Phishing in online stores – how to protect yourself from it?

26.07.2023
Hosting

Anyone who wants to run an online store needs to know that it is not enough to set up a store page and add products with descriptions and photos. Building a store is a time-consuming and demanding process, and running one carries many risks. It is not only about negative reviews from angry customers, which can put others off shopping. One very serious threat is phishing: a store can become the target of an attack aimed at stealing its customers' data. What exactly is phishing, and how do you protect yourself from it?

What is phishing?

Phishing is an increasingly common form of attack aimed at anyone who uses the Internet, whether to run a business or to order products and services. Scammers impersonate well-known brands, including online stores, and they can just as easily imitate any popular site or important institution, such as a bank. For this they use fake websites and emails that are almost indistinguishable from the originals; even the domain names of fake sites frequently look deceptively like the real ones. The aim is to get the victim, whether the owner of a store or one of its customers, to hand over login credentials or payment details themselves, convinced that the request really comes from the site or institution whose services they have used for a long time.

Why are online stores increasingly falling victim to phishing?

Attacks on online stores are on the rise for several reasons. First, a store sells products to customers, so its business is built on constant interaction with them. Customers who want to buy something must create an account on the store's website, and even guest buyers have to provide personal, address and contact details so that the purchase can be delivered and order notifications sent. Stores therefore often hold and process large databases of customer data.

In addition, no online retailer can afford to be publicly compromised for any reason, since that means losing customers' trust and, in the worst case, the business itself: nobody wants to buy from a store that leaked their data. The most important reason, however, beyond the sheer volume of personal data, is that stores make money, and often quite a lot of it. Scammers therefore know that store owners can pay the ransom demanded to "protect" the store and its image. It is not uncommon for scammers to threaten that, unless the ransom is paid, the data they obtained will be published, and that is something store owners cannot afford.

According to Kaspersky, in the first 10 months of last year its products registered more than 40 million phishing attacks on online stores and online banks.

The effects of phishing on online stores

Your online store can fall victim to phishing in two ways.

  • A scammer may attack you, posing as some institution or service you use, in order to obtain your credentials and, through them, your customers' data, which they can then hold to ransom by threatening to make it public.
  • Or a scammer may impersonate your store and attack your customers. This case can be even more serious. A scammer can easily clone a store's website so that it looks like the real thing, and can do the same with emails or messages sent to customers on social media. After such an attack, customers will perceive your business as fake and treat you as the scammer; it will be hard to regain their trust, and the matter may even end up in court. It could look like this: a customer is tempted by a special bargain advertised in an email sent by a scammer but confusingly similar to your own mailings. The link in the email takes them to a page almost identical to your store. The customer places an order and, of course, pays. Then they wait for a shipment that never arrives, and that is where your troubles begin: you are the one receiving complaints and claims, with no idea what happened. There is nothing you can do about the missing order, and the annoyed customer may even end up calling the police.

Problems can also begin with a phishing kit planted on your own server, that is, software installed under your domain that serves a fake copy of another site, typically after the hosting account or an outdated component has been compromised. If a fake site starts opening under your domain, the hosting company may react by blocking your account. On top of that, you can expect a visit from the police, since you are the registrant of the domain and the holder of the server: you are the one who has to explain how a fake site appeared under your domain. If you can prove that you were yourself a victim of fraudsters, that is only half the trouble. If you cannot, you can say goodbye to the store and still face the penalty imposed by the court.
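One practical way to notice a phishing kit planted under your own domain is to keep a hash baseline of the store's web root and compare it regularly. The example below is added here for illustration; it is not code from the original article or from any hosting provider. The function names are hypothetical, and the tiny web root it builds in a temporary directory is constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Hypothetical helper names for this demo (baseline_webroot, compare_webroot, demo);
# they are not part of any store platform or hosting tool.


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large media files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_webroot(root: Path) -> dict:
    """Hash every regular file under root, keyed by its path relative to root."""
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, path: Path) -> None:
    """Persist the baseline; keep this copy OFF the web server so an intruder cannot edit it."""
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def compare_webroot(root: Path, manifest: dict) -> dict:
    """Report files that appeared, vanished or changed since the baseline was taken."""
    current = baseline_webroot(root)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in current.keys() & manifest.keys() if current[k] != manifest[k]),
    }


def demo() -> dict:
    """Constructed scenario: a clean deployment, then a planted fake login page and a tampered index.php."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "assets").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'store'; ?>\n")
        (root / "assets" / "style.css").write_text("body { margin: 0 }\n")

        manifest_file = Path(tmp) / "baseline.json"   # in real use: kept on a different host
        save_manifest(baseline_webroot(root), manifest_file)

        # Constructed attacker activity: a phishing kit appears under an innocent-looking
        # directory and a backdoor include is appended to the real front controller.
        kit = root / "assets" / "secure-login"
        kit.mkdir()
        (kit / "index.html").write_text("<form action='steal.php' method='post'>...</form>\n")
        (root / "index.php").write_text("<?php echo 'store'; include 'assets/.x.php'; ?>\n")

        return compare_webroot(root, load_manifest(manifest_file))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Take the baseline right after a clean deployment, store it somewhere the web server cannot write to, and run the comparison from a scheduled job. Directories that legitimately change at runtime (uploads, caches) should be excluded or baselined separately; anything else that appears, especially under a name like "secure-login", deserves an immediate look.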

Is it possible to protect against phishing?

Phishing is a common phenomenon and hard to protect against completely. However, you can take steps that reduce the likelihood of such an attack succeeding. How can scammers be outsmarted? Here are some ways:

  • When registering a domain name, choose one written in plain ASCII and avoid internationalized names, since scammers exploit letters from other alphabets, such as Cyrillic, that look identical to Latin ones; it is also worth registering the most obvious typo and look-alike variants of your domain yourself, so that they are not available to attackers;
  • serve the whole store over HTTPS with a valid TLS certificate, which encrypts communication between the customer's browser and your server; note that an Extended Validation (EV) certificate adds no encryption beyond that of a standard certificate, and modern browsers no longer highlight EV in the address bar, so it is not a phishing countermeasure on its own;
  • two-factor authentication: a second factor greatly reduces the risk of a fraudster logging in with a stolen password, although it does not eliminate it. Codes sent by email or SMS, or generated by an authenticator app, can still be relayed in real time by a fake login page, and a "security question" is not a second factor at all; FIDO2/WebAuthn security keys or passkeys are bound to the real domain and therefore resist phishing outright. It is also worth adding a Captcha to the login form so that automated tools and bots are slowed down, although Captchas are not an absolute barrier;
  • personalized phrases or images for customer verification: a phrase or image chosen by the customer and shown before the password is entered is meant to prove that they are on the real site. Treat this as a weak, supplementary measure only: a fake site can forward the username to the real one and display the phrase it receives back, and users tend to ignore its absence;
  • strict password rules: remind newly registering customers that passwords should be sufficiently long. Set a minimum length (at least 8 characters, and preferably 12 or more) and check new passwords against lists of known leaked passwords; length matters more than mandatory capital letters, digits and special characters. Some banks use a partial-password login, where only a few highlighted positions of the password have to be entered. It blunts keyloggers and shoulder surfing, but it forces the bank to store the password in a recoverable form rather than as a one-way hash, so it is not a pattern to copy in a store;
  • latest software versions: keeping the store platform, its plugins and the server software up to date is very important, because new versions contain fixes that close holes which, in older versions, fraudsters can easily exploit to break in and take control of the domain and server;
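To make the two-factor point concrete, here is a server-side verifier for time-based one-time codes (RFC 6238, the scheme used by authenticator apps) that tolerates a little clock drift but refuses to accept a code twice. It is an added example, not code from the original article or from any store platform; the class and function names are hypothetical, and the only secret used is the reference value from the RFC's own test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30  # seconds per time step, the RFC 6238 default


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 code (HMAC-SHA1 variant) for the time step that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check of one user's second factor.

    Accepts the previous, current and next step (clock drift on the customer's phone)
    but never a step at or below the last one consumed, so a code captured once,
    e.g. by a fake login page, cannot be replayed later in the same window.
    """

    def __init__(self, secret_b32: str, digits: int = 6, step: int = STEP):
        self.secret = base64.b32decode(secret_b32.upper())  # secrets are usually stored base32-encoded
        self.digits = digits
        self.step = step
        self.last_counter = -1

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        counter = now // self.step
        for candidate in (counter - 1, counter, counter + 1):
            if candidate <= self.last_counter:
                continue                                      # already used: replay attempt
            expected = totp(self.secret, candidate * self.step, self.digits, self.step)
            if hmac.compare_digest(expected, code):           # constant-time comparison
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # The RFC 6238 reference secret "12345678901234567890", base32-encoded.
    v = TotpVerifier("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", digits=8)
    print(totp(v.secret, 59, 8))          # 94287082 per the RFC test vectors
    print(v.verify("94287082", 59))       # True
    print(v.verify("94287082", 59))       # False: same code presented again
```

The replay check is the part most implementations forget: a fake page that relays the victim's code to the real site immediately still gets in, but the same code cannot be used a second time, and the last_counter value must be persisted per user (database, not memory) for the protection to survive restarts. Rate-limit verification attempts as well, since a 6-digit code is guessable given enough tries.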

What if a store falls victim to phishing?

From the moment a customer's data falls into a fraudster's hands, time is of the essence. Every minute counts, so do not waste it on unnecessary moves that achieve nothing.

  • Start by diagnosing and estimating the scale of the leak and examining the fake materials, the website and the emails, to find the details that distinguish them from the originals. Then establish how many customers have already received the fake messages and how many were taken in. Preserve copies of the fake site and the fake emails with their full headers; they are needed for every report that follows.
  • Next, contact the hosting company, ask the registrar and hosting provider of the fake domain to take it down, and send customers copies of the fake site and messages explaining the differences and warning them. Do this not only by email but also on your blog, on your website and on social media, wherever the store's customers gather.
  • It is also a good idea to report the incident to CERT Polska, the national response team operating within NASK, which handles reports of phishing and other online threats. If customers' personal data has actually leaked, remember that the GDPR requires the supervisory authority (in Poland, UODO) to be notified within 72 hours.

How to detect a fake website or email?

  • In the case of a website, be wary if the address bar is hidden or the domain shown is not the store's own, for example a different spelling, a different ending, or an extra part after the brand name.
  • Check whether a letter has been replaced by an identical-looking character from another alphabet. The characters most often used for this come from the Cyrillic alphabet, many of which look identical to Latin letters although they are different characters; in the address bar such a domain may also appear in its "xn--" (punycode) form.
  • The absence of a padlock in front of the site address is a warning sign, but its presence proves little: fraudsters obtain certificates for their fake domains too. Look at the site's design, open the certificate details and check that the domain it was issued for is really the store's domain. Don't skip checking the footer either.
  • In the case of an email, first look at the sender's details: the display name, the address and its domain. Hover over links to see where they really lead, and check that neither the link nor the page behind it looks suspicious. Watch for typos and errors, which a real store would not make. Also compare the preheader (the preview text), the subject line, the overall layout and the footer text with what the store normally sends.
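The domain checks above (ASCII-only names, Cyrillic look-alikes, brand names tucked under a foreign domain, link targets in an email) can be automated for the store's own mail and log monitoring. The example below is added for illustration and is not code from the original article or any product; the store domain, the sample email and the function names are constructed for the demo, and the confusables table is deliberately a small hand-picked subset of the Unicode confusables list.

```python
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed for this demo: the store's real domain. Function names are hypothetical.
OUR_DOMAIN = "example-store.pl"

# A deliberately small table of Cyrillic letters and digits that pass for Latin letters;
# a production check would use the full Unicode confusables list.
CONFUSABLE = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "ԁ": "d", "ӏ": "l", "0": "o", "1": "l",
}


def decode_idn(host: str) -> str:
    """Turn punycode labels (xn--...) back into the Unicode a browser may display."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host          # already Unicode, or malformed punycode


def scripts_used(host: str) -> set:
    """Coarse script names (LATIN, CYRILLIC, ...) of the letters in a hostname."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in host if ch.isalpha()}


def skeleton(host: str) -> str:
    """Fold confusables onto their Latin look-alikes so 'раураl' compares equal to 'paypal'."""
    folded = unicodedata.normalize("NFKC", host.lower())
    return "".join(CONFUSABLE.get(ch, ch) for ch in folded)


def assess_host(host: str, our_domain: str = OUR_DOMAIN) -> dict:
    """Judge one hostname against the store's real domain and list why it looks suspicious."""
    host = host.lower().rstrip(".")
    shown = decode_idn(host)
    if shown == our_domain or shown.endswith("." + our_domain):
        return {"host": host, "displayed": shown, "suspicious": False, "reasons": []}
    reasons = []
    scripts = scripts_used(shown)
    if len(scripts) > 1:
        reasons.append("mixes scripts: " + ", ".join(sorted(scripts)))
    if shown != host:
        reasons.append("internationalized (punycode) domain")
    brand = our_domain.split(".")[0]
    if brand in skeleton(shown):
        reasons.append(f"carries the brand name '{brand}' under a different domain")
    else:
        sim = SequenceMatcher(None, skeleton(shown), skeleton(our_domain)).ratio()
        if sim >= 0.8:
            reasons.append(f"look-alike of {our_domain} (similarity {sim:.2f})")
    return {"host": host, "displayed": shown, "suspicious": bool(reasons), "reasons": reasons}


class _LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hrefs.append(href)


def assess_email(from_header: str, html_body: str, our_domain: str = OUR_DOMAIN) -> list:
    """Check the sender's domain and every link target in an HTML mail body."""
    _, address = parseaddr(from_header)
    findings = [("From: " + address, assess_host(address.rsplit("@", 1)[-1], our_domain))]
    parser = _LinkExtractor()
    parser.feed(html_body)
    for url in parser.hrefs:
        findings.append((url, assess_host(urlsplit(url).hostname or "", our_domain)))
    return findings


if __name__ == "__main__":
    # Constructed sample "bargain" mail of the kind described above.
    sample = assess_email(
        "Example Store <promo@examp1e-store.pl>",
        "<p>Only today -70%! <a href='https://example-store.pl.secure-login.com/sale'>Shop now</a></p>",
    )
    for where, verdict in sample:
        print(where, "->", verdict["reasons"] or "ok")
```

The same assess_host check can be run against new domain registrations or certificate transparency entries that resemble your brand, which is how look-alike domains are usually spotted before the first customer complains. The similarity threshold and the confusables table are tuning knobs: too loose and every ".pl" store trips it, too tight and a single swapped letter slips through.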

Phishing – summary

Any online store can fall victim to phishing, as can any company that sells or offers anything and collects the data of many customers in its databases. Preventing such attacks is not easy, but certain measures minimize the risk. We should not confuse phishing with hacking. Hacking is usually done behind the site owner's back, and the data is simply stolen. Phishing, on the other hand, deliberately induces the victim to hand over access data voluntarily. Remember that no institution or person should ever ask for it, and once someone demands money in exchange for not publishing the data, report the matter to the police immediately.

Protection against attacks, including phishing, also depends on a properly managed store network and a reliable Internet connection. When choosing a hosting provider, make sure it will not be hard to reach them when problems arise. Using the services of ITH and KRU.PL, you can count on security and on being able to contact them at any time of day. These are professional Internet services, so the threat of attacks is significantly reduced. The offer is really attractive: at Kru.pl you can take advantage of a special promotional offer until the end of the year.