According to a report published by Webscale, 2020 was when eCommerce experienced a significant increase in cyber incidents.
About 70% of survey participants (online businesses) revealed that cyber attack frequency grew by 20%.
The recent pandemic was one of the reasons behind the increase. As more people began shopping online, new businesses emerged to serve them. The shift in the digital landscape also caught the attention of hackers.
It has been a couple of years now since 2020, but security threats continue to wreak havoc on online merchants.
Cybercriminals have a plethora of malicious techniques at their disposal, targeting not just the site admins and employees but also consumers.
Raising awareness about the most prominent cybersecurity threats is the first move to succeed in countering them. After that, it is up to the merchants which countermeasures they will incorporate into their stores.
Our focus for this piece is to unveil the most common cybersecurity threats businesses face and how to circumvent those threats.
Number 1: Spamming
Let's start with spamming. It is one of the easier-to-detect attempts to cause harm. Some hackers try to take advantage of social media and email inboxes by sending messages with infected links.
Leaving infected URLs under blog posts via a comment or masking the link and placing it in a product's review section can also work.
Clicking such links redirects you to shady websites, potentially making you a victim. On top of that, spammy links that are visible on a website leave a negative impression among visitors. Not to mention that they may also affect the website's speed.
Number 2: DDoS Attacks
DDoS attacks overwhelm a website with an endless amount of traffic coming from different sources.
Websites go down because they cannot handle the requests, and bringing them back up proves a significant challenge if the site is missing the necessary security measures.
In some cases, DDoS attacks might be used as a diversion. The goal is to distract the staff rather than take down the website.
The year 2021 saw a significant increase in the frequency and magnitude of these cyber attacks, reaching an all-time high. In November 2021, Microsoft countered a DDoS attack directed at an Azure customer. The attack reached a throughput of 3.45 Tbps and a packet rate of 340 million PPS. It was believed to be the most significant DDoS attack ever recorded.
Number 3: Malware
Spyware, viruses, trojans, and ransomware are the most common malware forms.
Whenever malware infects a device, there is a risk that sensitive data is stolen, or the website itself is infected, when that device is used to connect to the site. This is particularly the case for those who have access to backend databases.
Hackers corrupt the data with malicious code and collect the information they need. They can also wipe the trail to make tracking harder.
Number 4: Bots
A bot is a software application or script that performs specific tasks. In the context of eCommerce, bots usually aim to scrape valuable information from the website.
The information is then used by another party to gain an edge over the competition. It is a dirty trick, but one used nonetheless.
A case in point is from DataDome, which reported a large-scale bot attack that leveraged BaaS (bots as a service) and lasted ~19h, comprising ~15.5M requests sent from more than 500K residential proxies. On average, the large-scale scraping attack induced ~150K requests every 10 minutes on their customer’s servers.
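An added example, not taken from the report or the original article: when the load is spread over hundreds of thousands of residential proxies, each address sends only a few requests, so a per-IP rate limit never fires. The sketch below counts requests per 10-minute window both per address and in aggregate; the traffic records, the thresholds and the baseline are constructed assumptions.

```python
from collections import Counter, defaultdict

WINDOW = 600          # seconds; the article quotes volume per 10 minutes
PER_IP_LIMIT = 100    # assumed per-address request limit per window
BASELINE = 2_000      # assumed normal total requests per window
SPIKE_FACTOR = 5      # assumed: alert when a window exceeds 5x baseline


def analyse(records):
    """records: iterable of (epoch_seconds, client_ip).
    Returns per-window totals and whether each kind of alert fires."""
    per_window = defaultdict(Counter)
    for ts, ip in records:
        per_window[ts - ts % WINDOW][ip] += 1
    report = {}
    for start, ips in sorted(per_window.items()):
        total = sum(ips.values())
        busiest = max(ips.values())
        report[start] = {
            "total": total,
            "unique_ips": len(ips),
            "max_per_ip": busiest,
            # Classic rate limit: looks at one address at a time.
            "per_ip_alert": busiest > PER_IP_LIMIT,
            # Aggregate view: total volume against the normal baseline.
            "aggregate_alert": total > BASELINE * SPIKE_FACTOR,
        }
    return report


def constructed_traffic():
    """Constructed sample: one normal window, then one window in which
    50,000 distinct addresses each send 3 requests (150,000 in total)."""
    records = []
    for i in range(1_500):                       # normal shoppers, window 0
        records.append((i % WINDOW, f"198.51.100.{i % 200}"))
    for i in range(50_000):                      # distributed scraper, window 1
        ip = f"10.0.{i // 256}.{i % 256}"
        for k in range(3):
            records.append((WINDOW + (i + k) % WINDOW, ip))
    return records


if __name__ == "__main__":
    for start, row in analyse(constructed_traffic()).items():
        print(start, row)
```

In the second window no single address exceeds three requests, yet the aggregate count is 75 times the assumed baseline, which is the signal a per-IP limit misses.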
Number 5: Financial Fraud
Credit card fraud is one of the standout examples of financial fraud. Stolen credit cards, or stolen personal details used to get a new credit card, have been plaguing the ecommerce industry for years.
The Federal Trade Commission released a graph and revealed how the number of reported credit card fraud cases grew from 45 thousand in the first quarter of 2019 to 115 thousand in the first quarter of 2023.
Introducing address verification systems that flag discrepancies between the actual credit card owner and the delivery address helps address the issue. Nevertheless, the problem is still prominent and requires constant attention from online merchants.
Number 6: Phishing Scam
CISA reports that 9 out of 10 cyber incidents begin with phishing. It makes sense, given how the technique is a perfect first step to breach the line of defense.
Phishing starts with hackers impersonating legitimate store owners. They may send an email to your customer asking for login credentials.
More aggressive hackers also attempt to trick staff members. Someone working on the website with backend access is the perfect target for hackers.
Urgency, fear, and other forms of manipulation are common in phishing attacks. It is easier to trick a recipient when they receive a tough choice, such as a warning about how their account has been compromised and how they need to restore it by clicking a URL that is actually harmful.
Number 7: E-skimming
E-skimming exploits vulnerabilities on the website or, in particular, the payment gateway. More rarely, hackers successfully add malware to existing third- or fourth-party code.
Once e-skimming happens on a website, hackers intercept user information while consumers enter their credit card details, home addresses, login credentials, answers to security questions, etc.
From the user's point of view, there is no warning about someone skimming through the data. They realize it after the fact, when hackers have already used the information.
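An added example, not from the original article: one control against tampered third-party script is Subresource Integrity, where the page pins a hash of each external script and the browser refuses a file that no longer matches. The audit below flags external scripts that have no pin or whose pin no longer matches the served file; the page markup, script bodies and host names are constructed, and `fetched` stands in for the files a real audit would download.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri(body: bytes) -> str:
    """Subresource Integrity value (sha384 only, for brevity) of a script."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every externally hosted <script>."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "script" and src.startswith(("http://", "https://", "//")):
            self.scripts.append((src, a.get("integrity")))


def audit(html: str, fetched: dict) -> dict:
    """Return {src: "ok" | "missing-integrity" | "hash-mismatch"}."""
    parser = ScriptCollector()
    parser.feed(html)
    result = {}
    for src, integrity in parser.scripts:
        if not integrity:
            result[src] = "missing-integrity"      # nothing pins this file
        elif sri(fetched[src]) not in integrity.split():
            result[src] = "hash-mismatch"          # file changed after pinning
        else:
            result[src] = "ok"
    return result


# Constructed sample data: host names and script bodies are placeholders.
ORIGINAL = b"function pay(form){ return submit(form); }"
TAMPERED = ORIGINAL + b"\n/* constructed: any byte changed after the pin was set */"
PAGE = f"""<html><body>
<script src="https://cdn.example/pay.js" integrity="{sri(ORIGINAL)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/chat.js"></script>
<script src="/js/cart.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(audit(PAGE, {"https://cdn.example/pay.js": ORIGINAL}))
    print(audit(PAGE, {"https://cdn.example/pay.js": TAMPERED}))
```

Same-origin scripts such as `/js/cart.js` are skipped here because they are covered by the site's own deployment controls rather than by a pin.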
How to Deal With These Cybersecurity Threats?
Ecommerce security is complex, particularly given how many different threats there are. Nevertheless, there are tried and tested countermeasures to minimize the risks. Here are some useful recommendations:
1. Use Antivirus Software
Antivirus software should be mandatory. Anyone who uses a device to work on the website should protect their end.
It is up to the supervisors to ensure that every single staff member has antivirus software installed. A single person who is reluctant to do it might cause enough harm to affect everyone involved.
Antivirus tools should do the trick on their own if you leave them running in the background, but it is still recommended to run custom scans now and then.
If you suspect a security breach on the device, use antivirus software to check what it detects. If malware or another threat infects the device, you must get rid of corrupted data.
Sometimes, you may need to access system files manually to clear them yourself. Be sure to know how to access /usr/local/bin on macOS, for example, or System32 on MS Windows.
2. Encourage Smart Password Policy
A smart password policy is another example of a countermeasure that determines how secure your website is.
Many people neglect to create strong passwords. Instead, they use obvious choices like “1234567” or “password123,” making everything much easier for hackers.
Ideally, passwords should:
- Have upper and lower-case letters
- Include random symbols
- Be different for different accounts
- Be updated regularly
If memorizing multiple credentials is too tricky, use a password manager to store the details, which only you can access with a master password and two-factor authentication.
3. Manage User Permissions
Regulating user roles and permissions is a standard security audit practice. Whenever someone leaves or switches to a different role, their original access credentials should be modified accordingly.
Depending on the number of users working on a website, it could be tricky to keep track of everyone, especially if the site admin already has their hands full.
Someone should be in charge of it. Having said that, choosing the people you can trust is crucial. Going rogue is the last thing one would want to see from their staff.
4. Set Up the SSL Certificate
PCI compliance indicates that the SSL protocol is mandatory. Nevertheless, not all online merchants bother setting it up.
Missing the certificate is a significant red flag, identifiable by internet browsers and website visitors.
A proper SSL certificate is a security measure for the site and its visitors. Once the certificate is in place, the website's URL transforms from HTTP to HTTPS. The "S" stands for secure.
HTTPS encrypts the information that a website receives. Hackers have a much harder time trying to crack the data when it is encrypted. Most of them give up and look for new targets.
5. Find a Reliable and Secure Hosting Provider
Since hosting providers have your site in their hands, finding one that offers more than just a 99.9% uptime guarantee is crucial.
Pay attention to security features that come with the package, and do not be afraid to pay extra to benefit from the security measures.
Before you commit, thoroughly look for reviews to confirm that you have selected the right hosting provider. If possible, seek personal recommendations from people you know and trust. After all, online reviews from strangers can be iffy at times.
6. Automate Chargebacks
Software solutions offer businesses a lifeline, and Chargeflow’s chargeback automation software is a great example.
When the software analyzes a transaction and detects fraudulent activity patterns, it alerts the merchant, creates a chargeback response on the case, and presents an evidence response on their behalf.
Instead of waiting to be notified by your acquirer when cardholders file disputes, which often leads to running out of time to gather compelling evidence and respond effectively, businesses can always submit timely and comprehensive responses to chargeback claims and recover disputes on autopilot. Chargeflow’s success-based pricing also means you only pay for cases won.
All in all, cybercriminals continue to pose problems for online merchants. Ecommerce stores remain vulnerable to different threats.
It is up to the site admins to raise awareness about threats that present problems so that everyone involved knows what to do.
Taking proactive measures and keeping up with cybersecurity trends is also worthwhile. Anything that helps you fend off cybercriminals will save you money in the long run.
About the Author: Laura Alexander is a freelance digital content manager and copywriter. She specializes in tech, ecommerce, and educational content.