What is phishing
Phishing is a fraudulent practice in which an attacker tricks a victim into handing over personal data, payment details or passwords, typically through an email, website or call that impersonates a trusted party, and then uses that data to impersonate the victim, generally to make online purchases or steal money from their accounts.
According to The Paypers' Fraud Prevention in Ecommerce Report 2020 / 2021, ecommerce fraud has grown by 18% since 2017, and this situation has been exacerbated by the global COVID-19 pandemic.
According to several surveys conducted since the onset of the global crisis, 63% of users have used electronic payment methods and 80% have shifted to using more contactless systems.
In these circumstances shoppers either have no choice but to shop online or feel far more comfortable doing so. However, the same situation has posed many challenges for online retailers and payment platforms, as demand has grown and fraudsters have become more resourceful in taking advantage of it. According to Google, the number of phishing sites grew by 250% between January and March 2020, and unfortunately the figures are expected to keep rising as digital commerce booms.
Fortunately, best practices to prevent phishing in ecommerce and strengthen the security of shoppers and businesses are also flourishing.
Types of phishing to watch out for
All types of phishing seek to gain access to a shopper's accounts through their details. In ecommerce, this is done in order to make fraudulent purchases or to divert a legitimate purchase to the fraudster.
In all cases, the situation is detrimental to both the buyer and the company. The user goes through the unpleasant experience of a fraud, which involves a series of claims to get their money back, and is left with a negative association with the website where they suffered the scam. For the business, it means dealing with those complaints and, in some cases, having to bear the cost of lost or stolen purchases.
In most examples of phishing, the seller or retailer cannot tell a legitimate buyer from a fraudulent one. Many of the losses attributed to phishing are compounded by logistical problems, such as packages that never arrive or arrive empty, or returned products that reach the seller empty.
Despite this, the most common and dangerous types of phishing in ecommerce are based on "phantom" orders rather than on stealing legitimate orders:
Phishing via email or phone
The user receives an email that appears to come from their bank, asking them to enter personal data or to open a link or attachment that installs malware on their device. Calls are also used to extract information from a customer in order to access their accounts, or to impersonate the customer in calls to their bank or insurance company.
This is the most basic type of phishing: once the attacker holds the user's account details, they act in the user's name. A related scheme is triangulation, where a fake ecommerce site is set up to collect shoppers' orders and payment details; the fraudster then places those orders on a real ecommerce site, so the goods are delivered and the stolen card data goes unnoticed for a while.
Click & Collect / BOPIS fraud
The increasing use of Click & Collect / BOPIS has led to an increase in fraud in many cases. In this type of purchase, the customer orders the product online to be picked up in the shop or at the kerb (Buy Online, Pick up at Curb, or BOPAC). The scam consists of stealing the online shopper's credentials and card details and picking up orders on their behalf, since collection is often the weakest identity check in the whole process.
CNP (Card not present)
The fraudster carries out online transactions without holding the genuine bank card, using only the card number, expiry date and security code obtained through phishing. This is easier where proper security measures are missing, and the attack surface is growing as more card-not-present payment methods and digital-only cards emerge.
BEC (Business Email Compromise)
In BEC the attacker uses a spoofed or compromised company email account to impersonate a manager, supplier or partner and persuade staff to make a payment, change bank details or hand over data. Because many businesses have moved to working entirely remotely or with part of their team operating from home, where devices and networks are less protected than in the office, this type of phishing has found it easier to reach private data through less protected hardware.
Fake profiles on marketplaces
Apart from impersonating buyers, online scams can also rely on impersonating a business. This practice involves replicating the profile of a real company on a marketplace, such as Amazon, and padding it with fake reviews that give the impression of legitimacy. In this way the scammers attract purchases but never ship the products.
How to avoid phishing on your ecommerce site
The responsibility seems to fall on the shoulders of the business, and to a large extent it does. Businesses have to take on the challenge of implementing the most secure methodology and practices possible, both in their internal operations and in the customer's shopping journey, while ensuring a pleasant and uncomplicated user experience.
What can you do to keep phishing from becoming a problem in your business?
Educate the shopper
You may think it's their responsibility, but you need to do your part too. Many victims of phishing in ecommerce are older or less tech-savvy people: easy targets who will appreciate your help if you show them how to shop and pay securely, for example by stating clearly which channels you will never use to ask for passwords or card details. This also enhances your brand image as a trustworthy company.
Secure payment process
On the one hand, one-click payments deliver the agility that online shoppers expect. On the other hand, although you should try to keep the process simple, 87% of shoppers are willing to go through a longer process if it brings extra security. Now that PSD2 is mandatory in Europe, the customer is better protected and your ecommerce must offer Strong Customer Authentication (SCA), which verifies the user with two independent factors (something they know, something they have, or something they are) before the payment is confirmed.
Good identification practices
For home delivery and for collection from agreed shops or delivery points, many companies relax customer verification. Businesses need to train their employees to be rigorous in checking customer identity at hand-over, and solutions such as personalised passwords or collection codes, biometric identification, face matching, AI-based analysis and so on are increasingly available.
Strong data encryption
The option of creating an account and saving payment data for future purchases is very convenient for the customer, but carries greater risk. It is the responsibility of the business to collect and store this data as securely as possible, mainly through tokenisation. This replaces the card number with a unique, randomly generated token that is useless on its own; the real card data is held only by the payment provider or a dedicated token vault, so a breach of the shop's own database does not expose payment numbers.
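To make the tokenisation point concrete, here is an added example (not code from the original article or from any payment provider) of a minimal in-memory token vault: the shop keeps only the token and the last four digits, the card number lives inside the vault, and the same card always maps to the same token so repeat purchases can be recognised without ever storing the PAN. The `TokenVault` class, the lookup key and the test card numbers are assumptions for illustration; in production the vault is a PCI-scoped service or the payment provider itself.

```python
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects mistyped or obviously fake card numbers before storing anything."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for a PCI-scoped token service (illustration only).

    Only this object ever sees a full card number. The shop's own records keep
    the opaque token, which cannot be reversed without the vault.
    """

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key   # assumed secret, lives with the vault only
        self._pan_by_token = {}         # token -> PAN
        self._token_by_fp = {}          # keyed HMAC(PAN) -> token, so one card == one token

    def tokenize(self, pan: str) -> dict:
        pan = pan.replace(" ", "")
        if not pan.isdigit() or not 12 <= len(pan) <= 19 or not luhn_ok(pan):
            raise ValueError("not a plausible card number")
        # Keyed fingerprint: lets the vault deduplicate without a reversible or
        # brute-forceable plain hash of the PAN.
        fp = hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_fp.get(fp)
        if token is None:
            # Random token: carries no information about the PAN at all.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = pan
        # Everything the shop is allowed to keep: token plus a display hint.
        return {"token": token, "last4": pan[-4:]}

    def detokenize(self, token: str) -> str:
        """Only the vault (or the payment gateway) resolves a token back to a PAN."""
        return self._pan_by_token[token]


def store_card_for_customer(vault: TokenVault, customer_id: str, pan: str) -> dict:
    """What the ecommerce database row looks like: no PAN, only token and last4."""
    rec = vault.tokenize(pan)
    return {"customer_id": customer_id, "card_token": rec["token"], "last4": rec["last4"]}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    row = store_card_for_customer(vault, "cust-1", "4242 4242 4242 4242")  # constructed test PAN
    print(row)
    # The shop record never contains the card number; only the vault can resolve it.
    assert "4242424242424242" not in str(row)
    print(vault.detokenize(row["card_token"]))
```

If the merchant's database leaks, the attacker obtains `tok_...` strings and last-four digits, neither of which can be used to place a card-not-present transaction elsewhere. The Luhn check is deliberately placed before any storage so that junk input never reaches the vault.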
Consult a specialist
As with legal matters, the company should review its cybersecurity posture regularly and produce an up-to-date report, especially if it has never stopped to assess its exposure to phishing. Whether incidents are already occurring or merely a risk, it is vital to analyse the data, compare it with current phishing trends, and take appropriate measures to protect both the ecommerce site and the shopper.