Online shopping is mature enough that most of the technology is safe by default — TLS is universal, fraud detection is decent, major card networks absorb fraudulent charges. The risk surface moved to behaviors: phishing emails, fake storefronts, reused passwords, oversharing of data. A few habits protect you without becoming paranoid.

The 90% rule: use credit cards, not debit

Credit card fraud protection is genuinely strong. Under Regulation Z, your liability for unauthorized credit card charges is $0-$50. Visa, Mastercard, and Amex voluntarily waive even that. Disputed charges are investigated within days, and the disputed funds remain your money until the issuer rules.

Debit card fraud is worse in three ways: (1) stolen funds come out of your checking account immediately, not a creditor's balance; (2) the dispute timeline can run 10+ business days while the money is unavailable; (3) Reg E liability can reach $500+ if you don't report quickly. Use credit for anything online.

Virtual card numbers

Virtual cards generate unique 16-digit numbers that can be locked to a single merchant, spending limit, or time window. They contain damage from breaches — if the merchant is hacked and the card number leaks, it doesn't expose your real card.

| Service | Availability | Notes |
|---|---|---|
| Privacy.com | US bank accounts | Lock per-merchant; monthly / per-transaction limits; pause or close anytime |
| Capital One Eno | Capital One cardholders | Browser extension generates virtual numbers |
| Citi Virtual Account Numbers | Citi cardholders | Similar to Eno |
| Apple Card (with Apple Pay) | Apple Card | Device-account number; real number never transmitted |
| Revolut Disposable virtual cards | Revolut users | One-time cards regenerate after each use |

Phishing: the #1 real threat

Data breaches are industry problems; phishing is a you problem you can prevent.

  • Never click "shipment delayed" links from emails. Go to the retailer's website manually and check your orders.
  • USPS / UPS / FedEx never text "pay $1.99 for redelivery." If you get that text, it's phishing.
  • For emails about suspended accounts, card verification, or payment updates, go to the retailer directly via their website.
  • Check the sender's email domain carefully. amazon.com is real; amaz0n-support.com is not.
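
The sender-domain check above can be automated for a mail filter or a quick triage script. The following is an added example, not part of the original article; the TRUSTED list, the function names and the sample headers are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumed allowlist: the retailer and carrier domains you actually deal with.
TRUSTED = {"amazon.com", "ups.com", "usps.com", "fedex.com"}

# Digit-for-letter swaps commonly seen in lookalike domains.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def sender_domain(from_header):
    """Return the lowercased domain of the address in a From: header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify(from_header):
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    # Trusted only on an exact match or a real subdomain of a trusted domain.
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED):
        return "trusted"
    # Undo digit swaps, then split into tokens on "." and "-" so that
    # "amaz0n-support.com" becomes ["amazon", "support", "com"].
    # Whole-token matching avoids flagging "groups" because it contains "ups";
    # it will not catch brands glued to other words ("amazonsupport").
    tokens = set(re.split(r"[.-]", domain.translate(SWAPS)))
    brands = {t.split(".")[0] for t in TRUSTED}
    return "lookalike" if tokens & brands else "unknown"


# Constructed sample headers (not real messages).
SAMPLES = [
    "Amazon <auto-confirm@amazon.com>",
    "Amazon Support <billing@amaz0n-support.com>",
    "UPS <notice@ups.com.parcel-redelivery.example>",
    "Hobby Groups <news@groups.example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):10} {header}")
```

A "trusted" result only means the domain is not a lookalike; the From: header itself can be forged, so the advice to visit the retailer's site directly still applies.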

Password discipline

  • Use a password manager (1Password, Bitwarden, iCloud Keychain). Full stop.
  • Every site gets a unique, generated password.
  • Enable two-factor authentication (2FA) everywhere — app-based (Authy, Google Authenticator, 1Password built-in) is stronger than SMS.
  • Review your password manager's "data leak" check quarterly. If your email appears in a breach, change that password.

Fake storefronts

Scammers set up fake versions of popular brands or run drop-ship storefronts advertising on Facebook and Instagram. Before buying from any unfamiliar site:

  1. Check the domain age — whois.com shows when the domain was registered. A "cozy home goods" site registered 3 months ago is suspicious.
  2. Search "[site name] review" and "[site name] scam" on Google.
  3. Look for a physical address, phone number, and support email. If any is missing, walk away.
  4. Check Better Business Bureau and Trustpilot.
  5. If the prices are dramatically below other retailers, the item is likely counterfeit or won't arrive.
  6. Pay via PayPal or credit card for chargeback options. Never wire or Venmo a stranger.

Package theft

  • Use delivery lockers (Amazon Lockers, UPS Access Point, FedEx pickup).
  • Use delivery-to-work for high-value items.
  • Install a porch camera (Ring, Nest, Wyze).
  • Request signature confirmation for items over $200.
  • For recurring theft areas, use UPS MyChoice or Amazon Day to consolidate deliveries.

Data minimization at checkout

  • Skip optional fields: phone number, birthday. Most checkouts don't need them.
  • Use an email alias (Apple Hide My Email, Fastmail masked emails, SimpleLogin) so breaches don't connect accounts across merchants.
  • Don't save credit card info at minor merchants. Keep cards stored only at trusted frequent-use retailers (Amazon, big retailers).
  • Skip creating accounts where guest checkout is offered.

Read shipping / return policy before paying

  • Is there a return shipping fee?
  • Is the return window 14, 30, or 90 days?
  • Does the seller guarantee the item (or is it "final sale")?
  • Where does the item ship from (domestic vs international customs risk)?
  • Real-looking site, but all "contact us" links broken or pointing to a webform? Walk away.

If you get scammed

  1. Contact the merchant first — if a real merchant made a mistake, resolve via their support.
  2. If unresponsive or fraudulent, file a chargeback with your credit card issuer within 60 days.
  3. For marketplace purchases (Amazon, eBay, Etsy), file via their buyer protection program.
  4. If identity theft is suspected, freeze your credit at Equifax, Experian, TransUnion (free).
  5. File a complaint with the FTC (reportfraud.ftc.gov) and your state attorney general.

FAQ

Is Wi-Fi encryption enough for public-Wi-Fi shopping? TLS (https) protects transaction contents regardless of Wi-Fi. But phishing and session hijack risks exist on untrusted networks — use a VPN or cellular when shopping on public Wi-Fi.

Are browser autofill and saved cards safe? Modern browser credit card storage is encrypted locally. Safe on personal devices; risky on shared or public computers — never save cards there.

What about "shop anonymously"? True anonymity in commerce is hard (delivery addresses exist). Minimize data exposure instead: alias emails, virtual cards, no birth date sharing, minimal account creation.