Holiday shopping season is also hacker season. Scammers create fake shopping sites, send phishing emails, and exploit the rush of deal-hunting shoppers. The FTC has warned that these attacks spike every November and December.

Two tools can dramatically reduce your risk: password managers and virtual cards. Here's what they do and how to verify you're actually protected.

Why These Two Tools Matter

Password Managers

Most people reuse passwords across multiple sites. When one site gets breached (and they do, constantly), attackers try those stolen credentials everywhere else. One weak link compromises everything.

Password managers solve this by:

  • Generating unique, complex passwords for every site
  • Storing them securely so you don't have to remember them
  • Auto-filling credentials so you're not typing passwords that can be captured
  • Warning you when saved credentials appear in known breaches

CISA recommends password managers as a fundamental security practice.

Virtual Cards

Every time you enter your real credit card number on a website, you're trusting that site with your financial data. Virtual cards add a layer between merchants and your actual account:

  • Generate unique card numbers for each merchant
  • Set spending limits per card
  • Disable cards instantly if compromised
  • Merchants never see your real card number

If a merchant gets breached, attackers get a useless virtual card number--not your real financial information.

What You Should Be Able to Verify

  • Which sites have your saved credentials (in your password manager)
  • Which passwords are weak or reused
  • Which credentials appeared in known breaches
  • Active virtual cards and their spending limits

If you can't check these things, you don't have enough visibility into your security.

Setting Up a Password Manager

Popular options include 1Password, Bitwarden, and Dashlane. Here's what to look for:

  1. Cross-device sync -- Your passwords should be available on phone, laptop, and tablet
  2. Browser extension -- Automatic filling means you're not typing passwords
  3. Security alerts -- Notifications when your credentials appear in breaches
  4. Password generator -- Built-in tool for creating strong, unique passwords

Once set up, go through your accounts and update passwords--especially financial accounts, email, and any site that has payment information.

Setting Up Virtual Cards

Many banks now offer virtual card features. Standalone services like Privacy.com also provide this capability. When setting up:

  1. Create merchant-specific cards -- One virtual card per retailer
  2. Set appropriate limits -- Cap spending to slightly above your expected purchase
  3. Enable notifications -- Get alerts for any charges
  4. Pause unused cards -- Disable cards after purchases complete

Red Flags When Shopping Online

Even with these tools, stay alert for:

  • Deals that seem too good to be true (they usually are)
  • Sites without HTTPS (padlock icon in browser)
  • Pressure tactics ("Only 2 left!" or countdown timers)
  • Payment methods outside the site (wire transfers, gift cards)
  • Unfamiliar checkout processes or payment pages

Questions to Ask Yourself

  • "Am I using unique passwords for each shopping site?"
  • "Would I know if my credentials were in a data breach?"
  • "Could a compromised retailer access my real card number?"
  • "Can I quickly disable a compromised payment method?"

The Bottom Line

Holiday hackers count on rushed, distracted shoppers using the same passwords everywhere and handing their real credit card numbers to every site. Password managers and virtual cards break both of those attack paths.

The goal isn't to avoid online shopping--it's to shop with visibility and control. Know what credentials are exposed. Know where your card numbers are stored. If something goes wrong, you can see it and respond fast.