Marlon Buchanan is a best-selling author, IT Director, and founder of HomeTechHacker.com, a website with free resources to help you make the most of your home technology.
Key takeaways
- This episode is all about the risks associated with online shopping, such as fake online stores, phishing attempts, and data breaches. Marlon emphasizes the importance of due diligence when shopping online, including verifying the website’s security, privacy policy, and customer reviews. He also recommends using secure payment methods like digital wallets and credit cards, and advises against using debit cards.
- The conversation then shifts to recognizing scams, with Marlon highlighting phishing attempts and fake merchandise scams that are common during the holiday season. He advises caution when receiving emails or calls claiming to be from retailers and emphasizes the need to verify the legitimacy of websites and sellers.
- The discussion also covers the role of VPNs in protecting privacy, precautions for using social media, and steps to take if personal data is part of a data breach. Marlon recommends changing passwords, monitoring financial accounts, and taking advantage of free credit monitoring services.
- He also emphasizes the importance of using password managers and being cautious of phishing attempts. The episode concludes with a discussion on emerging technologies, such as biometrics, that can enhance cybersecurity in the future.
Here’s a full transcript of the episode
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide podcast. My name is Steve Bowcut. I’m a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening today.
Our guest is Marlon Buchanan. Marlon is a bestselling author, creator, and home technology enthusiast. Our topic today is, we’re going to be talking about cybersecurity specifically during the holidays. Before I bring him in, let me tell you a little bit more about our guest.
Marlon Buchanan is a seasoned cybersecurity expert and technology strategist with over 25 years of experience in the IT industry. He holds a BS in computer science from MIT, and an MBA and a master’s of software engineering from Seattle University. His diverse roles have included director, supervisor, software developer, and college instructor.
Marlon is also an accomplished author, writing extensively on home technology. His unique strength is bridging the gap between technical and non-technical parties, ensuring effective communication, and aligning technology solutions with business and consumer needs.
Marlon is the founder of hometechhacker.com, a site designed to help people navigate their IT issues and stay safe from cyber threats. With that, welcome Marlon. Thank you for joining me today.
Marlon Buchanan:
Thank you very much for having me, Steven. I’m very happy to be here.
Steve Bowcut:
Yeah, I’m happy to have you. This is going to be a fun and interesting conversation. The holidays are right around the corner, whether we like it or not. In fact, I think my wife was saying just the other day that she has started purchasing Christmas presents, which is not something that I like to hear, but it happens every year. So we’re starting into that season.
So let’s start with maybe an introduction to online security risk. Maybe you could highlight for us some of the cybersecurity risks associated with online shopping. And if any of those are specific to the holidays, we can point that out as well.
Marlon Buchanan:
Sure. The online risks associated with holiday shopping or online shopping in general are similar to any of the online risks you have at all when you’re out on the web or out in cyberspace. And that’s really what you have to protect yourself from is identity theft and fraud.
So specifically with online shopping, you have to worry about fake online stores, fake apps, fake sellers, even getting counterfeit or misrepresented merchandise. Then there’s also the phishing attempts, and some of those are specific to online shopping, where you get emails and phone calls that claim they’re from stores or customer service.
And then you also have to worry about data breaches. So you have to worry about whether the companies that you’re giving your data to are able to purchase things, whether they’re protecting your data, your personal information well.
So those are the dangers of online shopping. I know everybody loves it, but those are the dangers.
Steve Bowcut:
Yeah, that’s true. And I think there is probably still a need for people to recognize the value of their personal data. I know over the years, I’ve seen the awareness of that grow, but I think there’s still room for people to be more aware. Kind of tongue in cheek, I would always say, well, if someone steals my identity, I’m sure they’ll bring it back. They won’t want it. But our identity is what people want. And it’s not just your credit card number, it could be any of the pieces that they put together, and then they build kind of a profile. And maybe you’ll get into that. But maybe you could talk to us about some of the essential steps that people should take to protect their personal information while they’re shopping online.
Marlon Buchanan:
Well, I think there’s a few different steps you should take, but they really boil down to doing your due diligence, and making sure you’re shopping and working with a trusted online retailer.
So one of the things you want to do to make sure is just real quickly is after you go browse the online retailer’s website, make sure that whatever browser you’re using, usually you’ll see a padlock symbol up in the top left in the address bar, or something that’s telling you that you’re browsing a secure site, which means that the information you’re transferring back and forth is encrypted and harder for hackers to get at.
I like to verify a website that has some contact information or that it has a physical address. There’s some way to actually verify this place really exists and not just in cyberspace to get your information.
I like to look to see if a website has a privacy policy. Then you at least have a good idea of what they’re going to do with your data. Because like you mentioned before, a site can be perfectly legitimate, but you may not be okay with what they’re going to do with all the data that you give them. So you should at least know what they’re doing with your data.
And if they don’t have a privacy policy, they’re probably not a legitimate site, at least not in the United States, because it’s required to be an online retailer to have a privacy policy.
The same thing you’re doing when you’re looking for what you’re going to buy. You are looking at customer reviews, and ratings, and trust ratings. You want to do the same thing for a store. There are places online where you can check how trustworthy a site is. You can look for reviews of the site.
I’d be wary of shopping at a site where you can’t find any other information about it that other people have shopped there. Make sure there’s a customer support number. And if you’re really worried about your merchandise, maybe look for their shipping policies to make sure they have some tracking information that they’ll send you, and make sure that you understand the website’s refund and return policies as well.
Steve Bowcut:
Okay, excellent. So a couple of things there that we’ve covered then. And the first one is that little lock symbol or making sure that the URL starts with HTTPS protects you from, offers a layer of protection, I guess I should say, against hackers being a man in the middle and getting that information, right? Getting the information. And maybe a legitimate vendor that you’re dealing with, but a hacker could get in there and get that information that you’re sending back and forth. So you want that to be encrypted and protected. So that’s one thing.
And then the other thing that you talked about there is that just because the hacker’s not getting the information, doesn’t mean that that’s a legitimate site. So you have to take some precautions to make sure that it’s a legitimate vendor. And some of us get lazy, and I guess that’s probably why, this is my personal opinion, but that’s probably why companies like Amazon do so well and have such a customer base. Because of the big recognizable names, you don’t have to do any due diligence. Yes, I’m on the Amazon site. At least I’m not worried about the vendor being flaky, although I have found that sometimes, the third parties Amazon sellers are a little bit flaky. So there is some due diligence we should probably do there as well, even on the major sites.
But a lot of people like to shop on smaller sites. My wife is like that. She loves the smaller boutique kind of sites, and always makes me nervous. That’s not where I prefer to shop. But I think you’ve given us some great advice, so I appreciate that.
So that’s protecting our personal information. So let’s kind of pivot a little bit and talk about recognizing some scams. What can you tell us about some of the scams that are common, particularly during the holidays? But they’re common all around? During the holidays, there’s probably just more of them, or you’re more likely to see them because you’re spending more time online, but they’re usually there all the time. So can you talk to us about that a little bit?
Marlon Buchanan:
Sure. I think around the holiday time, you’ll get a lot more phishing and fake merchandise or phantom merchandise scams. So let’s start with some of the phishing.
You’ll get retailers possibly calling you or emailing you saying that your order has been held up, and it may look somewhat familiar. And so you bought so many things you maybe can’t remember, and you actually called the number back. Or you click on a link in the email or you respond to the email, and they’re going to ask you for some information to verify your order or something like that.
And that is one way of phishing, that’s one way of them getting your information. You’re more likely to get that kind of attack during the holiday season, but you can get it anytime during the year.
With the fake merchandise, actually, this came up from something you just mentioned when you talked about there are more small stores pop up and other places. But even at established places, or you mentioned third party sellers like Amazon and eBay, you have to look at the trust ratings, the ratings of the individual sellers on those sites too, on whether they show up.
Amazon and eBay can’t protect you from everyone. They’ll usually recognize a bad seller eventually, but that doesn’t mean it’s before you found them. So you have to do your own due diligence.
Steve Bowcut:
Exactly. I thought that was interesting. Not a week goes by I am sure that I don’t get one of those that you just talked about. Somebody said, “Your package been held up, click here and we’ll figure out how we can get your package to you.” And a lot of them come on your cellular phone, so it’s a text message. You also get emails the same way either, your package is held up.
So I guess the point I wanted to make is if you go back a decade or so, these phishing attempts were fairly obvious. There would be misspelled words and it just wouldn’t look right. Or you could hover over the address of the sender and you could see that it was just a bunch of characters that didn’t look legit at all if you knew what to look for.
But that’s not the case anymore. I do this for a living, so I watch this closely. And I see that sometimes, they look pretty legitimate. You really got to look hard to pick out the phishing scams or just live by that mantra that you just don’t click on a link from an email that you’re getting. Go directly to the site if that’s what you want to do. All right, well this is good stuff. This is very useful.
Let’s talk about secure payment methods. Are there some ways safer than others? If I’m going to pay online using a credit card, are there some ways that are safer? What should I watch for?
Marlon Buchanan:
Yeah, I kind of think of it, there’s kind of a hierarchy of safety. Nothing is 100% safe, but some things are safer than others or some things at least have more mechanisms for fixing something if something goes awry.
So I really like digital wallets. So PayPal, Google Pay, Apple Pay. And this is because not only do they often come with buyer protections when you’re buying them in case something goes wrong, but they don’t actually transmit your bank information or your credit card information to the seller. They usually transmit a token or a virtual credit card number. And so your information stays a little bit safer that way. So I really like digital wallets. There is a downside to them, but I like them a lot, and I can talk about the downside a little bit later.
Credit cards are still great because you’re not liable for fraud with credit cards. You just have to report it and you won’t be liable for the fraud. And a lot of the credit card companies now, I won’t say a lot, but there’s a few credit card companies that will also automatically generate a virtual credit card number and virtual security code, so that you’re not actually sending your real credit card information. It’s a one-time use virtual credit card that you can send to an online retailer to buy things.
And so it’s worth checking to see if your credit card company does that, or if you’re looking to get new credit, to find a credit card company that will do that. It keeps your information that much safer.
You still have to send your name, and your email address, and possibly your phone number, but at least your credit card number itself stays protected and not sent to the retailer, especially if it’s one you’re not 100% sure about.
Steve Bowcut:
Yeah, I like that. I really like the idea of using the wallet, the digital wallet, which is something that I don’t do nearly as much as I should, but I can certainly see the benefits of that. So now, I’m not sending my credit card and the code that goes with it to all these different vendors, some whom I may not be that familiar with. I’m just giving it once to the wallet, and they take it from there. So that’s excellent. I appreciate that.
And it just comes to my mind, and I’m sure it’s different with each bank. But is there an advantage of using a credit card over a debit card, or are they pretty much the same now because a debit card is offered by a credit card company? What’s your thoughts about that?
Marlon Buchanan:
My thought is that if you have a credit card, never use a debit card.
Steve Bowcut:
Never use a debit card.
Marlon Buchanan:
Debit cards. So if we’re talking in the United States, their federal protection is a little different. You are still liable for the first $50 of a fraud charge, and you can be liable for the whole charge if you don’t report it in a timely fashion.
The other issue is debit cards go directly to your bank account. And that’s usually a bigger issue, because that money is immediately gone. Whereas with the credit card, it’s not immediately gone. You have at least to the next statement before you even have to do anything. But your bank account, that money’s gone until you get it back.
Now, most banks are really good about refunding it quickly, but you can’t count on that. You also can’t count on the $50 that you’re liable for. And so to me, cash is a bit more important. And so I highly recommend not to use debit cards, and I would not call them equivalent at all.
Steve Bowcut:
So let’s talk just a bit. We probably don’t need to spend a lot of time on this, but I would like to touch on the role of VPNs. There again, if you go back a few decades, VPNs were probably the very best and the only way to assure some security for your communications that you’re sending across the open web. But with encryption now quite common in browsers, do you recommend them to your clients and your customers?
Marlon Buchanan:
Steven, that’s an excellent question, but I was hoping I could go and answer one thing that I said I was going to say, but I didn’t get to about digital wallets.
Steve Bowcut:
Please do, please do. That would be great.
Marlon Buchanan:
I said there was a downside to digital wallets. And again, you actually alluded to this in your response to that, and that’s that you have to give all of your information to this one place. And so while most of these places, it’s their job to do cybersecurity, it’s their job to keep all your information secure, the problem is that since they have all of it, if they get hacked, it’s possible that all your information’s gone there. But again, these places, they can’t stay in business unless they’re good at this.
So I did want to mention that about digital wallets before going further. I still think they’re the best way to pay. In addition to the things I mentioned before, they also all usually use some type of two-factor authentication when you’re paying, either a biometric or a pin code. But I did want to answer that since I said I would say that.
Steve Bowcut:
I appreciate that. And I think that goes back to something that you alluded to earlier, and that is it’s all about reducing risk. There is no 100% you’re going to be fine no matter what the solution. It’s all about reducing the risk.
And so sending your credit card information to an organization whose sole purpose is to protect that as opposed to sending it to lots of different websites, and that’s not really their sole purpose. Their sole purpose is to sell you stuff. And so your risk is less sending it to a digital wallet, in my opinion.
All right, now let’s talk about VPNs. How do you feel about them?
Marlon Buchanan:
Well, I think they have their purpose, but it’s not usually the purpose people think of them for. So most people tend to think of VPNs as, “I’m going to make everything safer. I’m going to make everything I do on the internet more safe and harder for people to crack.”
Well, most of the time when you’re shopping with an online retailer, all of your communications with them are already encrypted, and the VPN’s just adding another layer of encryption on top of that. But you really, most cases don’t need that for safety.
What VPNs are great at is privacy. So maybe you don’t want your ISP to know all the places that you’re shopping at, because even if you’re using HTTPS sites, that information, where you’re going, and all that stuff is still being logged by your ISP. Or maybe you’re on public wifi, and this is the time when I really recommend you use VPN, if you’re at a coffee shop, or you’re in a hotel or something like that.
There could be somebody who’s in the hotel. You don’t know how well the hotel’s wifi or the coffee shop’s wifi is configured. You don’t know if they have some security holes.
So somebody could be watching what you’re doing. Again, if you are transacting with a secure site, HTTPS site, they can’t really see the transaction coming forth. But they can see what sites you’re going to and they can see what kind of activities you’re doing on the internet. And possibly, you go to an unsecured site later and they can actually find out who you are. And that’s going to lead to you having more phishing attempts from a cyber attacker, because they’re going to know what sites you shopped at. They might know your name, might get your email.
And so I think VPNs are best for privacy, especially when you’re on networks where you don’t know how good the security is, which is pretty much any network but your home.
Steve Bowcut:
Yeah, exactly. Very good. Thank you. Again, valuable information. I appreciate that. All right, Marlon, let’s turn our attention toward social media. A lot of us spend too much time on social media, and they’ve become shopping platforms as well as platforms for communicating one with another. So give us your perceptions on what precautions that we should be taking about the advertising that happens there, links that we may or may not be clicking on. Let’s talk about social media.
Marlon Buchanan:
Sure. Yeah. Social media’s a hot topic. And there’s really a lot of things to be worried about with social media. I’m not saying no one should ever use social media, but there are some things you need to look out for.
Because the way that these social media companies make money is they’re using you as the product. The information they find out about you, what topics you’re interested in on their platforms. And they use that information to help advertisers target you.
Well, not all those advertisers are good actors. Some of them are trying to phish you, some of them are trying to trick you. Some of them are trying to get you to go to their counterfeit store.
So what social media does is allows people, even phishing people to target you better. And all of that other information that you share on social media about what vacations you’ve taken, what your family members are doing, all of that stuff is also available on social media. And oftentimes, depending on your setting, it’s pretty easy for anyone to get.
And then that’s another way for cyber criminals to use that information and maybe send you a phishing email or send a phishing post. Or even sometimes, people don’t even realize they have their phone numbers published on their social media profiles or even to call you.
Another way that cyber criminals can get to you from using social media is taking all that information, and creating a fake profile, and then reaching out to you. This is especially an issue for older adults who have lots of kids and grandkids, who have larger families. Maybe they can’t keep track of everyone, and their grandson Jim sends them an email saying, “Hey, can you check out this link? I’d really like you to go there so you can look at the kinds of presents I’d like for Christmas.” And that link leads you to ransomware or malware.
And you don’t remember what his Facebook handle or Twitter handle was. So you just think that’s the person. Maybe they use some information to authenticate themselves [inaudible 00:21:25]. That information can be used to get you to trust what scammers and cyber criminals are sending you even more.
So those are some of the problems that social media can present, and it just means you need to be more diligent about what you’re clicking on, and what you’re trusting, and which advertisements you’re going to.
Yeah. Excellent. Thank you. I know that one happens a lot. Anybody that uses Facebook in particular has seen that. A lot of times, you get a friend request from somebody, you think, “Well, I thought we were already friends, but oh well, I guess not.” And now you’re friends with somebody else, and they’re using a picture that maybe you recognize. “Oh yeah, that is my cousin’s picture.” Well, it’s easy to get your cousin’s picture if they have a Facebook account.
Marlon Buchanan:
That’s right.
Steve Bowcut:
That’s really good advice. Thank you for that. So we use our mobile devices a lot more now than we used to use, our desktops or our laptops. And so are there other precautions or security considerations that we need to think about when we’re using our smartphones or our tablets?
Marlon Buchanan:
I think a couple of considerations, specifically when you’re using a mobile device is never enter payment information in a public location. If you’re on the bus, I don’t care if you’re in a movie theater, on the subway, you never know who’s looking. You actually don’t even know where the cameras are located in the public places that could be recording you, and you don’t want to enter credit card and other information, passwords that are public. You want to make sure you’re at least hiding that in some way.
And so that’s another good reason to use digital wallets to pay for things, because really not entering a password or a credit card when you’re paying for something with a digital wallet. And that’s why digital wallets first came to mobile, because it’s made for mobile.
And just like anything else, you want to verify the sites you’re going to. And as we mentioned earlier, if you’re on a mobile device and you’re on a wifi network you’re not aware of or don’t know much about publicly, then you probably want to use a VPN if you have access to one.
Steve Bowcut:
Yeah, good point. I guess that’s the thing about mobile devices. They’re mobile, right? And that can be a problem. So you don’t know how you’re connected necessarily. All right, very good.
I wanted to touch on what we should do if we find… And I won’t say if, but when you find that your data has been part of a data breach. It’s probably happened to most of us. And if it hasn’t happened to us, I’m sure that it will. But what should we do when we realize that somebody has gathered and then sold our information?
Marlon Buchanan:
Yeah, I think there’s really three types of people when it comes to data breaches. Those who have had their data leaked, those who are going to have their data leaked, and those who don’t know their data has already been leaked.
Steve Bowcut:
Don’t know, exactly. Very good. I like that.
Marlon Buchanan:
So it’s really just something to get prepared for, and you really should just presume it’s going to happen or it’s already happened. So if you get a notification that a company has been breached that has your private information, the first thing you want to do, and the company’s going to make you do it is change your password. The next thing you want to do if you’re using that password at multiple sites, is go change all of those passwords too. Because cyber criminals will try those user credentials at multiple sites, because they know a lot of people just use the same password over and over again.
If your financial information is involved, or even if it’s not, if it’s anything that’s actually personally identifying, your name, your address, maybe a social security number, I’d recommend if you’re in the US that you put a fraud alert on your credit report. That will at least notify anyone who’s trying to open up an account in your name and even for you, that they should look a little bit more closely at the file and the person who’s applying for credit to make sure that’s you. It doesn’t stop you from getting credit, but it will make them look at things a little bit more carefully. It basically puts a flag on your credit record.
I would monitor your financial account. So check your credit card statements, check your bank statements. People use this information basically to start identity theft.
I would also take advantage of any free credit monitoring that the institution that got breached will offer you, because most likely, they will offer you free credit monitoring. You should take them up on that. And then I would raise your antennas up even higher for any phishing attempts. Because again, if your information’s more out there, one way that scammers make money is just selling that information, and then they sell it to people who want to phish you or commit identity theft. So just be more aware of potential phishing attempts that may come your way.
Steve Bowcut:
Excellent. And when you were talking about passwords, it made me think now there again, if you go back a decade or two, we used to tell people we’ll just have a different password for every site. Well, most of us have literally hundreds of different sites that we log into. You could never remember that many passwords. That would be impossible. So how do you feel about password managers? Is that something that you recommend?
Marlon Buchanan:
Yes, it’s definitely something I recommend. It’s one of the first things I recommend people do when I’m talking about cybersecurity. I don’t know how we went this far, this conversation without-
Steve Bowcut:
I know, without talking about it. Right?
Marlon Buchanan:
It’s almost like, yeah, you definitely should be using a password manager. So you can’t remember all those passwords, so you’re going to repeat them. And if you can remember them all, I bet they’re not hard to guess. So the best thing to do is to use a password manager, and have that be the thing that generates your passwords, and keeps all your passwords, and makes it so you’re using unique passwords at all the sites that you’re shopping at or logging into.
Steve Bowcut:
Yeah. Yeah. Okay. All right, so we’re about out of time. I do want to ask you, if there’s anything about the holiday season, what are some specific threats or things that people should be doing? Either one. And we’ve touched on a few and maybe we’ve covered them all, but is there anything else that’s unique about the holiday season that people should be aware of?
Marlon Buchanan:
I don’t know if there’s anything unique. There’s just a lot more cyber attacks and a lot more phishing attempts, a lot more vectors for you to be attacked out there. The only advice I would give is just if it seems too good to be true, it probably is. That’s your basic advice. Be very aware of fraudulent sites.
I think the one thing that may be really different or really heightened in the holiday time is, we talked about fake profiles earlier. Are people tugging at your heartstrings? People asking you to click on this site or get this for me, and it’s not even the person you think it is.
So just be really aware that phishing attempts are going to probably be even more emotional. People know you’re overwhelmed at the holiday time. So I would just recommend people, even though you’re overwhelmed, just take your time to do your due diligence, and make sure that the person that’s asking you for information is the right person, the right company, and that they’re only asking for the information that they need.
Steve Bowcut:
Yeah, no, I agree. Not only are most of us more overwhelmed, but we’re also feeling a little more generous. Right? It’s the season of giving, and there are unfortunately people out there who will prey on that combination of overwhelmed people that are feeling generous that makes you a target. So thank you. I appreciate that.
So lastly, before we close here, if you look into the future a little bit, are there any emerging technologies or things that you’re aware of that you’ve seen that you hope will be developed, or adopted better, or more in the future?
Marlon Buchanan:
I think biometrics is one, is a technology that we have, that I hope can help make things even more secure for us in the future. A lot of the times, the mobile payments that you use, those digital wallets, you can use your fingerprint to verify yourself. You can use Face ID if you’re using an iPhone to verify your identity as well. I think having more and more of that, being able to do that more on your desktop, those things are built into a lot of the phones, but there’s not as much of that built into desktops and laptops. It’s possible, but it’s not built into a lot of them. And a lot of the sites don’t support it that way.
So I’m hoping we get more and more biometrics, because having something that’s just you to help with anything that gets compromised will keep your information more safe. I’m actually more worried about the technologies that will help cyber criminals than-
Steve Bowcut:
AI and some things that make it easier.
Marlon Buchanan:
AI, even quantum computing with being able to crack a lot of the encryptions that we’re using now. But that’s where biometrics helps, because you are a lot harder to fake than your password, or your username, or any of those things.
Steve Bowcut:
Yeah. Excellent. Okay. Well, we’re out of time now. So Marlon, thank you so much. This has been a lot of fun. You brought a wealth of expertise, and I’m sure our audience is going to enjoy it. So thank you so much for spending some time with us.
Marlon Buchanan:
Thank you, Steven. I’ve enjoyed this conversation, and I hope it’s helpful to your audience.
Steve Bowcut:
I’m sure that it will be. And a big thanks to our listeners for being with us. And please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide podcast.