to trick you into giving up personal information or clicking a malicious link.

12. Be skeptical of unrealistic deals

If the season’s hottest game console is offered at 70% off while every legitimate store is out of stock, assume it’s a scam. Cross‑check prices on comparison engines, and remember: when a deal feels too good to be true, it usually is.

13. Research online reviews and seller reputations

Star ratings alone can be deceiving; a dishonest seller can easily fake reviews and testimonials on their own domain. It’s essential to see what people are saying on platforms the seller doesn’t control, such as Google Business Profile (formerly Google My Business), Amazon, and Yelp.

Beware of sudden surges of five‑star reviews posted within a narrow window, as it’s often a sign of review farming. Review farms are businesses paid to generate and post large volumes of fake positive reviews.
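The burst pattern described above, as an added detection example (this is not code from the original article): a sliding-window scan over a review history that flags any 48-hour window holding ten or more reviews of which at least 90% are five-star. The review list is constructed, and the window, count and share thresholds are assumed heuristics rather than published criteria.

```python
"""Detect review farming: a burst of five-star reviews packed into a short
window on top of a slow organic trickle.  Added example; the review list is
constructed and the thresholds (window, count, five-star share) are assumed
heuristics, not published criteria."""
from datetime import datetime, timedelta

# Constructed organic history: one review roughly every three days, mixed stars.
_BASE = datetime(2025, 4, 1)
ORGANIC_REVIEWS = [
    (_BASE + timedelta(days=3 * k), stars)
    for k, stars in enumerate([5, 4, 3, 5, 4, 2, 5, 4, 5, 3, 4, 5, 4, 5, 3,
                               4, 5, 4, 5, 4, 3, 5, 4, 2, 5, 4, 5, 4, 3, 5])
]
# Constructed farmed burst: twelve five-star reviews within a single day.
FARMED_BURST = [(_BASE + timedelta(days=60, hours=h), 5) for h in range(0, 24, 2)]
SAMPLE_REVIEWS = ORGANIC_REVIEWS + FARMED_BURST


def five_star_share(reviews) -> float:
    """Fraction of (timestamp, stars) pairs that are five-star."""
    return sum(1 for _, stars in reviews if stars == 5) / len(reviews)


def review_bursts(reviews, window=timedelta(hours=48), min_count=10, min_share=0.9):
    """Sliding-window scan over (timestamp, stars) pairs.  Every window that
    holds at least `min_count` reviews of which at least `min_share` are
    five-star is a burst; overlapping bursts are merged into one span."""
    rs = sorted(reviews)
    spans = []
    j = 0
    for i, (t0, _) in enumerate(rs):
        while j < len(rs) and rs[j][0] - t0 <= window:
            j += 1                      # j is the first review outside the window
        chunk = rs[i:j]
        if len(chunk) >= min_count and five_star_share(chunk) >= min_share:
            t1 = rs[j - 1][0]
            if spans and t0 <= spans[-1][1]:
                spans[-1][1] = max(spans[-1][1], t1)   # extend the current span
            else:
                spans.append([t0, t1])
    result = []
    for t0, t1 in spans:
        chunk = [r for r in rs if t0 <= r[0] <= t1]
        result.append({"start": t0.isoformat(), "end": t1.isoformat(),
                       "count": len(chunk),
                       "five_star_share": round(five_star_share(chunk), 2)})
    return result


if __name__ == "__main__":
    print(review_bursts(ORGANIC_REVIEWS))   # organic trickle alone: no bursts
    print(review_bursts(SAMPLE_REVIEWS))    # one span covering the farmed day
```

On the constructed data the organic history alone produces no bursts, while adding the farmed day yields one merged span of 13 reviews (the twelve farmed ones plus the organic review that happened to land the same day) with a 92% five-star share. The thresholds should be tuned to the seller's normal volume; a large marketplace seller legitimately receives dozens of reviews a day.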

14. Verify the site’s physical address and contact info

Legitimate businesses list phone numbers, email addresses, and real‑world locations. Use Google Street View to confirm the address isn’t a vacant lot or UPS drop box.

15. Check refund and return policies before buying

A seller’s return policy shows how much confidence they have in their products. Before you buy, look for a policy that is clear, fair, and easy to find. A huge red flag is when a site has no return policy listed at all, or if the terms are buried in confusing legal jargon.

Be wary of hidden restocking fees, unusually short return windows, or “final sale” disclaimers, as these can leave you with no options if the product is disappointing or defective.

16. Log out after completing a purchase

Always log out, clear cookies, and close the browser tab once you’re done. This is especially important on a shared device (where staying logged in can leave the door open for snoops), but it’s a good idea on your personal devices, too.

17. Shop using apps from official app stores only

When you side-load an APK file on Android or install an unofficial iOS profile, you’re essentially opening a side door and letting an unchecked package onto your device.

Scammers often offer paid apps for free through these methods, but they might have malicious software like spyware bundled with them, which is designed to secretly steal your passwords, bank details, and other personal information. Stick to Google Play, the Apple App Store, or the retailer’s verified site.

18. Understand the risks of Buy Now, Pay Later (BNPL)

BNPL services are convenient, but they introduce another party into the transaction. Before using them, understand their data-sharing policies with the retailer and their dispute resolution process. A problem with your order could now involve three parties: you, the retailer, and the BNPL provider, potentially complicating refunds.

19. Avoid giving unnecessary personal info

Your birthdate, mother’s maiden name, or Social Security number are not needed to ship a T-shirt. A legitimate retailer will never ask for these details. When a site wants lots of info for a simple purchase, it's a major red flag because the goal might be to commit identity theft or take over your existing accounts. Provide only what’s essential and leave optional fields blank.

Beyond this, consider the site’s privacy policy. This document explains how your data, including your browsing and purchase history, is collected, used, and shared or sold. If you’re not comfortable with the practices, shop elsewhere.

20. If scammed, report it and contact your bank immediately

If you suspect you've been scammed, speed is essential to limit the damage. Contact your bank or credit card provider immediately to report the fraud, dispute the charge, and lock your card. While you have them on the line, gather all documentation to support your case, such as screenshots, email threads, and transaction IDs.

Also, make sure that you understand your broader consumer rights. These often include chargeback rights, which give you a legal basis to dispute a charge, and statutory “cooling-off periods” that let you cancel a purchase. Should you fail to get a resolution, public ombudsman services may be available to mediate. Knowing the local rules ahead of time will help you act decisively if trouble strikes.

How to tell if a shopping website is legit and verify its authenticity

Even with good habits in place, you might land on an unfamiliar store, like a niche hobby shop or a pop‑up boutique you found via social media. Look for the following trust signals and red flags to determine if an unfamiliar shopping site is safe to use:

WHOIS lookup

WHOIS (and its successor protocol, RDAP) is a public directory of domain registration records. A free lookup shows which registrar manages a domain, when it was created and when it expires, and, unless the registrant uses a privacy service, who owns it. A brand-new domain registered overseas last week deserves scrutiny, whereas an eight-year-old domain tied to a known company is more reassuring.

That said, some legitimate sites use privacy services to hide their contact details, so hidden information isn’t automatically a red flag. But a brand-new domain using privacy protection and displaying other red flags is definitely suspicious.

SSL certificate details

Click the Tune icon (in Chrome) or the padlock icon (in other browsers) to inspect the site’s security certificate. Select “Connection is secure,” then click “Certificate is valid.” You’ll find the certificate information, type, and issuing authority under the Details tab.
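The certificate checks from tip 2 and this section, as an added example (not code from the original article): does the certificate name the host you meant to visit, is it inside its validity period, and is it a bare domain-validated certificate or one that also names a company? The two certificate records are constructed to mirror the dictionary that Python's ssl.SSLSocket.getpeercert() returns; they are not real certificates, and the CA and company names in them are fictional. The fetch_cert helper is the only part that touches the network and is not exercised by the samples.

```python
"""Read a TLS certificate the way the padlock dialog does.  Added example.
The two certificate records below are constructed to mirror the dict that
ssl.SSLSocket.getpeercert() returns; they are not real certificates."""
import socket
import ssl
import time

# Constructed: a perfectly valid DV certificate for a look-alike domain.
DV_CERT_LOOKALIKE = {
    "subject": ((("commonName", "exaample.top"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Free CA"),),
               (("commonName", "Example Free CA DV R1"),)),
    "subjectAltName": (("DNS", "exaample.top"), ("DNS", "www.exaample.top")),
    "notBefore": "Jan 01 00:00:00 2025 GMT",
    "notAfter": "Mar 01 12:00:00 2035 GMT",
}

# Constructed: an OV certificate that also names the retailer.
OV_CERT_RETAILER = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Retail, Inc."),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Commercial CA"),),
               (("commonName", "Example Commercial CA OV R2"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan 01 00:00:00 2025 GMT",
    "notAfter": "Mar 01 12:00:00 2035 GMT",
}

# Fixed "now" so the samples evaluate the same way regardless of run date.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jul 25 00:00:00 2025 GMT")


def rdn_value(rdns, key):
    """Pull one attribute (e.g. organizationName) out of a subject or issuer."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 matching: a wildcard covers exactly one leftmost label, so
    *.example.com matches shop.example.com but neither example.com nor
    a.b.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def assess_cert(cert: dict, intended_host: str, now=None) -> dict:
    """Return validation type, issuer and a list of problems (empty if none)."""
    now = time.time() if now is None else now
    problems = []
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, intended_host) for n in san):
        problems.append(f"certificate names {san}, not {intended_host}")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("certificate is not yet valid")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate has expired")
    org = rdn_value(cert.get("subject", ()), "organizationName")
    return {
        "ok": not problems,
        # DV proves only control of the domain; OV/EV additionally vet the company.
        "validation": (f"OV/EV, organisation: {org}" if org
                       else "DV (domain control only, no company named)"),
        "issuer": rdn_value(cert.get("issuer", ()), "commonName"),
        "problems": problems,
    }


def fetch_cert(host: str, port: int = 443, timeout: float = 5) -> dict:
    """Fetch a live certificate (network required; not used by the samples).
    The default context already rejects mismatched or expired certificates,
    so on a bad site this raises instead of returning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # The look-alike passes every check: a green padlock on a scam site.
    print(assess_cert(DV_CERT_LOOKALIKE, "exaample.top", SAMPLE_NOW))
    print(assess_cert(OV_CERT_RETAILER, "shop.example.com", SAMPLE_NOW))
```

The first sample is the point of the warning above: the look-alike's certificate is valid, matches its own domain and shows a padlock, and the only thing that distinguishes it is that the domain is not the one you meant to visit. The browser does the name and expiry checks for you; the validation-type line is the extra detail the dialog shows and most shoppers never read.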

Also, look for official trust seals on the website itself from services like the Better Business Bureau that link to a live verification page; static images of these logos are meaningless.

Check for reviews and test customer service

Search “[site name] scam,” “[site name] complaints,” or “[site name] reviews” to see if other users have flagged any issues. Send a simple email or call the listed number. Authentic companies respond promptly and professionally; fraudsters usually ignore inquiries or provide generic answers.

Use a site scanner

Tools like Google Safe Browsing, VirusTotal, and PhishTank flag malicious domains within seconds. VirusTotal, for example, checks the URL against dozens of different security databases at once.

Scrutinize the overall look and feel

Broken English and missing pages like “About Us” or “Contact” indicate a rushed setup. That said, with how easily accessible AI tools are now, spelling and grammar issues are not the giveaway they used to be. Scammers can easily use AI to create flawless copy for their fake websites. Nonetheless, a site with an unprofessional look and feel is still a definite red flag.

Common scams to look out for

1. Look-alike URLs

Scammers create web addresses that are nearly identical to those of trusted brands. These domain spoofs often use minor typos or different domain extensions like .top or .xyz. For instance, you might see exaample.top instead of example.com.

Unsuspecting customers, searching for a good deal, land on the fake site, which has copied the real brand’s look and feel, and hand over their payment details to cybercriminals.
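The look-alike patterns above, together with the truncated-address trap from the "Common mistakes" list, as an added example (this is not code from the original article). It reduces a URL to its registrable domain and flags three things: a name within a couple of edits of a trusted brand (exaample.top), the brand on an unexpected TLD (example.xyz), and the brand appearing only as a subdomain (example.com.checkout-secure.top, which is all a short address bar would show). The trusted-domain list and sample URLs are constructed; in practice the list would be the shopper's own bookmarks, and the two-label registrable-domain rule is a simplification noted in the code.

```python
"""Look-alike URL check for shopping links.  Added example; the trusted-domain
list, TLD list and sample URLs are constructed for illustration."""
from urllib.parse import urlsplit

# Domains the shopper actually means to visit (constructed; in practice, bookmarks).
TRUSTED_DOMAINS = {"example.com"}

# TLDs the article names as common in fake storefronts (assumed list; extend it).
SUSPICIOUS_TLDS = {"top", "xyz"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host.  Simplification: production code would use
    the Public Suffix List so that shop.example.co.uk is not reduced to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url: str) -> dict:
    """Classify a URL as 'trusted', 'suspicious' or 'unknown', with reasons."""
    if "://" not in url:
        url = "https://" + url              # bare hosts as typed on a phone
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return {"host": host, "registrable": reg, "verdict": "trusted", "reasons": []}

    reasons = []
    name, _, tld = reg.rpartition(".")
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"suspicious TLD .{tld}")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("internationalised (punycode) label, possible homoglyphs")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.rpartition(".")[0]
        # example.com.checkout-secure.top: the brand is only a subdomain, and it
        # is all a truncated mobile address bar would display.
        if brand in labels[:-2]:
            reasons.append(f"brand '{brand}' appears only as a subdomain of {reg}")
        distance = levenshtein(name, brand)
        if distance == 0:
            reasons.append(f"brand '{brand}' on an unexpected TLD .{tld}")
        elif distance <= 2:
            reasons.append(f"'{name}' is {distance} edit(s) from '{brand}'")
    verdict = "suspicious" if reasons else "unknown"
    return {"host": host, "registrable": reg, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for u in ("https://www.example.com/deals", "exaample.top/checkout",
              "https://example.com.checkout-secure.top/login", "https://example.xyz"):
        print(assess_url(u))
```

An "unknown" verdict only means the host resembles nothing on the trusted list; it still needs the WHOIS, review and contact checks described later. Very short brand names will produce false positives at an edit distance of two, so the threshold should be tightened for them.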

2. Supply-chain attacks

This type of attack injects malicious code into the payment pages of entirely legitimate and trusted online stores. This means you could do everything right and shop on a familiar site with HTTPS using a credit card, but your credit card data can still be stolen by an invisible script running in the background.

In the cybersecurity community, this threat is known as a Magecart attack. The name is a combination of Magento, the e-commerce platform originally targeted, with shopping cart, the part of a website where the malicious code steals payment data.

The best way to avoid damage from a Magecart attack is to protect your payment information directly: Use a virtual credit card, choose digital wallets over saving your payment details in your browser, and monitor your accounts closely.

3. Hidden fees and subscription traps

A site may offer a product at a great price or as a “free trial,” but the fine print enrolls you in a costly monthly subscription. The Federal Trade Commission (FTC) has recently cracked down on companies for using these practices, where a one-time purchase for $20 could lead to hundreds of dollars in hidden charges that are nearly impossible to cancel.

4. The phantom storefront (non-delivery scams)

This is the most common tactic: you pay for a product that never ships. The scammers’ websites are designed to look professional, often running targeted social media ads before vanishing once enough payments are collected. They frequently use stock photos or images scraped from other listings instead of original product shots.

A prime example is the “BogusBazaar” network. This single operation, run out of China, created over 75,000 fake online shops that impersonated well-known brands. Promoted heavily through social media ads, these stores lured over 850,000 people, primarily in the U.S. and Europe, into making purchases.

5. Counterfeit goods

In this scenario, a package does arrive, but it contains a low-quality knockoff. These operations rely on the victim being too frustrated to deal with the complex return process for a worthless item.

What to do if you’ve been scammed

[Infographic: five steps to take if you’ve been scammed]

Even with precautions, a scam may slip through. Acting fast can contain the fallout and sometimes reverse the damage.

1. Update your passwords and security info

Start with the compromised site, then work outward to any sensitive accounts like your banking and email accounts, and any that share similar credentials (ideally none). Enable 2FA if you haven’t already.

2. Gather your evidence

Before you start reporting, take a moment to collect all the relevant information. This will make your reports more effective. Take screenshots of the fraudulent website, the product page, and your order confirmation. Keep copies of any emails or messages exchanged, and have the transaction details (date, amount, transaction ID) ready.

3. Contact your bank or credit card provider

If you made a payment, your first and most urgent action should be to call the fraud department number on the back of your credit or debit card. Explain the situation clearly, provide evidence, and request a freeze or replacement card. In the U.S., banks must generally investigate a disputed debit transaction within 10 business days (crediting you provisionally if they need longer), and credit card issuers must resolve a billing dispute within two billing cycles.

4. Report the fraudulent website

If you encounter or have been victimized by a fraudulent shopping website, reporting it is an important step. Your report can get the site taken down and prevent others from being scammed. Here are the most effective places to report it, starting with the most urgent:

The website’s hosting company and domain registrar

To get a fraudulent site taken down at its source, report it to both its domain registrar and its hosting provider. A free WHOIS lookup on the domain name returns the registrar and, for most generic top-level domains, a “Registrar Abuse Contact Email” you can write to.

The hosting provider is a separate lookup. The name servers in the WHOIS record only tell you who runs the site’s DNS, which is often a CDN or DNS service rather than the host. To find the host, resolve the domain to its IP address and look up the owner of that address in the regional internet registry’s WHOIS or RDAP service (ARIN, RIPE NCC, APNIC, LACNIC, or AFRINIC); that record lists an abuse contact. Report the abuse to both parties so the domain and the hosting account can be suspended.
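A WHOIS record read for both purposes this guide uses it for, as an added example (not code from the original article): the “WHOIS lookup” section above wants the domain’s age and whether a privacy service hides the registrant, and this reporting step wants the registrar’s abuse contact. The two records are constructed in the ICANN gTLD key: value format; the domains, registrar and contact addresses in them are fictional, and the 180-day “young domain” threshold is an assumption. The whois_query helper is the only part that touches the network and is not used by the samples.

```python
"""Parse WHOIS records for domain age, privacy-proxy use and the registrar
abuse contact.  Added example; both records are constructed and fictional."""
import socket
from datetime import datetime, timezone

REFERENCE_DATE = datetime(2025, 7, 25, tzinfo=timezone.utc)   # the article's date

# Constructed: a weeks-old domain hiding behind the standard ICANN redaction.
NEW_DOMAIN_WHOIS = """\
Domain Name: EXAAMPLE.TOP
Registrar WHOIS Server: whois.registrar-example.net
Registrar URL: http://www.registrar-example.net
Updated Date: 2025-07-02T08:15:00Z
Creation Date: 2025-07-01T09:30:00Z
Registry Expiry Date: 2026-07-01T09:30:00Z
Registrar: Registrar Example LLC
Registrar Abuse Contact Email: abuse@registrar-example.net
Registrar Abuse Contact Phone: +1.5555550100
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: REDACTED FOR PRIVACY
Name Server: NS1.CDN-EXAMPLE.NET
Name Server: NS2.CDN-EXAMPLE.NET
>>> Last update of WHOIS database: 2025-07-25T00:00:00Z <<<
"""

# Constructed: a long-established domain with a named company behind it.
OLD_DOMAIN_WHOIS = """\
Domain Name: EXAMPLE-RETAIL.COM
Creation Date: 2017-03-10T00:00:00Z
Registry Expiry Date: 2030-03-10T00:00:00Z
Registrar: Registrar Example LLC
Registrar Abuse Contact Email: abuse@registrar-example.net
Registrant Organization: Example Retail, Inc.
Name Server: NS1.EXAMPLE-RETAIL.COM
"""


def parse_whois(text: str) -> dict:
    """key -> list of values; comment and trailer lines are skipped.  Field
    names differ between registries, so real code should tolerate variants."""
    fields = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("%", "#", ">>>")) or ":" not in stripped:
            continue
        key, _, value = stripped.partition(":")
        if value.strip():
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def parse_whois_date(value: str) -> datetime:
    """ICANN records use ISO 8601 with a trailing Z; treat naive values as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def assess_whois(text: str, today: datetime = REFERENCE_DATE, young_days: int = 180) -> dict:
    """Summarise a record: age, privacy proxy, registrar and abuse contact."""
    f = parse_whois(text)
    created = parse_whois_date(f["Creation Date"][0]) if "Creation Date" in f else None
    age_days = (today - created).days if created else None
    registrant = " ".join(f.get("Registrant Organization", []) + f.get("Registrant Name", []))
    privacy_proxy = any(w in registrant.upper() for w in ("REDACTED", "PRIVACY", "PROXY"))
    flags = []
    if age_days is not None and age_days < young_days:
        flags.append(f"domain registered only {age_days} days ago")
    if privacy_proxy:
        flags.append("registrant hidden behind a privacy/proxy service")
    return {
        "domain": f.get("Domain Name", [None])[0],
        "created": created.date().isoformat() if created else None,
        "age_days": age_days,
        "registrar": f.get("Registrar", [None])[0],
        "abuse_email": f.get("Registrar Abuse Contact Email", [None])[0],
        # Name servers identify the DNS provider (often a CDN), not the host;
        # find the hosting company through the IP address instead.
        "name_servers": f.get("Name Server", []),
        "privacy_proxy": privacy_proxy,
        "flags": flags,
    }


def whois_query(server: str, query: str, timeout: float = 10) -> str:
    """Raw WHOIS over TCP port 43 (RFC 3912).  Network required; not used by
    the samples.  For .com, start at whois.verisign-grs.com and follow the
    'Registrar WHOIS Server' referral to get the full record."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


if __name__ == "__main__":
    print(assess_whois(NEW_DOMAIN_WHOIS))   # 23 days old, redacted registrant: two flags
    print(assess_whois(OLD_DOMAIN_WHOIS))   # eight-year-old domain, company named: no flags
```

Neither flag alone proves fraud; a privacy proxy on an old domain with a working phone number is unremarkable, as the section above notes. The abuse address is what you quote in the takedown report, alongside the evidence gathered in step 2.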

Search engines and web browsers

By reporting a fraudulent site to search engines and browsers, you contribute to a collective security effort. While a single report is unlikely to cause an immediate takedown, it provides these services with important data. You can report malicious sites directly to Google Safe Browsing or Microsoft’s reporting tool.

Your report, combined with automated scans and other user reports, helps to identify malicious domains. This process can lead to the site being flagged as dangerous, which removes it from search results and triggers a full-page warning for future visitors.

National consumer and cybercrime agencies

Filing a report with national authorities helps them track scam trends and contributes to broader law enforcement efforts against criminal networks. While they may not resolve your individual case, your information is vital.

You can file a detailed report with the appropriate agency in your country, for example, the FTC at reportfraud.ftc.gov in the U.S. or Action Fraud in the U.K.

5. Monitor your accounts for suspicious activity

Set up credit report alerts and check statements regularly going forward. Identity theft often surfaces some time after the initial breach. If the scam involved identity documents, consider a credit freeze to prevent new lines of credit from being opened in your name.

FAQ: Common questions about online shopping

What is the safest way to order online?

There are a number of safety tips to keep your online shopping secure. For example, use a unique, strong password with 2FA, shop over a VPN, verify the site’s HTTPS certificate, and pay with a credit card or virtual card number.

Why is it important to shop safely online?

Safe online shopping protects your money, shields your identity from theft, and keeps your personal data out of underground markets.

What are the dangers of shopping online?

Risks include non‑delivery scams, counterfeit goods, phishing attacks, malware infections, and unauthorized card charges.

What should I avoid doing while shopping online?

Skip public Wi‑Fi (or use a VPN), never reuse passwords, don’t store cards in browsers, and be wary of email links claiming too-good-to-be-true discounts.

Is it safe to save my card details in a browser or store app?

It’s more convenient, but also more risky. A lost device or successful malware attack can expose stored card data. Digital wallets with tokenization are safer.

How is online shopping secured?

Through a stack of defenses: HTTPS encryption, tokenized payments, two‑factor authentication, regular software updates, and, most importantly, your informed vigilance.


Chantelle Golombick

After a decade working in corporate law and five years teaching at University, Chantelle now enjoys freelance life writing about law, cybersecurity, online privacy, and digital freedom for major cybersecurity and online privacy brands. She is particularly interested in the interplay between these digital issues and the law.
