FRESNO, Calif. (KFSN) -- Your holiday shopping could get you hacked.
Cybersecurity expert Matt McGuirk created a fake online vendor to show our sister ABC station in Chicago how criminals can steal your information as you shop.
"Silently in the background, my information has been stolen," he said. "This problem exists on virtually every website on the internet."
It's called cyber skimming and it's the online version of thieves getting your credit card information with physical skimmers.
FBI agents say people lost $1.8 billion to cyber skimming and similar online thefts last year.
A lot of shoppers told us they feel like they can't do anything about it.
"Online shopping, they don't really provide a whole lot of security when you're doing transactions and stuff, so I don't think there's a way to really securely buy something and know your stuff is going to be safe," sas Karina Villanueva.
Although the FBI has made some arrests, the hackers are mostly out of the country and hard to track down.
Local police investigators say it's hard to stop.
"If a website is compromised by malware or a virus, then there's nothing the user can do to detect that," says Clovis Police Digital Forensic Analyst Destin Watkins.
So how do you know if you've been hacked? You can use a website like haveibeenpwned, type in your email address, and it'll tell you.
In my case, I've had my personal information taken in eight different data breaches.
But you can avoid it.
Bryan Hamilton says he's a frequent online shopper, although hearing about data breaches and cyber skimming makes him hesitate.
"I have a software on my phone, so it pretty much blocks out scams and stuff like that, but they're still vulnerable to online websites," he said.
Watkins says most crooks prefer big data breaches to individual skimming.
The preventative measures are mostly the same.
Don't use a debit card because that gives thieves direct access to your bank account.
Stick to websites with secure addresses: A lock symbol or an "s" after "HTTP" in the web address tells you it's safer.
Use two-factor authentication when you can. Google and Microsoft will send codes to your phone so you can log in.
You can use a site like privacy.com to create individual digital cards for each website where you shop.
"The nice thing about these cards is they're merchant locked," Watkins said. "So if you make a purchase from say, sprinklerparts.com and they get breached, that credit card can only be used at sprinklerparts.com."
Forecasters at Adobe Analytics expect more than $200 billion in online sales this holiday season, with hackers and thieves hoping to find vulnerabilities the whole time.
"Don't take shortcuts," Watkins said. "Be sure of what you're doing. Have that safeguard of doing things the right way, of having a credit card you monitor, or using a privacy tool to make sure your accounts are all squared."
A few extra steps can make sure your holidays stay happy.