ITRC Fact Sheet 103
This fact sheet offers recommendations on how to make your online experiences safe and enjoyable. The following subjects will be addressed:
- Check the authenticity of the web address or URL
- Secure websites
- Research the vendor or website
- Website privacy and security policies
- Credit vs. Debit
- What information to provide
- Confirmation of order
- Shipping and return policies
- Use Shopper’s Intuition
- Secure Payment Agents
- Be Wary of Identity Theft
- Electronic signatures
In recent years, more people have found the Internet a convenient way to shop, pay bills and track banking activity. The world of electronic commerce, also known as e-commerce, has expanded our purchasing abilities from local retailers to world-wide companies and expedited our ability to shop while maintaining a busy schedule.
Unfortunately, things can go wrong while shopping in cyberspace. Sometimes it is simply a case of a computer glitch or poor customer service. Other times, shoppers are cheated by hackers and thieves.
Above the web site at the top of your screen is a rectangular window that contains the web site address (also called the URL or Uniform Resource Locator). Please see the Trend Micro Website URL Checker link on the ITRC website. By checking that address, it can give you clues as to whether you are dealing with the correct company or a safe website.
Cyber-thieves have created web sites that look convincingly like the web sites of well known companies. These sites will capture the credit card numbers of unwary shoppers when they attempt to purchase an item. The thieves then use the stolen credit card numbers to make fraudulent purchases in the shopper’s name. If these shoppers had checked the URL at the top of the screen, they could have noticed that it was not the same URL as the real company.
Secure websites use security technology to transfer information from your computer to the online merchant’s computer. This technology scrambles (encrypts) the information you send, such as your credit card number, in order to prevent computer hackers from obtaining it.
The following items shown on your web browser will indicate a connection to a secure web site.
- https:// The “s” that is displayed after “http” indicates that web site is secure. Often, you do not see the “s” until you actually move to the order page on the web site.
- A closed yellow padlock displayed at the bottom of your screen or next to your URL box. If that lock is open, you should assume it is not a secure site.
Do business with companies you already know. If the company is unfamiliar, investigate their authenticity and credibility. Conduct an internet search (i.e. Google, Yahoo) for the company name. The results should usually provide both positive and negative comments about the company. If there are no results, be extremely wary. Reliable companies should advertise their business address and at least one phone number, either customer service or an order line. Call the phone number and ask questions to determine if the business is legitimate. Ask how the merchant handles returned merchandise and complaints. Find out if it offers full refunds or only store credits.
You can also research a company in the Internet yellow pages, through the Better Business Bureau (see listing below), or a government consumer protection agency including the district attorney’s office or the state Attorney General. Perhaps friends or family members who live in the city listed can verify the validity of the company. Remember, anyone can create a web site.
Try to shop on a website of a business that has locations within the U.S. These stores must follow specific state and federal consumer laws. You might not get the same protection if you place an order with a company located in another country.
Look for online merchants who are members of a seal-of-approval program that sets voluntary guidelines for privacy-related practices. TRUSTe (www.truste.com) and BBB online, www.bbbonline.org, are two such programs.
The safest way to shop on the Internet is with a credit card. (Please refer to ITRC Fact Sheet FS 131 – Credit Cards vs. Debit Cards.) In the event something goes wrong, you are protected under the federal Fair Credit Billing Act. You have the right to dispute charges on your credit card, and you can withhold payments during a creditor investigation. When it has been determined that your credit was used without authorization, you can only be held responsible for the first $50 in charges. We recommend that you obtain one credit card that you use only for online payments to make it easier to detect wrongful credit charges, and to keep your other cards from being exposed.
E-commerce shopping by check leaves you vulnerable to bank fraud. Make sure your credit card is a credit card only and not a debit card, or a check card. As with checks, a debit card exposes your bank account to thieves. Further, debit cards are not protected to the extent that credit cards are by federal law.
Disclose Only the Bare Facts When You Order. Never provide a Social Security Number to a vendor. When placing an order, there is certain information that you must provide to the web merchant such as your name and address. Often, a merchant will try to obtain more information about you. This information is used to target you for marketing purposes. It can lead to “spam” or even direct mail and telephone solicitations.
Don’t answer any question you feel is not required to process your order. Often, the web site will mark which questions are mandatory with an asterisk (*). Should a company require information you are not comfortable sharing, leave the site and find a different company for the product you seek.
After placing an order online, you should receive a confirmation page that reviews your entire order. It should include the cost of your order, your customer information, product information, and the confirmation number.
Print at least one copy of the confirmation page and the web page(s) describing the item you ordered, as well as the page showing the company name, postal address, phone number, and legal terms, including return policy. Keep it for your own records for at least the period covered by the return/warranty policy.
You will often also receive a confirmation message that is e-mailed to you by the merchant. Be sure to save and/or print this message as well as any other e-mail correspondence with the company.
A company must ship your order within the time frame stated. If no time frame is stated, you should inquire how long the delivery will take. This gives you an opportunity to cancel the order and receive a prompt refund or agree to any delay.
Here are key shipping considerations:
- Does the site tell you if there are geographic or other restrictions for delivery?
- Are there choices for shipping?
- Who pays the shipping cost?
- What does the site say about shipping insurance?
- What are the shipping and handling fees, and are they reasonable?
Even under the best of circumstances, shoppers sometimes need to return merchandise. Check the web site for cancellation and return policies.
- Who pays for shipping?
- Is there a time limit or other restrictions to the return or cancellation?
- Is there a restocking charge if you need to cancel or return the order?
- Do you get a store credit, or will the company fully refund your charges to your credit card? If the merchant only offers store credits, find out the time restriction for using this credit.
Don’t expect less customer service just because a company operates over the Internet. This is especially important if you are buying something that may need to be cleaned or serviced on occasion.
- Does the merchant post a phone number and/or e-mail address for complaints?
- How long has the company been in business?
- Will they still be around when you need them?
- Is there an easy, local way for you to get repairs or service?
- Is there a warranty on the product, and who honors that guarantee?
- What are the limits, and under what circumstances can you exercise your warranty rights?
Heed the old adage, “If it looks too good to be true, it probably is.”
- Are there extraordinary claims that you question?
- Do the company’s prices seem unusually low?
- Does the company’s phone go unanswered?
- The use of a post office box might not send up a red flag, but a merchant who does not also provide the company’s physical address might be cause for concern.
If any of these questions trigger a warning, you will be wise to find another online merchant or buy the product in a store.
A “Secure Payment Agent”, as defined by ITRC, allows the consumer to control the use of all their sensitive personal information whether shopping, paying bills online, or registering at websites. An SPA has the ability to replace all of the user’s real personal information with anonymous data that becomes useless after a transaction and cannot be tracked back to the user. The following list includes items that ITRC has identified as some of the prerequisites SPAs should include:
- Replaces the consumer’s real personal identifying and financial information with anonymous data that is untraceable back to the consumer
- Eliminates phishing both when visiting websites and receiving incoming email
- Verifies both consumer and device before allowing access to or use of the SPA
- Stores user data in such a way that it becomes useless if the SPA’s data base storage system is breached
- Merchants must be able to send, and consumers to receive, purchase/shipment confirmations without delay, extra steps or the use of supplemental devices.
- Authentication method must be “Multi-Authentication” using attributes of:
- Who You Are
- What You Have
- What You Know
Identity thieves are increasingly using the web to scam you and gather credit card, checking account, debit card or Social Security Numbers. Be aware of this trend. Please refer to the ITRC Fact Sheet FS 123 – Scam Assistance.
Check your credit card bills carefully for several months after purchasing on the Internet. Look for purchases you did not make. If you find some, immediately contact the credit card company and file a dispute.
Order your credit reports at least once a year and check for accounts that have been opened without your permission. Please see the ITRC Fact Sheet 125 - How to Order Your Free Credit Report.
Federal law enables shoppers to verify online purchases with merchants using an “electronic signature.” Usually, this process is nothing more than clicking on a box that says you accept the terms of the order. The Electronic Signatures in Global and National Commerce Act, also known as the E-Sign Act, is a complex law. Read the Terms of Agreement carefully before completing the transaction.
Listed below are web sites that provide additional information about shopping online.
The FBI’s Internet Fraud Complaint Center allows you to report suspected cases of Internet and e-commerce fraud. www.ic3.gov
The Better Business Bureau certifies web merchants with a privacy seal of approval. You can research merchants through the BBB and also report e-commerce fraud problems at these sites. www.bbb.org and www.bbbonline.org
The Federal Trade Commission’s online shopping advice. http://www.ftc.gov/bcp/menus/consumer/tech/online.shtm
Website created by the U.S. Food and Drug Administration to provide shopping tips for buying online prescriptions and over-the-counter drugs on the web. www.fda.gov/oc/buyonline