Tackling e-Commerce Fraud

by GOsafeonline | 10 March 2011

Your company probably does great business over the Internet and, as online shopping grows in popularity, it is likely to do even better in the future. But just like traditional brick-and-mortar shops, online shops with weak security can be hit badly by criminals too.

And weak online security not only opens up your site to a greater risk of fraud (that robs you of goods and revenue), it also exposes your company’s systems to more elaborate acts of theft and intimidation, such as the theft of customer information and denial-of-service attacks that shut down your online business operations.

So, how can you tackle e-commerce fraud?

Step 1: Know the best way to sell your product and what online fraud risks you can face.

For example, if you are a stay-at-home mother who makes and sells baby clothes online for a living, you would probably be less willing to invest in your own e-commerce website or sophisticated online security software. So, you would probably choose to sell your products through a third-party site (like eBay) and make use of an online financial transaction system (like PayPal) to accept online payments on your behalf. Therefore, the sort of online fraud you are likely to encounter would be less technical in nature (for instance, dealing with suspiciously large orders from dubious sources).

For small businesses using third-party e-commerce sites and online financial transaction systems, risks include:
  • Fraudulent purchases (when buyers either refuse to pay for the goods sent, or use a stolen credit card account to make the purchases illegally);
  • Hacking (computer programs developed specifically to break into systems, often via viruses and other malware sent through emails or unknowingly downloaded onto users’ computers when they visit malicious websites); and
  • Social engineering (activities performed by criminals to manipulate users into providing confidential information through the use of phishing, identity theft, spam, etc.).

However, if, for example, you run an online coupon buying site, which sells coupons for discounted food and drink at popular restaurants, then not only do you have an entirely virtual product but you need to run your own e-commerce site that customers can sign up with and purchase coupons from. This opens up your systems to a greater risk of technical attacks (to extract customer information, like credit card details, for instance).

For businesses running their own e-commerce site, risks include:
  • Employee information theft (when employees themselves abuse the trust put in them by extracting and misusing valuable company information);
  • Hacking (computer programs developed specifically to break into systems, often via viruses and other malware sent through emails or unknowingly downloaded onto users’ computers when they visit malicious websites);
  • Social engineering (activities performed by criminals to manipulate users into providing confidential information through the use of phishing, identity theft, spam, etc.); and
  • Fraudulent purchases (when buyers either refuse to pay for the goods sent, or use a stolen credit card account to make the purchases illegally).

Step 2: Once you know how your online business could be at risk, you can develop ongoing employee awareness programmes to help them understand the threats to your business, and how to appropriately secure your systems and processes regardless of whether you are running your own e-commerce website or using a third-party site.

For small businesses using third-party e-commerce sites and online financial transaction systems, this would include:
  • Being wary of suspicious online orders (e.g. unusually large or expensive orders from foreign countries);
  • Ensuring that you use strong passwords that are kept private and regularly changed;
  • Practicing safe surfing habits, such as not opening suspicious emails from unknown senders or with vague subjects that are not work-related, and ensuring that you log out of secure websites when you are finished using them;
  • Being aware of the risks and dangers of phishing scams and other social engineering activities;
  • Ensuring that your anti-virus software and firewall are up-to-date; and
  • Clearing old equipment of confidential information before disposal.

For businesses running their own e-commerce site, this would include:
  • Controlling employee access to confidential information;
  • Ensuring that employees use strong passwords that are kept private and regularly changed;
  • Regulating employee access to social media (e.g. Facebook and other social networking sites) and non-corporate email accounts (e.g. Hotmail), to limit their ability to deliberately or inadvertently leak confidential information;
  • Reminding employees to practice safe surfing habits, such as not opening suspicious emails from unknown senders or with vague subjects that are not work-related, and ensuring that they log out of secure websites when they are finished using them;
  • Educating employees about the risks and dangers of phishing scams and other social engineering activities;
  • Ensuring that the company’s e-commerce software, anti-virus software and firewall are up-to-date;
  • Clearing old equipment of confidential information before disposal; and
  • Being wary of suspect online orders (e.g. unusually large or expensive orders from foreign countries).
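The "be wary of suspicious orders" advice given for both kinds of business above can be turned into a simple screening rule that flags orders for a manual look before goods are shipped. The following is an added example, not code from the original article or from GOsafeonline; the shop's home country, the multiplier, the minimum history, the order fields and the sample orders are all constructed assumptions.

```python
from statistics import median

HOME_COUNTRY = "SG"       # assumed: the country the shop normally ships to
SIZE_MULTIPLIER = 4.0     # assumed: flag orders more than 4x the typical order
MIN_HISTORY = 5           # assumed: past orders needed before size rules apply

# Constructed history of accepted orders (not real data).
PAST_ORDERS = [
    {"total": 45.0, "quantity": 2, "country": "SG"},
    {"total": 60.0, "quantity": 3, "country": "SG"},
    {"total": 38.0, "quantity": 1, "country": "SG"},
    {"total": 52.0, "quantity": 2, "country": "SG"},
    {"total": 70.0, "quantity": 3, "country": "SG"},
    {"total": 48.0, "quantity": 2, "country": "SG"},
]

def typical_order(past_orders):
    """Median total and quantity; the median keeps a few genuine big orders from inflating the baseline."""
    return (median(o["total"] for o in past_orders),
            median(o["quantity"] for o in past_orders))

def screen_order(order, past_orders):
    """Return the reasons this order deserves a manual look; empty means no rule fired. Nothing here rejects an order."""
    reasons = []
    # Size rules only make sense once there is enough history for a baseline.
    if len(past_orders) >= MIN_HISTORY:
        typ_total, typ_qty = typical_order(past_orders)
        if order["total"] > SIZE_MULTIPLIER * typ_total:
            reasons.append(f"expensive: {order['total']:.2f} vs typical {typ_total:.2f}")
        if order["quantity"] > SIZE_MULTIPLIER * typ_qty:
            reasons.append(f"large: {order['quantity']} items vs typical {typ_qty:g}")
    # The foreign-destination rule needs no history.
    if order["country"] != HOME_COUNTRY:
        reasons.append(f"foreign: ships to {order['country']}")
    return reasons

# Constructed incoming orders to screen.
NEW_ORDERS = [
    {"id": "A1", "total": 55.0, "quantity": 2, "country": "SG"},
    {"id": "A2", "total": 980.0, "quantity": 20, "country": "US"},
    {"id": "A3", "total": 62.0, "quantity": 3, "country": "MY"},
]

if __name__ == "__main__":
    for order in NEW_ORDERS:
        print(order["id"], "->", "; ".join(screen_order(order, PAST_ORDERS)) or "ok")
```

A flag is a prompt to verify the order (for example by contacting the buyer) rather than an automatic rejection, since genuine large or overseas orders do occur.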