ITRC Fact Sheet 103
Online Shopping

This fact sheet offers recommendations on how to make your online experiences safe and enjoyable. The following subjects will be addressed:

In recent years, more people have found the Internet a convenient way to shop, pay bills and track banking activity. The world of electronic commerce, also known as e-commerce, has expanded our purchasing abilities from local retailers to world-wide companies and expedited our ability to shop while maintaining a busy schedule.

Unfortunately, things can go wrong while shopping in cyberspace. Sometimes it is simply a case of a computer glitch or poor customer service. Other times, shoppers are cheated by hackers and thieves.


Check the Authenticity of the Website Address or URL

Above the web site at the top of your screen is a rectangular window that contains the web site address (also called the URL or Uniform Resource Locator).  For example, see Trend Micro's free Website URL Checker link on the ITRC website. By checking that address, it can give you clues as to whether you are dealing with the correct company or a safe website.

Cyber-thieves have created web sites that look convincingly like the web sites of well known companies.  These sites will capture the credit card numbers of unwary shoppers when they attempt to purchase an item.  The thieves then use the stolen credit card numbers to make fraudulent purchases in the shopper’s name.  If these shoppers had checked the URL at the top of the screen, they could have noticed that it was not the same URL as the real company.


Secure Websites

Secure websites use security technology to transfer information from your computer to the online merchant’s computer.  This technology scrambles (encrypts) the information you send, such as your credit card number, in order to prevent computer hackers from obtaining it. 

The following items shown on your web browser will indicate a connection to a secure web site.

  • https:// The “s” that is displayed after “http” indicates that web site is secure.  Often, you do not see the “s” until you actually move to the order page on the web site.
  • A closed yellow padlock displayed at the bottom of your screen or next to your URL box.  If that lock is open, you should assume it is not a secure site.

 Research the Vendor or Website 

Do business with companies you already know.  If the company is unfamiliar, investigate their authenticity and credibility. Conduct an internet search (i.e. Google, Yahoo) for the company name. The results should usually provide both positive and negative comments about the company. If there are no results, be extremely wary. Reliable companies should advertise their business address and at least one phone number, either customer service or an order line. Call the phone number and ask questions to determine if the business is legitimate.  Ask how the merchant handles returned merchandise and complaints.  Find out if it offers full refunds or only store credits.

You can also research a company in the Internet yellow pages, through the Better Business Bureau (see listing below), or a government consumer protection agency including the district attorney’s office or the state Attorney General.  Perhaps friends or family members who live in the city listed can verify the validity of the company.  Remember, anyone can create a web site.

Try to shop on a website of a business that has locations within the U.S.  These stores must follow specific state and federal consumer laws.  You might not get the same protection if you place an order with a company located in another country.


Website Privacy and Security Policies

Every reputable e-commerce web site offers information about how it protects your personal information.  This information will be listed within their Privacy Policy.  You can find out if they intend to share your information with a third party or affiliate company.  Do they require these companies to refrain from marketing to their customers?  If not, you can expect to receive “spam” (unsolicited e-mail), mail or phone solicitations from these companies or others.

Look for online merchants who are members of a seal-of-approval program that sets voluntary guidelines for privacy-related practices.  TRUSTe (www.truste.com) and BBB online, www.bbbonline.org, are two such programs.

Be aware that a strong privacy policy and membership in a certification program do not guarantee that the web merchant will protect your privacy indefinitely.  Policies change or the company could go out of business. See ITRC Fact Sheet FS 102 - Consumer Risk Test.


Credit vs. Debit

The safest way to shop on the Internet is with a credit card.  (Please refer to ITRC Fact Sheet FS 131 – Credit Cards vs. Debit Cards.) In the event something goes wrong, you are protected under the federal Fair Credit Billing Act.  You have the right to dispute charges on your credit card, and you can withhold payments during a creditor investigation.  When it has been determined that your credit was used without authorization, you can only be held responsible for the first $50 in charges. We recommend that you obtain one credit card that you use only for online payments to make it easier to detect wrongful credit charges, and to keep your other cards from being exposed.

E-commerce shopping by check leaves you vulnerable to bank fraud. Make sure your credit card is a credit card only and not a debit card, or a check card. As with checks, a debit card exposes your bank account to thieves. Further, debit cards are not protected to the extent that credit cards are by federal law.


What Information to Provide

Disclose Only the Bare Facts When You Order. Never provide a Social Security Number to a vendor. When placing an order, there is certain information that you must provide to the web merchant such as your name and address.  Often, a merchant will try to obtain more information about you.  This information is used to target you for marketing purposes.  It can lead to “spam” or even direct mail and telephone solicitations.

Don’t answer any question you feel is not required to process your order.  Often, the web site will mark which questions are mandatory with an asterisk (*).  Should a company require information you are not comfortable sharing, leave the site and find a different company for the product you seek.


Confirmation of Order

After placing an order online, you should receive a confirmation page that reviews your entire order.  It should include the cost of your order, your customer information, product information, and the confirmation number.

Print at least one copy of the confirmation page and the web page(s) describing the item you ordered, as well as the page showing the company name, postal address, phone number, and legal terms, including return policy.  Keep it for your own records for at least the period covered by the return/warranty policy.

You will often also receive a confirmation message that is e-mailed to you by the merchant.  Be sure to save and/or print this message as well as any other e-mail correspondence with the company.


Shipping and Return Policies

A company must ship your order within the time frame stated.  If no time frame is stated, you should inquire how long the delivery will take.  This gives you an opportunity to cancel the order and receive a prompt refund or agree to any delay.

Here are key shipping considerations:

  • Does the site tell you if there are geographic or other restrictions for delivery?
  • Are there choices for shipping?
  • Who pays the shipping cost?
  • What does the site say about shipping insurance?
  • What are the shipping and handling fees, and are they reasonable?

Even under the best of circumstances, shoppers sometimes need to return merchandise.  Check the web site for cancellation and return policies.

  • Who pays for shipping?
  • Is there a time limit or other restrictions to the return or cancellation?
  • Is there a restocking charge if you need to cancel or return the order?
  • Do you get a store credit, or will the company fully refund your charges to your credit card?  If the merchant only offers store credits, find out the time restriction for using this credit.

Don’t expect less customer service just because a company operates over the Internet.  This is especially important if you are buying something that may need to be cleaned or serviced on occasion.

  • Does the merchant post a phone number and/or e-mail address for complaints?
  • How long has the company been in business?
  • Will they still be around when you need them?
  • Is there an easy, local way for you to get repairs or service?
  • Is there a warranty on the product, and who honors that guarantee?
  • What are the limits, and under what circumstances can you exercise your warranty rights?

 Use Shopper’s Intuition 

Heed the old adage, “If it looks too good to be true, it probably is.”

  • Are there extraordinary claims that you question?
  • Do the company’s prices seem unusually low?
  • Does the company’s phone go unanswered?
  • The use of a post office box might not send up a red flag, but a merchant who does not also provide the company’s physical address might be cause for concern.

If any of these questions trigger a warning, you will be wise to find another online merchant or buy the product in a store.

Be Wary of Identity Theft 

Identity thieves are increasingly using the web to scam you and gather credit card, checking account, debit card or Social Security Numbers.  Be aware of this trend.  Please refer to the ITRC Fact Sheet FS 123 – Scam Assistance.

Check your credit card bills carefully for several months after purchasing on the Internet.  Look for purchases you did not make.  If you find some, immediately contact the credit card company and file a dispute.

Order your credit reports at least once a year and check for accounts that have been opened without your permission. Please see the ITRC Fact Sheet 125 - How to Order Your Free Credit Report.


Electronic Signatures

Federal law enables shoppers to verify online purchases with merchants using an “electronic signature.” Usually, this process is nothing more than clicking on a box that says you accept the terms of the order. The Electronic Signatures in Global and National Commerce Act, also known as the E-Sign Act, is a complex law.  Read the Terms of Agreement carefully before completing the transaction.

 

Resources

Listed below are web sites that provide additional information about shopping online.  

The FBI’s Internet Fraud Complaint Center allows you to report suspected cases of Internet and e-commerce fraud. www.ic3.gov

The Better Business Bureau certifies web merchants with a privacy seal of approval.  You can research merchants through the BBB and also report e-commerce fraud problems at these sites. www.bbb.org and www.bbbonline.org  

The Federal Trade Commission’s online shopping advice. http://www.ftc.gov/bcp/menus/consumer/tech/online.shtm

Website created by the U.S. Food and Drug Administration to provide shopping tips for buying online prescriptions and over-the-counter drugs on the web. www.fda.gov/oc/buyonline  

 

This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to This email address is being protected from spambots. You need JavaScript enabled to view it..

ITRC Fact Sheet 102
Consumer Risk Test:  Are the Businesses You Frequent Exposing You to Identity Theft?

Do the businesses you frequent:

  • Conduct a criminal or civil background check before hiring employees who will have access to personal identifying information?
  • Provide cross-cut paper shredders at each workstation or cash register area or use a locked wastebasket and shredding company for the disposal of credit card slips, unwanted applications or documents, sensitive data or prescription forms?
  • Use an alternate number instead of Social Security Numbers (SSN) for employee, client and customer ID numbers?
  • Ever send out mail that includes your complete Social Security Number?
  • Require their health insurance providers to use an alternate number rather than the SSN for membership numbers on health insurance cards?
  • Have trained designated staff about security procedures in sending sensitive personal data by fax, email or telephone?
  • Keep sensitive information of consumers or employees on any item (timecards, badges, work schedules, licenses) out of view in public areas? This may include home addresses or phone numbers, SSN and driver’s license numbers.
  • Notify affected individuals in a timely manner in the event of a computer breach of a database that contains sensitive information?
  • Require any items for security (to get gaming equipment or a locker) that contain personal identifying information?  If the company does request a customer give them an item for security, is the item something other than a driver’s license, Social Security Card or other card with identifying information?
  • Place photos on employee identification cards or badges for better identification and security?
  • Keep all personal data about employees and customers in locked cabinets and out of public areas?
  • Encrypt or password protect all sensitive data stored on computers and allow access only on a “need-to-know” basis?
  • Train their employees in how to receive personal identifying information from customers and clients without jeopardizing client security?
  • Notify consumers and employees in advance as to the purposes of the data collection, to whom it will be distributed and the subsequent use after the fulfillment of the original purpose?
  • Ever ask for more data than absolutely necessary?  For example, a health club does not need a Social Security Number, nor does a veterinarian really need your driver’s license number.

Each item illustrates what businesses can do to reduce the risk of identity theft. It is your responsibility to be an aware consumer and select businesses according to how well they protect your identity.  The ITRC Center provides best practices consultations to companies upon request. Contact the ITRC at This email address is being protected from spambots. You need JavaScript enabled to view it..

 

This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to This email address is being protected from spambots. You need JavaScript enabled to view it..

ITRC Fact Sheet 101
Are You at Risk for Identity Theft?

DOCUMENT DISPOSAL:

  • I own a cross-cut shredder and use it regularly. (+8pts)
  • My shredder is near the trash can or in the office where most of my mail is sorted. (+5pts)
  • I shred all pre-approved credit offers I receive before putting them in the trash. (+5pts)
  • I shred all “convenience checks” or “balance forward checks” I receive from credit card companies before putting them in the trash. (+5pts)
  • I understand that thieves root around in my trash looking for credit/financial info. (+5pts)

SOCIAL SECURITY NUMBER PROTECTION:

  • I never carry my Social Security card in my wallet or purse. (+5pts)
  • I make sure that I have no other cards in my wallet or purse with my SSN on it. (+5pts)
  • I have a card with my SSN on it in my wallet or purse, but it is a copy and part of the SSN has been cut off. (+6pts)
  • I have my SSN or driver’s license number printed on my personal checks. (-7pts)
  • My SSN is my driver’s license number - I have made no effort to change that. (-8pts)
  • I make sure that my SSN is never publicly displayed or used at work or school, i.e. timecards, test scores, receipts, badges. (+5pts)

INFORMATION HANDLING:

  • I use a locked, secured mailbox or P.O. Box to receive mail. (+5pts)
  • I never leave mail for pickup in an unlocked location at home or at work. (+5pts)
  • I always watch my surroundings for people who might be listening when giving out SSN or financial information. (+5pts)
  • I keep personal identifying information in a locked or protected area of my home; one that visitors can’t access. (+5pts)
  • I have ordered a copy of my free annual credit reports during the last year. (+8pts)

SCAMS:

  • I keep an eye on my credit cards when they leave my hands to avoid skimming. (+5pts)
  • I do not respond to Internet scams and I also hang up on telephone solicitors. (+5pts)
  • Whenever I am asked to provide my SSN, I always ask how that information will be safeguarded and why it is necessary for them to have it in the first place. (+6pts)
  • I always use firewall(s) and current anti-virus software for any connection to the Internet. (+7pts)

RESULTS: 

Each one of these questions represents a possible risk factor or protection against ID theft.

Your score: ____________
Range: -15 to +100.

If you scored 85 – 100 consider yourself savvy about identity theft risks; continue your proactive steps.

If you scored 45 – 84 you need to consider your identity theft risk factors more closely and take some corrective actions.

If you scored below 45, you are at high risk of becoming this crime’s next victim! Please make the effort to become more informed about identity theft and the simple steps you can take to minimize your risk.

 

This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to This email address is being protected from spambots. You need JavaScript enabled to view it..

ITRC Fact Sheet 100A
More Complex Cases:  A supplement to ITRC Fact Sheet 100

This guide covers:

 

In addition to financial identity theft, there is also: criminal, governmental, medical and identity theft. Depending on the severity and complexity of your case there may be varying of difficulty in clearing your record. A stolen credit card is easier to resolve than clearing your name after someone fraudulently used your SSN to work and has filed for bankruptcy under your name. If at any time you need support or additional information, please contact the ITRC at 888-400-5530.

ITRC Fact Sheet 100A will give you a brief description and advice on the more difficult aspects of different types of identity theft. To read about each in more detail, please refer to the links under each category. We suggest you look over our victim assistance fact sheets and/or solutions for any that you may find helpful on other topics.

Someone Working Under Your Name: When someone is working as you, several types of problems may occur, on both the federal and state level. (Please see ITRC Solution 27). The first step is to contact the Social Security Administration and ask for a detailed non-certified copy of your work history. Click hereto download the application. Review the report carefully to see if there is anything suspicious such as work history in a state that you have never lived in.

Government Benefit Fraud: (this can be due to identity theft or simply clerical error)

  • Federal Benefit Fraud - This situation can occur due to clerical errors, stolen mail or identity theft. Speak to the duty agent of the Office of the Inspector General of the Social Security Administration. They will initiate an investigation. If you are aware of an older person, or someone who is deceased, having problems due the theft of Social Security benefits, the OIG will assist you. You may also talk with your elder abuse department of the local police department.
    • Benefit fraud has been growing in recent years. People believe they are applying for real grants or programs to receive funding and instead have given their information to a scam artist. Visit Benefits.gov to find out more about legitimate government benefits programs and how to identify scams. If you believe you have given your information to a scam artist read ITRC Fact Sheet 123.
  • State or County Benefit Fraud - Most of these agencies have a fraud investigation unit. Talk with your case manager for a referral.
  • VA Benefits Fraud – Report all fraudulent activity to the Office of Inspector General for the VA
    • http://www.va.gov/oig/hotline/default.asp
    • 1 (800) 488-8244 9am-4pm EST Monday - Friday
    • Email: This email address is being protected from spambots. You need JavaScript enabled to view it.
  • Unemployment – Each state has itsr own procedure for dealing with unemployment fraud. Speak with the unemployment office in question and report you are a victim of identity theft. You may need to submit to them documentation proving your identity such as a state ID or driver’s license. Make sure you include a copy of your police report in your package. Send all documents Certified Mail Return Receipt.
    • Some unemployment cases come from the thief obtaining a job using the victims information and they now wish to collect unemployment on that job. Please see ITRC Solution 27
  • Welfware/EBT - Each state has its own procedure for dealing with welfare fraud. Speak with the welfare/EBT office in question and report you are a victim of identity theft. You may need to submit to them documentation proving your identity such as a state ID or driver’s license. Make sure you include a copy of your police report in your packet. Send all documents Certified Mail Return Receipt.
    • If your benefits debit card is lost or stolen, report it to the welfare office immediatelyif funds are missing from your card. File a police report and report it to the welfare office immediately. If your deposit account is changed at all without your permission, report it to the welfare office immediately and file a police report.  Some states will refund some or all of any funds stolen if you report it in a timely manner. Others may not.
  • Social Security Benefits – File a police report for the fraudulent activity. Report fraud and identity theft to the Social Security Administration’s hotline at 800-269-0271 between 10am and 4pm EST or call their general line 800-772-1213. You can also fill out their online form at https://www.socialsecurity.gov/fraudreport/oig/public_fraud_reporting/form.htm
  • Child Support – If you receive notice that you owe child support for a child who  is not yours, you need to act quickly. File a police report with your local police department. Contact the Child Support Office in question and/or the family court. Inform them you are a victim of identity theft . Insist on a DNA test to prove you are not the biological parent of the child. Submit to them, and any court involved, your police report along with your state ID or driver’s license and any other documentation you can produce. They may ask you  to show you are not the parent (medical records, state of residence, etc). Send all documents Certified Mail Return Receipt. You may need to go to court. 

IRS issues: (Please see ITRC Solution 27) Some victims find out about an identity theft case when the following issues occur. In all of these situations, the initial step is to contact the IRS Identity Protection Specialized Unit, toll-free at 800-908-4490.

You also may contact the IRS Taxpayer Advocate if you have an unresolved issue related to identity theft, or you have suffered, or are about to suffer a significant hardship as a result of the administration of the tax laws, i.e. wage garnishment.  Visit the IRS Taxpayer Advocate Service (TAS)
Identity Theft webpage. Additional information is also available on the IRS website.

Examples of IRS issues include:

  • Child support payments are deducted from your paycheck (in this case you may need to contact the county or state that is garnishing payments).
  • The IRS contacts you about taxes owned due to an additional source of income not reported by you, such as a second job.
  • The IRS says that your child’s SSN is already listed as a dependent on another tax return.

Debt Collection: Never pay a bill that you don’t owe. See ITRC Fact Sheet 116 for complete details.

Bankruptcy Issues: All bankruptcies need to be addressed by the Office of the Trustee of the U.S. Bankruptcy Court. Under federal law, bankruptcies declared by an imposter can be reversed. This is a situation in which you may wish to consult an attorney to make sure the paperwork is filed correctly. For more information read “Fresh Start or False Start - Identity Theft and Bankruptcy Cases” by the Office for U.S. Trustees
http://www.justice.gov/ust/eo/public_affairs/articles/docs/idtheftfinal.htm

·         If you are planning on filing fbankruptcy yourself, but are experiencing identity theft, make sure you do not include any of the fraudulently opened accounts in your bankruptcy. Including them means you take responsibility for them and they can no longer be considered identity theft. Read ITRC Fact Sheet 100 for instructions on how to clear these accounts. 

·         If you have already filed for bankruptcy, and have included accounts that are part of your identity theft into your petition for bankruptcy, there is not much that can be done. Including accounts in a bankruptcy means you take full responsibility for them and any debt you may be held responsible for on them in the future. If you know who the thief is you may be able to civilly sue them for the amount owed. Speak to the Office of the Trustee of the U.S. Bankruptcy Court. Speak to an attorney about your rights.

Fraudulent Change of Address: If you suspect mail theft or mail fraud, contact the U.S. Postal Inspectors (USPIS) at 800-275-8777. When you move, a “change address form” is sent to both the new address and old address. Should you receive a notification and you haven’t moved, this is a warning to contact the USPIS immediately. A contact phone number is provided on the form you receive.

Student Loans: If it appears that someone has applied for and received a student loan in your name without your approval, you need to take action quickly.  If you already have proof of a problem, call the U.S. Dept. of Education Inspector General’s Hotline: (800) MIS-USED (800-647-8733). Also, contact the three Credit Reporting Agencies (See
ITRC Solution 3) and order copies of all three of your credit reports.

Report any fraudulent activity to the police by filing a police report. A police report will help you to establish your status as a victim and provides you specific rights under state and federal laws.

In some cases,  parents apply for student loans under their children’s names and the police mistakenly believe that since the victim benefited from the loan, it is not a crime. That is not true. Any use of your information without your consent is fraud and a crime. If you are unsure of how to proceed due to family issues, contact the ITRC toll-free at 888-400-5530.

DMV issues: When you become aware that someone else may have a driver’s license with your information, you need to speak with the DMV fraud investigator or Department of Public Safety in your state, or in the state where the problem is occurring. This action will start an investigation to determine the real license holder.  Should you lose your driver’s license, you will need to go back into your local office and have it replaced. Bring identifying information with you so that they can ensure you are the true licensee and not an imposter.

Property Deeds: Lost/Stolen property deeds should be reported to the County Register’s office. Fraud involving a property deed should be reported to the County Register’s Office in the state where the property is located as well as the victim’s local police department.

US Savings Bonds: If your US Saving’s bond is lost, stolen, or destroyed, you will need to report it to the US Department of Treasury. Form PD P 0107 will guide you through the process. If the bond was stolen, file a police report for the theft.

Identity Theft in Domestic Situations: (Please refer to ITRC Fact Sheets 115When you personally know the identity thief and ITRC Fact Sheet 115A if it is a spouse.)  Each case is unique.  Identity theft in a domestic situation has a varied emotional and financial impact on the victim. This requires the assistance of a specially trained advocate.  Please contact the ITRC toll-free at 888-400-5530.

Medical Identity Theft: You might find this has occurred if you receive a bill for medical or pharmacy services, or you have been alerted, via an Explanation of Benefits, from your health insurance company of the use of your health insurance information.  Refer to
ITRC Fact Sheet 130 and ITRC Fact Sheet 130A for this type of case.

Checking Accounts: Please refer to ITRC Fact Sheet 126, which goes through this issue in detail. You should file a police report in any of the following situations and send a copy of the police report to any creditors affected by the identity theft.

There are several types of checking account issues, including:

  • Checking account takeover
  • Stolen, washed or duplicated checks (refer to ITRC Solution 21)
  • Synthesized checks - With a good computer and printer anyone can put your name on a check and create a bank account number. 
  • Cashing a stolen or counterfeit check - In this situation, someone asks you to cash a check they write to you or endorse to you. This is most likely a scam.

In some states, a bounced check may eventually result in a warrant for your arrest. You need to clear the account problem with the bank and merchant, and also have that bank or merchant contact law enforcement to drop all charges. You will need to follow-up with the issuer of the warrant (usually the District Attorney’s Office) to be assured that the warrant is withdrawn. Don’t forget to get a “Letter of Clearance” that you will keep permanently.

RESOURCES

  • Reduce Stress - See ITRC Fact Sheet 108Identity Theft – Overcoming the Emotional Impact. Please note that cleaning up the mess may take time. It will not be resolved overnight and you must be mentally prepared to attack your case with the least amount of stress. Find a healthy stress reducing activity and build a support team to help you during this period of your life.
  • Federal Trade Commission - https://www.identitytheft.gov/
    Their publication is titled Taking Charge. You can get a copy sent to you or you may download it from:
    http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm. You may also call them at 877-IDTHEFT (877-438-4338). Additional information is available on their website: www.ftc.gov/bcp/edu/microsites/idtheft

 

This solution sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed toThis email address is being protected from spambots. You need JavaScript enabled to view it..

 

ITRC Sponsors and Supporters 

 

 

 

 

Go to top

 

The TMI Weekly

Breaches here, identity theft there and invasions of privacy everywhere... Should you be worried and, if so, how can you protect yourself? Sign up now to receive The TMI Weekly and get the latest hot topics in identity theft, data breaches and privacy and helpful information on how to protect your information.