You left your computer unguarded in a coffee shop

“A combination of leaving your computer unlocked in a public space and storing passwords in spreadsheets or documents on your computer can leave you very susceptible.” – Tom DeSot, chief information officer of Digital Defense, Inc.
You gave info to an unencrypted site

“Entering sensitive information – like your credit card number – on an unencrypted website is risky. When entering personal information online, ensure the site is encrypted. How? Browsers like Firefox and Chrome will put a lock icon next to the URL to signal if a site is encrypted. Or, check to ensure the URL is ‘https’ not just ‘http’.” – Ashley Boyd, vice president of Advocacy at Mozilla.
Here are some more useful tips on how to avoid online shopping scams.
You’re impatient

“Many people cannot be bothered with entering additional information to verify their identity. They want to access their accounts in the most efficient and quickest manner possible. Unfortunately, this comes at a potential increased risk. The typical manner to access an online account is a username and password. So if an attacker gains access to this password they have access to your account. Enabling MFA [multi-factor authentication] on critical accounts such as online banking or email helps to minimise this risk because the attacker now needs another piece of information to access your accounts. Not all MFA’s are created equal. A common choice is to receive a code via a text message (SMS). This is not the most secure manner to use MFA, as an attacker can port a phone and receive the verification pin to access your account (as mentioned above). The better option is to have an authentication application such as Google Authenticator which allows you to enter a pin directly from the application.” – Will Mendez, director of Friedman CyZen LLC, a cybersecurity consulting company.