When the pandemic hit, ecommerce blew up.
With people locked down and with little to do, buying online seemed the only escape. The global ecommerce market jumped to $26.7 trillion. Customer habits, too, were changing. In one survey, 60% of respondents agreed that
But it wasn’t just the sales that were soaring. And it wasn’t just the ecommerce industry’s businesses that were
In just a single year (between 2020 and 2021), ecommerce fraud rose 18%: from $17.5 billion to $20 billion. One look at the similarly burgeoning ecommerce fraud prevention market
The bottom line? Ecommerce fraud is something you can’t afford to turn a blind eye to. After all, it’s not just a threat to your profits but your brand image. If customers don’t feel they can pay securely through your website, they won’t trust you. Once you lose that consumer confidence, it’s extremely difficult to win back.
Below, we’ll unpack the state of payment security in 2022, starting with the most common types of ecommerce fraud. We’ll also offer actionable advice for protecting your customers, your website,
Most Common Types of Ecommerce Fraud
As the world of ecommerce expands and evolves, so too do its villains. So over the last few years, it’s not only the number of fraudulent
From pharming and account takeovers to friendly and silent fraud (not to mention
Pharming is a type of ecommerce fraud in which fraudsters redirect web users (without their knowledge or consent) to a fraudulent website. This website might look and feel like the one the customer intended to reach, but with a key
Designed only to simulate the original website, its fake counterpart exists for one reason
Also known as friendly fraud, chargeback fraud is when a customer fraudulently attempts to claim a refund by abusing the chargeback system.
A chargeback is a step introduced by banks way back in the ’70s to boost public confidence in the credit card (which, at that stage, was a
Let’s say you’re off to Santorini for a holiday, and your card is stolen at the airport. By the time you get to Greece, you realize the thief has made $700 in fraudulent purchases on your card. In this situation, you could (quite legitimately) request a chargeback.
The problem? When it’s not legitimate. Whether maliciously or innocently (customers forgetting about a transaction on their statement or a recurring billing cycle), fraudsters can take advantage of the chargeback process to claim money back on totally valid purchases.
The worst part? That, when a chargeback claim is upheld by the bank, the bank then claims the money (along with a fee on top, for their troubles!) back from you. Add that to the stock you’ve already lost to the fraudster, and chargebacks offer an
Because of popular movies dealing with the subject (The Talented Mr. Ripley, anyone?), identity theft is one of the more
Here, a fraudster falsely assumes another person’s identity: using their name, personal information, and documents to open credit cards, then hitting the high street.
Beyond the impact on the victim, why is this bad news for your online business? After all, you’re still selling…right?
Wrong. Think back, for a second, to our Santorini example above. Pretty soon, the person whose identity was stolen will become aware of the litany of fraudulent purchases made under their name
Making up 71% of all attacks, identity theft is by far the most common type of ecommerce fraud. Plus, fraudsters are also becoming more sophisticated, now using the personal devices, IP addresses, and user accounts of targets to assume their identities, which makes them a threat to be alert to.
At some stage or other while shopping online, all our customers have done it. Ticked that box that says Save My Credit Card Details. It’ll save them a minute the next time they come back to make a purchase, so it’s a
Right. Unless that is, a fraudster is able to get their
And when they do? Expect chargebacks from the real customer, leaving your business out of pocket.
Malware and Ransomware
Does your computer keep freezing up? Are there ads popping up everywhere? Do links take you to the wrong destination, or are new icons appearing on your desktop and browser?
If so, you may have inadvertently installed malware (mal = bad, ware = software…it’s bad software) on your device. Even the term malware itself includes a range of different malicious code types, each more nefarious than the last. These include spyware, Trojan Horses, and
The problem for ecommerce store owners is that malware, whether on your system or that of your customers or admins, can steal sensitive data. That includes the names and address details of your customers, as well as their payment information. If any of that’s compromised, it won’t just be profits or data you’ll be losing, it’ll be your credibility.
What’s more, malware attacks pave the way for an emerging form of ecommerce deception called silent fraud. After using malware to illegally access a number of accounts, fraudsters, instead of snatching thousands, hundreds, tens, or even ones, swipe a few cents alone. Done at scale and with regularity, these thefts can total huge amounts of stolen funds. Not so silent after all!
Ways to Protect Your Customers
Knowing what the main types of ecommerce fraud in 2022 are is one thing. But being able to effectively insulate you and your customers from fraud’s ill effects is quite another.
Below, we’ve rounded up our top tips for helping you, your customer base, and your business remain beyond the covetous clutches of fraudsters.
Safeguard Customer Information
The first way you can protect your customers? Safeguarding their most important details. Here’s how:
By filtering and monitoring incoming (and outgoing) traffic, firewalls help maintain the security of your website, acting, basically, as a literal wall between your network and the wild, wild West of the internet at large.
Through this lens, firewalls are vital not only for securing your data systems but for maintaining PCI compliance. PCI DSS (Payments Card Industry Data Security Standards) is a set of regulations all businesses accepting credit and debit cards must follow. PCI compliance is a kind of seal of approval that shows your customers, regulators, and the wider market that you can be trusted to handle sensitive data.
If you sell online with Ecwid by Lightspeed, your store is already PCI DSS compliant. Ecwid by Lightspeed is a PCI DSS validated Level 1 Service Provider. This is the highest international standard for secure data exchanges for online stores and payment systems.
Two-Factor Authentication (2FA)
Ensure 2FA is implemented, so anyone attempting to access your business’s backend platforms and processes will need to log in through two devices. If you or one of your team members is logging in from a desktop computer, for instance, you’ll also need to confirm the attempt on another device, such as your phone, to gain access.
Other variations include:
Two-stepvariation (2SV): involves receiving a one-timecode or password via email, message, or phone call which you must enter to log in. Multi-factorauthentication: a mix of multiple forms of authentication for one of the highest levels of security.
Business owners selling online with Ecwid by Lightspeed can use their Google or Facebook accounts to sign in to their Ecwid store. Enable
If you want to add other team members (like fulfillment staff or a designer) to your Ecwid store, never share your Ecwid login with them. Instead, create separate staff accounts for each user in your store. Staff accounts have separate logins and don’t have access to your profile and billing pages.
Use a Secure Payment Gateway
If you want to offer your customers the highest level of payment peace of mind possible, a secure payment gateway is a must.
A payment gateway is the tech merchants use to accept credit and debit card purchases: both
Ecwid by Lightspeed is integrated with dozens of secure payment gateways. You can choose a payment system that is convenient both for your business and your customers.
Share Advice and Info with Your Customers
One of the easiest ways to protect your customers? Informing them.
Whether through emails, texts, or dedicated sections on your website, let your customers know of the fraud that exists and how they can protect themselves from it. (And help you protect them from it!)
Be sure to clearly lay out:
- How your business greets its customers (so they can spot discrepancies)
- How your business doesn’t greet its customers, and what it won’t request (i.e., their login details or to click a link to log in)
- Clear, actionable tips for customers to keep their account details safe (if your business keeps customer accounts)
- How to get in touch if something doesn’t look right or if the customer has questions
- What security checks you’re introducing, if any
- How the customer can safely update their details
- What to do if they receive a scam email (i.e., a fraudster posing as your business) and how to report the fraudulent communication
Needless to say, these kinds of comms are vital. Not only do they inspire trust and offer an excellent user experience, but they also help reduce the risk of your customers falling prey to ecommerce fraud.
Remember, too, to make this info as accessible as possible. Your customers might not read their emails or thoroughly read through your website. So the more channels you can publicize this advice on, the better!
Keep Your Site Updated and Conduct Regular Security Audit
Earlier, we analogized the wider internet as a kind of Wild West: a frontier state where bandits and lawlessness abound.
Now, while that might be a little on the harsh side, there are plenty of threats out there and myriad methods via which phishers, hackers, and fraudsters can derail your business:
- DoS (Denial of Service) attacks: a hacker attempts to stop users from accessing your site’s services.
- DDoS (Distributed Denial of Service) attacks: the perpetrator doesn’t attack you directly but instead uses your site as a zombie with which to harm another site. In a DDoS attack, your servers are inundated by requests from a bunch of untraceable IP addresses, crashing your site, and stopping traffic and sales.
- Brute force attacks: here, hackers hit your website with thousands of different password combinations in an attempt to gain access.
- Man in the middle (MITM) attacks: if your customer is accessing your site via a vulnerable network (i.e., public WiFi), hackers can listen in to the transaction and use it to extract sensitive data.
- SQL injections and
cross-sitescriptings: these attacks exploit vulnerabilities in your site. In an SQL injection, hackers target your forms to gain access to, corrupt and steal information from your site’s backend. In cross-sitescripting, hackers insert malicious snippets of code that steal your visitors’ information.
The fact that all these modes of attack exist? That’s the bad news. The good news, however, is that these hackers are opportunists. They’re looking for vulnerabilities in your site’s security and fraud prevention setup. That means, by keeping your site updated and regularly identifying, understanding, and plugging its vulnerabilities you can reduce the risk of a hacker targeting your website and business.
To do this, conduct regular security audits. Assess your site’s infrastructure for loopholes, exploring the backend and code (including extensions and themes) for anything hackers can exploit. Ensure:
- Your passwords are strong
- Your software is up to date
- Your site’s SSL (Secure Sockets Layer) certificate is up to date
Speaking of SSL certificates, if you created your ecommerce website with Ecwid by Lightspeed, you already have an SSL certificate by default.
If you added your Ecwid store to an existing website, you already have the free SSL certificate for your store. However, the rest of the website is a separate matter. You need to purchase an SSL certificate to protect sensitive information. Learn how to do that in the Ecwid Help Center.
Another way to protect your website is to revise the list of your online store’s staff accounts and remove the staff members that you do not work with anymore. This way, you prevent hackers from taking advantage of these back channels to gain access to your site.
Key Times to Protect Your Website
So, now that we’ve explained what fraud to look for and how to protect your website from it, let’s look at the
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and
Christmas, Easter, Memorial Day, Independence
Increased distraction on the part of the customer or
Against this backdrop, don’t let your business get caught out. Don’t wait until the next holiday to set your site’s security up for success, or find yourself scrambling to audit your site mere days before the long Mother’s Day weekend. Remember that old Chinese proverb?
The best time to plant a tree was 20 years ago. The second best time is today.
Hackers tend to target businesses when they’re most vulnerable and when they’re closed.
That’s why weekends, particularly long ones, where public holidays are involved, are ripe opportunities for hackers. Still, that doesn’t mean you should let your guard down during the rest of the week. Hackers, on average, attack a staggering 26,000 times per day, so you need to remain vigilant.
As the opportunities of ecommerce evolve, so do its threats.
With so many scaremongering statistics out there, it can be easy to want to put your fingers in your ears, turn a blind eye, and take an ignorance is bliss approach.
But this mentality doesn’t take into account that with those threats come even more exciting opportunities.
To make the payment process safer, easier, more convenient and more consistent than ever before. To build your brand, engender customer loyalty, and boost trust with your audience by showing them that you value their privacy and respect the sensitivity of their data. And, in the process, lay the foundations for your ecommerce business’s solid, sustainable success.