Security Solutions and Best Practices to Protect Against E-Commerce Threats


Learn about prevalent e-commerce cyberthreats, as well as the security solutions and best practices necessary to protect your customers and your business.

American Express
January 10, 2024

      Cybersecurity attacks cost the global economy hundreds of billions of dollars annually, and the damages continue to mount. Retailers are a primary target for cybercriminals because they process and store high-value payment data and personal customer information – and e-commerce merchants are especially vulnerable.

      Most merchants take these security threats seriously, of course, and are aware of the importance of cybersecurity, but e-commerce companies find that they should constantly fine-tune their security controls to keep up with new criminal tactics. Thus, it’s critical for online retailers to understand the types of cyberthreats they’re likely to encounter, as well as the best-practice security solutions they can adopt to help defend themselves and their customers.

      Types of Cybersecurity Attacks in E-Commerce

      Cyberattacks on e-commerce retailers come in many guises, any one of which might disrupt a company’s e-commerce platform, expose customer data, and require significant remediation efforts. Mitigating these risks is essential to earning and keeping customer trust. But that requires e-commerce retailers to remain aware of the evolving types of fraud and cybersecurity threats. Only by preparing in this way can e-commerce retailers ensure that they have implemented effective security solutions and best practices to defend against cyberthreats across their sales funnel, from online shopping to the checkout process to fulfillment – and even throughout the returns process.

      Transaction Fraud

      Transaction fraud can take many forms, but it generally refers to any false, illegal, or illegitimate transaction made online. Typically, criminals may impersonate a legitimate customer, using the customer’s login credentials or payment information to make purchases from an e-commerce store. The customer’s credentials may have been purchased on the dark web or stolen from your own system or that of another business.

      Phishing

      An e-commerce retailer’s customers may be targeted in a phishing scam, but, in such cases, the damage typically extends to the business, as well. This is because cybercriminals pose as the retailer in a phishing attack, potentially harming brand reputation. For example, bad actors may send emails, text messages, or similar communications using a merchant’s logo, URL, or other information to make the request seem legitimate. Then, they may ask customers to verify their login credentials, credit card number, or other high-value data, getting easy access to personal information in the process.

      Malware and Malicious Code

      Malware refers to malicious software programs – such as spyware, viruses, trojan horses, and ransomware – that cybercriminals install on networks and devices. Once onboard, malware can spread to customers or system administrators, giving the bad guys access to high-value data. 

      Similarly, malicious code can be embedded into systems to enable data theft. E-commerce merchants should be especially aware that cybercriminals are always eager to embed malicious code within the retail website’s payment processing page. When the cybercriminals are successful, they can quickly and quietly gather all the payment data that customers enter on the site, without setting off any big alarms.

      Spam Emails

      Spam emails – those unsolicited communiques sent in bulk to giant lists of recipients – remain a tried-and-true weapon in the cybercriminal’s toolbox. The bad guys can use spam to help them carry out phishing or malware attacks. They might embed links in the messages that take the recipient to a phishing site, or use the email to deliver malware to a device or network.

      Distributed Denial-of-Service (DDoS) Attacks

      Distributed denial-of-service (DDoS) attacks are one of the oldest varieties of cyberattack, and they remain a persistent threat to companies of all sizes. In a DDoS attack, an e-commerce company’s servers are hit with an overwhelming number of requests from usually untraceable IP addresses, causing its servers to crash. When networks, and the e-commerce platforms that rely on them, become unavailable, e-commerce merchants are essentially closed for business until the situation is remediated. But the damage can extend beyond any short-term server outage to include financial losses, disgruntled customers and partners, and lasting brand damage.

      Bad Bots

      Most of us are familiar with today’s mostly benevolent bots that power many consumer tech tools, like our smartphones and home assistants. In fact, many e-commerce companies rely on bots for a variety of functions, whether it’s answering customer questions or tracking visitors to their online stores. But there are malevolent bots at work, too. Cybercriminals can program bots or larger networks of bots (“botnets”) to help them carry out their phishing or DDoS attacks. E-commerce competitors can deploy bots to gather information about their rivals’ inventory or pricing strategy, and use the information to win customers away from them. Cyberthieves can even send malicious bots to e-commerce checkout pages in order to buy large amounts of a product, which they then resell at a premium.

      Fake Returns and Refund Fraud

      Another avenue for fraudsters to make money off of unsuspecting e-commerce firms is by submitting illegitimate return requests for refunds. There are multiple methods to accomplish this. Some cybercriminals will use a stolen credit card to purchase merchandise, then claim that the card has been closed and request a refund to another card. Others may use counterfeit receipts to request refunds for items they never purchased.

      Man-in-the-Middle Attacks

      As technology evolves, so do cybercriminals’ schemes. Man-in-the-middle attacks involve intercepting communication between two parties – say, an online retailer and its customer. In the middle sits the bad actor, intercepting and collecting valuable information, like passwords and payment data. Man-in-the-middle attacks are particularly dangerous because they are easy to implement and hard to detect.


      E-Commerce Security Solutions and Best Practices

      Although the wide array of damaging e-commerce security threats laid out above can seem overwhelming, there are security solutions and best practices that can help minimize the likelihood that they may disrupt an e-commerce marketplace. Some of these tools and tactics are relatively cheap and easy to implement, while others require additional investment in more robust cybersecurity software. All of them, however, are worth their time and cost in order to not only keep an e-commerce store up and running, but also protect customer data.

      The following are some smart steps to consider:

      Use Address Verification Systems

      One of the more simple and straightforward tools to put in place, an address verification system compares the customer’s billing address against the credit card issuer’s information on file. If the addresses don’t match, the system prevents the transaction from going through.

      Employ Password Best Practices

      Many e-commerce businesses fail to require their customers to provide strong passwords, making client accounts easier to exploit. Implementing a system that requires customers to use strong passwords (with letters, numbers, and symbols) is a good first step. Try to make sure employees and system admins also have strong passwords, while you’re at it, as this can help prevent unauthorized access.

      Consider Multifactor Authentication (MFA)

      A step beyond good password hygiene is MFA, which cybersecurity experts recommend to help neutralize the vast majority of common cyberthreats that begin with unauthorized system access. With MFA, customers and employees authenticate themselves by providing an additional piece of identifying information beyond a username and password, such as their fingerprint or a one-time passcode sent to their personal device.
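
The one-time passcode factor mentioned above only helps if the server enforces expiry, single use and a cap on guesses. The Python below is an added example, not American Express code; the five-minute lifetime, the three-attempt limit and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 3        # assumed policy: three wrong guesses lock the challenge


def _digest(salt, code):
    # Salted digest so the server record never holds the code itself.
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


def issue_challenge(now=None):
    """Return (server_record, code); the code goes to the user's device only."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from a CSPRNG
    salt = secrets.token_bytes(16)
    record = {"salt": salt, "digest": _digest(salt, code),
              "expires_at": now + CODE_TTL_SECONDS, "attempts": 0, "used": False}
    return record, code


def verify(record, submitted, now=None):
    """Return 'ok', 'retry', 'locked' or 'rejected' for a submitted code."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires_at"]:
        return "rejected"  # replayed or expired code
    if record["attempts"] >= MAX_ATTEMPTS:
        return "locked"    # too many guesses; a new challenge must be issued
    record["attempts"] += 1
    # Constant-time comparison avoids leaking how much of the code matched.
    if hmac.compare_digest(_digest(record["salt"], submitted), record["digest"]):
        record["used"] = True
        return "ok"
    return "locked" if record["attempts"] >= MAX_ATTEMPTS else "retry"
```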

      Exercise Tight Access Controls

      User access management can go a long way toward controlling the blast radius of a cybersecurity attack. Restricting systems access and permissions to only those who need it is a best practice, as is immediately revoking access and associated permissions when employees leave or are terminated.

      Use Payment Gateways

      Rather than being responsible for storing and securing customer information, e-commerce companies can use a third-party payment vendor, such as PayPal, Apple Pay, or Stripe, to handle payment transactions separately from their website. These payment gateways, which have a variety of security controls in place, then authorize credit card transactions, collect the funds, and deposit the money into the business’s account. This not only better protects customers’ information, but it can also ultimately make an e-commerce site less attractive to cybercriminals.

      Switch to an HTTPS Protocol

      Many e-commerce businesses still use HTTP protocols to send information between web browsers and their websites, but this procedure is more vulnerable to cyberattacks. HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP; it is supported by Transport Layer Security (TLS) or Secure Sockets Layer (SSL), which encrypt the connection between the merchant’s server and the customer’s browser to protect personal user data, like credit card numbers, passwords, and addresses. Before switching to HTTPS, a business will need a current TLS or SSL certificate from its hosting company. This step is worth it, though, as it can give customers peace of mind that you are protecting their information – and your business.

      Patch Regularly

      The software that runs an e-commerce website should be regularly updated to patch vulnerabilities that may leave it open to attack. Online retailers should consider turning on automatic updates to keep up with these fixes.

      Layer on Security

      E-commerce sites can beef up their own website security by putting in place layers of cybersecurity tools, such as readily available security plug-ins, antivirus scanning, secure email gateways, and anti-malware software.

      The Bottom Line

      Cyber risk management is a must for any business. For e-commerce companies, establishing sound security measures and implementing best-in-class security solutions can be vital to both helping to ensure that your customers’ information is kept safe and helping to prevent attacks against your business. Taking steps to safeguard sensitive data and critical networks and assets can save an e-commerce business untold amounts of money, time, and energy in the long run – and help safeguard its reputation at the same time.

      Photo: Getty Images


      Published: January 03, 2024

      Updated: January 10, 2024

