When the pandemic hit, ecommerce blew up.
With people locked down and with little to do, buying online seemed the only escape. The global ecommerce market jumped to $26.7 trillion. Customer habits, too, were changing. In one survey, 60% of respondents agreed that COVID-19 had changed their relationship with technology.
But it wasn’t just the sales that were soaring. And it wasn’t just the ecommerce industry’s businesses that were busy–but its fraudsters, too.
In just a single year (between 2020 and 2021), ecommerce fraud rose 18%: from $17.5 billion to $20 billion. One look at the similarly burgeoning ecommerce fraud prevention market–expected to hit a whopping $70 billion by 2025–and it’s clear this line of “work” is only rising in popularity.
The bottom line? Ecommerce fraud is something you can’t afford to turn a blind eye to. After all, it’s not just a threat to your profits but your brand image. If customers don’t feel they can pay securely through your website, they won’t trust you. Once you lose that consumer confidence, it’s extremely difficult to win back.
Below, we’ll unpack the state of payment security in 2022, starting with the most common types of ecommerce fraud. We’ll also offer actionable advice for protecting your customers, your website, and–ultimately–your bottom line. Read on!
Most Common Types of Ecommerce Fraud
As the world of ecommerce expands and evolves, so too do its villains. So over the last few years, it’s not only the number of fraudulent transactions–and the overall value of the stolen wares–that has risen. It’s the type of ecommerce fraud, too.
From pharming and account takeovers to “friendly” and “silent” fraud (not to mention straight-up identity theft), fraudsters’ methods are becoming increasingly dynamic and diverse. Let’s take a look at a few.
Pharming is a type of ecommerce fraud in which fraudsters redirect web users (without their knowledge or consent) to a fraudulent website. This website might look and feel like the one the customer intended to reach, but with a key difference–it’s completely fake.
Designed only to simulate the original website, its fake counterpart exists for one reason only–to trick the user into entering their personal information and credit card details. Fraudsters can then use this info to steal the individual’s money, or worse–their identity.
Also known as “friendly fraud,” chargeback fraud is when a customer fraudulently attempts to claim a refund by abusing the chargeback system.
A chargeback is a step introduced by banks way back in the ’70s to boost public confidence in the credit card (which, at that stage, was a new-fangled thing). It allows consumers to dispute a card payment, and after the bank sides with their case, claim a refund.
Let’s say you’re off to Santorini for a holiday, and your card is stolen at the airport. By the time you get to Greece, you realize the thief has made $700 in fraudulent purchases on your card. In this situation, you could (quite legitimately) request a chargeback.
The problem? When it’s not legitimate. Whether maliciously or “innocently” (customers forgetting about a transaction on their statement or a recurring billing cycle), fraudsters can take advantage of the chargeback process to claim money back on totally valid purchases.
The worst part? That, when a chargeback claim is upheld by the bank, the bank then claims the money (along with a fee on top, for their troubles!) back from you. Add that to the stock you’ve already lost to the fraudster, and chargebacks offer an all-too-real threat.
Because of popular movies dealing with the subject (The Talented Mr. Ripley, anyone?), identity theft is one of the more well-known types of ecommerce fraud. But that doesn’t make it any less dangerous.
Here, a fraudster falsely assumes another person’s identity: using their name, personal information, and documents to open credit cards, then hitting the high street.
Beyond the impact on the victim, why is this bad news for your online business? After all, you’re still selling…right?
Wrong. Think back, for a second, to our Santorini example above. Pretty soon, the person whose identity was stolen will become aware of the litany of fraudulent purchases made under their name and–you guessed it–raise a chargeback. When the bank upholds this, they’ll be claiming the money back–from you.
Making up 71% of all attacks, identity theft is by far the most common type of ecommerce fraud. Plus, fraudsters are also becoming more sophisticated, now using the personal devices, IP addresses, and user accounts of targets to assume their identities, which makes them a threat to be alert to.
At some stage or other while shopping online, all our customers have done it. Ticked that box that says “Save My Credit Card Details.” It’ll save them a minute the next time they come back to make a purchase, so it’s a no-brainer, right?
Right. Unless that is, a fraudster is able to get their sticky-fingered paws on that customer’s login details. Should that happen, the thief has easy access to their payment details. Meaning all they have to do is change the shipping address and start buying.
And when they do? Expect chargebacks from the real customer, leaving your business out of pocket.
Malware and Ransomware
Does your computer keep freezing up? Are there ads popping up everywhere? Do links take you to the wrong destination, or are new icons appearing on your desktop and browser?
If so, you may have inadvertently installed malware (mal = bad, ware = software…it’s bad software) on your device. Even the term “malware” itself includes a range of different malicious code types, each more nefarious than the last. These include spyware, “Trojan Horses,” and ransomware–code that locks you out of your system until you pay the hacker a “ransom” to get back in.
The problem for ecommerce store owners is that malware, whether on your system or that of your customers or admins, can steal sensitive data. That includes the names and address details of your customers, as well as their payment information. If any of that’s compromised, it won’t just be profits or data you’ll be losing, it’ll be your credibility.
What’s more, malware attacks pave the way for an emerging form of ecommerce deception called “silent” fraud. After using malware to illegally access a number of accounts, fraudsters, instead of snatching thousands, hundreds, tens, or even ones, swipe a few cents alone. Done at scale and with regularity, these thefts can total huge amounts of stolen funds. Not so “silent” after all!
Ways to Protect Your Customers
Knowing what the main types of ecommerce fraud in 2022 are is one thing. But being able to effectively insulate you and your customers from fraud’s ill effects is quite another.
Below, we’ve rounded up our top tips for helping you, your customer base, and your business remain beyond the covetous clutches of fraudsters.
Safeguard Customer Information
The first way you can protect your customers? Safeguarding their most important details. Here’s how:
By filtering and monitoring incoming (and outgoing) traffic, firewalls help maintain the security of your website, acting, basically, as a literal wall between your network and the wild, wild West of the internet at large.
Through this lens, firewalls are vital not only for securing your data systems but for maintaining PCI compliance. PCI DSS (Payments Card Industry Data Security Standards) is a set of regulations all businesses accepting credit and debit cards must follow. PCI compliance is a kind of “seal of approval” that shows your customers, regulators, and the wider market that you can be trusted to handle sensitive data.
If you sell online with Ecwid by Lightspeed, your store is already PCI DSS compliant. Ecwid by Lightspeed is a PCI DSS validated Level 1 Service Provider. This is the highest international standard for secure data exchanges for online stores and payment systems.
Enable Two-Factor Authentication (2FA)
Ensure 2FA is implemented, so anyone attempting to access your business’s backend platforms and processes will need to log in through two devices. If you or one of your team members is logging in from a desktop computer, for instance, you’ll also need to confirm the attempt on another device, such as your phone, to gain access.
Other variations include:
Two-step variation (2SV): involves receiving a one-time code or password via email, message, or phone call which you must enter to log in. Multi-factor authentication: a mix of multiple forms of authentication for one of the highest levels of security.
Business owners selling online with Ecwid by Lightspeed can use their Google or Facebook accounts to sign in to their Ecwid store. Enable two-factor authentication for your Google or Facebook account and thus protect your login information for Ecwid as well.
If you want to add other team members (like fulfillment staff or a designer) to your Ecwid store, never share your Ecwid login with them. Instead, create separate staff accounts for each user in your store. Staff accounts have separate logins and don’t have access to your profile and billing pages.
Use a Secure Payment Gateway
If you want to offer your customers the highest level of payment peace of mind possible, a secure payment gateway is a must.
A payment gateway is the tech merchants use to accept credit and debit card purchases: both in-person and online. But not all payment gateways are created equal, particularly when it comes to fees and payout times. So be sure to pick the right one for your business’s unique needs.
Ecwid by Lightspeed is integrated with dozens of secure payment gateways. You can choose a payment system that is convenient both for your business and your customers.
Share Advice and Info with Your Customers
One of the easiest ways to protect your customers? Informing them.
Whether through emails, texts, or dedicated sections on your website, let your customers know of the fraud that exists and how they can protect themselves from it. (And help you protect them from it!)
Be sure to clearly lay out:
How your business greets its customers (so they can spot discrepancies) How your business doesn’t greet its customers, and what it won’t request (i.e., their login details or to click a link to log in) Clear, actionable tips for customers to keep their account details safe (if your business keeps customer accounts) How to get in touch if something doesn’t look right or if the customer has questions What security checks you’re introducing, if any How the customer can safely update their details What to do if they receive a scam email (i.e., a fraudster posing as your business) and how to report the fraudulent communication
Needless to say, these kinds of comms are vital. Not only do they inspire trust and offer an excellent user experience, but they also help reduce the risk of your customers falling prey to ecommerce fraud.
Remember, too, to make this info as accessible as possible. Your customers might not read their emails or thoroughly read through your website. So the more channels you can publicize this advice on, the better!
Keep Your Site Updated and Conduct Regular Security Audit
Earlier, we analogized the wider internet as a kind of “Wild West”: a frontier state where bandits and lawlessness abound.
Now, while that might be a little on the harsh side, there are plenty of threats out there and myriad methods via which phishers, hackers, and fraudsters can derail your business:
DoS (Denial of Service) attacks: a hacker attempts to stop users from accessing your site’s services. DDoS (Distributed Denial of Service) attacks: the perpetrator doesn’t attack you directly but instead uses your site as a “zombie” with which to harm another site. In a DDoS attack, your servers are inundated by requests from a bunch of untraceable IP addresses, crashing your site, and stopping traffic and sales. Brute force attacks: here, hackers hit your website with thousands of different password combinations in an attempt to gain access. Man in the middle (MITM) attacks: if your customer is accessing your site via a vulnerable network (i.e., public WiFi), hackers can “listen in” to the transaction and use it to extract sensitive data. SQL injections and cross-site scriptings: these attacks exploit vulnerabilities in your site. In an SQL injection, hackers target your forms to gain access to, corrupt and steal information from your site’s backend. In cross-site scripting, hackers insert malicious snippets of code that steal your visitors’ information.
The fact that all these modes of attack exist? That’s the bad news. The good news, however, is that these hackers are opportunists. They’re looking for vulnerabilities in your site’s security and fraud prevention setup. That means, by keeping your site updated and regularly identifying, understanding, and plugging its vulnerabilities you can reduce the risk of a hacker targeting your website and business.
To do this, conduct regular security audits. Assess your site’s infrastructure for loopholes, exploring the backend and code (including extensions and themes) for anything hackers can exploit. Ensure:
Your passwords are strong Your software is up to date Your site’s SSL (Secure Sockets Layer) certificate is up to date
Speaking of SSL certificates, if you created your ecommerce website with Ecwid by Lightspeed, you already have an SSL certificate by default.
If you added your Ecwid store to an existing website, you already have the free SSL certificate for your store. However, the rest of the website is a separate matter. You need to purchase an SSL certificate to protect sensitive information. Learn how to do that in the Ecwid Help Center.
Another way to protect your website is to revise the list of your online store’s staff accounts and remove the staff members that you do not work with anymore. This way, you prevent hackers from taking advantage of these “back channels” to gain access to your site.
Key Times to Protect Your Website
So, now that we’ve explained what fraud to look for and how to protect your website from it, let’s look at the when–at the key times throughout the year when hackers are most active.
“The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends–when offices are normally closed–in the United States, as recently as the Fourth of July holiday in 2021.” — Ransomware Awareness for Holidays and Weekends, 2021.
Christmas, Easter, Memorial Day, Independence Day–though the rest of us are spending time with our families and unwinding, hackers are doing anything but relax.
Increased distraction on the part of the customer or end-user and less staff and resources on the business’s end means conditions are rife for hacking.
Against this backdrop, don’t let your business get caught out. Don’t wait until the next holiday to set your site’s security up for success, or find yourself scrambling to audit your site mere days before the long Mother’s Day weekend. Remember that old Chinese proverb?
The best time to plant a tree was 20 years ago. The second best time is today.
Hackers tend to target businesses when they’re most vulnerable and when they’re closed.
That’s why weekends, particularly long ones, where public holidays are involved, are ripe opportunities for hackers. Still, that doesn’t mean you should let your guard down during the rest of the week. Hackers, on average, attack a staggering 26,000 times per day, so you need to remain vigilant.
As the opportunities of ecommerce evolve, so do its threats.
With so many scaremongering statistics out there, it can be easy to want to put your fingers in your ears, turn a blind eye, and take an “ignorance is bliss” approach.
But this mentality doesn’t take into account that with those threats come even more exciting opportunities.
To make the payment process safer, easier, more convenient and more consistent than ever before. To build your brand, engender customer loyalty, and boost trust with your audience by showing them that you value their privacy and respect the sensitivity of their data. And, in the process, lay the foundations for your ecommerce business’s solid, sustainable success.