Staying safe online this holiday shopping season: Five tips to improve your security habits


Americans spent over 200 billion dollars online during the 2022 holiday shopping season, making 2023 a record year for online retailers. This year, 97% of people recently surveyed said they plan to shop online. As holiday revenues grow, so does the temptation for criminals to take a part of the action for themselves – over 300 million dollars were lost to scammers in 2022 according to the FBI’s IC3 report for 2022. As we head into the holiday months, online consumers may be asking themselves what they can do to keep themselves safe online. 

A new survey Yubico conducted with OnePoll indicates that online users continue to be concerned with their security. This survey examined how people adjusted their cybersecurity habits in a growing era of sophisticated phishing attacks and found that while 80% of survey respondents are concerned about cybersecurity when it comes to their online accounts, a surprising 39% admitted to using the same password for multiple accounts.

In addition to securing your online credentials, below are some top tips to ensure you’re staying safe from increased attacks not only during the holidays, but throughout the year.

  1. Continue to be mindful of where you send your information

While cyber criminals tend to aim at your wallet, they also attempt to use your personal information, most frequently collected through attacks like phishing, to gain access to other online accounts and assets. Effectively safeguarding personal and financial information and placing trust in an online retailer can be challenging for many consumers. In fact, Yubico’s survey found that about one third of respondents (32%) are not confident that they could spot a fraudulent or fake online retailer. As phishing attacks become harder to identify, your defenses against them also need to improve.

With this in mind, be cautious when you see the following:

  • Websites asking for too much information 

If what’s being asked feels completely unrelated to your purchase, then consider another vendor that won’t require as much information. 

  • Odd websites or requests for odd methods of payment 

Asking for abnormal payment types is a red flag that warrants additional investigation. Consider another vendor. 

  • Coupon apps and websites

Everyone loves a discount, but beware of coupon apps or browser plugins that offer these deals automatically. Remember that if you’re not paying for a service, then one way that service continues to exist is through monetizing your browser history, product usage, or personal information.

  2. Beware of the latest scams such as tracking information scams

Some of the latest scams involve requests to disclose additional personal information to “fill in the gaps” for an unexpected delivery. It’s best to ignore these messages and go straight to the source to check your package status. 

  • Sign up for tracking notifications 

Most major providers offer email-based tracking notifications that can tell you when packages should be arriving. Enroll in free notification services such as UPS My Choice and FedEx Delivery Manager.

  • Investigate by going straight to the source 

If an email or text is offering you an easy way to “click here!” to get your information, ignore that suggested “easy button” and instead go straight to the vendor’s site. For example, if an email purporting to be your credit card provider indicates an issue, directly call the number on the back of your card, or access the website address directly. Don’t click on links sent over SMS or in email.

  3. Use protected methods of payment

Not all payment methods are protected equally, and some standard payment methods for day-to-day business may be tempting to use for online shopping.

  • Use a credit card or a trusted broker such as PayPal to protect your purchases 

Many credit card providers offer consumer protections on purchases, and also allow you to dispute charges that don’t result in your product or service. 

  • Avoid debit cards and never give out banking information or send wire transfers to pay for online retail 

Some common scams involve using banking information to create the appearance of “pay us back” errors, or directly extract funds from your bank account.

  4. Protect your login credentials

Passwords are no longer enough to protect your accounts and most consumers are not modernizing their authentication methods to match newer methods of attack. Yubico’s survey found that approximately one out of two (49%) respondents stated that they do not use MFA, don’t know what it is, or are not sure if they have MFA enabled.

Consider the following tips to increase the security of your online presence:

  • Use strong, phishing-resistant MFA

Not all MFA methods are created equal. Instead of SMS text-message-based codes that must be manually entered, or app-based push notifications that are easy to mistakenly approve, secure your accounts using phishing-resistant multi-factor authentication (MFA) methods, such as passkeys and security keys like the YubiKey, which have had passkeys since 2018. Passkeys seamlessly authenticate users by using cryptographic security “keys” stored on their computer or device (i.e. a YubiKey), and are considered a superior alternative to passwords since users are not required to recall or manually enter long sequences of characters which can be forgotten, stolen or intercepted.

The YubiKey works with hundreds of services that support passkeys to reduce the possibility that you mistakenly enter your credentials into a malicious site. The YubiKey is supported for use on services like 1Password, WhatsApp, Amazon, Apple, Google, and social media platforms such as X (formerly Twitter) and Meta. 

  • Use a password manager to cover the gaps 

For those sites that don’t yet support phishing-resistant methods, use a reputable password manager, such as 1Password, to generate unique credentials per site, make logins easier between devices, and watch for known breaches that may have affected your credentials. YubiKeys support the most popular password managers and add an additional layer of security for your login credentials.

  5. Ensure the highest level of protection for your most valuable assets

Most services offer a password reset pathway, allowing users to reset their accounts using a link sent to email or a text message. In some cases, this reset method may be the easiest way for attackers to gain access to your accounts. Ensure that your most prized accounts are protected with the highest level of authentication.

  • Protect your mobile ecosystem

Our mobile devices are a key tool used for our online accounts. Ensure that you’ve protected your mobile’s ecosystem by configuring hardware-backed security keys, such as YubiKeys, to protect the ecosystem that controls your mobile device (for instance, your Apple ID account or Google Account).

  • Protect your email

Many email providers also allow users to configure phishing-resistant methods such as passkeys. Ensure that you have the highest level of protection for the one place that allows you to reset most of the other accounts that you want to protect.

  • Protect your core identity providers

If you use “Sign in with ___” options for online activities, ensure that you have protected those services with strong MFA as well. Most major providers support methods such as the YubiKey (for instance, your Amazon, Meta and X accounts). Also be certain to include protecting your password manager from unauthorized access.

Consider all of the tips above to stay secure this holiday season and beyond, and upgrade your online security to use phishing-resistant, hardware-backed, and universally adaptable authenticators, such as the YubiKey. For a unique look inside the mind of a hacker and the importance of understanding human-based attacks like phishing, watch our video below with ethical hacker Rachel Tobac.

For more information, check out the full survey results here as well as in our infographic. Join us in an upcoming webinar and hear from our security experts to better understand the current cyber threat landscape, and learn best practices to stay secure online through the holiday season and beyond – register here
