Online shopping is reaching new heights in Canada. According to the most recent Canadian Internet Use Survey from Statistics Canada, nearly four out of five Canadians buy goods and services online, up from 56 per cent in 2012. While filling your virtual cart can save time and money, it can also cost hours of investigation and some serious coin if your data falls into criminal hands.
When hackers steal information from retail databases, it routinely makes headlines. In the last few years, companies like Giant Tiger, IKEA Canada, LCBO and Running Room have been affected. Estimates suggest a recent data breach at the online ticket retailer Ticketmaster affected a whopping 560 million people worldwide.
In 2023, the Canadian Anti-Fraud Centre said victims reported a shocking $567 million in losses, and that’s only a pittance given that an estimated five to 10 per cent of victims contact the centre about scams and identity theft, partly due to embarrassment.
Canadians reported nearly $11 million in merchandise fraud in 2023, according to the centre, which is run by the Competition Bureau Canada, the RCMP and the Ontario Provincial Police. That includes orders that never show up, arrive damaged or are illegal knock-offs of brand-name wares.
What’s more concerning is when fraudsters take your credit or debit card on a shopping spree, or harvest personal information like your birth date and social insurance number to sell on the dark web. Even worse, they may use your identification to obtain a credit card, loan or even a mortgage in your name.
For tips on shopping online safely, Zoomer spoke to David Maimon, a criminology professor and director of the Evidence-Based Cybersecurity Research Group at Georgia State University in Atlanta, and Ken Whitehurst, the executive director of the Toronto-based Consumers Council of Canada, to find out how Canadians can prevent online bargains from turning into more than they bargained for.
Dead Giveaways
“No regulatory or law-enforcement efforts are likely to be expended on individual consumer problems,” Whitehurst says. That means it’s up to you to protect yourself online by playing spot the difference.
In phishing scams, fraudsters send emails, texts or voice messages to direct you to fake websites that resemble real ones. Look at the webpage address, or URL, carefully. Avoid shopping on sites whose address starts with “http” rather than “https.” A secure site will start with “https” and include a padlock icon, which means information you send from your computer to the company’s server is encrypted and can’t be read by others.
Other red flags include URLs with slightly altered or misspelled brand or domain names. Fake websites may also feature poorly written copy, low-quality images and unusually low prices. To avoid these pages, Maimon advises visiting company websites directly, instead of clicking on links in emails, social-media posts or banner ads.
Card Protection
Use only one credit or debit card for online shopping and check out as a guest so your card information isn’t stored on the company’s server, where it is vulnerable to hackers. If you shop online using your phone or tablet, consider adding an extra layer of security, like Apple’s Face ID or Touch ID. If you lose your device or it gets stolen, no one can use it to shop until they drop.
It’s important to check your credit card and debit balances frequently, especially if you hear about data breaches at places you shop online. If you see a charge you don’t recognize, try disputing the charge with the business first, and document the interaction. If it won’t issue a refund, then contact your bank, which may ask for email correspondence or details of your attempt to get reimbursed. But make sure you act fast: Banks, which identify fraudulent charges in part by comparing them to the frequency, amount and locations of your typical transactions, often have a 30-day limit to dispute a charge.
You should also check credit reports from Equifax and TransUnion, the two main companies in Canada that create your credit score, which helps determine whether you get credit or loans. “Sometimes folks are not even aware that their identity has been stolen,” says Maimon. It can take several weeks or months for fraudulent activity to appear on credit reports, so check them periodically.
Maimon recommends paying for a credit and identity fraud monitoring service that alerts you to changes. Both major credit reporting companies offer subscription plans, but a no-cost option is to sign up for free fraud alerts at the five big Canadian banks.
Trust Factor
Whitehurst says there are few simple methods to authenticate online sellers, which creates a “critical deficit” of knowledge. “Consumers are pretty much stuck with reliance on trial and error, word of mouth and painstaking personal research efforts to discern safe online sellers.”
He suggests researching unfamiliar companies, looking for a physical address and contact information, and checking online forums (like Reddit and Google reviews) to help determine if a business is real or fake. “Consumers should not transact with parties online, over the telephone or on their doorstep that they cannot thoroughly authenticate as real businesses or public institutions,” Whitehurst says.
Take Action
If an online retailer you frequent has a data breach, don’t panic. Notify your bank, get a new credit or debit card and watch for and delete emails or texts from the company in question. Change your password on the affected website and any other sites where you use the same one, especially if it’s used for online banking or email.
Saving passwords in a browser linked to your email makes them vulnerable to data breaches. Password manager tools, which can alert you to breaches, use zero-knowledge encryption, so the company can’t access your stored passwords. But these aren’t immune to hacking either.
“There’s really no magic tool I can recommend, unfortunately,” says Maimon, “just awareness and education.”
A version of this article appeared in the August/September 2024 issue with the headline ‘Online Buyers Beware,’ p. 30.






