Five types of e-commerce user behavior to detect identity theft

Last year alone, the Federal Trade Commission (FTC) received 5.7 million complaints about fraud. 

At the same time, researchers estimate that e-commerce retailers were at risk of losing over $20 billion in 2021 due to fraud, an 18% increase from the 2020 total of $17.5 billion. 

The reality is that as an online store, every piece of information you hold about your customers is valuable and could be used to steal their identity. Your ability to protect that information is fundamental to building customer trust.

This article will look at identity theft in e-commerce and five types of e-commerce user behavior you can use to detect identity theft. We’ll also examine why fraudsters target customer data and what steps you can take to prevent it. 

Why is customer data a prime target for hackers? 

Fraudsters know that your customers’ data is a valuable commodity. Why? Fraudsters can use this data to apply for new credit, make false purchases, steal information from their online accounts, and apply for government benefits.

With the right combination of data, a hacker can not only steal the victim’s entire identity but even create their own falsified synthetic identity, with a mixture of legitimate and fake records. 

Unfortunately, with a whole underground economy on the dark web and over 15 billion stolen passwords exposed, it’s vital for any e-commerce business to ensure it can detect and protect against user behavior that causes identity theft. 

What types of personally identifying information can hackers steal? 

When it comes to data theft, it’s not just credit card numbers that are valuable. Hackers seek to gather information ranging from emails and passwords to social security numbers and bank details; anything that can potentially be used to steal an individual’s identity or create a new synthetic one.

For instance, even an email address is a valuable piece of data. That’s right. An email address provides a criminal with an avenue to target an individual with phishing scams. With a single scam, they can attempt to manipulate the victim into handing over their personal information or logging into a fake e-commerce website.

How does customer data get stolen? 

Nine times out of ten, customer data gets stolen from e-commerce providers due to sloppy data handling practices, such as employees sharing Personally Identifiable Information (PII) in tools like Slack or email and cloud-based spreadsheets or giving employees over-privileged access to customer data. 

It’s important to note that with more and more employees working in remote or hybrid environments, there’s much more room for sloppiness with data storage. In short, a lack of security training and awareness creates significant security risks to customer data.

At the heart of the challenge of preventing fraud is the fact that most organizations don’t have the visibility to ensure that employees are following data handling best practices. 

In addition, the shift to remote working has made employees’ home networks prime targets for attackers who can exploit vulnerabilities in the router hardware or Wi-Fi hacking to eavesdrop on their communications.

Similarly, cybercriminals can pay for ‘subscription-based’ malware attacks and brute force hacks to gain access to customer data, even if they don’t have the technical expertise to steal it themselves.

When it comes to stealing customer data, cybercriminals have a range of tools they can use to harvest the information they need, from buying the data outright from other threat actors to innovating their own scams. 

Five methods of stealing customer data:

1. Phishing scams 

One of the most common ways hackers will steal customer data is through phishing scams. In fact, these attacks are so common that every 11 seconds, a business is attacked by a hacker or phishing attempt.

In these attacks, the fraudster will send the target a phishing email that impersonates a trusted brand or individual before attempting to manipulate them into clicking on a malicious email link or attachment. 

For example, an attacker will send the victim a message saying their Office 365 account will expire if they don’t update their login details via a linked URL. When the user clicks on the URL, they’ll be taken to a fake Office 365 website where the attacker can harvest their email address and password with a form.

2. Impostor scams 

A scam where an individual will imitate an executive, such as the CEO or CFO at a company, to request financial support from an employee in the form of an invoice or a “gift card.” 

For example, an attacker will email an employee and say that they’ve lost their wallet and need temporary support to pay an invoice. If the employee tries to help, then the fraudster will route the funds to their personal account. 

3. Brute force hacks 

In this type of attack, a hacker will try to break into a user’s online account or device by trying lots of different combinations of passwords until they find the right one and obtain access. 

For instance, an attacker will try common passwords like 123456, qwerty, password, 12345678, or 11111 as part of a sequence. They can also enter passwords associated with your name and address leaked as part of previous data breaches on the dark web. 

4. Social engineering 

As part of a social engineering scam, an attacker will try to manipulate the target by email, phone, or SMS message into handing over the personal information that they can use to steal their identity.

For example, a criminal will phone up the target and try to warn them that they need to pay an invoice and take 

5. Viruses and malware

Attackers can also gain access to sensitive information by infecting the target’s device with malware or a virus that harvests their data so that the attacker can use it as part of future cyber crimes. 

5 Types of User Behavior that Could Show Identity Theft 

For e-commerce stores, one of the simplest ways to combat fraud is to understand the types of behavior that malicious users will exhibit when they attempt to commit identity theft. 

There are five main types of user behavior you should look out for: 

1. Card testing 

Before a fraudster attempts to use a stolen credit card, they’ll often try to complete a number of smaller purchases to test if the details they’ve stolen work.

This means if you see someone visit your site who attempts to make lots of small purchases, particularly if they’re the same item, then this could indicate that they’re testing a stolen credit card.   

2. Refund fraud 

Another red flag you should keep an eye out for is if a user purchases a product and then requests a refund, to be made out to an alternative payment option.

A redirected refund can suggest that the individual has stolen a credit card and is looking to redirect the funds back into their personal account. Research estimates that this type of return fraud costs merchants $25.3 billion annually. 

3. Account takeovers 

One of the biggest signs that a user has managed to take over someone else’s e-commerce account is if they log in and start changing details associated with the account, such as changing the address or password. It can also take place on social accounts, as occurred most recently when someone hacked Disneyland’s Instagram.

These actions are even bigger red flags if they’re accompanied by lots of failed login attempts that indicate the user is trying lots of combinations of passwords. 

4. Interception fraud 

Another high-risk user behavior you should look out for is related to interception fraud, where a fraudster uses a stolen credit card to get an item sent to a shipping address but attempts to intercept the package before it reaches the victim’s address. 

So if a customer contacts customer service and tries to convince a representative to change the address on the order before it is shipped to them, there’s a high likelihood they’re attempting to commit interception fraud.

Usually, the fraudster will try to do this by contacting customer support and trying to convince a representative to change the address on an order before it is shipped to them. 

5. Multiple failed purchases or logins 

While many of the techniques on this list can be quite specific if you’re looking to catch them with abnormal behavior, one of the simplest warning signs you can look out for is if a user has multiple failed purchases or login attempts. 

Multiple failed purchases could indicate that the attacker is trying out a stolen credit card, while failed logins could show the user is trying out lots of password combinations to break into an online account. 

This happened most notably when hackers launched a series of credential stuffing attacks against 11,000 Canada Revenue Agency government service accounts. 

Other warning signs to watch out for 

Another important red flag to look out for is if a new shopper visits your site. While most new visitors will be legitimate customers, a minority will be fraudsters who hop from site to site making fraudulent orders. 

It’s also a good idea to double-check any unusually large orders. This will help to catch out criminals who’ve stolen credit card details and are trying to make as many purchases as possible before the victim realizes it. 

Also pay close attention to users that try to have goods shipped to internal shipping addresses, as sometimes fraudsters will do this to sidestep address verification services and increase their chances of getting away with identity theft.  

Lastly, you can check user IPs and block the activity of users who attempt to use the details of multiple credit cards from a single location. This will reduce the likelihood of customers falling victim to fraud and improve the customer experience.  
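
The checks described in the behavior list and warning signs above (repeated small purchases of one item, repeated failed logins, account detail changes after failed logins, several cards from one IP) can be expressed as simple rules over an event log. The sketch below is an added example, not code from the original article or from Freshmarketer; the event fields, thresholds, and signal names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Assumed thresholds; tune them against your own store's normal traffic.
SMALL_AMOUNT = 5.00        # purchases at or below this count as "small"
SMALL_PURCHASE_LIMIT = 3   # repeated small purchases of one item
CARDS_PER_IP_LIMIT = 2     # distinct cards allowed from a single IP
FAILED_LOGIN_LIMIT = 3     # failed logins before later changes look suspicious

# Constructed sample events in time order (documentation IPs, fake card tokens).
EVENTS = [
    {"type": "purchase", "ip": "203.0.113.7", "user": "u1", "item": "sticker", "amount": 1.00, "card": "tok_a"},
    {"type": "purchase", "ip": "203.0.113.7", "user": "u1", "item": "sticker", "amount": 1.00, "card": "tok_b"},
    {"type": "purchase", "ip": "203.0.113.7", "user": "u1", "item": "sticker", "amount": 1.00, "card": "tok_c"},
    {"type": "login", "ip": "198.51.100.4", "user": "u2", "ok": False},
    {"type": "login", "ip": "198.51.100.4", "user": "u2", "ok": False},
    {"type": "login", "ip": "198.51.100.4", "user": "u2", "ok": False},
    {"type": "login", "ip": "198.51.100.4", "user": "u2", "ok": True},
    {"type": "change_address", "ip": "198.51.100.4", "user": "u2"},
    {"type": "purchase", "ip": "192.0.2.10", "user": "u3", "item": "laptop", "amount": 899.00, "card": "tok_d"},
]

def flag_events(events):
    """Return a set of (signal, subject) pairs for the behaviors described above."""
    small = defaultdict(int)    # (user, item) -> small purchases seen
    cards = defaultdict(set)    # ip -> distinct card tokens seen
    failed = defaultdict(int)   # user -> failed logins seen
    flags = set()
    for e in events:
        if e["type"] == "purchase":
            cards[e["ip"]].add(e["card"])
            if len(cards[e["ip"]]) > CARDS_PER_IP_LIMIT:
                flags.add(("multiple_cards_from_ip", e["ip"]))
            if e["amount"] <= SMALL_AMOUNT:
                small[(e["user"], e["item"])] += 1
                if small[(e["user"], e["item"])] >= SMALL_PURCHASE_LIMIT:
                    flags.add(("card_testing", e["user"]))
        elif e["type"] == "login" and not e["ok"]:
            failed[e["user"]] += 1
            if failed[e["user"]] >= FAILED_LOGIN_LIMIT:
                flags.add(("repeated_failed_logins", e["user"]))
        elif e["type"] in ("change_address", "change_password"):
            # Detail changes after many failed logins suggest a takeover.
            if failed[e["user"]] >= FAILED_LOGIN_LIMIT:
                flags.add(("possible_account_takeover", e["user"]))
    return flags

if __name__ == "__main__":
    for signal, subject in sorted(flag_events(EVENTS)):
        print(signal, subject)
```

A flag here is a reason to review an order or session, not proof of fraud; the single large order from a new address in the sample is deliberately left unflagged by these rules.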

How do I prevent hackers from stealing customer data? 

If you want to protect your customers from identity theft, there are a number of steps you can take to reduce the risk of hackers stealing customer data. These include:

1. Increased security training 

One of the most effective tools that organizations have at their disposal to prevent hackers from stealing customer data is security awareness training. 

With security awareness training, you can teach employees about security best practices, such as how to select a strong password, using a VPN when working from home, the importance of regularly updating devices and software, and how to avoid phishing scams by not clicking on links or attachments from unknown senders. 

2. Are all your employees getting the same level of access to user data?  

In this day and age, it’s easy to find a product or a solution for a specific e-commerce need (such as landing pages or email newsletters or payment processing). However, most of the time, we forget to check if this tool or solution is security compliant. For example: are all your employees getting the same level of access to user data? Or do you have admins and other security levels which can view certain data other employees cannot?

If all your employees can access all data and there are no security roles or privileges, you may be a prime target for a hacker. For example, just this week, Twilio suffered a data breach resulting in data from 286,000 active customer accounts being stolen. How did the hackers get this data? The hack was an SMS phishing attack that targeted employees and aimed to steal employee credentials.

Freshmarketer adds a layer of security by allowing admin privileges such as:

  1. Role-based access: Role-based access allows you to restrict data access based on the hierarchy of your employees
  2. Custom roles: Create customized roles which define the level of access for special users
  3. Field-level permissions: Control access to sensitive fields by regulating users who can either view or edit a field or hide the field for the role


3. Don’t fall for social engineering attacks 

Making employees aware of the risks of social engineering attacks and how hackers will try to manipulate them into giving up information with smishing, phishing, and vishing scams is essential for minimizing data breaches. 

Increasing awareness of high-pressure sales tactics designed to get employees to log in to fake sites or hand over information to fraudsters reduces the chance of them falling victim to those techniques. 

4. Never use unauthorized USB devices or install unauthorized apps/software

Another security essential for employees working in coworking spaces or public areas is to never use unknown USB devices, as attackers will often plant these to trick unsuspecting users into infecting their devices with malware. 

It’s also essential to highlight to employees that they should never install unauthorized apps or software on work devices as at best these services could have vulnerabilities and, at worst, could actively spread malware.

5. Enable biometric security for mobile devices (like fingerprint ID or Face ID) 

Over the past few years, it’s become clear that cybercriminals are more than capable of side-stepping common defenses like passwords, which is why it’s safer and more effective for employees to use fingerprint ID and Face ID.

Using biometric authentication options like fingerprint ID and Face ID means that hackers can’t use credential-based attacks to log in to their online accounts.

6. Regularly update your devices 

Employees can also reduce the chance of a breach by regularly updating their devices. Encourage users to never ignore software updates as these include valuable patches for keeping their devices free of vulnerabilities that attackers can exploit. 

7. Use an authenticator app instead of SMS for 2FA 

If you use two-factor authentication on a device, it’s important to use an authenticator app to prevent malicious entities from conducting SIM-swapping attacks. 

Relying on two-factor authentication codes sent to your phone gives a skilled attacker the opportunity to get the one-time passcode rerouted to their own device. 

8. Use a secure password manager 

Encourage employees to use a password manager to store unique passwords for all their online accounts in one place. 

It’s important to highlight that they should never recycle passwords as this will provide an opportunity for hackers to log in to multiple accounts with one set of stolen credentials. 

9. Avoid public or insecure Wi-Fi networks 

While public Wi-Fi may be convenient, it’s also a hotspot for cybercriminals, who can use man-in-the-middle attacks to eavesdrop on your employee’s activity and steal your data. 

Let employees know that using work devices on public Wi-Fi puts customer data at risk and isn’t acceptable under any circumstances. 

10. Use antivirus and VPN 

Ensure all work devices are protected with an antivirus and a VPN. Antivirus or antimalware solutions will protect the device from being infected, while a VPN will change the location and encrypt the user’s traffic so that it can’t be intercepted.

11.  Protect yourself from shoulder surfing 

When accessing sensitive data, always be wary of who is around you, and consider whether they’re authorized to view the information you’re accessing. 

Try to discourage employees from accessing private customer data in front of unauthorized individuals and in public spaces.

Protect Your Customers 

The information you hold about your customers is valuable, so protect it. You don’t want to gain a reputation as a provider that doesn’t care about the privacy of its customers. 

While identity theft is incredibly common, the good news is that you can protect your customers from it simply by building security awareness among your employees and ensuring that data handling best practices are applied whether they’re working from home or in the office.
