Anything involving the wide open spaces of the Internet evokes the question of security. Hackers stop at nothing, so is my information safe, and are my passwords being leaked? Is my activity monitored? Will I be put in a compromising situation? If these concerns regarding personal Internet use are grave enough, how much more expansive do these concerns become when you’re running an ecommerce business?
The widespread WannaCry ransomware attacks are still fresh in memory. It held many commercial and personal computer owners at ransom, with a message like the one below:
(Img source: https://www.zdnet.com/article/ransomware-attack-may-have-a-north-korean-link-say-security-researchers/)
The ransomware encrypts the files of systems, making them unusable. The user is forced to make the demanded payment in bitcoins to get the files decrypted.
The Ecommerce Industry Is a Prime Fishing Target
Ecommerce sites aren’t safe. While the finance field is the main target of phishing attacks, as the graphic below mentioned by Infosec Institute shows, ecommerce sites are also among the targets.
(Img source: https://resources.infosecinstitute.com/category/enterprise/phishing/the-phishing-landscape/phishing-attacks-by-demographic/#gref)
Here’s PhishLabs’ diagram showing the distribution of phishing attacks across industries in 2015.
(Img source: https://www.cutimes.com/2016/03/17/financial-institutions-phishers-favorite-targets/?slreturn=20180630061419)
Since the ecommerce market keeps growing and winning more consumer confidence, Symantec Corp researchers say that there has been a surge in attacks particularly on email platforms dealing with retail engagements and payments.
Fake communication such as emails and phone calls are the common phishing techniques practiced.
We have fraudsters posing as your ecommerce business and contacting your customers. They contact via email or phone calls and get your customers to reveal their account numbers and passwords.
The dangerous aspect here is that these communications appear totally legitimate and will even contain your logo and other technical elements. That makes it really difficult for your customers to distinguish between the real email communication you send and the fake one.
The attack in 2014 against customers of JP Morgan Chase is an example. It started with a fake email leading users to click a link. Customers fell for that and the fraudsters not only secured the credentials of the customers but also sent malware to the computers of the victims.
(Img source: http://blog.urlvoid.com/1333/how-to-identify-fake-shopping-websites/)
Trouble is, customers, don’t usually realize they’ve landed on a fake checkout page since they may not always check the address bar at the top of the page. Since the page looks like a checkout page, they enter their credit card information to the fraudster.
So you not only lose the sale but also your reputation (since the customer believes they have paid, but don’t get either any confirmation or the product from you), and the fraudsters end up stealing their credit card information.
We just talked about customers not necessarily checking the address bar once they get to, what’s supposed to be, a checkout page. But even if they check, there are fraudsters who modify the URL to make it appear secure and nearly similar to the original URL. There would just be some minute changes that are barely noticeable, which even hawk-eyed customers wouldn’t realize, and they’ll click on them.
Fake warnings to ecommerce business owners stating that their PayPal account is suspended are another tactic employed by fraudsters. While some merchants could identify the emails as scams, not all are able to do so.
With PayPal being such an integral part of the checkout process, merchants are perturbed when they receive any notification warning them of an issue with their account.
There are some countries where PayPal is unavailable, but they're good alternatives which you can depend upon.
They immediately do what it says without realizing if the email is fake or not. They enter the information required of them including passwords and usernames on some fake page. Or they may download, complete and submit some attachment. That would give the fraudsters complete access to your PayPal account.
(Img source: https://www.enigmasoftware.com/fake-account-notification-phishing-email-malicious-attachment/)
Installing dangerous software or malware is another target of these phishing fraudsters. They send documents looking like bills, proposals and invoices as email attachments. On opening the attachment, malware is automatically installed.
There are some steps you can do to prevent your ecommerce business and its customers from falling prey to these phishing attacks, causing you harm and disrepute.
A secure ecommerce platform can go a long way in preventing attacks. Platforms such as WordPress, Magento and WooCommerce do have advanced security features.
And your server should also maintain the requirements for PCI compliance. Run PCI scans to ensure your compliance. Make sure you have the software’s latest version, and get any updates installed.
It is important to get all your vendor account numbers in a single document. Then, before any emailed invoice is opened, your employees can easily find out if the account number given in the email matches the number in their list. If it doesn’t, they can delete the email immediately.
Instruct your employees to always check the email address of the sender closely, since fraudsters make mild changes to email IDs that are not noticeable at first glance. For example, PaulVanDerZande@yourcompany.com could be changed to PaulVanDerZade@yourcompany.com.
At first glance you don’t notice any change, but on closer look you notice the absence of “n” in “Zande” in the final part of the name. Close observation can prevent a lot of troubles. As soon as your employees notice such changes in the email IDs, they can delete the email even before opening it.
Also, check the tone of the email. Fraudsters will take care to ensure the email sounds as formal as possible. But they needn’t get it right all the time. There could be grammatical and syntax errors, and even if they’re perfect, the tone of the email could be odd, something out of the usual.
If that’s the case, you or your employees shouldn’t risk responding to it or opening any attachments coming with it. Just delete the mail.
You also need to implement SSL certificates on your ecommerce website. SSL is the effective standard for secure online transactions. The SSL certificate ensures authentication of user identity.
It also encrypts the data at a store as well as in transit. Potential customers need to have the feeling that your ecommerce business is doing everything it can to protect their information.
The HTTPS with padlock icon in the address bar is what cautious and technologically well-versed customers look for.
Two-factor authentication (2FA) can help provide more security for your online stores. As per 2FA, the user needs to give two kinds of identification, the usual password – username combination and then the real-time generated code that is sent to the user’s verified phone numbers.
While hackers could have the ability to crack the password, the code cannot be stolen and it usually expires in a few hours.
Public networks are risky, and data transferred through them can quite easily be intercepted by others. Using the Virtual Private Network (VPN) is, therefore, the preferred option for ecommerce websites.
A VPN service can connect you to a secured offsite service through an encrypted connection. It prevents third parties from interfering. There are different kinds of VPN. SSL-based VPN service is cheaper than the conventional one. OpenVPN is based on open-source community and is therefore free.
Make Your Employees Fully Aware of Phishing Threats
Training employees are one of the most important ways to prevent phishing attacks against your business. You may not be opening all the emails; your employees would be doing it. They need to be cautious. You must keep them updated on the latest phishing and fraud techniques.
You can also test how gullible your employees are by sending them emails appearing to be from co-workers or vendors and then document who all actually opened. You can then give them focused training.
The most important aspect is to acknowledge the fact that your ecommerce site could be hacked, which could not only result in the loss of business and reputation but also invite legal action and fines particularly when your customers’ financial information has been compromised.
Acknowledging the danger can help you secure the site right from when you’re building it. If your site is already established, there are still some of the above-mentioned steps you can implement. Get started now or seek ecommerce security experts to do it for you.