As online shopping continues to grow, many online sellers and buyers are at risk of becoming targets of cyber-attacks. While large victims like eBay and Home Depot take most of the limelight, small and medium-sized business owners are equally at risk and may not be able to recover from an attack.
A September 2018 report by Oracle found that cyber-attacks against small and medium-sized companies cost around $500,000. To make matters worse, the U.S. National Cyber Security Alliance calculates that 60% of small companies exposed to cyber-attacks go out of business within 6 months. Even if the impact of a data hack is negligible, the damage to your reputation resulting from a breach will be enough to sink many honest merchants.
Here are some of the main cyber security threats that you may face today as an online retailer and how you can protect yourself from them.
Common Types of Cyber Attacks
Distributed Denial of Service, or DDoS, involves bombarding targeted servers with traffic and information requests until websites crash. These attacks can be tough to detect because cyber criminals usually take over high-capacity third-party servers (think GoDaddy, AWS, or WPEngine) and use them to carry out their dirty work.
In May 2017, Neustar released a survey estimating that average DDoS costs for businesses had risen to $2.5 million per incident. The Department of Homeland Security’s DDoS Quick Guide lists different types of DDoS attacks and how to configure firewalls to prevent or mitigate them.
Firewall rules should be configured to filter out flood traffic, for example by monitoring connections for unusual proxy requests arriving from many different DNS servers.
A TCP (Transmission Control Protocol) connection is what your browser establishes with a server before it can load a website. So, let’s break down the steps of making this connection:
- SYN (synchronize) packet – when you try to access a site, your computer sends a message to the website’s server. This is called a SYN message. For example, let’s say you type in Google.com. You’re sending a message to Google.com’s server saying, “Hi, I’d love to check out your site.”
- From there, Google.com’s server sends a message back called a SYN-ACK, which in layman’s terms means, “Hey, I heard you wanted to view my site. Is that true?”
- The connection is completed when you respond with an ACK – and that means, “Yeah, I do want to view this website.”
So, the way a DDoS attack of this kind works is that an attacker (often using many machines) sends a lot of SYN messages to a server saying, “Hey, we want to check out your site.” When the server answers back with a SYN-ACK, the attacker ghosts the server. The server sits there waiting to hear back, but never does. Each of these half-open connections occupies a slot in the server’s connection table, and once the table is full of unanswered requests, legitimate visitors can no longer connect and the site effectively crashes.
To prevent this, a solid firewall will limit the number of SYNs per second (by source IP address and destination), controlling inbound and outbound traffic and presenting a stricter barrier to any DDoS threat.
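To make the handshake and the SYN-per-second limit above concrete, here is an added example (not from the original article) that replays a constructed packet trace from the server’s side: a normal client that completes SYN → SYN-ACK → ACK, and a flooding source that sends only SYNs. The rate limit of 20 SYNs per second per (source, destination) pair and the half-open threshold are assumed values, not recommendations from the article or any firewall vendor.

```python
from collections import defaultdict, deque

SERVER = "192.0.2.5"  # constructed server address (RFC 5737 documentation range)

# Constructed trace: (timestamp_seconds, src_ip, dst_ip, tcp_flag)
TRACE = [
    (0.00, "203.0.113.10", SERVER, "SYN"),      # normal client opens a connection
    (0.01, SERVER, "203.0.113.10", "SYN-ACK"),  # server acknowledges
    (0.02, "203.0.113.10", SERVER, "ACK"),      # client completes the handshake
]
for i in range(40):  # flooding source: 40 SYNs in 0.4 s, never answers the SYN-ACK
    t = 0.1 + i * 0.01
    TRACE.append((t, "198.51.100.7", SERVER, "SYN"))
    TRACE.append((t + 0.001, SERVER, "198.51.100.7", "SYN-ACK"))
TRACE.sort()


def analyse(trace, server_ip, syn_per_sec=20):
    """Replay a trace from the server's point of view.

    Returns (dropped, half_open): SYNs per source refused by the per-(source,
    destination) rate limit, and connections per source still waiting for the
    client's final ACK (i.e. half-open slots the flood is tying up).
    """
    recent_syns = defaultdict(deque)  # (src, dst) -> timestamps of admitted SYNs
    half_open = defaultdict(int)       # src -> connections awaiting the final ACK
    dropped = defaultdict(int)
    for ts, src, dst, flag in trace:
        if flag == "SYN" and dst == server_ip:
            window = recent_syns[(src, dst)]
            while window and ts - window[0] >= 1.0:  # slide the one-second window
                window.popleft()
            if len(window) >= syn_per_sec:
                dropped[src] += 1  # over the limit: SYN is not admitted to the backlog
                continue
            window.append(ts)
            half_open[src] += 1    # server replies SYN-ACK and waits for the ACK
        elif flag == "ACK" and dst == server_ip and half_open[src] > 0:
            half_open[src] -= 1    # handshake completed, slot released
    return dict(dropped), {s: n for s, n in half_open.items() if n > 0}


def suspicious_sources(trace, server_ip, half_open_limit=10):
    """Sources holding at least `half_open_limit` unanswered handshakes."""
    _, half_open = analyse(trace, server_ip)
    return sorted(s for s, n in half_open.items() if n >= half_open_limit)
```

In the constructed trace the honest client ends with no half-open connections, while the flooding source holds 20 half-open slots and has its remaining 20 SYNs dropped by the rate limit.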
Social media has made it easier for businesses to reach out to their customers and potential partners, but hackers have also found it easier to glean data from online profiles – a process called social engineering.
Cyber criminals then send out credible-looking emails that use this personal information to entice victims to open them. These emails could be a PayPal suspension notice or an important-looking message from your bank. As soon as you click the malicious hyperlink, one of two scenarios can happen:
- You may begin downloading a virus immediately.
- You may visit a site that looks credible, such as your bank, PayPal account, or your ecommerce site backend. Once you enter your credentials, you’ve basically handed that information over to the criminal.
It isn’t just email, either. These criminals use text messages, phone calls, and social media messages. From there, the criminals have access to pertinent information. The obvious consequences include accessing your bank account or PayPal account and stealing money. These scammers have also matured over the years and now add code to ecommerce checkout pages that redirects your customers to a fake site.
The way to prevent this type of scam is to pay attention and move slowly. Many sellers are busy and may be working on multiple tasks at once. This multi-tasking can cause you to miss the key details that give a fraudulent email away. Maybe the sent-from address is a letter off, or the tone of the message is different from what you’re used to. Be overly cautious!
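The “a letter off” check above can be automated for the addresses you deal with most. This added example (not from the original article) compares a sender’s domain against a constructed list of trusted domains and flags near-misses by edit distance, as well as addresses that merely embed a trusted name inside a longer domain; the trusted list and the maximum distance of 2 are assumptions.

```python
# Constructed list of domains this shop expects payment and banking mail from.
TRUSTED_DOMAINS = ("paypal.com", "examplebank.com")


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Label a sender address as trusted, a lookalike of a trusted domain,
    a domain that embeds a trusted name, or simply unknown."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if t in domain:                       # e.g. paypal.com.some-host.net
            return f"embeds {t}"
    for t in trusted:
        if edit_distance(domain, t) <= max_distance:   # e.g. paypa1.com
            return f"lookalike of {t}"
    return "unknown"
```

Anything that comes back as a lookalike or an embedded trusted name deserves a second, slow look before any link in the message is clicked.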
Ransomware is a kind of malware that hackers use to breach systems and encrypt data before demanding payment to decrypt it. These attacks are usually carried out using a Trojan horse, malicious software disguised as a legitimate program, and tend to be combined with phishing scams that convince unsuspecting victims to open it.
Many of these ransomware attacks go unreported because of fears over a negative PR backlash, and unfortunately, it’s often worth paying a ransom to keep the business alive. After all, customers don’t want to buy in an environment where their data has a good chance of being stolen.
Though much has been said and written in the ecommerce world about fraudulent online sellers taking money and not delivering goods to customers, online sellers can also fall prey to scams by unscrupulous buyers.
This kind of fraud can happen in several ways:
- switching payment methods to avoid fees
- altered purchase orders
- fake returns
- fraudulent audits
- intentional overpayment (using a fake payment) so they can request the difference back
- using stolen PayPal accounts to purchase items
How to Protect Yourself from Cyber Attacks
Use secure passwords
Having strong passwords – and encouraging subscribed customers to do the same – is the first step to securing your online workplace. Passwords should be changed regularly and should combine numbers, symbols, and both capital and lowercase letters.
Free password managers like LastPass provide double encryption and let users keep all of their different passwords under one encrypted master password that changes constantly (meaning you don’t have to go through the trouble of remembering all of these passwords!).
Regular system updates
Keeping software and operating systems up-to-date and having the latest security extensions and plugins can solve vulnerabilities from software bugs and security loopholes, leaving you less exposed to attacks.
Backup your data regularly
Regularly backing up your work and important information protects you from accidental data loss due to hardware malfunctions and human error. It also helps protect you against ransomware: if a copy of your data is safely stored elsewhere, you won’t have to pay protection money to cyber criminals to get it back. Be sure to read up on ecommerce PCI compliance and follow it to a T.
Try Virtual Private Networks (VPNs)
VPNs help protect your business network regardless of where you’re working from. They do this by encrypting data sent over the internet and presenting a different IP address, so hackers won’t be able to trace your location. When accessing unsecured networks without a VPN, make sure you clear the browser’s cache and delete cookies (data that the websites you’ve visited store in your browser) that may contain passwords and financial information. Don’t forget to disable file and network sharing!
Inform your workforce
If you have employees, they should be briefed on how to respond to security breaches and what to do in case a workstation or the entire office network is compromised.
If you work alone, be sure to keep an eye on the latest trends in cyber security and the different risks that online stores are facing. As your business grows, it might be a good idea to hire cyber security specialists to develop strategies for preventing security breaches and dealing with them when they occur. Attending cybersecurity conferences and events will also increase your awareness of potential threats and possible solutions.
Keep an eye out for scammers
When selling online, stick to tried and tested payment methods like PayPal, credit cards, direct transfers and money orders. Be suspicious when buyers ask you to accept payment or make returns through strange channels. Doing everything by the book when it comes to financial transactions will save you a lot of headaches in the future. Continue to monitor the forums so you’re up-to-date on the latest scams other sellers have noticed.
Separate your work and personal devices
Using your personal phones, tablets, and computers for business activities increases the security risk in the workplace by exposing business networks to malware brought in from outside. Use work computers and email accounts exclusively for business-related activities, particularly if they handle sensitive information.
Ecommerce has created a wealth of opportunities for entrepreneurs who can identify market demands and find suppliers to fill them. The online marketplace makes the buying and selling process more convenient, but it also exposes incautious customers and businesses to fraud and data theft.
Though the cost in time, effort, and money may be high, making sure your business is well protected from this threat is well worth it in the long run.