Retailer beware: hackers are already targeting your customers
When COVID-19 struck and physical retail stores shut down, there was a swift and massive adoption of digital transactions, contactless payments and deliveries.
While great from a customer convenience standpoint, such a rapid transition meant there were a lot of security gaps left unaddressed by many retailers.
The problem grows even bigger when we consider how dependent retailers are on third-party services and local supply chains, which often add huge security gaps of their own into the mix. It’s no wonder we’re seeing a spike in cybersecurity risks and fraud in the eCommerce sector. In fact, the Office of the Australian Information Commissioner’s Notifiable Data Breaches report revealed that the Australian retail sector was the third most targeted industry when it comes to cyberattacks, after finance and healthcare.
The retail digital experience is particularly prone to cyber risks. To encourage customer spending, user-friendliness is a top priority in retail website design. Retailers worry that robust security measures can make the buying process seem time-consuming and inconvenient, causing customers to abandon purchases. As a result, many retailers have dragged their feet on implementing security best practices like two-step purchase verification. Shortcuts like this only make retailers more likely to be targeted.
How are retailers being attacked?
Retailers handle a tremendous volume of customer data, everything from customer payment details to physical addresses, which makes them a jackpot for hackers. Let’s take a look at the four biggest vulnerabilities retailers face and how they can address them.
1. Web application attacks
Online retailers use a bunch of different web applications to serve customers, such as order fulfilment forms and systems that process sensitive customer information. Unfortunately, exploits that target these web applications are one of eCommerce’s biggest threats. Depending on the kind of attack, web application attackers could try to hack your database or inject malicious code to trick users out of sensitive information.
Make sure you only use proven and safe payment methods. In fact, it’s a good idea to only use third-party platforms and providers who have certified security measures in place. Installing a reputable web application firewall (WAF) can be a powerful defence against web application attacks. You should also regularly audit your application databases and conduct security assessments of web applications, fixing vulnerabilities as you go.
2. Bad bots
Bad bots are malicious software that can target the login pages of online retailer sites and steal customer information as well as payment card details. Using WAFs and a secure content delivery network can prevent your site from getting overwhelmed by bots. But it’s important to automate the monitoring and blocking of bad bots, so you can catch on to any suspicious activities on your website.
3. Fake browser-based ads
Also known as customer journey hijacking, this is when hackers inject unauthorised ads into the browsers of users who visit your website. These fake ads can redirect your visitors to competing products or, worse, fake sites where hackers can harvest their information. The worst thing is that this all happens on the customer’s end, and is largely out of your control. The best way to deal with this threat is to educate your customers about cybersafety and what they should expect when shopping on your site.
4. Phishing attacks
One of the oldest tactics in the book, phishing relies on social engineering to trick users into giving up their personal information. This includes creating fake emails, fake websites, fake login pages and fake payment pages, all with your branding and logos. Even their URLs can be similar to yours, making it easy for your customers to fall for the trap. This can be an internal risk as well if hackers decide to target your employees. Awareness training is your best defence, so make sure both your customers and employees know how to spot a phishing attempt.
Retailers need to act now
Brandjacking is a serious problem, and eCommerce can be a high-risk endeavour from a cybersecurity perspective. Customers won’t care who was responsible if something goes wrong; they will simply blame your brand. Retailers need to take immediate action to avoid making the front-page news if they do experience a cyberattack. It’s also important to understand that cybersecurity is a team sport, and it falls to both your marketing team and your cyber team to ensure your customers have a safe shopping experience and that your hard-won brand reputation stays intact.