This holiday season, eCommerce retailers are expected to generate sales reaching up to $218 billion in the United States alone, according to Deloitte. Globally, Adobe Analytics projects the eCommerce sector to generate revenue of up to $910 billion, an increase of 11 percent compared to the same period in 2020.
Numbers like this are great news for cybercriminals - when there is money changing hands, there is an opportunity for malicious actors to profit. Cybersecurity researchers predict that online fraud attempts spike by up to 60% during the holiday shopping period.
The lack of cybersecurity awareness on the consumer’s side is one of the top ways criminals pull in profits. Survey data suggest that a whopping 84% of consumers would risk giving away their personal information in exchange for bargain deals, and only 25% are aware that scams increase in frequency during holiday shopping periods.
“During the holiday shopping period, both eCommerce vendors and online shoppers are being increasingly targeted by threat actors,” says Juta Gurinaviciute, Chief Technical Officer at NordLayer, a cybersecurity provider. “The chaotic nature of these few months creates the perfect conditions for criminals to succeed, too. Vendors are looking to take full advantage of the opportunities, and customers are willing to give up their data for a sizable discount - regrettably, cybersecurity is often all but ignored.”
Threats for online retailers to watch out for
1. E-skimming (or Magecart). A growing threat for eCommerce vendors, e-skimming targets the checkout page of an online store to steal the credit card information shoppers fill in. Attackers can inject a malicious skimming code by gaining access via phishing, XSS (cross-site scripting), brute force attack, or compromising a third-party vendor the target uses.
To avoid falling prey to e-skimming, vendors should regularly update their payment software, install the newest patches, monitor and analyze weblogs, carry out code integrity checks, and follow general cybersecurity guidelines.
2. Phishing. A prevalent attack type in which an attacker pretends to be a trusted entity to lure the victim into clicking on nefarious links or downloading infected files.
The outcomes of such attacks can be devastating: a successfully carried out phishing attempt can expose usernames, passwords, credit card or other sensitive information, might put vendors out of business for days while also potentially exposing the data of their customers.
“Phishing attacks can be extremely sophisticated and highly targeted,” adds the NordLayer CTO. “Everyone who has access to business resources online needs to be made aware of various phishing techniques and stay vigilant, always double-check, and don’t make hasty decisions, especially during hectic periods like the holiday season.”
3. Distributed denial-of-service (DDoS). In a DDoS attack, the targeted website is overwhelmed with requests from thousands or hundreds of thousands of IP addresses to be taken down or significantly crippled. DDoS attacks are particularly devastating during peak shopping periods when each minute of downtime adds up to significant losses in lost revenue.
4. Malware and ransomware. Malware is malicious software designed to cause damage to the system it manages to infect. The most popular type of malware is ransomware, a kind of software that encrypts the files in the infected system to coerce the victim into paying a ransom.
If a vendor gets infected by ransomware, the losses can be catastrophic. The victim business is losing money over downtime, is at risk of losing its data, and is being forced into paying the attackers a substantial amount, not to mention the reputational losses.
Protecting the eCommerce business
Even with all the looming threats, a solid cybersecurity posture in eCommerce is not overwhelmingly expensive or time-consuming to achieve. It is perfectly normal for an entrepreneur not to be aware of every new threat or its antidote - as the threat landscape is constantly evolving, so do the counter-measures. However, following some general cybersecurity guidelines can substantially curb the above-listed risks.
1. Using Web Application Firewall (WAF). WAF protects the eCommerce store by acting as a shield between them and the internet. A firewall of this kind protects from various threats that eShops are susceptible to, like cross-site scripting (XSS) and SQL injection, among others.
2. Basic cybersecurity checklist. Entrepreneurs need to make sure they and their employees use multi-factor authentication (MFA), strong passwords and that every third-party software solution used is constantly updated.
3. Cybersecurity training. As most successful cyberattacks rely on human error, being aware of possible threats and following safe online practices is the starting point for every business to secure their digital assets.