Online sale events like Black Friday, Cyber Monday, Amazon Prime Day, etc. are usually highly anticipated by shoppers who want to take advantage of lucrative discounts and offers. However, with the pandemic, more shopping than ever is now taking place online. In previous years, it would be common to see shoppers lining up at large stores well before they opened for seasonal sales. Today, those crowds have largely moved online to scoop up products in limited availability or on sale at enticing discounts offered by e-commerce portals.
Retailers now need to be prepared not only to handle traffic surges during the sales season, but also to protect their customers from cybercriminals who are always on the lookout for opportunities like this to defraud unsuspecting consumers.
How can merchants protect themselves and their customers from online fraud and ensure the most secure online shopping experience? Here are a few key recommendations:
- Cyber-Security Policies: Lack of awareness of cyber-security best practices is often the root cause of breaches and attacks. Begin by educating your employees about how they can be exploited by phishing and similar social engineering tactics designed to manipulate them psychologically. Have your website and mobile app fully audited by security teams who can conduct penetration testing and recommend appropriate security measures.
- Zero-Trust Architecture: With employees now working remotely from homes, shared workspaces and even cafes, simple ‘allow or block’ mechanisms can often be circumvented by attackers. A Zero-Trust architecture lets you take a ‘trust nothing, verify everything’ approach to granting and controlling access for your employees and affiliates.
- Customer Awareness: Prompt your customers to use stronger passwords and to add MFA (Multi-Factor Authentication), which requires them to enter an additional code when logging in. Educate them to be suspicious of phishing campaigns that use your brand name, to be careful about providing personal or payment data, and to verify that they are visiting your site and not a cunning lookalike with a small variation in the spelling of your brand name (for example, “0nline.com” spelled with a zero rather than the letter “O”), or a different top-level domain that appears to be your site but is operated by fraudsters (such as online.biz instead of your site at online.com).
- Software Update Audit: While this might seem a basic and obvious step, it remains a crucial factor in protecting yourself against cyber-threats. Ensure that you use up-to-date SSL certificates and encrypted connections (indicated by “https” before your website address), and check that all your enterprise applications and operating systems have been updated to the latest versions. Also run a security audit on the APIs used by your digital infrastructure to be sure that they require authentication, are fully patched and are free of known vulnerabilities. Regular risk audits of all third-party software that works with your site help ensure that it does not become a gateway for hackers into your network.
- Limited PII Storage: E-commerce platforms are appealing to fraudsters because of the information they hold about their customers. Protect your customers by collecting and storing minimal PII (Personally Identifiable Information), and always use encrypted storage for sensitive data such as customers’ credit card information to deter attackers from stealing it.
- Integrate Specialized Solutions to Mitigate Sophisticated Threats: Most e-commerce sites use a general security solution to deal with breaches. However, as fraudulent attacks evolve, site owners can make use of specialized solutions such as bot managers to keep sophisticated bots out of their networks.
- Visitor Intent: Dedicated bot management solutions like Radware Bot Manager study the intent of every visitor and allow only genuine visitors into your website and app, preventing bots from carrying out damaging account takeover (ATO) and distributed denial of service (DDoS) attacks, as well as spamming, scalping, scraping, cart abandonment, denial of inventory, ad fraud and other threats that can harm your customers and your brand.
- PCI-DSS Compliance: PCI-DSS (Payment Card Industry Data Security Standard) compliance is mandated by the leading credit card networks for organizations that accept and process card payments and cardholder data. Since its inception, PCI-DSS has included an annual compliance attestation as part of its security framework. Businesses should proactively maintain PCI-DSS compliance to make sure that they and their customers are adequately protected.
Top bot attacks to be expected on e-commerce websites & apps this holiday season.
Customers expect online stores to provide them with a safe environment for their transactions, so it is paramount for enterprises to protect their customers from both known and unknown threats. As we get ready for the peak shopping time of the year, do not let cybercriminals and fraudsters take advantage of your customers by hacking into their accounts to steal gift cards, reward points and discount codes, or by extracting personally identifiable information (PII) that they can abuse further.