As your e-commerce business grows, so does the risk of cybercrime. Protect your business with our comprehensive guide for all you need to know.
Cybercrime is a problem for all internet-based businesses, though each industry has its own threats, risks, and weaknesses.
That said, it’s unsurprising that e-commerce businesses are some of the most at-risk because they deal with transactions and sensitive personal data.
Data analysts at Zippia summarized that cyber-attacks happen every 39 seconds, 95% result from human error, and that cybercrime cost Americans $6.9 billion in 2021.
Unfortunately, cyber security can be overlooked by many companies that have quickly expanded into e-commerce, making them more at risk than most businesses.
The key lesson is that the more challenging e-commerce companies make it for cybercriminals to barge in and steal from them, the more likely they’ll give up and move on.
In this article, we’ll show you how to keep cybercriminals away, examine how cybercrime affects e-commerce, and discuss some common attacks to look out for so you can avoid them.
5 Ways E-commerce Sellers Can Prevent Cybercrime
Use these five strategies to reduce your business’s exposure to cybercrime.
1. Use Longer Passwords with MFA (Multi-Factor Authentication)
It may seem obvious to some, but plenty of people still have embarrassingly weak passwords. But there’s more to strong passwords than you may know.
Aside from the practice of adding a combination of numbers, letters, and special characters, you want to avoid easily guessable passwords and patterns as they’re easier for hackers to crack.
If you didn’t already know, password length really does matter! A password of six characters can be hacked in as little as eight seconds, while a password of 10 characters can take up to 21 years.
Alex Weinert, Director of Identity Security at Microsoft, explains, “each additional character takes 96 times longer” to be deciphered by a machine.
This is because each additional character adds thousands more possible password variations.
Weinert recommends passwords at least 12 characters long that have never been used before, though you usually need a password generator for this.
You also want to avoid using passwords that have appeared in past data breaches.
You can check this using services like Pwned Passwords, which tell you whether a password you have been using has appeared in a data breach.
If it appears, you should change your password immediately.
It doesn’t mean that you have been hacked or that any of your data is freely available, but the fact that that password has appeared in breaches means hackers may reuse that password.
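The breach check described above can be automated at signup or password change. This added example (not code from the article or from Pwned Passwords) uses the service's range API, which only ever receives the first five characters of the password's SHA-1 hash; the sample response and its counts are constructed, and the function names are illustrative.

```python
from __future__ import annotations

import hashlib
from typing import Callable


def sha1_parts(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the breach corpus (0 means not found).

    fetch_range is given only the 5-character prefix, so neither the
    password nor its full hash leaves this process.
    """
    prefix, suffix = sha1_parts(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed sample response for prefix 5BAA6 (suffix:count per line, counts made up).
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9999\r\n"
        "FFB4E0F1A3C2D5B6978877665544332211A:1\r\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call so the example runs offline."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Query the real range endpoint; pass this instead of offline_fetch in production."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2023!"):
        print(repr(pw), "seen", breach_count(pw, offline_fetch), "times")
```

A non-zero count is a reason to reject the password at creation time, not evidence that the account itself was breached.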
Multi-factor authentication (MFA) also makes a massive difference. It keeps your accounts way safer than just using a password, which machines can figure out.
Weinert adds, “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”
So, if you’re not using MFA yet, get onto it now.
Lastly, you can use mobile authenticators, which are similar to MFA—you log in with your credentials, then use an authentication app on your phone to generate a code and enter that into your device.
Google and Microsoft both offer authenticator apps.
2. Teach Employees How to Spot Cyber Scams (And to Be Careful With Sensitive Data)
Employees can make mistakes when not adequately trained on security and avoiding scams, which can be rather costly.
They can easily fall for phishing scams asking for sensitive data from someone pretending to be one of your partners, for example.
According to Verizon’s cybercrime statistics, 30% of data breaches involved ‘internal actors.’
Verizon explains that this is not so much that all employees are ‘bad actors’ but more that they can make mistakes and accidentally share sensitive information.
The lesson here is to have rules and best practices for sharing company data and to invest time in training your employees.
It’s important to teach your employees to question why someone is asking them to do something and to escalate the situation if they are unsure.
3. Regularly Monitor, Review, and Update Your Security
If you’re not doing this already, start now. During the pandemic, many retailers rushed into e-commerce which meant security was sacrificed in favor of getting online quickly.
When it comes to keeping your tech secure, there are quite a few risks and things to look out for, so it’s essential to test and patch vulnerabilities continuously.
You don’t want cybercriminals locating weaknesses before you do.
Another risk comes from using many third-party tools in your e-commerce service. Hackers can find a vulnerability in some of the services that your company uses and use that as a backdoor.
For example, sellers that use WordPress may be using outdated plugins that have become vulnerable to hackers.
Always keep an eye on the tools you use and any updates. Some tools can do this for you. You should also look out for release notes, particularly if they recommend an update for security reasons.
You should also adopt the latest industry-standard tech, such as a malware scanner, and use an e-commerce platform with built-in security features and SSL encryption.
One final point: give your IT team time to focus on technical debt! Listen to them if they say something is important for security and must be fixed.
Never underestimate the importance of sealing off entry points for cybercriminals.
4. Avoid Collecting Unnecessary Data (And Get Rid of It When You Can)
Customer data is useful for e-commerce businesses because we can learn from our consumers and improve online shopping experiences.
However, it’s also highly risky to collect, and sellers are responsible for protecting this data.
According to IBM Security’s “Cost of a Data Breach Report 2020,” 80% of breaches included customer PII (personally identifiable information).
Of that data, emails and credit card information are often primary targets for cybercriminals.
In an article for TotalRetail, Mark Whitehead adds that 53% of cyberattacks on e-commerce seek to steal ‘card-not-present’ (CNP) data.
To reduce the fallout from a data breach, e-commerce companies should be selective about the customer data they collect and avoid collecting customer PII that they’ll never need.
Hackers can use PII to access customers’ finances and carry out other malicious activities, and the more they have, the easier it is for them.
And if that wasn’t reason enough to remove unnecessary PII, Varonis’s 2018 Global Data Risk Report states that “54% of data is stale,” meaning that it’s no longer usable.
5. Keep an Eye on E-commerce Cybercrime Trends
Security should be at the forefront of your mind and always be a part of your future e-commerce plans. The only way to do this is to keep a watchful eye on cybercrime trends.
E-commerce is constantly evolving, which means cybercriminals must continuously adapt to change.
Quite often, technology will change and put an end to one tactic, but there’s always another around the corner. When one door closes, another opens.
So, when adopting something new in your e-commerce business, you should first ask yourself where the potential vulnerabilities are and how to avoid them.
This also means watching out for when your partners and integrations are hacked and being prepared for such a scenario.
How Does Cybercrime Impact E-commerce?
Cybercrime can wreak enormous damage on e-commerce companies. If data is stolen or leaked, it can damage your reputation, which can negatively impact sales.
A research paper by Mansoura University on the impacts of cybercrime on e-commerce notes that it comes down to ‘trust.’
They explain that cybercrime can be one of the top reasons buyers avoid e-commerce and that when a store or platform is attacked, buyers can often take their business elsewhere.
So, it’s vital to ensure their safety and make buyers feel safe to continue coming back to you. In some cases, it can take companies years to earn back that trust after an attack.
Data breaches are also extensively time-consuming to deal with and perhaps more expensive than you’d think.
IBM Security’s Cost of a Data Breach Report 2020 says that it can take a company up to 207 days to identify a data breach and then another 73 days to contain that breach on average.
This means a data leak can be a massive headache for a long time. You may be dealing with the fallout from a data breach for well over a year.
IBM Security also added that the average total cost of a data breach in 2020 was approximately $3.86 million, a 10% increase since 2014.
Furthermore, there are costs associated with patching up vulnerabilities, you may need to pay compensation to customers, and your company could even face litigation.
3 Famous Cybercrime Cases and What We Can Learn From Them
If we haven’t scared you enough yet into taking precautions to protect your e-commerce operations from cybercrime, we found some horror stories to share with you as a reminder.
eBay May Have Forgotten About MFA
In 2014, eBay’s corporate network was hacked, and 145 million customers had info stolen. The hackers used multiple techniques, but eBay’s biggest fault was supposedly not using MFA.
The same year, eBay lowered sales projections by $200 million due to the breach.
Carousell Didn’t Detect a Hack for Five Months
In 2022, Carousell, a highly popular Singaporean e-commerce platform, was hacked, and the emails and phone numbers of approximately 1.95 million users were leaked.
And if this wasn’t bad enough, Carousell was only made aware in October 2022, and the hackers claimed the hack took place in May, meaning it was undetected for five months.
Amazon Always Has a Target on Their Backs
As the largest e-commerce platform, it is perhaps unsurprising that Amazon has been attacked by cybercriminals a lot.
In fact, Amazon has been hacked so many times that Michael X. Heiligenstein of Firewall Times wrote a full timeline of Amazon attacks up until 2022.
However, Amazon has been smart enough to work with hackers instead of against them, paying out bounties to hackers for finding security vulnerabilities.
According to Forbes, in 2021, Amazon paid out $832,135 to hackers in a live hacking event for identifying vulnerabilities.
Common Cyber Attacks on E-commerce Sellers
There are a plethora of different attacks e-commerce sellers can expect, though cybercriminals can be creative and add their own twist to them to make them less detectable.
According to an article by Brad Liggett of TotalRetail, there are two primary cybercrime trends to look out for in e-commerce in 2023.
The first is ‘refunding,’ where scammers attempt to get refunds for products they didn’t buy, often exploiting loopholes or attempting to emotionally manipulate customer support.
The biggest platforms are often the most common targets for this scam—Amazon, Apple, Target, and eBay.
Typically, scammers will claim that a product never arrived, the box was empty, or they received the wrong item. We recently covered how to prevent such scams in a blog post.
The second trend is phishing, which has been around for decades.
Typically, a buyer receives an email saying their order is on the way (though they didn’t order anything), and they click on a link asking them to log in on a fake landing page.
Doing this gives the scammers the customer’s login details which they can then use to enter their account.
Liggett notes that investing in security tools won’t necessarily keep you safe from phishing. Often mitigating phishing comes down to knowing cybercriminals’ tactics.
One of the easiest ways to spot such email scams is unusual email addresses and spelling errors.
Phishing will likely continue to be a problem for sellers and consumers and will keep evolving.
All in all, e-commerce fraud is expected to exceed $48 billion globally in 2023, up 16% from $41 billion in 2022, according to an article by Velvet-Belle Templeman of Digital Nation.
This potential increase is tied to the risks associated with the rise of digital wallets and buy-now-pay-later.