Category Archives: Security

[Image: website under cyber-attack]

Russian Invasion of Ukraine and Cyber-attacks

Firstly, my thoughts go out to everyone in Ukraine and to anyone that has friends and family there.  I hope they are managing to keep safe.

Given that in the 20th Century we experienced 2 world wars, numerous regional conflicts that were proxies for, and could have escalated into, global conflicts, as well as countless civil wars and border disputes, to see a European country brazenly invade a neighbour based on patently untrue reasons is shocking.  I sincerely hope the Russians come to their senses and cease this invasion ASAP.

In the run up to this invasion, several web commentators suggested that there would be an increase in cyber-attacks occurring in parallel with the invasion on the ground. Based on the activity logs of several websites I have created and/or manage, this seems to have commenced already.

WordPress sites are particularly at risk

I have identified concerted and extensive efforts to access websites that are noticeably different to the everyday attempts to log in using a likely administrator username.  You will understand if I don’t give any more details than this.

However, as the most widely used website development platform (by a considerable margin), it is not surprising if WordPress gets more attention.

I use Wix, Squarespace, Ionos, am I OK then?

Sadly not.  Whilst WordPress accounts for the vast majority of websites developed using a Content Management System (and therefore attracts more attention from cyber-attackers), ANY website that has an ‘admin’ login of some sort is likely to come under attack.

Am I under attack from the KGB?

No.  State organised cyber-attacks, should they occur, will focus upon major institutions such as banks, utilities, transport networks, government, and the military.  Unless you work in one of these organisations / sectors then state organised cyber attacks are unlikely to impact you.

However, Russia has, as Wired Magazine puts it, “An expansive web of nonstate actors, from cybercriminals to front organisations to patriotic hackers that it can and has leveraged to its advantage”.  Moscow has habitually turned a blind eye to their activities so long as their focus has been outside of Russia.  Their activities might not be directed specifically at your business or organisation but, as the WannaCry malware cryptoworm outbreak in 2017 proved, collateral damage can spread far and wide.  As a result of WannaCry, the NHS saw tens of thousands of computers infected, equipment such as MRI scanners out of action and non-urgent treatment postponed for some patients.  It is unlikely that the NHS was a primary target for this malware but once it got into their systems, it spread rapidly and with devastating impact.

Why do the attackers want to break into my website?

The cyber-attackers have numerous possible reasons for trying to access your site. 

  1. To spread misinformation and propaganda
  2. For financial gain – e.g. ransomware, where your site and data are held ‘captive’ until you pay for them to be released
  3. To connect with your users and followers (you may have very few, but they don’t know this)
  4. To attack other websites
  5. Malevolence – let’s create even more disruption and unrest by defacing / taking down websites

What might a cyber-attacker do?

The first thing they will probably do if they gain access to your site, is change your password thus freezing you out.  Other Administrators (if they exist) will be deleted to give them free rein to do whatever they like.

Your content may either be removed or amended to suit their objectives.

If you take payments for goods and services via your website, then most probably the beneficiary account will be switched so they take any future funds.

If you have a full eCommerce store on your site, you may find that your products are removed and replaced with goods that are under control of the cyber-attacker.

How do cyber-attackers break into websites?

They use a range of different methods.

  1. Brute force – they keep trying username and password combinations until they find one that works.  These may have been harvested from previous data breaches and be sitting in huge databases available to purchase from the dark web.
  2. Via a known vulnerability.  White and black hat hackers are continually testing the integrity of software.  White hat hackers will inform the software developer so they can fix it; black hat hackers will sell details of the vulnerability to anyone that wants to exploit it.
  3. Social engineering.  The easiest way to gain access to a website is to get someone to tell you their username and password.  Cyber-attackers are exceptionally skilled in creating plausible approaches to website owners and administrators encouraging them to divulge usernames and/or passwords.  Be particularly suspicious of any request for a password reminder by another user on your site or a request by the ‘hosts’ for you to confirm the username and password for your site.

How can I protect myself / my website?

A few simple precautions will go a long way to helping to maintain the security of your site.

  1. Limit the number of users who have full Administrator rights to a minimum.
  2. Enforce strong username and password requirements for all users.  For WordPress this should mean…
    • Not using the default ‘admin’ username
    • Setting the public display name for authors to NOT be their username
    • Using long passwords – in excess of 15 characters
    • Ensuring that any password used is unique to that site
  3. If it is available, consider using 2 Factor Authentication (2FA) when people log in to the site.
  4. Put in place an application firewall or security tool.  For WordPress, plugins like WordFence are a good place to start (though others are available).  They are easy to install and, even with the default settings, provide an enhanced level of security.  The alerts and logs produced by these tools could give you enough warning that an attack is underway for you to step in and end it.
    If you use another Content Management System (Drupal, Joomla etc.), search for security extensions that will serve the same purpose.
  5. Limit the number of failed logins and ban the IP address from which the login attempts originated.  You ‘might’ inadvertently ban a legitimate user, but it is easy to unblock them if this occurs.
  6. Get and keep your site UPDATED.  Cyber-attackers are on the lookout for websites that are out of date and those which have known vulnerabilities in outdated software.  Why make it easy for someone to break in by leaving a weakness unaddressed?
  7. Make sure you have a recent BACKUP of your site.  Should the absolute worst happen, and your website be breached, knowing that you have a full and dependable backup you can revert to means that you have a level of insurance.
  8. If you only log in from one location (e.g. home or your office) consider restricting logins to only the IP address associated with that location.
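Points 5 and 8 above (counting failed logins per IP address, and treating your own office address differently) can be checked against a site’s access log before any firewall rule is written. The script below is an added example written for this article, not a QD Design or WordFence tool; it runs over constructed Apache-style log lines and uses the fact that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects with 302. The threshold, window and office allowlist are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines in Apache "combined" format; not real traffic.
# 203.0.113.7 hammers wp-login.php, 198.51.100.20 fails once then succeeds (302),
# 192.0.2.10 is the "office" address that point 8 would allowlist.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2022:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Feb/2022:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Feb/2022:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Feb/2022:09:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Feb/2022:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.20 - - [24/Feb/2022:09:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.20 - - [24/Feb/2022:09:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.20 - - [24/Feb/2022:09:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Feb/2022:09:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Feb/2022:09:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Feb/2022:09:02:20 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Feb/2022:09:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Feb/2022:09:02:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Feb/2022:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
"""

# Assumed office network for point 8; anything inside it is never flagged.
OFFICE_ALLOWLIST = ("192.0.2.0/24",)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def failed_logins(lines):
    """Yield (ip, timestamp) for each POST to /wp-login.php answered with 200.

    GETs are just the login form being fetched and a 302 is a successful login,
    so only a POST that comes back as 200 is counted as a failed attempt.
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip quietly
        if m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        if m["status"] != "200":
            continue
        yield m["ip"], datetime.strptime(m["ts"], TS_FORMAT)


def find_brute_force(lines, threshold=5, window=timedelta(minutes=10), allowlist=()):
    """Return {ip: time_threshold_was_reached} for addresses with at least
    `threshold` failed logins inside any sliding `window` (point 5 above).

    Lines are assumed to be in time order, as an access log normally is.
    Addresses inside an allowlisted network are skipped (point 8 above).
    """
    allowed = [ip_network(n) for n in allowlist]
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for ip, ts in failed_logins(lines):
        if any(ip_address(ip) in net for net in allowed):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def analyse(log_text=SAMPLE_LOG, allowlist=OFFICE_ALLOWLIST):
    """Run the detector over a log and return the addresses worth banning."""
    return find_brute_force(log_text.splitlines(), allowlist=allowlist)


if __name__ == "__main__":
    for ip, when in analyse().items():
        print(f"{ip}: {len(list(failed_logins(SAMPLE_LOG.splitlines())))} failures seen, "
              f"threshold reached at {when.isoformat()}")
```

On the sample above only 203.0.113.7 is reported; the office address is suppressed by the allowlist and the single failure from 198.51.100.20 never reaches the threshold.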


Whilst you may believe that your website has little intrinsic value to a cyber-attacker, they may see it very differently.  Your website is a platform for them to conduct a whole series of malicious and criminal activities IF they can access and take control of it.

Be vigilant to what is going on with your website.  Even if you have no proof, assume your website is (or will be) under attack and act accordingly.

A few relatively simple steps can help to secure your website and give you peace of mind.  Far better to act now to secure your site than to spend hours (possibly days) recovering control, removing unwanted content, restoring the site and rebuilding your reputation.

If you have any concerns over the security of your site or believe you have experienced a cyber-attack, QD Design can help.  Contact us for a free consultation.

Is your website backed up?

[Image: data centre on fire]

As tens of thousands of website owners across Europe are discovering this morning, disasters do happen.

The OVH data centre in Strasbourg caught fire late on March 10th completely destroying the SGB1 data centre, damaging the SGB2 data centre and taking SGB3 and SGB4 offline for an extended period.  OVH is one of the largest data centres in Europe and hosts many well known sites and services.

Thankfully there were no injuries and firefighters have been able to control and extinguish the fire. It does however beg the question….

Is your website backed up?

Are you absolutely sure about that?

Apparently, many of the site owners at OVH had their sites backed up to the same data centre meaning that the backup has gone up in smoke as well.  They may never be able to restore their websites.

Backups, like almost every form of insurance, are far from ‘sexy’.  They are not the sort of thing that your web developer or host will make a big deal about – partly because we all hope never to have to call upon them.  However, when we do, we want to know that they are there and that they can be relied upon.

Backups are only part of the picture.

Having a backup is great but as the OVH situation has shown, where that backup is stored is vital.  It needs to be separate from the main site hosting in either a different physical location or as a cloud based backup.

Secondly, can you access the backup or are you reliant upon the hosts?  The staff at OVH will be working furiously to check that the SGB3 and SGB4 centres can be brought back online ASAP (though the thought of them having been doused in water to keep them cool makes it seem that it will be some time before this happens).  It could be days (if not weeks) before they get around to making any backups that exist for the affected data centre available to customers.  If only the customer or their developer had access to their own backups, they could be back online (albeit on a different server) before the end of the day.

What is your disaster recovery plan?

Having your own backup is a great start but what are you going to do with it?  OVH are frantically securing new servers and space in other data centres for their customers but this will take time.  For many businesses, every minute that their website is offline is a minute when they lack profile, cannot interact with customers or make sales.

A disaster recovery plan should cover what you are going to do with those backups so, should the worst really happen, you aren’t left scrabbling around trying to find alternate arrangements.

The QD Design approach

Every HTML / CSS site we create for customers is backed up daily to a cloud location.  We also have the latest site files on our server which are in turn backed up nightly to an off site location.

WordPress websites are also backed up every day to a cloud location arranged by our data centre.  We also make backups independently of the hosting centre and store them in our own cloud location which we can access without requiring the data centre to intervene.

Finally we have an Amazon Web Services (AWS) server on standby just in case we need to shift the hosting of a customer website to an alternate location. We hope never to have to use it but it is reassuring to know it is there and ready to deploy just in case.

What do your web developer / hosts do?

Now might be a very good time to have a conversation with them to check that backups of your website are being made, are being saved in a safe location AND they have a plan for what to do, should disaster strike.

If you are not happy with what you hear, we would love to speak with you.

WordPress under attack (again)!

WordFence, creators of one of the most widely used WordPress security plugins, have reported a dramatic spike in attacks on WordPress based websites. This reflects our own findings here at QD Design based on data gathered from the access logs of the various sites we manage on behalf of customers.

WordFence believe the increase is around 30 times the usual volume of website attacks.

Website attacks are, sadly, nothing new. From the earliest days of plain HTML sites uploaded via creaky File Transfer Programs, ‘bad actors’ have tried to break into other people’s websites.

The popularity of WordPress as a development platform for websites means that it attracts more than its fair share of attacks. Automattic (the people behind WordPress), reckon it is used on around 30% of all websites globally. With that level of usage, it is no wonder that cyber criminals focus upon it (and in particular any known weaknesses within the WordPress environment).

The current threat aims to exploit these vulnerabilities to inject a block of code into a site with the ultimate aim of giving the cyber criminal access and control of the site. With access they could remove your content, replace it with their own or gather data on your membership (should your site have such a feature).

The weaknesses they are trying to exploit are, in the main, well known and in many cases had patches published some time ago.

What to do?

  1. Don’t get too alarmed; website attacks occur all the time (though this current level is considerably higher than normal).
  2. Most importantly – keep your site up to date. The core WordPress file system, the Themes, and any Plugins all need keeping up to date. Updates are pushed out when vulnerabilities are discovered and leaving key components of your website unpatched is opening your site to increased risk of being compromised.
  3. Remove any unused Themes or Plugins. Keeping a stack of old, unused (and probably unpatched) files adds to the clutter in your admin panel. Amongst those deactivated plugins could be one that has been deleted from the WordPress repository because it is a severe security risk. This may be providing an easy ‘back door’ to your site, without you even realising it.
  4. If you don’t use a WordPress security plugin and firewall, it might be time to actively consider it. WordFence (and no I make nothing out of recommending them) make a truly effective plugin that is easy to set up and use.
  5. Consider whether restricting the access to your site by geo-location might give you an enhanced level of protection. The IP addresses of the attacks we have been following can in many cases be traced back to countries well outwith Europe. To be frank, they are exactly the sort of countries you would expect a cyber attack to originate from. If your site provides information and services to an exclusively UK audience, blocking visitors from some of the less desirable locations would prevent them from even accessing the site to try and attack it.


If you have concerns over your WordPress site, have noted activity you are unsure of or need to strengthen your sites security, QD Design can help. Call us on 07718 589338 to discuss any issues you are having or improvements you would like to make.

Stay up to date and stay safe!

Google Chrome Tech Support Scam Misery

Google Chrome is by far the most popular internet browser.  There is a very good chance that you are reading this article using Chrome right now.  As of Jan 2018, a whopping 56.3% of all internet users browsed the web using Chrome (data from StatCounter).

This popularity has brought some unwanted attention to Chrome. Scammers are targeting the browser’s users with ever more sophisticated and realistic “Tech Support” scams designed to panic the user and con them into phoning a fake ‘helpline’.  Once on the ‘helpline’, you will be asked for your credit card number in return for sorting out the problem.

What does the scam look like?

[Image: tech support scam message affecting Google Chrome browser]

Having landed on an infected site, the Chrome browser displays the above information, often along with unsettling alarm sounds to heighten the user’s level of anxiety further.  Like all scams, it is cleverly designed to put you under pressure with dire warnings about what is being ‘stolen’ and a time scale (within the next 5 minutes) to frighten the user into following the instructions.

Behind the scenes the browser is instructed to try and save a file repeatedly – so fast that it cannot cope and becomes unresponsive to any commands to close or navigate away from this page.  At which point the scammers hope that you will phone their number and offer up your credit card number in return for their ‘support’ to fix the problem.

That is the very last thing you should do. Let’s dive a bit deeper into this scam and see how to get out of it and even avoid it in the first place.

Where is this scam found?

Frequently this scam is deployed via ‘Malvertising’ – Malicious Advertising – a seemingly innocuous advert appearing on a legitimate site that happens to contain a hidden payload designed to cause harm. These adverts might have been designed from the ground up by the scammers or were a previously safe advert that has been hacked and turned into a vehicle to spread the malware.  Wikipedia on Malvertising

What can I do, if I encounter this Tech Support Scam?

Firstly, don’t panic.  Recognise it for what it is and DO NOT under any circumstances phone the number given.
Secondly, try to close either the affected tab or the entire browser as you would normally using the X top right. In all likelihood, neither of these methods will work but it is worth trying it first. Beware that closing the browser will discard any work you may have open in other tabs.
Thirdly (and most probably), you will need to use the Windows Task Manager to kill off the unresponsive browser. It may be a while since you have had to use this, so here is a quick reminder.

1. Press Ctrl + Alt + Del to bring up the options screen and click on Task Manager.

2. Click on Google Chrome in the list of Tasks to highlight it, then click the End Task button at the bottom of the screen. This will terminate the Chrome browser and the pesky fake tech support message.

[Image: Windows Task Manager screen]

3. For peace of mind, you may want to run a security scan of your machine now to reassure yourself that nothing untoward has happened as a result of this attempted scam.

Can I prevent it?

Yes, partly. As many of the scams are distributed via ‘Malvertising’, running an Ad Blocker such as Ad Block Plus can mean they never make it anywhere near your browser. There is a Google Extension for this service – AdBlock Plus Extension – that we have used for years and can highly recommend.
Google is aware of this issue and is working on a fix.  However,  you can bet the scammers will also be working on ways to circumvent this, so it is unlikely this type of scam will go away anytime soon.

If you know of any Chrome users, please share this article with them to help keep them informed and safe.


Recently, cyber-security firm 4i discovered, on a community forum deep within the ‘dark web’, the largest aggregated database of emails / passwords found to date.  The searchable database contained 1.4 billion user login credentials hoovered up from a wide range of hacks, security breaches, data dumps etc.  These are in ‘clear text’, meaning they are not encrypted or scrambled in any way; they can be read by anyone.  Yes, anyone.

Anyone who is active on the dark web, that finds the database can access it and start trying to log into other people’s accounts.  Quite possibly yours and mine.


4i have begun extensive analysis of the data and what was immediately alarming in the database was the extent to which people were either…

  • Reusing the same password across multiple services or sites (often multiple times)
  • Using incredibly weak and obvious passwords (and in some cases they were reusing the same weak passwords, which is probably the cyber equivalent of leaving your car unlocked with the key in the ignition and the engine running)!

An example of the most common (and weakest) passwords is shown in the table below…

Astonishingly, the password ‘123456’ occurred over 9 million times in the leaked and stolen data.  That’s 9 million people who are making it unbelievably straightforward for someone to break into their account.

So What?

Whilst much of the data in the database will be old, some of it is not (14% of the credentials recovered have never been seen before in any other data breach or leak).  The latest data was added in late November 2017.  This stuff is current and could easily include your information.

4i have checked with a number of users to verify if the information in the database is correct.  Almost all of the users contacted have verified that the data was true.  Frequently their reactions were…

but that’s an old password…

commonly followed by…

Oh crap! I still use that password on <this> site…

You can check whether your information appears within the database by sending an email to with the subject line: Password Exposure Check.  4i will respond with the truncated list of found passwords for that email.  Of course they will only report the passwords related to the specific email address from which you write to them.  If you want to verify different email addresses you will have to send an email from each of them.

Take Action Now

  • Stop reusing the same password in different places
  • Use long (more than 12 characters and ideally 15 characters plus) passwords
  • Consider using a password manager such as KeePass or LastPass to hold these rather than trying to remember them all
  • Consider using two factor authentication in as many places as possible.  Whilst it may be slightly inconvenient to do so, it increases your security enormously.
  • Make your email account passwords particularly complex and long.  After all, this is where any password reset notifications will be sent. If a hacker has your email password they can reset the passwords on all of your other accounts and then beaver away on them.

Please, please share or pass this onto anyone that you think might benefit from it. And, above all, stay safe out there.

Can I Trust HTTPS?

Can I automatically trust a site that uses HTTPS?

Recently, BBC Watchdog ran a story on bogus fundraising accounts being opened shortly after the horrific Grenfell Tower fire in London.  I thought I had ceased to be surprised by the depths to which some criminals would stoop but this one sickened me.  Not only is it deceiving the well-meaning folk who think they are donating to charity, it deprives those who really need support of the funds to help get them back on their feet.  Furthermore, once the scam is revealed, it is likely to make everyone more wary of giving to any online charity.

A spokesman from Action Fraud said that you should look for the sign of security – HTTPS – in the URL of the website, along with the associated green padlock symbol somewhere in your browser.

[Image: HTTPS as a sign of security]

So, should you trust a site simply because it uses HTTPS? 

In a word, NO!

HTTPS stands for Hyper Text Transfer Protocol Secure and signifies that the connection between a browser and the server hosting the website is secure and uses an encrypted protocol to transmit data between the visitor and the website.  This is a good thing as it means that your communication cannot be eavesdropped on by a third party; particularly important when you are sending highly sensitive information such as your credit card details through a shopping cart at checkout time.  If you are running an eCommerce site, this is clearly essential.

Until fairly recently, acquiring the SSL certificate to facilitate HTTPS was a costly business. However, with Google’s drive to secure the web the cost of certificates has dropped and, with the Let’s Encrypt project now well established, it is possible to acquire a certificate for nothing.

Whilst the cost of a certificate was certainly a barrier to potential scammers in the past, the price drop means they are available to all.  And with countless tutorials available online, even the most inept of cyber criminals are able to find out how to install a certificate and set up an HTTPS site.

But surely, HTTPS means it is secure, I can trust a site that is secure can’t I?

The certificate that underpins HTTPS refers simply and only to the transmission of data.  It does not certify the site, its content, the identity of the site owner or the activity conducted on that site.  Any assumption that using HTTPS indicates a more trustworthy site is therefore clearly unwarranted.

So what should you look out for?

  • Use a familiar and trustworthy website.
  • Don’t rely upon a link to a site in an email or in social media, even if it is a site you have used before; type the address into your browser address bar. It is easy to make a link look like it goes to a safe site when in fact it goes somewhere else.
  • When you arrive at a site check the address bar. Is the URL (web address) correct?  Look out for tricks such as…
    1. a different domain ending, so rather than it is
    2. deliberate spelling mistakes in the URL e.g., that you might not spot if you only looked quickly.   Before you question whether I’m calling Just Giving out on this, I’m not, but as one of the largest fundraising websites they are likely to be a big target for online fraudsters.
    3. subdomains e.g. This is nothing to do with the JustGiving website but a subdomain of a website called  Scammers are ingenious in how they mask the identity of the site you are going to; scrutinise everything to assure yourself that you are where you expect to be.
  • Requests for you to use bank transfers rather than legitimate payment gateways such as credit card or PayPal should have alarm bells ringing loudly. No legitimate fundraising site would ask for payment to be made this way.
  • If using PayPal, when you get to the stage of confirming the transaction, check to see who the payee will be. If it is not who you expect (you may be able to confirm this by referring to a previous credit card statement), then something is wrong. Stop and only proceed with caution.

Scammers and cyber criminals are becoming increasingly competent at building websites that aim to steal either your money or your personal information.  Whilst HTTPS is a good sign that the connection between you and the website is secure, it does not mean the website itself should automatically be trusted.  Before giving a website any information or donating money, verify for yourself that the site is legitimate and that you are not being taken for a ride.
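The three address-bar tricks listed above (a different domain ending, a misspelling, and the real name hidden as a subdomain of some other site) can be checked mechanically before you type in card details. The checker below is an added example written for this article, not code from QD Design, Action Fraud or JustGiving; it assumes justgiving.com as the legitimate domain you expect to be on, the look-alike addresses are constructed, and the short suffix list stands in for the Public Suffix List a real tool would use.

```python
from urllib.parse import urlsplit

# Domain endings this example understands. A real checker would load the
# Public Suffix List; this short set is an assumption made for the example.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "org.uk"}


def split_host(host):
    """Return (registrable_domain, subdomain_labels) for a hostname.

    'www.justgiving.co.uk' -> ('justgiving.co.uk', ['www'])
    'justgiving.example.net' -> ('example.net', ['justgiving'])  # trick 3
    Longest suffix wins because the loop tries 'co.uk' before 'uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]), labels[: i - 1]
    return host.lower(), []


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, expected):
    """Compare where a link really goes with the site you expect to be on.

    Returns {'https': bool, 'domain': registrable domain, 'verdict': str}.
    Verdicts: 'ok', 'different-ending' (trick 1), 'lookalike-spelling'
    (trick 2), 'subdomain-trick' (trick 3) or 'unrelated'. Note that
    'https' is reported separately: as the article says, a padlock on its
    own does not make any of the bad verdicts safe.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain, subs = split_host(host)
    exp_domain, _ = split_host(expected)
    name, exp_name = domain.split(".")[0], exp_domain.split(".")[0]
    if domain == exp_domain:
        verdict = "ok"
    elif exp_name in subs:
        verdict = "subdomain-trick"
    elif name == exp_name:
        verdict = "different-ending"
    elif edit_distance(name, exp_name) <= 2:
        verdict = "lookalike-spelling"
    else:
        verdict = "unrelated"
    return {"https": parts.scheme == "https", "domain": domain, "verdict": verdict}


# Constructed links for the demonstration; none of these is a real scam address.
CONSTRUCTED_LINKS = (
    "https://www.justgiving.com/fundraising/appeal",
    "https://www.justgiving.org/fundraising/appeal",
    "https://www.justgivng.com/fundraising/appeal",
    "https://justgiving.example.net/donate",
    "http://www.justgiving.com/fundraising/appeal",
)


def review(links=CONSTRUCTED_LINKS, expected="justgiving.com"):
    """Return [(url, verdict)] so a batch of links can be eyeballed at once."""
    return [(u, check_url(u, expected)["verdict"]) for u in links]


if __name__ == "__main__":
    for url, verdict in review():
        print(f"{verdict:20} {url}")
```

Only the first and last links resolve to the expected domain, and the last one still fails the HTTPS check, which is exactly the case where the padlock advice alone would mislead.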

What Facebook knows about you

What Facebook Knows About You

The recent BBC Panorama programme on “What Facebook Knows About You” seems to have taken many people by surprise.  If you are active on Facebook and the Web, you are leaving a ‘digital breadcrumb’ trail behind you.  Every ‘like’ you make, every post you share, every place you check into in Facebook, all gets logged and used to create a profile about you.  This profile is used to serve up adverts to your Facebook page that best fit your interests and lifestyle.   This is the price we pay to use this “free” service.

Many of the people featured in the programme last night were surprised at what Facebook knew about them and what Facebook perceived as their interests, hobbies and preferences.

You can easily see what Facebook knows about you.  And, if it is not to your liking, make some changes to it.  Here’s how…..

1. Assuming you are on a computer rather than mobile device, in Facebook go to the little down arrow on the far right of the blue bar at the top of the screen (next to the question mark that goes to the help info).  On a mobile go to the three horizontal lines and scroll down to Adverts.

[Image: how to find out what information Facebook holds on you]

2. Choose settings from the drop down list

3. From the list on the left hand side, choose Adverts. You might also want to try the Download a copy of your Information though this can be pretty vast if you are a prolific poster. This gives you a zip file on your computer of everything you have ever posted on Facebook (text, images, videos) as well as any events you have attended or shown an interest in.

4. From the Adverts link you will see the following. Each of the rows – Your Interests, Adverts You Have Interacted With can be expanded to show more information. This is what Facebook uses to build your profile. Most of it shouldn’t be a surprise as it is you that caused it to be logged.

However there may be the odd anomaly that you can’t explain. No, I’ve no idea why ‘Entre Rios Province’ is listed as a place I am interested in either!

5. Every one of these snippets of information can be edited and removed. The X button will remove it from your list of places, list of hobbies, or list of advertisers with whom you have interacted.

One important point to note is that you are never going to get rid of Facebook Ads entirely. That is what keeps it free to use.

[Image: advert settings in Facebook]

However, using these tools you can fine tune the ads you see so that embarrassing one for ‘ointment’ doesn’t appear.  If you turn off the Interest Based Adverts feature completely, then you will see any old advert that Facebook deems to put in front of you.  Leaving it on means there is a chance the Ads you see ‘might’ be relevant to you.

If you don’t like what Facebook knows about you, then the choice is simple. Delete your Facebook account, stop using the web on any device, sell your house, buy a tent, move to the woods and hide. OK, this last advice is purely tongue in cheek, you don’t necessarily need to buy a tent, you might be lucky and find a cave to sleep in!

Seriously, should you worry about the information Facebook knows about you?   Probably not.  Between Facebook, Google, your Internet Service Provider and your mobile provider, there is little these people don’t know about you.  Add in your local supermarket where you use a loyalty card, other websites where you check in or use a service e.g. your fitness tracker, and almost your entire waking day is logged or mapped.  If you are doing nothing you are ashamed of or nothing that you shouldn’t be doing, then you have little to worry about!

Scam Alert! Domain SEO Services

If you own or manage a domain you need to read this.

I manage quite a few domains and, as such, see a fair number of domain communications each month.  One recent email stood out.  There was something about it that wasn’t quite right.

  1. It had no letter head or logo and the sender was not who I have my domains registered with.  In fact the layout and style of the message is deliberately ‘vanilla’.
  2. Whilst this domain is up for renewal this year, I knew it was in October and not the Spring when the renewal was due.
  3. The wording was both very lengthy and hard to understand.  Again a deliberate ploy to confuse anyone that receives such a mail that it really needs to be acted upon.
  4. The incentive to “Buy Now” seemed just a bit too forceful and smacked of a con.

So what is it?

Well it isn’t a domain renewal notice even though it has a domain name, a duration of service and even a start date.  It is an offer to buy “Domain SEO Service” and  “to purchase a search engine traffic generator”.

No clear details are given on what these products will do for your website.  The one thing that is clear is that Google takes an incredibly dim view of attempts to artificially increase a site’s ranking in the search results.  So much so, that sites have been penalised and in some cases banned when it has been discovered they have tried to manipulate the Google search results.

It is not worth the risk.

You do not need to pay to have your domain name submitted to and indexed by the search engines.  This could be the worst $75 you might ever spend.

You DO need to engage someone to help you optimise the content of your site and effectively focus it around your chosen keyword(s).  Your web designer should be able to advise on how best to go about doing this.

This Domain SEO Service Expiration Notice is a very clever and cynical scam.  It deliberately creates a sense of apparent urgency around the renewal of a service and hopes that the recipient either is in too much of a hurry to read it or not knowledgeable enough to know that it is unnecessary.  The originators know that in many small and medium sized businesses, the staff are working flat out and spending 5 – 10 minutes trying to work out whether something is genuine, is time they simply do not have.

If / when you get your domain renewal notice in the mail, or something that looks like one, read it very carefully before acting upon it.  It may not be quite what it seems.

Shopping Safely Online

According to the Centre for Retail Research, in the run up to Christmas 2014 online shopping in the UK comprised very nearly 25% of all sales made.  This was up a whopping 19% on the year before.  We spent over £17bn online in the six weeks before Christmas 2014.

As the BBC reported, scammers, hackers, thieves and crooks of all persuasions are gearing up to take advantage of our increasing adoption of online purchasing and are planning even more cunning ways to part us from our money.

Here are 10 ways to shop safely online…

  1. Visit familiar websites that you know and trust; if you find a site offering incredible deals way down on page eight of a Google search, there is likely to be something awry.  If the deal was that good, it should have appeared on the first page or two.
  2. Be aware of ‘look-alike’ sites that either use a misspelling of a real business name or a different ending to an existing web address (for example .net rather than .com).  ‘Look-alikes’ are sometimes all but identical to the real sites, since the crooks have simply cloned the site they are pretending to be.  Always check the address bar of your browser to make sure you really are where you think you are.
  3. Look for the lock icon.  When sending details of your credit card, always check that Secure Socket Layer (SSL/TLS) encryption has been enabled.  This is shown by the web address changing from http://www… to https://www… (the all-important ‘s’ indicating that it is a secure connection).  Depending on your browser you should also have visible confirmation that a secure connection is now in use: a padlock is added either in the status bar or, in Chrome, right next to the site address.  If you are being asked for your card details and there is no padlock, alarm bells should be ringing immediately.  You wouldn’t stand in the middle of the street shouting out the details of your credit card, so why do the equivalent online!
  4. Keep your browser and computer operating systems up to date.  Same goes for your anti-virus and other security programs.  Hackers in particular, attempt to exploit known weaknesses in programs.  Omitting to update key software is like leaving a window open in your house.  You are making it easy for the crooks to gain entry.
  5. Consider using a browser with the Safe Browsing function installed.  Browsers that incorporate Safe Browsing include Google Chrome, Firefox & Safari.  Safe Browsing warns the user when they are about to access a site that may have potential threats.  More than 5 million warnings per day for all sorts of malicious sites and unwanted software are provided by Safe Browsing.
  6. Credit rather than debit.  The payment protection afforded by using a credit card rather than a debit card is usually greater.  Whilst no one ever wants anything to go wrong, at least this might offer a little more peace of mind.  Even better than that, try switching to a payment service such as PayPal.
    These services never reveal your credit card to the online merchant meaning that if you do inadvertently fall foul of a look-alike site, then at least your card details are still secure.
  7. Exercise caution when downloading new apps.  Only download apps from trusted sources such as Google Play (for Android) or the Apple App Store (for Apple devices).  Cyber-thieves have deliberately made similar-looking apps to existing ones that can harvest sensitive information.  If in doubt, thoroughly read the reviews of the app before installing it to see what other users have to say about it.
  8. If something seems to be “too good to be true”, it probably is.  Unsolicited emails containing details of incredible bargains are almost always bait to get you to access a site that cyber-crooks will use to steal data, information or money from you.  A common ploy to encourage people to click a link in an email is to make the offer time sensitive, “Hurry, only available for 24 hours”, or to say it is for the “first 200 customers only”.   Even if the mail comes from a friend you should still exercise great caution; it is easy to ‘spoof’ an email message so that it appears to come from someone other than the true sender.
  9. This is a good time to check that you are using strong, unique passwords for all of the sites where you have set up an account. Using weak, easily guessed passwords or using the same password across multiple sites is simply making it easy for the cyber-thieves should your details fall into their hands. If you are not sure what makes a good password, here are some great password tips from Google.
  10. Finally, once you have those strong secure and unique passwords in place, you don’t want to forget them (which let’s face it, is easily done when you have tens of sites where you have an account). Password vaults such as Keepass or LastPass are an excellent way of managing numerous passwords.
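Tips 2 and 3 above can be turned into a simple check.  The following Python script is an added example and not part of the original post: it parses a checkout URL, confirms the scheme is https (the padlock test), and compares the host’s registrable domain against a constructed allowlist of retailers, flagging names that differ only by a digit-for-letter swap, a misspelling of a couple of characters, a different ending, or the real brand buried as a subdomain of some other domain.  The allowlist, the small suffix table and the sample URLs are assumptions made up for the example; a real tool would use the Public Suffix List rather than the hand-written table.

```python
"""Look-alike and HTTPS check for a shopping URL (added example, not the post's code)."""
from urllib.parse import urlsplit

# Constructed allowlist (an assumption for this example): the retailers the
# shopper actually has accounts with, by registrable domain.
TRUSTED_DOMAINS = {"example-shop.co.uk", "example-store.com"}

# Small table of two-label public suffixes so that "co.uk" is not mistaken
# for the brand part of the name. Assumption: a real tool would use the PSL.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz"}

# Digit-for-letter substitutions commonly used to disguise a name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def registrable_domain(host):
    """'shop.example-store.com' -> 'example-store.com'; handles 'co.uk'-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand(domain):
    """Strip the suffix and normalise homoglyphs/hyphens so names can be compared."""
    for suf in TWO_LABEL_SUFFIXES:
        if domain.endswith("." + suf):
            name = domain[: -len(suf) - 1]
            break
    else:
        name = domain.rsplit(".", 1)[0]
    return name.translate(HOMOGLYPHS).replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Classify a URL as 'trusted', 'look-alike' or 'unknown' and record whether
    it uses HTTPS. 'safe_to_pay' is True only for HTTPS on a trusted domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    domain = registrable_domain(host) if host else ""
    result = {"host": host, "domain": domain, "https": parts.scheme == "https",
              "verdict": "unknown", "reason": "domain not recognised"}

    if domain in TRUSTED_DOMAINS:
        result["verdict"], result["reason"] = "trusted", "registrable domain is on the allowlist"
    else:
        for trusted in sorted(TRUSTED_DOMAINS):
            # Real brand used as a subdomain of someone else's domain,
            # e.g. example-store.com.checkout-secure.net
            if trusted + "." in host:
                result["verdict"] = "look-alike"
                result["reason"] = f"{trusted} appears inside the host but is not the real domain"
                break
            # Same name with a different ending (.net for .com) or digit swaps
            if brand(domain) == brand(trusted):
                result["verdict"] = "look-alike"
                result["reason"] = f"same name as {trusted} with a different ending or homoglyphs"
                break
            # Misspelling within two edits of the real brand
            if edit_distance(brand(domain), brand(trusted)) <= 2:
                result["verdict"] = "look-alike"
                result["reason"] = f"misspelling of {trusted}"
                break
    result["safe_to_pay"] = result["https"] and result["verdict"] == "trusted"
    return result


if __name__ == "__main__":
    # Constructed sample URLs for the demonstration.
    for u in ["https://shop.example-store.com/checkout",
              "http://www.example-store.com/pay",
              "https://www.example-store.net/pay",
              "https://www.examp1e-store.com/",
              "https://example-store.com.checkout-secure.net/",
              "https://totally-different.org/"]:
        r = check_url(u)
        print(f"{u:50} {r['verdict']:10} https={r['https']!s:5} pay={r['safe_to_pay']}  {r['reason']}")
```

Only an HTTPS connection to a domain on your own allowlist is reported as safe to pay; everything else, including the real retailer over plain http, is refused, which mirrors the advice in tips 2 and 3.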

Shopping online is convenient and brings a world of choice to your front room.  Done with a reasonable amount of caution, it is no less risky than shopping on the high street.  Done with less awareness and a degree of carelessness or naivety, and you face a chance of getting scammed, fooled or sadly robbed.

Take care and above all, stay safe.