Breachroad

Safe online shopping: how not to lose money

Fake shops, spoofed payments and intercepted cards. A practical guide to spotting a fraudulent store and paying safely online.

Karol Rapacz
28 May 2026 · 9 min read

Online shopping is convenient, but every year millions of people lose money to it — not through sophisticated hacks, but through ordinary scams: fake shops, spoofed payment gateways and intercepted card data. Sale seasons and “deals” only intensify it. The good news is that most of these losses are avoidable with a few simple habits. Here’s a practical guide to shopping online safely.

How to recognise a fake shop

Fraudulent shops look better and better, but a few signals usually give them away:

  • Prices too good to be true. Brand-name gear at a fraction of the price is the most common bait. If an offer beats the market by 70%, it’s almost certainly a trap.
  • Only unusual payment methods. A shop demanding a transfer to a private account, or a payment to a phone number — with no normal gateway — is a serious warning sign.
  • No company details. A real shop has a registration number, address, terms and real contact info. Their absence (or copied terms full of typos) is a red flag.
  • A fresh domain and time pressure. “Last items”, “sale ends in 10 minutes” plus a domain registered a week ago = a classic scam.
  • Fake reviews and stolen photos. Reviews that are uniformly enthusiastic and undated, and product photos lifted straight from other shops.

Before paying at an unknown shop: search its name with “reviews” and “scam”, check the domain registration date, and look for the shop on your national CERT’s warning list.
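The domain-age check can be done on an RDAP record, the JSON successor to WHOIS. The following is an added example, not code from the original article: the record, the domain `shop-deals.example` and the 90-day threshold are constructed for illustration.

```javascript
// Added example: read the registration date from an RDAP domain record
// (RFC 9083) and flag a recently registered domain.
// SAMPLE_RDAP is constructed; "shop-deals.example" is a placeholder.
const SAMPLE_RDAP = {
  objectClassName: "domain",
  ldhName: "shop-deals.example",
  events: [
    { eventAction: "registration", eventDate: "2026-05-20T09:14:00Z" },
    { eventAction: "expiration", eventDate: "2027-05-20T09:14:00Z" },
    { eventAction: "last changed", eventDate: "2026-05-21T11:02:00Z" },
  ],
};

const DAY_MS = 24 * 60 * 60 * 1000;

// minAgeDays is an assumption of this example, not a figure from the article.
function domainAgeCheck(record, now, minAgeDays = 90) {
  const events = Array.isArray(record.events) ? record.events : [];
  const reg = events.find((e) => e.eventAction === "registration");
  if (!reg) {
    // Some registries omit the event; "unknown" means not verified.
    return { domain: record.ldhName, ageDays: null, verdict: "unknown" };
  }
  const registered = new Date(reg.eventDate);
  if (Number.isNaN(registered.getTime())) {
    return { domain: record.ldhName, ageDays: null, verdict: "unknown" };
  }
  // Whole days between registration and the moment of the check.
  const ageDays = Math.floor((now.getTime() - registered.getTime()) / DAY_MS);
  const verdict = ageDays < minAgeDays ? "fresh" : "established";
  return { domain: record.ldhName, ageDays, verdict };
}

// Check the constructed record as of the article's publication date.
console.log(domainAgeCheck(SAMPLE_RDAP, new Date("2026-05-28T12:00:00Z")));
```

An "unknown" verdict should be treated like a missing company address: one more thing the shop has not let you verify.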

Safe payments — the golden rules

Pay by card or a trusted gateway, not by transfer to a private account. Card payments and intermediaries (e.g. PayPal, escrow systems) give real protection: in case of fraud you can request a chargeback and recover your money. A traditional transfer to a private account gives no such protection.

Consider a virtual or limited card. Many banks let you generate a one-time virtual card or set a low limit for online purchases. Even if the data leaks, losses are limited.

Beware of fake payment gateways. The classic scam (which we described for marketplaces) is a link to a “secure payment” that leads to a spoofed bank panel and captures your login. A real payment never starts from a link sent by the seller in a message.

Check the payment page address. Before entering card details or logging into your bank, make sure you’re on the real domain (the bank’s or a known gateway’s) and the connection is encrypted (HTTPS).
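The address check above, written out as an added example (not code from the original article). The allowlist and the sample URLs are constructed; `bank.example` and `secure-pay.example` are placeholders for your own bank and for a lookalike host.

```javascript
// Added example: decide whether a URL is a payment page you expect.
// TRUSTED_PAYMENT_HOSTS is a constructed allowlist; replace it with the
// domains of your own bank and the gateways you actually use.
const TRUSTED_PAYMENT_HOSTS = ["paypal.com", "bank.example"];

function checkPaymentUrl(raw, trusted = TRUSTED_PAYMENT_HOSTS) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "connection is not HTTPS" };
  }
  // Text before "@" is a username, not the site being visited.
  if (url.username || url.password) {
    return { ok: false, reason: "user@host form hides the real host" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  // Internationalised lookalikes are serialised as xn-- (punycode) labels.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "punycode label in host: " + host };
  }
  // Match the whole host or a true subdomain, never a substring.
  const match = trusted.find((d) => host === d || host.endsWith("." + d));
  if (!match) {
    return { ok: false, reason: "host is not a trusted domain: " + host };
  }
  return { ok: true, reason: "HTTPS on " + match };
}

// Constructed sample addresses: one genuine form and common lookalike forms.
const SAMPLE_URLS = [
  "https://www.paypal.com/checkout",
  "http://www.paypal.com/checkout",
  "https://paypal.com.secure-pay.example/login",
  "https://paypal.com@secure-pay.example/login",
  "https://p\u0430ypal.com/signin", // Cyrillic "a" in place of Latin "a"
];

for (const u of SAMPLE_URLS) {
  const result = checkPaymentUrl(u);
  console.log(result.ok ? "OK    " : "REJECT", u, "->", result.reason);
}
```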

Secure your accounts and card

  • Enable notifications and 3D Secure. Confirming payments in your banking app (3DS) blocks a fraudster from using card data alone.
  • Separate, strong passwords for shop accounts — ideally from a password manager. A shop account with a saved card is a tempting target.
  • MFA on your email and bank — the foundation we cover in our authentication article.
  • Don’t save card data in shops you don’t have to trust.

Watch out for sale seasons and fake texts

Sale periods are harvest time for fraudsters. The most common scenarios are fake parcel-surcharge texts (“Your parcel is waiting, pay a small fee”) and impersonating a courier or shop. The rule is simple: don’t click links in texts about parcels and payments. Check delivery status by going to the carrier’s site manually, not via a link in the message.

What to do if you’ve been a victim

  1. Contact your bank immediately — block the card and report the unauthorised transaction; for a card, ask about a chargeback.
  2. Change passwords for the shop account, email and bank (from a trusted device).
  3. Report the fraud to the police and your national CERT — you help warn others too.
  4. Collect evidence: screenshots, the shop address, payment confirmations.

Frequently asked questions (FAQ)

Is paying by card safer than a transfer? Usually yes — with a card you have the chargeback mechanism, which lets you recover money in case of fraud or non-delivery. A traditional transfer to a private account is a payment with practically no protection, which is why fraudsters ask for it so eagerly.

How do I quickly check whether a shop is trustworthy? Search the shop name with “reviews” and “scam”, check the domain registration date (a fresh domain for a “well-known brand” is a signal), look for company details (registration number, address) and check your national CERT’s warning list. A few minutes of checking saves a lot of trouble.

I got a text saying I must pay a parcel surcharge. What now? Don’t click the link. It’s almost certainly smishing. Check the parcel status by going to the carrier’s site manually and entering the tracking number. Real surcharges don’t happen via a text link leading to a bank panel.

Does a virtual card really help? Yes — a one-time or limited virtual card caps losses if the data leaks or you hit a fake shop. It’s one of the simplest and most effective protections when buying from less-known places.

I run an online shop — how do I protect customers? Customer security is also your reputation. Enforce HTTPS, keep updates and platform security in order, secure payments and data per GDPR, and at larger scale order a security test. A cloned shop or a card-data leak hits customer trust directly. Let’s talk.

Summary

Safe online shopping is mostly common sense and a few habits: don’t trust prices too good to be true, pay by card or a trusted gateway (not a transfer to a private account), use a virtual card and 3D Secure, protect accounts with strong passwords and MFA, and ignore links in parcel texts. These simple rules close the door to the vast majority of scams — and if something goes wrong, a card gives you a chance to recover your money.


Sources and further reading: CISA, FTC — online shopping.
