Despite UK lockdown restrictions coming to an end last month, eCommerce is expected to maintain its popularity among consumers.
By the end of 2021, UK shoppers are predicted to spend £10 billion more than they did in 2020, making up almost a third of all retail spending this year.
It’s a great time for eCommerce and many merchants have been reaping the rewards, but an increase in online fraud is the price that some merchants are paying.
86% of all data breaches are said to be financially motivated, so your customers’ sensitive data is sure to be a prime target for cybercriminals.
If you’re an eCommerce Merchant, tightening up your cybersecurity should be at the top of your to-do list.
By following the best practices for eCommerce security, your customer data, your brand and the reputation of your business will be in a much safer place. You’ll be able to reap the rewards of the upward trend in eCommerce without a fraudulent sting in the tail.
To help get your business on the right track, we want to share some of our insights and tips to help reduce and prevent cybercrime from damaging your business.
Why is Cybercrime in the UK increasing?
The Explosive Growth of eCommerce
Unfortunately, such rapid growth has created plenty of new unsuspecting targets for fraudsters. Customers shopping online for the first time are less aware of the tricks and techniques often used by cybercriminals.
A 2021 report suggests that 46% of consumers are unsure about how to protect themselves from cybercrime.
As eCommerce continues to grow, so too does the amount of data in need of protection.
Cybercrime has two aspects which are very appealing for criminals – anonymity and the ability to target businesses and customers on a global scale from a single location.
It’s alarmingly easy for fraudsters to impersonate a business or steal information from a form when submitted through digital channels.
This anonymity can also make it very hard for consumers to distinguish between what is real and what is fake. A company logo and a domain can sometimes be all it takes for a consumer to be tricked into handing over their details to a fraudster.
Less Payment Security
The number of businesses achieving compliance with payment regulations has declined in recent years. Only 27.9% of businesses reached the required compliance levels for payment security in 2020, a big drop from 55.4% in 2016.
Sampath Sowmyanarayan, President, Global Enterprise for Verizon Business, believes this is due to ‘many businesses lacking the resources and commitment from senior business leaders to support long-term data security and compliance initiatives’.
The Most Common eCommerce Security Threats in 2021
Phishing is a type of cyber-attack that uses social engineering to trick people into sharing sensitive information or to infect their digital devices with malware.
Most phishing attempts involve cybercriminals sending malicious emails with the goal of impersonating the identity of a trusted sender. These emails try to prey on the fears of consumers, such as warnings about password changes or failed delivery attempts.
How Phishing is Impacting UK Businesses
In 2021, 85% of medium businesses and 91% of large businesses found themselves having to deal with phishing attacks.
Cybercriminals use phishing as an attempt to impersonate a business. As many as 56% of medium businesses and 63% of large businesses are said to have been victims of this at some point.
A Distributed Denial of Service (DDoS) attack is when a hacker overwhelms the network resources of a website or other online service in an attempt to make it completely inoperable.
The server is targeted with traffic from bots to the point where it is slowed down or crashes entirely. While most DDoS attacks tend to last for 10-40 minutes, some of the worst attacks have been known to last for days or even weeks.
Impact of DDoS attacks on eCommerce Merchants
Successful attacks have the potential to temporarily take your online store offline, causing you to miss out on potential sales whilst creating a frustrating experience for your customers attempting to place an order.
In February 2020, Amazon had to fend off the largest DDoS attack in history. The attack was 35% bigger than a previous record set in 2018.
Since then the threat of DDoS attacks has only increased. Over 2.9 million DDoS attacks were launched around the world in Q1 2021 – a 31% increase compared to the same period in 2020.
Web Skimming is a cyber-attack whereby the attacker injects a malicious script into the checkout page of an eCommerce website and steals sensitive customer information from the infected form.
The Threat of Web Skimming for eCommerce
Web Skimming can be a big threat to merchants using open-source eCommerce platforms.
In September 2020, malicious code was injected into nearly 2,000 eCommerce sites using an old version of Adobe’s Magento software, putting more than 10,000 customers at risk.
While these threats may be growing, the good news is that there is plenty you can do to protect your business from them.
Best Practices for eCommerce Security
Although online fraud is always evolving, there are some steps you should take now that will help protect your business from many of these threats.
1. Make sure your eCommerce software is always up to date
If your eCommerce software supports automatic updates, we strongly recommend enabling this feature.
In the latest version of the software, previous security loopholes are likely to have been closed, and cybercriminals are unlikely to have had enough time to discover new vulnerabilities.
Unfortunately, some eCommerce software providers do not include an automatic update feature, so be sure to bear this in mind when deciding what to use for your online store.
2. Install eCommerce Security Plugins
eCommerce Security plugins are a simple, yet very effective way of protecting your website from cyberattacks.
By taking the time to research and install well-trusted and widely used security plugins available on your eCommerce platform, your business and customers will be much better protected.
Some examples of popular eCommerce security plugins include:
- Sucuri – A popular plugin for WooCommerce that offers protection against DDoS, Brute Force and Malware attacks
- Cozy Antitheft – A Shopify plugin that prevents images and text on your store from easily being copied, making it harder for cybercriminals to create spoof emails or web pages.
3. DMARC: A Must-Have for Phishing Protection
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication process which helps protect senders and recipients of emails from phishing, spoofing and spam.
DMARC achieves this by combining two existing email authentication methods, SPF and DKIM, to accurately determine if the email is from an authorised sender.
By setting up a DMARC policy you can provide clear instructions to receiving servers about how they should deal with emails that use your domain.
According to a recent report, domains without DMARC enforcement are nearly 5 times more likely to be the target of spoofing.
4. Educate and Inform your Customers
A good way to protect your customers from falling victim to phishing is to produce a newsletter with security tips that can help them identify if an email is actually from your business.
These should include a summary of information that you will never ask your customers for or the types of emails you will never send them.
Providing your customers with helpful tips for managing and updating their account security is another good practice that can keep your customers clued up.
5. Be Compliant with Regulations
Strong Customer Authentication
Strong Customer Authentication (SCA) is an authentication process that requires a customer to verify their identity through one of the following:
- Something only your customer knows (One Time Password, SMS code, PIN, answers to security questions)
- Something your customer owns (a smartphone, wearable device or card)
- Something your customer is (fingerprint scanning, voice and face recognition)
Compliance with SCA is already a legal requirement for EU merchants located within the European Economic Area (EEA). UK merchants will need to be compliant with SCA regulations by 14 March 2022.
To learn more about SCA be sure to read our blog ‘What is Strong Customer Authentication?’
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards whose purpose is to reduce the risk of card data being stolen by online hackers.
These standards have been put in place to make sure that your customers’ card data is handled in a safe and secure manner, reducing the chances of it being stolen by fraudsters.
If your business accepts card payments, you will need to be PCI compliant, either via direct accreditation or via an accredited third party organisation.
The card schemes (such as Visa and Mastercard) will put your business into one of four levels of risk.
You can learn more about these levels by reading our dedicated blog on PCI DSS.
General Data Protection Regulation (GDPR) is an EU law that has been in effect since May 2018. It introduced a set of rules designed to give people more control and protection over their personal data. GDPR has also been adopted into UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, where it is known as UK GDPR.
GDPR compliance applies to any organisation that operates within the EU/UK or provides services to EU/UK residents.
Failure to comply with GDPR not only puts your customers’ data at risk, it can even result in your business having to pay some hefty fines.
In October 2020, British Airways were fined £20 million by the Information Commissioner’s Office (ICO) for failing to protect the details of more than 400,000 customers.
Some key tips on how to be GDPR compliant include:
- Register with the relevant Supervisory Authority for data protection purposes (the ICO for UK companies)
- Ensure there is a legal basis for the collection and processing of personal data
- Provide a privacy notice to your customers
- Only collect personal information that is needed and nothing more
- Introduce clear data destruction procedures for your employees to follow
- Train your staff to respond to data access requests received from your customers
Choosing the right online payment processor, such as one that offers real-time fraud scanning to check every transaction as it happens, can also help you reduce fraud.