Security for ecommerce: key threats and how to prevent them

This is an umbrella term for malicious actions exploiting human factors. For example, using a phishing technique, criminals pretend to act on behalf of reputable brands and trick users into going to their fake ecommerce website and stealing their personal information, such as login or credit card details. In addition to harming customers, this cybercrime damages the brands’ reputations and revenues.

Distributed Denial of Service (DDoS) and Denial of Service (DOS) attacks can overload your website with requests to make it unavailable and disrupt your digital operations. Digital stores can be particularly vulnerable to this type of attack during peak times, such as Black Friday or Cyber Monday sales. In 2022, DDoS attacks reached new records in rate, frequency, and complexity, with an unseen spike in duration and a trend for repeat attacks within 24 hours.

These attacks can target both consumers’ and retailers’ financial assets. Cybercriminals typically rely on two common scenarios: using stolen credit card details to place orders and submitting requests for illegitimate refunds. Ecommerce websites offering the Buy Now, Pay Later service are also at a high risk of online fraud. Criminals can take over existing BNPL accounts or set up new mule accounts using stolen credentials to make unauthorized purchases.

Also known as a Magecart attack, this hacking technique uses malicious code to capture and steal credit card information from the checkout page on a compromised ecommerce website. Moreover, hackers can sell stolen financial details or use them for illegal transactions. Formjacking is another skimming technique where threat actors insert malicious code into a website to take over forms and directly collect sensitive data customers enter.

Bot attacks constitute one of the biggest threats to ecommerce, accounting for 62% of all attacks on online retailers, which is twice as much as in other industries, according to Imperva. Malicious bots can be programmed to automatically perform tasks like stealing sensitive information, pricing scraping, and committing fraud attacks. The level of bot complexity is significantly higher in commerce than in other industries. These bots can mimic human behavior and are the most evasive, which makes them difficult to detect and deter.

Since more and more shopping occurs across different channels and devices, ecommerce businesses are switching to headless commerce solutions to ensure seamless omnichannel experiences. However, this architecture entails an extensive use of APIs that can become a target for cyber attacks. According to Imperva, over 41% of all online store traffic comes from APIs and 12% of the API traffic goes to endpoints holding sensitive data, such as credentials and credit card information. This increases the possibility of malicious API usage and data breach.