Online security is a must for all ecommerce websites. Big businesses are no longer the only ones that deal with ecommerce security threats: small and medium enterprises (SMEs) inevitably face security issues as well.
When the COVID-19 pandemic hit, businesses worldwide were forced to accelerate their digitization. They hurriedly created websites and online businesses to accommodate the rapidly changing needs of today’s consumers.
As a result, many successfully opened ecommerce sites but failed to give them ample protection.
Last year, the Philippine Institute of Cyber Security Professionals Chairman and Founding President, Angel Redoble, warned that cybercriminals are using more sophisticated methods of scamming consumers and phishing for personal information.
A recent study confirms this: 57 percent of SMEs in the Philippines experienced cyberattacks from 2020 to 2021, and among them, 73 percent had customer data stolen.
Thus, there is a need for ecommerce websites to strengthen their defences against hackers not only from within the country but also abroad.
Online Security Threats Against Ecommerce Sites and Consumers
Below are the biggest internet threats that target ecommerce websites and customers:
Phishing
Phishing creates an online encounter that persuades victims to reveal personal information or allow attackers entry into their IT infrastructure.
Malicious emails and text messages fool victims into clicking a malicious link or replying with their personal information (e.g., usernames and passwords, banking information, full name, home address).
Those who fall for these fraudulent messages could end up losing control of their accounts, losing money, or becoming victims of stolen identities.
Phishing scams often target consumers and prey on the gullibility of people who are new to digital services. Businesses, however, can also become victims of phishing.
Employees can be fooled into clicking phishing emails or giving sensitive business information without verifying the source. If successful, scammers can steal money or commit other crimes while pretending to be the company’s representatives.
Malware
Malware is software designed to spread and “infect” IT systems (hardware or software). Common examples of malware are viruses, spyware and worms. They can destroy IT infrastructure, delete or copy databases, and transmit information without detection.
One type of malware is particularly damaging to businesses: ransomware. With it, hackers can hold data or entire computing systems hostage until the victim pays a ransom.
The most expensive ransomware payouts in history were in 2021, when Colonial Pipeline paid the hacking group DarkSide $4.4 million, and in 2020, when the global travel agency CWT paid hackers $4.5 million.
Distributed Denial of Service (DDoS)
A denial of service is a malicious attack against a website wherein the hacker attempts to overwhelm the system with high traffic; in a distributed attack, that traffic comes from many machines at once. The website becomes unable to receive legitimate requests from real clients or users as a result.
In November 2021, the web security provider Cloudflare recorded the biggest DDoS attack it had ever observed and blocked: nearly two terabytes of data per second was launched from 15,000 botnet-compromised devices for about one minute. Cloudflare did not elaborate on the source or target of the attack.
Large hacking organizations are believed to control networks of hacked devices across different geographic regions. They use DDoS to threaten organizations or to hide other attacks, so if your firewalls detect a heavy DDoS onslaught, make sure to keep an eye out for the other vulnerable points in your system.
What’s worrisome is that hackers can use computer networks for DDoS attacks without their owners’ knowledge. Always update the security patches of your computer hardware and software programs.
SQL Injection
Any website that allows users to fill out and submit a form can be vulnerable to SQL injection. This method takes advantage of web applications that pass form input into database queries without proper validation or parameterization.
Instead of providing the data requested in the form (e.g., username, password, address, inquiry), hackers type SQL fragments into the entry field. Because the application builds its database query by pasting that input straight into the query text, the database cannot tell the attacker’s input apart from the application’s own command and executes it.
Through SQL injection, a hacker can command a website to reveal, copy, or wipe its entire database.
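The following is an added example, not code from the original article, that shows the weakness described above beside its fix. It uses Python’s built-in sqlite3 module against a constructed in-memory table of three sample rows; the table, the usernames and the e-mail addresses are all made up for the demonstration. The vulnerable lookup pastes the form value into the query text; the safe lookup sends the same value as a bound parameter, so the database treats it as data no matter what it contains.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory customer table with sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Weak form: the form value is interpolated into the SQL text, so the
    database cannot distinguish the user's input from the query itself."""
    query = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the SQL text is fixed and the value travels as a bound
    parameter, so whatever was typed is compared as a plain string."""
    query = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Textbook tautology payload of the kind automated scanners submit to web forms.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("normal lookup:", lookup_safe(db, "alice"))
    # The interpolated query becomes ... WHERE username = '' OR '1'='1',
    # which is true for every row, so the whole table is returned.
    print("vulnerable query with payload:", lookup_vulnerable(db, PAYLOAD))
    # The parameterized query looks for a user literally named "' OR '1'='1".
    print("parameterized query with payload:", lookup_safe(db, PAYLOAD))
```

The point of the comparison is that input filtering on the form is not what makes the safe version safe: the value is never part of the SQL statement, so there is nothing for the attacker’s text to break out of. The same applies to any database driver that offers placeholders.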
Ways to Secure Your Ecommerce Site
What hackers decide to do and who they pick to attack is beyond your control. This doesn’t mean, however, that you can only pray your business stays under their radar.
Here are six things you need to do to protect your site from ecommerce cyber threats:
1. Secure your ecommerce site with an SSL certificate. SSL or secure sockets layer is a security protocol that encrypts the data transmitted between a visitor’s web browser and a website’s server. This prevents hackers from “eavesdropping” and obtaining information that users send to websites, like personal information and credit card details.
2. Use a secure and regulated payment gateway for your ecommerce site. As a business owner, it’s your responsibility to ensure that payment methods are safe and reliable. Examples of widely used and trusted online payment gateways in the Philippines are GCash, PayMaya, Dragonpay, Nextpay and PayPal.
Alternatively, you can send your customers directly to their bank website for payment, then redirect them back to your merchant site once the transaction is done.
3. Install firewall software and hardware, and back it up with antivirus. A firewall detects and blocks unsolicited traffic and unauthorized users from accessing your private network. Cisco, Palo Alto, Sophos, and Check Point are examples of firewall providers.
Antivirus software, meanwhile, protects computer and data systems from internal and external malware attacks. A firewall cannot stop malware that is already running inside the system it protects, so you need antivirus software to cover this gap in security.
4. Authorize your web developer to enable end-to-end encryption. This is different from SSL encryption, which only encrypts data while it is in transit over the Internet. With end-to-end encryption, data is encrypted on the sending device (point A), stays encrypted while it passes through the server, and is only decrypted when it arrives on the intended recipient’s device (point B).
5. Implement multi-factor authentication for web users and employees. Besides their username and password, you can add a second step that generates a one-time password (OTP) and sends it to the user’s mobile phone number.
Sending the secondary authentication code to another device is extra protection that can deter hackers.
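As an added example (not code from the article), here is a minimal server-side one-time-password scheme of the kind the step above describes: an HMAC-based OTP generator following RFC 4226, plus the account state a site would keep to verify the code a user types back. Delivery to the phone (the SMS or app step) is assumed and not shown; the shared secret, the look-ahead window of three codes and the 20-byte secret length are choices made for this example, and the secret used in the test vectors is the one published in RFC 4226.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpAccount:
    """Server-side state for one user: a shared secret and the next counter.

    The secret must be stored as carefully as a password hash; anyone who
    reads it can compute every future code."""

    def __init__(self, secret: Optional[bytes] = None) -> None:
        # Assumption for this example: a fresh 20-byte random secret per user.
        self.secret = secret if secret is not None else secrets.token_bytes(20)
        self.counter = 0

    def next_code(self) -> str:
        """The code the site would send to the user's phone for the current counter."""
        return hotp(self.secret, self.counter)

    def verify(self, submitted: str, look_ahead: int = 3) -> bool:
        """Accept the code for the current counter or up to look_ahead counters
        beyond it (codes may be requested and never arrive). On success the
        counter moves past the used value, so a captured code cannot be replayed."""
        for step in range(look_ahead + 1):
            expected = hotp(self.secret, self.counter + step)
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(expected, submitted):
                self.counter += step + 1
                return True
        return False


if __name__ == "__main__":
    account = OtpAccount()
    code = account.next_code()          # what would be texted to the user
    print("first attempt:", account.verify(code))   # True
    print("replayed code:", account.verify(code))   # False: counter has advanced
```

Two details carry the security weight here: the comparison is constant-time, and a successful verification consumes the counter, which is what makes the code genuinely one-time. A real deployment would also rate-limit attempts, since a six-digit code with a window of four is guessable under unlimited tries.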
6. Educate your team and customers about cyber hygiene. Stolen and weak passwords are some of the most common causes of successful breaches. In 2018, Verizon’s Data Breach Investigations Report revealed that 81 percent of company data breaches were due to poor passwords.
To mitigate password-related incidents, remind your employees and customers about the importance of using complex passwords (use numbers and special characters) and changing them regularly. You can also enforce a password reset every three or more months.
Make Cybersecurity a Priority
It was inevitable that online threats would increase along with the global ecommerce industry. All it takes is one oversight, one successful breach, and hackers can destroy everything you’ve worked hard to build.
Your best recourse is to strengthen your online security and protect your data and network from known threats. Once you have that covered, it will be easier to scale up and implement more stringent security measures as your business grows.
Don’t delay: use the tips above and prevent these ecommerce security threats from harming your business and customers.
Featured image by Oscar Wong via Getty Images