The minefield of buying and selling online

Online marketplaces have transformed over the past decade. While it’s never been easier to buy or sell, it’s also never been riskier. Artificial intelligence, mobile-first commerce, and peer-to-peer platforms have created new opportunities and new threats. Whether you’re an occasional user or an online trader, staying safe in 2025 means understanding modern risks and adopting secure behaviours. This article highlights some of the essential areas for both buyers and sellers. I also refer to some older security awareness articles that are still relevant today.

How online threats have evolved

Online scams have evolved far beyond basic phishing and fake listings. Fraudsters now use AI-generated content to impersonate people, automate conversations, and create fake websites that closely mimic trusted brands. At the same time, many new entrants have joined the market. Amazon and eBay were the pioneers, but they no longer dominate the marketplace.

  • Threat actors use AI to create convincing fake profiles, listings, and customer service chats. It is harder to spot fakes because tell-tale signs such as poor spelling and grammar are becoming a thing of the past.
  • Traditional auction sites are now part of a much larger, more fragmented ecosystem.
  • Email protection and spam filtering have evolved, but so have fraudsters with more convincing emails, social media profiles, text messages, instant messaging, and in-app messages.
  • Scammers now behave like real users, mimicking platform language, branding, and interfaces with ease, making scams harder to spot than ever.
  • The Website Credibility Test (5th March 2018) – Not all websites deserve your trust, even if they look professional. This article explores how poor design choices, such as fake search boxes (containing links), pop-ups, and sneaky opt-out purchases, often indicate dishonest business practices. It reminds readers that site behaviour directly reflects the people behind it, and you may be unable to trust it with your payment information.

Staying safe as a buyer

Buyers today must navigate deals across dozens of platforms, some offering little or no protection. Many scams involve off-platform communication or payment, which can void any dispute rights. Even when a transaction appears secure, scammers may attempt to use urgency or fear to push buyers into quick, irreversible decisions.

  • Stick to platforms with formal buyer protection and avoid off-platform transactions.
  • Use credit cards where possible, as they offer the strongest consumer protection.
  • Enable Multi-Factor Authentication (MFA) on shopping and payment accounts.
  • Be cautious with deals that seem urgent, emotional, or unusually cheap.
  • Always double-check the seller ratings, the age of the account, and listing consistency.
  • Confirm shipping costs and return policies before you buy. Consider the item’s location carefully as returning a low-cost item from overseas may cost more than the item itself.
  • Deviation from the Norm (29th June 2019) – Scammers don’t always ask for your money directly. They often ask you to behave in ways that feel unusual. This article highlights how fraudsters push victims into unorthodox payment methods like cash or bank transfers, offering excuses that sound urgent, emotional, or even official. Deviating from established norms, like not using a credit card, removes your safety net. The key message is simple: if the process feels off, it probably is.

Protecting yourself as a seller

Sellers face increasing pressure to provide a fast, friendly, and reliable service but also face rising risks from fraudulent buyers and chargebacks. Verifying payment, understanding platform rules, and setting boundaries are key to staying protected.

  • Never dispatch items until you’ve confirmed cleared payment.
  • Avoid off-platform messages that could void your ability to raise a dispute.
  • Watch for overpayment scams and never refund a mistake before verifying the original payment in cleared funds.
  • Understand how your platform handles refunds, chargebacks, and seller disputes.
  • If in doubt, cancel the sale and report the user.
  • Keep a record of everything relating to the transaction, such as photographs, messages, proof of postage, and receipts.
  • Unsafe financial transactions (16th July 2019) – Despite years of warnings, unsafe transactions are still commonplace. This article explains why bank transfers, upfront fees, and cheques expose buyers and sellers to avoidable risk. It also describes how fraudsters manipulate trust by creating fake emergencies, fake job offers, and fake loans to trigger emotional decisions. Recovery is difficult or impossible once money is sent, especially outside of regulated systems.
  • Reducing fraud with virtual cards (6th March 2022) – Virtual cards act like a firewall between your real bank details and the internet. This article introduces how they work, why they matter, and where they’re most effective, especially against subscription traps, stealth auto-renewals, and websites that refuse to remove your card details. By generating a disposable card number for each transaction, you can cancel future payments instantly without exposing your real account details. It’s an innovative process in today’s risk-heavy digital economy.

Trust and transparency

Trust still matters, but it is getting harder to gauge. Reviews, profiles, and trust signals are now easily faked. Scammers often impersonate legitimate businesses or flood their accounts with fake reviews to seem credible.

  • Look for account age, detailed feedback, and a history of similar transactions.
  • Check for signs of review manipulation, such as the same comments across multiple sellers, and be suspicious of vague or overly glowing feedback.
  • Use official company registers to validate business identities.
  • Providing visible contact details and policies demonstrates transparency and builds trust.

Modern Security Hygiene

Cyber hygiene has become a baseline expectation for all users. Relying solely on strong passwords isn’t enough. Buyers and sellers must adopt multi-layered security measures to protect their money and personal information.

  • Use a password manager to create and store strong, unique passwords. Don’t reuse passwords across multiple sites.
  • Enable Multi-Factor Authentication (MFA) on every account that supports it.
  • Avoid clicking on links in unsolicited emails or instant messages and go directly to the platform.
  • Keep mobile apps updated and install only from trusted sources.
  • Log out of platforms after transactions. Don’t rely on closing the browser tab.
  • Time for some digital housekeeping (25th February 2024) – The sheer number of online accounts we create has grown beyond what most people can realistically manage. This article looks at the long-term risks of account proliferation, from weak password habits to privacy exposure and an ever-expanding attack surface. It also critiques common website behaviours like blocking password managers (preventing the cut and paste of complex passwords) and unnecessarily requiring logins. With practical advice on using password vaults, enabling MFA, and deleting old accounts, it serves as a modern guide to cleaning up your digital footprint and regaining control.
  • More on passwords (21st January 2019) – This article revisits the basics of password security and why those basics still matter. It covers weak PINs, social media oversharing, and the risk of password reuse across multiple sites. It also touches on modern hacking tools that guess passwords based on personal information. Strong, unique credentials remain part of a solid defence.

What to do when something goes wrong

Even when you’re careful, things can still go wrong. Acting quickly and documenting everything improves your chances of recovering lost money or resolving disputes successfully.

  • Save all messages, screenshots, emails, receipts, and postage confirmations.
  • Report issues directly through the dispute resolution process.
  • Understand payment protection options like PayPal Buyer Protection or credit card chargebacks.
  • Monitor your financial accounts for unauthorised transactions after purchases.
  • File complaints within the time limits set by the platform.
  • If necessary, escalate to consumer protection bodies or regulators.

Concluding thoughts

Online marketplaces are no longer just the domain of digital natives. While younger generations have grown up with e-commerce, many people who previously avoided online transactions are venturing into digital marketplaces for the first time. Whether out of necessity, convenience, or curiosity, this growing wave of new participants includes individuals who may be less familiar with the risks. That’s why messages around online safety, fraud awareness, and secure practices need to keep circulating.

The technology may change, but the underlying tactics of scammers remain the same. To paraphrase P.T. Barnum, “There is a victim born every minute”. Here are a couple more articles that remain relevant today.

  • Caught in the Net (29th January 2019) – Phishing is still a leading cause of online fraud, and it’s not going away. This article explains how phishing emails work, why they’re effective, and how they prey on urgency, fear, or empathy to trick people into clicking links or sharing sensitive data. It also explains how even experienced users can fall for realistic scams and why a cautious, verification-first approach to email is essential in today’s environment.
  • Hit with the Spear (22nd July 2019) – Spear phishing is phishing with precision. This article explains how scammers gather personal details from social media, CVs, and online profiles to craft highly believable messages. Unlike random spam, these messages are tailored to the recipient and often bypass spam filters entirely. The article breaks down the process, from initial research to final action, and shows why oversharing online can open the door to persuasive attacks.

Stay safe and avoid Black Friday scams

Black Friday is approaching again, and while it promises incredible deals, it’s also a time to exercise caution. Cybercriminals see this as an opportunity to prey on unsuspecting shoppers who may let their guard down in pursuit of huge discounts.

  • Stick to trusted retailers – it can be tempting to explore unfamiliar websites offering huge discounts, but this is where the risk of scams is highest.
    • Stick with the businesses you know and trust, especially those you have successfully shopped with before.
    • If you are curious about a new retailer, search for reviews and verify their legitimacy before purchasing.
  • Avoid clicking links in emails – phishing scams are rampant during shopping seasons, with fraudulent emails disguised as offers from popular brands.
    • Go directly to the retailer’s official website through your browser.
    • Scammers often use addresses that look similar to legitimate companies but include subtle differences.
  • Beware of unnecessary software and apps – installing unfamiliar software or apps to access discounts is a significant red flag.
    • Avoid downloading new apps unless they are from familiar and trusted retailers and official app stores.
    • Avoid apps that request excessive access to your device or personal data.
  • Watch out for hidden memberships – special deals may sometimes come with strings attached, such as hidden memberships that require regular full-price purchases.
    • Before completing a transaction, ensure you’re not unwittingly subscribing to a recurring service.
    • Avoid deals that feel overly complicated.
    • Genuine bargains don’t require convoluted commitments.
    • Avoid paying for access to discounts.
  • Use secure payment methods – protect your financial information by choosing safer payment options when shopping online.
    • Use credit cards or payment services such as PayPal or Apple Pay, which often provide buyer protection in case of fraud.
    • Avoid direct bank transfers.
    • Avoid payment methods that don’t offer recourse if something goes wrong.
  • Look for HTTPS and Security Indicators – before entering any personal or payment information online, ensure the website is secure.
    • A secure website address will have “https://” at the beginning of the URL, along with a padlock icon in the address bar.
    • Be cautious and avoid unsecured websites.
  • Monitor your bank statements – fraudulent transactions can go unnoticed if you don’t keep an eye on your bank accounts.
    • Check your bank statements regularly to spot any unauthorised transactions.
    • Report suspicious activity immediately to your bank or card provider.
  • Avoid public Wi-Fi for online shopping – shopping on public Wi-Fi networks can leave you vulnerable to hackers.
    • Make purchases using private, password-protected Wi-Fi connections.
    • Virtual Private Networks (VPNs) add an extra layer of security, making your online activity harder to intercept.
  • Think before you buy – impulse purchases often lead to regret, especially for items you wouldn’t normally consider buying.
    • Be realistic about the product’s value.
    • Pause before purchasing. If something seems worthless or unnecessary at the recommended retail price, it’s likely not worth buying with a 90% discount.

Although this article is about Black Friday, adopting these practices all year round is wise to ensure safe and secure online shopping. Generally speaking, it is good practice to avoid buying in a way that doesn’t align with societal norms; being asked to do so should be considered a huge red flag.

Time for some Digital Housekeeping

As the internet evolved, so did the need for user accounts to access online information and services. Consequently, we now have hundreds of accounts, each requiring separate login credentials. This proliferation of digital accounts has led to significant issues and risks:

  • Unnecessary requirement for login credentials – not every site needs login credentials, yet we are often still required to create an account. I thought about writing this article many times, and then recently, I needed to sign up to 3 separate sites to benefit from the service offered by a single business. In this case, one user account should have been sufficient. Many sites and services shouldn’t need an account at all.
  • Remembering numerous passwords – this is inconvenient and introduces security risks. To remember login credentials, people often resort to using simple passwords, repeating the same password for different accounts, or creating lots of slightly different passwords based on a theme. If a hacker compromises one of your passwords, they could easily compromise many.
  • Password vaults – there are many different password management solutions, but these are not always foolproof and often require trust and dependence on third-party services. Password vaults do make the use of long, complex passwords viable.
  • Risk exposure – the more accounts you have, the more personal information is stored online, which increases the risk of sensitive data exposure in a breach. Also, more accounts mean more emails and communications from online services, and more time and effort are required to distinguish between legitimate messages and phishing attempts from scammers impersonating services to steal login credentials.
  • Privacy – each account will collect and store personal information. The more accounts you have, the more places your data is stored, increasing the risk that site owners will misuse or sell your data or track online behaviour, preferences, and interactions, leading to privacy concerns.
  • Attack surface – each account is a potential entry point for cybercriminals. The more accounts you have, the larger the attack surface.
  • Time-consuming – managing so many accounts can become time-consuming and distract from more productive activities.
  • Blocking cut and paste – storing passwords in a vault makes using long, complex passwords convenient. It is not helpful if site owners block cut and paste and require users to type passwords manually. A more recent change is to measure the time it takes to type a password and reject login attempts that are too quick. This blocks pasted passwords and passwords automatically filled from browser-based password vaults. It is well-intentioned but risks replacing complex passwords with simple passwords.

Practicing good cyber hygiene is essential:

  • Use a password vault so you don’t need to remember every password – this makes using strong passwords for each account easy. Be careful whose solution you choose. Make sure you select a reputable vendor.
  • Establish an inventory of sites where you have online accounts – using a password vault makes this much more manageable.
  • Delete accounts that you no longer need. You will still have an account even if you signed up for an online service using Google, Apple, Microsoft, Facebook, or LinkedIn credentials. In addition to deleting the account, it is also necessary to revoke access to the credentials, i.e., remove the service from the list of third-party sites in Google or other login services.
  • Don’t repeat passwords – use a different password for each user account.
  • Use Multi-Factor Authentication (MFA) to add security to your online account. The long-term effectiveness of MFA is the subject of much debate, given rapid technological changes and adaptability in cybercrime. The use of MFA is still better than not using it.
  • Don’t store credit card details on the sites unless absolutely necessary.
  • Avoid using immutable facts for authentication purposes. For example, your mother’s maiden name or the name of your first school will always remain the same and cannot be changed once exposed. Immutable facts are a poor choice for security, but websites and service providers still use them.

Ransom payments are an awful idea

In a nutshell, ransomware is malicious software designed to encrypt data. Threat actors then demand a ransom in exchange for decryption keys and deletion of stolen data. In practice, paying a ransom to decrypt data or to prevent the release of sensitive information to the public can be highly problematic:

  • No guarantee – Paying the ransom does not guarantee that the attackers will provide the decryption key or that they will not release the data. Once you make the payment, you don’t have any control over the attacker’s actions. There is no enforceable contract in place. Someone has committed a serious crime, yet they expect you to trust them. Hope is not a viable strategy.
  • Encourages future attacks – Paying the ransom encourages cybercriminals by giving them a highly lucrative incentive to continue their malicious activities. It also signals to other potential attackers that ransomware is a profitable business model. Attackers will add details of businesses willing to pay to a list and sell it to other cybercriminals.
  • Deprived of vital resources to improve security posture – Paying the ransom does not address the underlying security vulnerabilities that enabled the breach. In addition, it deprives the business of funding to fix those vulnerabilities, leaving it susceptible to further attacks.
  • Funds illegal activities – The funds obtained through ransom payments can finance further criminal activities, including additional cyberattacks, organized crime, and terrorism.
  • Legal and regulatory implications – Knowingly paying the ransom to cybercriminals in countries subject to government financial sanctions is illegal. Many countries have regulations prohibiting financial transactions with individuals and businesses in sanctioned countries, and sending money violates the sanctions. Paying a ransom is not an exception to this rule.
  • Payment can lead to a subscription model – Ransoms can be very high, and there is no guarantee that paying once will prevent future demands. Cybercriminals can easily make repeated financial demands to prevent sensitive data from being released and keep demanding more.

If an attack occurs, work with law enforcement, information security professionals, and insurance providers to respond to the incident. There may be a tendency to fear authorities or regulators and choose to deal with cybercriminals rather than face the consequences of having suffered an attack. In practice, dealing openly and honestly with authorities and regulators is the more appropriate and viable course.