/ Scams

How to stay cyber secure over Christmas

The National Cyber Security Centre (NCSC), together with the Cabinet Office, Home Office and DCMS, has relaunched its Cyber Aware campaign to cover the festive period. Our guest explains how they’re helping keep consumers safe online.

This is a guest post by Nicky Hudson of the National Cyber Security Centre. All views expressed are her own, and not necessarily shared by Which?. 

This year has been a strange and difficult year for many of us. Technology, however, has helped us adapt to a new kind of ‘normal’ as more aspects of our day-to-day lives move online.

As the festive period approaches, we will spend even more time online, shopping and socialising. However, this also provides more opportunities for fraudsters. 

The National Fraud Intelligence Bureau has estimated that cyber criminals stole an average of £775 from each online shopping victim over the same time last year.

With this in mind, our technical experts at the NCSC would like to reiterate the six steps we put together and discussed here back in May that will help people protect themselves from the majority of online crime.

Our NCSC tips for staying secure this Christmas

Use a strong and separate password for your email – Your email is the way into all your online accounts so keep it safe with a unique password.

Create strong passwords using 3 random words – The longer your password, the harder it is to hack. Long passwords can be difficult to remember. But using three random words will help you create passwords that are both long and strong.

Save your passwords in your browser – Remembering lots of passwords can be difficult, but if you save them in your browser you don’t have to and it’s safer than re-using the same password for all your accounts.

Turn on two-factor authentication (2 FA) – This free security feature adds an extra layer of protection online and stops cyber criminals getting into your accounts, even if they have your password.

Update your devices and apps – Using the latest software, apps and operating system can fix bugs and immediately improve your security.

Back up your data – If your device is compromised by a cyber criminal your sensitive personal data can be lost, damaged or stolen. Keep a copy of your important information by backing it up.

From today (4 December), you’ll see and hear more of these tips across TV and radio throughout December as we launch the government’s ‘Cyber Aware’ campaign.

Our campaign

With support from big names such as Microsoft, BT, ASOS and, of course, Which?, we want to equip you with the knowledge to keep you and your loved ones safe from cyber criminals.

It’s never been more important for us all to understand and follow cyber security best practices. 

We’ve launched a dedicated website to help you become Cyber Aware, with lots of advice on online safety. I would encourage everyone to visit cyberaware.gov.uk and read our guidance. 

Taking these essential steps to secure your data and online accounts won’t take much time and will greatly reduce the chances of hackers giving you a nasty surprise this festive period, into the New Year and beyond.

This was a guest post by Nicky Hudson of the National Cyber Security Centre. All views expressed were her own, and not necessarily shared by Which?. 


This is an updated version of the online shopping checklist I put together to help people shop more safely online and find out who they are buying from before getting scammed.

Before buying a product online, always check out the seller and the product. Even the most legitimate-looking websites can be fake so do your homework first.

Look for all the names, addresses and phone numbers associated with the website. The website name, the company name and the seller name can all be different. Beware if none of this information is available.

Can you find addresses for the seller? A seller might use several addresses – registered address, VAT, trading, website, check them all out. Are there other ‘sellers’ at the same address?

Search tip: Put phrases in “double quotes” to get an exact match. Works on Google but not all sites.
Removing the double quotes might also bring up some interesting results.

Here are a few sites you can use to check before you buy:

Search for businesses and people
Companies House
Addresses don’t work too well but single words do. There is now a search for officers by location that sort of works for other search terms e.g. John Smith location:”High Street, London”.


What you find is not necessarily the truth but can be a good indicator. Many of the reviews on are fake – a sure sign that something is amiss. Look to see what other reviews the reviewer has left.
I take more notice of bad reviews that often give further information on the seller or the product.

Check VAT numbers

Look up addresses Check the timeline to see how the building or area has changed. Scammers often use an address of a vacant building or one that has just been knocked down.
https://www.getmapping.com/ (limited but different timelines for free)

Search phone numbers
Put number in double quotes to move spaces around e.g.
“01234 567 890”
“+44 1234 567890”

Search product images
Reverse images (flip horizontally) and search again.

How long has the seller been trading?
Amazon and ebay both show this info. If the seller is new, be very careful.
Ask the seller a question just to get a reply. This could be just asking the weight or dimensions of the product.
Search the reply email address.

Search selected text in “double quotes” from advert or reviews: e.g. “left-handed screwdriver”

Search products on foreign eBay/Amazon sites
Put part of the description in double quotes “like this” with e.g. amazon.de or ebay.ca

Google translator (Chinese names & addresses can have interesting results)

It is almost impossible to check out sellers thoroughly especially with so many scammers on Facebook selling products that look to good to be true. My advice would be to only buy locally and arrange to meet the seller where you can examine the product and exchange product and cash in person.

Website Checkers
I don’t know very much about the following websites but Kaspersky rates them as safe. A good rating might mean they haven’t been found out yet especially if they are fairly new.

Check the safety of a website or email. No unsafe content found is only one indicator and should not be trusted on its own.


If anyone has anything to add or knows some useful sites please post them here. Putting a space after the http will stop them going into moderation.

Alfa, thanks very much for re-posting your online shopping safety guide. I do hope it will be widely read and acted upon.

Thanks for the information Alfa. Some of those suggestions I already follow especially when researching a company or business I might be having dealings with. With all the negative press over the years on facebook, ebay, google etc I avoid them like the plague as far as I possibly can and I would caveat emptor all of them. Too many fake reviews, dodgy sellers, poor refund policies and privacy issues for my liking!
I understand @crusader concerns with storing passwords anywhere except on paper, locked away. Surely the theft of any device using a password manager is a big worry & what if a hacker gets into your computer. Having said that it is mainly only financial websites where I am not using a password manager and even then the passwords are different and have their own code. I am not concerned about using a masked email/password manager for sites where I am only ever accessing information for example.
Additionally I use more than one browser i.e. Opera, Firefox or Brave and clear all cookies, history, browsing data etc. throughout the day. It means logging into websites every time I visit them but I dont find it onerous. I think it is good practice to log out of websites when finished using them.
This may sound a bit excessive to some but then I think you just cant be too careful using the internet.

Michael P says:
5 December 2020

ON CHECKING PHONE NUMBERS: I have received calls telling me that my internet will be disconnected in 24 to 48 hours. When I did answer the caller had an almost unintelligible Indian accent. Also, in a text (“BT here”) I am sent a one-off code. I find this very suspicious and have therefore checked the caller’s number. The numbers vary. They start with 0480, 0666, 0508, 0121. Laborious checking reveals that these numbers are starting numbers used on mobiles in India and Saudi Arabia. SO WHAT’S MY POINT? My point is that this proves that Caller Identification Numbers can be faked. You can’t rely on them 100%. WHAT HAVE I DONE ABOUT IT? I blocked these numbers on my phone and reported them as scam calls to BT.

I believe too much emphasis is given to supporting and reimbursing scam victims instead of giving them the knowledge to avoid scams in the first place. Why do people know they can get their money back if they are scammed but don’t know a few simple steps that could have prevented them from becoming scam victims in the first place. Just doing a few of my suggestions usually tells me whether a website is likely to be safe or not.

This is a a police alert I received for staying safe at Christmas. Although it contains some good advice, it is seriously lacking any real guidance on how to carry out those checks:

100% agree with logging out of websites and clearing out browsing data, as it ‘should’ stop you being tracked. A year or so ago, M&S removed their logout. I don’t know whether it was my notifying them or not, but it was soon reinstated. I also use several browsers but have almost given up on Opera, why is it so s-l-o-w?

My passwords will stay stored on paper for the time being. Password managers have never been hacked have they? ☹️

Patrick Taylor says:
5 December 2020

Excellent stuff Alfa.

The use of Companies House, Vat registration etc are all sensible extensions to a search on a supplier. Unfortunately there are people who are incapable of making good judgements or even of thinking through the potential problems.

How one deals with this is a puzzle. Should there be some proficiency level for online card use were we show we use most of the steps relevant to that type of purchase ? Or do we need regulated Web market sites run perhaps by the State [Trading Standards – if such a thing still existed] where only suitable UK businesses would be found.

In olden days markets were regulated to keep out rogues , perhaps there is a lesson there. Amazon can still be Amazon but many sellers might prefer not to be paying Amazon fees and then find Amazon are bringing out a competing product.

I totally disagree with storing passwords in the browser, or anywhere online, or on the computer or a phone. I keep mine written on cards which are then locked away, I don’t use password managers or anything similar and I NEVER store anything sensitive or private on my PC or my phone or anywhere online, that’s just asking for trouble. And you should always use top of the range full security programs with a safe pay feature and put any websites you intend to buy from in there first, that should give you an extra layer of protection. And if you use paypal then don’t use the friends and family feature to send money to strangers, always treat them as a merchant. And if you must store sensitive files, then store them on CD or DVD discs or a separate external hard drive which can be unplugged from the computer and locked away somewhere secure. And of course NEVER use the same password for two or more sites or accounts etc. or the same username. And keep passwords long and complex without any proper words or names or well known number combinations etc. but use combinations of upper and lower case letters, and numbers and symbols which can’t be so easily cracked with dictionary software which some fraudsters use. And of course always check the web address for the https feature, if the s isn’t there it’s not secure. Although some sites while not secure as a whole still have a secure payment page which must have the https feature so always check first before entering anything sensitive. And of course check to see if the padlock feature is there in the address bar which you can click on to check the site information to see if it has a valid certificate which it MUST have. A decent security program should warn you about invalid or expired certificates and block any sites which have one and it should also block any site which has other security failings or is infected with malware. And always clear cookies and other sensitive stuff after browsing.

Michael P says:
5 December 2020

In order to further improve security the files stored externally should be encrypted. I use BitLocker which comes with Windows 10 Pro for this. There are other apps.

I now store password in Apple’s Keychain on my Macs. This avoids the temptation to use the same. password for different purposes, or a weak one. I presume that Windows offers a similar system.

I don’t think W10 has a close equivalent to Mac Keychain. If it did, I expect NCSC would have recommended it instead of, or as an alternative, to the use of web browsers for password storage.

A cloud based Keychain is also available as a standard option for iPhones.

Some Linux desktop OSes also have keychain facilities built-in, but many do not.

Obviously, tech savvy users can always install suitable apps to add such facilities, but it nice that Apple have set things up so folk don’t need to do that.

Thanks Derek. I had not heard of an equivalent in W10, but Windows and MacOS now have many other features in common.

I think the NCSC recommendation for site-unique passwords to be stored in browsers is a good pragmatic choice, especially for anyone who wants to achieve good security without using difficult or complex arrangements.

I use it myself for “low risk” websites, but not for banks or important email accounts.

When securing an important email account, it also important to set up and maintain password recovery options. These can involve nominating a different email address or a mobile phone number. I’ve seen quite a few folk get into trouble when they have forgotten their passwords and also lost access to the specified back up email or phone number.

JonDoH says:
5 December 2020

I am not a security expert. However, all the good advice is great for tech savvy people – but not for most “ordinary” people on the Internet (better called Hacker’s Heaven!).
You have to be more blunt to help “ordinary” people. People think their email address is part of “security” – IT IS NOT! Users have but one level of security, their password. Your email address is all over the internet (the likes of Facebook, Google, etc help to make sure of that to earn their advertising money). You “give” your email address away every time they email someone.
Using your email address as an security identifier when logging on to anything is what makes is so easy for the bad guys (& gals) – they are 50% of the way there already. Log On screens should not require your email address (or any sub-part of it) – if your email supplier allows you to use something like a User Name, make one up and use that instead of your email address (that makes it a bit like what all the techies on here call “2FA” – two factor authentication)
Security on the internet is a misnomer, just look at the lengths the helpful comments on here advise you to do to keep safe. If you had to do all that in the High Street businesses would never sell anything!
Stay Safe, Best Wishes to you all. 🙂

I think the NCSC are the real security experts here.

As a training expert, I like the way their advice is structured to recommend six key actions, with the most important ones first.

I also like the way that those actions are presented in simple and clear language, backed up by detailed explanations, for those who want more in depth knowledge.

I agree. I particularly like the way people are slowly coming round to the realisation that using three words as a password is far more secure that simply inserting random ‘special’
characters. Last time I promoted that more than a year or so ago, it was roundly condemned by some. Hopefully, now the NCSC are suggesting it, folk will be more likely to follow the advice.

Sometimes the length of password is limited and using three words my not be possible. I’m not keen on using four-letter words. 🙂

I never liked using ‘special characters’ but have had to use them because with some systems there is no alternative. On one occasion I was not able to change to a more secure password and after a discussion with the company I learned that their software would not accept passwords containing special characters.

I hope that biometric security systems will replace passwords.

My passwords range from very simple where if they were hacked could do no harm, to more complex and 2 or 3 words. Depends what they are for.

Biometric would be interesting. My fingerprints have almost worn off making airport security fun when their scanners can’t read them.

I managed to wear out a fingerprint once but it started working again within a week. Retina scanning and Face ID are alternatives and combined biometric methods would offer more security with little inconvenience. We live in interesting times.

It is claimed that some people are still using the names of their pets or children as passwords.

I have never had any success with my fingerprint, due probably to my now somewhat dated and worn but still very active and working fingers. Numerous attempts to get the fingerprint to work hasn’t helped, so I now just ignore it and use the password first before it lets me type in my email address.

That’s disappointing. My laptop can be set up to recognise more than one finger and so could my old phone, although the new one uses Face ID. I expect that most people use an index finger but a little finger is less likely to become worn or damaged.

I had the same trouble on my last visit to the US. I didn’t think they would let me in at Chicago O’Hare International Airport until they were able to obtain a readable fingerprint which took a while.

I was under the impression (pardon the pun) that you only gave one fingerprint that was able to be used as a form of ID but was subject to change to another finger in the event of it becoming unrecognisable.

Apple allows users to set up fingerprint recognition for five fingers on their products, and I presume that other manufacturers also allow recognition of more than one finger too. Retina scanning is more secure but presumably there are only two options.

So can Apple sell you a new set of fingerprints, if your old ones become compromised?

I don’t think Apple will sell fingerprints but their products cost an arm and a leg.

It was a while ago we last went to the US so I can’t remember how many fingers had to be scanned.

US immigration told me a lot of women have the same problem, it’s because of all the cleaning we do apparently. 🤐

I believe iris recognition may be more used than retinal scanning. Hard contact lenses may well disrupt a positive identification.

The NCSC advises storing passwords in your browser – this is TERRIBLE advice!
Anyone else using your computer/iPad or whatever can then have access to all your passwords!
Ergo this is a pretty stupid suggestion.
They can do this pretty easily even if you have a password or PIN which you think is a protection – and a hacker can easily get around this too.
Passwords on most computers including Windows and Macs are easily by-passed if people even use them and very people use password protection on their browsers – so it is open season on your passwords!
Malware on your computer is another way someone could easily gain access to passwords on your browser too – storing them in this way is just asking for trouble.
The most secure method by far is using a password manager that encrypts the passwords and is itself protected by a very safe passphrase longer than at least 12 characters with a mix of upper and lower case letters and numbers and symbols and using multifactor authentication.

I find it astonishing that the NCSC would put out such astonishingly bad security advice.

If you set up a guest account in addition to your administrator account the guest will not be able to make use of passwords stored in browsers or alter important settings on the computer.

Hi John, I agree that using a password manager is more secure that storing passwords in a browser.

But the point of the NCSC advice is that anyone who uses the same password for all their different accounts needs to stop doing that. Asking them to use unique passwords for each account and store them in their browser is a good pragmatic choice.

If they act on that advice, then they will become much safer online.

Those who could take the extra step of using a password manager would end up by being even safer, but asking everyone to take that extra step could be counterproductive and might discourage some from following the advice at all.

I think this is a example of not letting the best become the enemy of the good.

Another example of ‘not letting the best become the enemy of the good’ is to back up the most important information, whereas it would be best to back up everything. Nicky. mentions this in her introduction.

Agreed. I suspect many people do not have the tools, skills and patience needed for full backups.

One of my friends recently suffered a total failure of the hard drive on her photography PC. Luckily, almost everything was backed up, so nothing irreplaceable was lost.

Another thing you can do is not keep too much cash in your current account, or whichever account you use for online purchases. But instead try and keep as much cash as possible in another account, like a savings account so it’s out of reach of thieving online scammers. It’s like the old saying which is now far more relevant, don’t put all your eggs in one basket.

I do this by online banking and money can be transferred from one account to another very quickly. At one time I transferred money to gain interest but at present it’s a matter of not keeping these eggs in one basket.