Clearsale Blog | Insights on Ecommerce and fraud

How to Spot Phishing Attacks on Your e-Commerce Business

Written by Bruno Farinelli | May 23, 2018

A new type of online attack is hitting businesses hard: phishing scams. These attacks are a savvy mix of social engineering and identity theft that manages to trick individuals into revealing personal information.

Unfortunately, it’s a lucrative pastime for fraudsters. Phishing scams cost businesses a half-billion dollars yearly, with nearly 76% of businesses victimized by a phishing attack in the last year. And with nearly 1.5 million new phishing sites created monthly, phishing attacks are on the upswing.

The good news is e-commerce merchants don’t have to be a victim of attacks if they know what to look for, who’s at risk and the steps to take to prevent them.

How Phishing Works

Phishers have multiple tricks up their sleeves to con customers and businesses.

Fake Emails, Texts, and Phone Calls

In the most common phishing scam, fraudsters contact victims and pose as an authority figure from a legitimate company. The fraudster then tries to get the victim to reveal confidential data, such as passwords and account numbers.

These fake communications often contain highly technical elements that look legitimate. It’s increasingly difficult for consumers to distinguish real emails from fake.

Take, for instance, a 2014 attack against JP Morgan Chase customers. The scam began with a fake message that tricked users into clicking a link. Not only did this give the fraudsters the opportunity to obtain customers’ credentials, it also delivered malware to the victims’ computers that could have resulted in breaches with other institutions.

Fake Checkout Pages

Hackers can add malicious JavaScript snippets to checkout pages in WooCommerce, Magento, PrestaShop and other platforms. When the customer clicks through to the website’s checkout page, the script redirects them to a malicious site.

If the customer isn’t paying attention to the address bar once they’ve landed on the fake checkout page, they may not realize they’re on a completely different site and are unwittingly providing their credit card details directly to the fraudster. This ends up as a double whammy: Not only is the customer’s credit card data stolen, but the merchant also loses the sale.
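The injected-script problem described above is something a merchant can check for on their own pages. The following audit script is an added example, not code from ClearSale or from any of the platforms named; it parses a checkout page’s HTML, flags `<script src>` tags that load from hosts outside an allowlist, and flags inline scripts that reassign `location` to a host other than the shop’s own. The allowlist, the hostnames and the sample HTML are all constructed for the illustration.

```python
"""Audit a checkout page for unexpected script sources and redirect logic.
Added example; hostnames and sample markup are constructed, not real."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the merchant expects to serve script on the checkout page (assumed).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example", "payments.example"}

# Inline code that assigns to location or calls location.replace/assign.
# "=(?!=)" avoids matching comparisons such as "location.href == ...".
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=(?!=)|location\.(?:replace|assign)\(",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"]+")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # text content of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_checkout_html(html, page_host):
    """Return a list of human-readable findings for the given page markup."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []

    # Relative paths have no hostname and are served by the shop itself.
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host.lower() not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"external script from unexpected host: {host}")

    for code in parser.inline:
        if not REDIRECT_RE.search(code):
            continue
        hosts = {urlparse(u).hostname for u in URL_RE.findall(code)}
        foreign = sorted(h for h in hosts
                         if h and h != page_host and h not in ALLOWED_SCRIPT_HOSTS)
        if foreign:
            findings.append(f"inline script redirects to foreign host(s): {foreign}")
        else:
            findings.append("inline script changes location (review manually)")
    return findings


# Constructed sample: one legitimate CDN script, one script from a look-alike
# host, and an inline handler that sends the checkout click elsewhere.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/cart.js"></script>
<script src="https://stat-shop.example/c.js"></script>
</head><body>
<button id="checkout">Pay now</button>
<script>
document.querySelector('#checkout').addEventListener('click', function (e) {
  e.preventDefault();
  window.location = 'https://shop-checkout-secure.example/pay';
});
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout_html(SAMPLE_CHECKOUT_HTML, "shop.example"):
        print(finding)
```

Running this over a copy of the live checkout page (for example, fetched on a schedule and diffed against the last known-good copy) gives a cheap early warning that a script has been added or changed; it does not replace platform patching, but it catches the redirect pattern the section describes.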

URL Modification

Fraudsters know that a few vigilant customers do in fact pay attention to the links they click. To counteract that and prevent detection, fraudsters create even more secure-looking (but still fake) URLs — often almost identical to the real URL, except for a few small, barely noticeable changes — to entice customers to click on them.

PayPal Account Suspension

Because many merchants use PayPal to conduct business, a suspended or restricted account would result in a serious revenue hit. So merchants will take notice if they receive an email that warns that their PayPal account is about to be restricted due to unusual activity.

While most such emails are scams, merchants may still naively follow their instructions — like entering user names and passwords on a fake page or downloading, completing and submitting an attachment — and inadvertently give the cybercriminal their login credentials and full access to the merchant’s PayPal account.

Embedded Malware

Phishers send legitimate-looking documents — like invoices, proposals and bills — as attachments to emails. When the recipient opens the attachment, the file auto-installs dangerous malware. According to Symantec, 53% of its analyzed emails are spam, and 1 in 131 emails was infected by malware in 2016.

Who’s Most Likely to Be a Victim of Phishing

Phishing continues to grow simply because it works. Consumers have trouble distinguishing fake communications from real ones, especially when they appear to come from a trusted source, like a friend or supervisor.

And with so much of daily life spent online these days, fraudsters have ample opportunities to use phishing to hack into businesses and capture sensitive data.

What businesses or industries are most susceptible to phishing attacks? It depends on who you ask.

Healthcare Industry

In 2017, phishing attacks were reported most frequently in the healthcare industry, according to Infosecurity Magazine. The elevated fraud levels were attributed to the high volume of customers and to employees’ lack of awareness about (and training on) preventing these malicious transactions.

Financial Industry

PhishLabs, however, reported that the financial industry was the hardest-hit target in second-quarter 2017, receiving 33% of all phishing threats, followed by web/online services (22%), payment services (16%), cloud storage/file hosting (10%) and e-commerce (7%). Financial businesses may be a bigger target because of the wealth of data and money available.

Merchant Services Companies

Fraudsters also target businesses that process credit card payments for retailers, knowing that compromised accounts are likely to have funds available. Fraudsters send emails stating that a merchant’s credit card processing account has been blocked due to unusual activity, laying the groundwork for employees to provide fraudsters with their credentials and full access to accounts.

The takeaway? Phishers are casting wide nets in the hope that the recipients who fall for their tricks will make it profitable. That means every business — regardless of industry or size — must protect itself against the risk of fraudsters.

How Merchants Can Protect Themselves and Their Customers

Phishing attempts are becoming more sophisticated, so here are four tips on how e-commerce merchants can protect both themselves and their customers from becoming victims.

1. Create a Master List of Account Numbers

Compile all vendor account numbers into one document. Then, before employees open any emailed invoice, have them compare the account number in the email with the one on the master list. If they don’t match, delete the email.

2. Check the Sender’s Email Address

Even if the email looks like it’s coming from Renee Smith, employees should hover their mouse over her name to confirm that it’s truly coming from her email account. Fraudsters often slightly change names — like from Renee.Smith@company.com to Rene.Smith@company.com — to sneak fraud past unsuspecting recipients.
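Tips 1 and 2, together with the URL-modification trick described earlier, can be automated as a first-pass screen before an invoice e-mail reaches an employee. The script below is an added example and is not ClearSale’s code; the vendor master list, the known-sender list, the trusted domains, the `ACCT-NNNNN` account-number format and the sample message are all constructed. It flags a sender address that is a near-miss of a known contact (the `Renee.Smith` / `Rene.Smith` case), link hosts that imitate a trusted domain, and any account number in the body that differs from the master list entry for that vendor.

```python
"""First-pass screen for an emailed invoice: sender look-alikes, link-host
look-alikes and account-number mismatches. Added example with constructed data."""
import re
from difflib import SequenceMatcher

# Tip 1: the master list of vendor account numbers (constructed).
VENDOR_ACCOUNTS = {"Acme Supplies": "ACCT-44821", "Northwind Paper": "ACCT-90210"}
# Tip 2: addresses the business actually corresponds with (constructed).
KNOWN_SENDERS = {"renee.smith@company.com", "billing@acmesupplies.example"}
# Domains whose links are expected in vendor mail (constructed).
TRUSTED_DOMAINS = {"company.com", "acmesupplies.example", "northwind.example"}

ACCOUNT_RE = re.compile(r"ACCT-\d{5}")              # assumed account format
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")  # hostname of each link


def normalize(s):
    """Fold common character swaps ("rn" for "m", digits for letters) so that a
    disguised string compares equal to the string it imitates. Heuristic."""
    s = s.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        s = s.replace(fake, real)
    return s


def lookalike(candidate, trusted, threshold=0.85):
    """Return the trusted string that `candidate` imitates, or None.
    An exact match is legitimate and is not reported as a look-alike."""
    if candidate in trusted:
        return None
    for t in trusted:
        if normalize(candidate) == normalize(t):
            return t
        if SequenceMatcher(None, candidate, t).ratio() >= threshold:
            return t
    return None


def screen_email(sender, vendor, body):
    """Return a list of findings; an empty list means the checks all passed."""
    findings = []
    sender = sender.lower()

    # Tip 2: is the sender who it appears to be?
    if sender not in KNOWN_SENDERS:
        hit = lookalike(sender, KNOWN_SENDERS)
        findings.append(f"sender look-alike of {hit}" if hit else f"sender unknown: {sender}")

    # URL modification: do the links point at domains that imitate trusted ones?
    for host in sorted({h.lower() for h in HOST_RE.findall(body)}):
        if host in TRUSTED_DOMAINS:
            continue
        hit = lookalike(host, TRUSTED_DOMAINS)
        findings.append(f"link host {host} imitates {hit}" if hit else f"link host {host} untrusted")

    # Tip 1: does the account number in the invoice match the master list?
    expected = VENDOR_ACCOUNTS.get(vendor)
    for acct in sorted(set(ACCOUNT_RE.findall(body))):
        if acct != expected:
            findings.append(f"account {acct} does not match master list entry {expected}")
    return findings


# Constructed sample message: near-miss sender, look-alike link, wrong account.
SAMPLE_BODY = ("Hi, the attached invoice is overdue. Please pay ACCT-44812 today at "
               "https://acrnesupplies.example/pay to avoid suspension.")

if __name__ == "__main__":
    for finding in screen_email("Rene.Smith@company.com", "Acme Supplies", SAMPLE_BODY):
        print(finding)
```

The similarity threshold and the substitution table are deliberately simple; the point is that a single-character difference in a sender address or link host, which a busy employee will not notice, is trivial for a program to notice when it has a known-good list to compare against.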

3. Watch the Tone

If the tone of the email seems unusually aggressive or impersonal, don’t respond. Simply delete the email and move on.

4. Educate Employees

Some businesses will phish their own employees, sending out emails that look like they’re coming from co-workers or outside parties and documenting the names of those who opened it. Take time to educate those who are fooled by the fake phishing emails and reinforce the implications that revealing sensitive information can have. Merchants can also offer employees training on what to look for in phishing emails and keep them up-to-date on evolving fraud techniques.

Leveraging Technology to Ensure Security

All the technology in the world can’t protect businesses and customers 100% against human error — and that’s exactly why phishing attacks continue to be so successful. In today’s “gotta have/do it now” world, fraudsters take advantage of individuals who don’t pay attention to the details, whether that’s employees or customers.

While avoiding phishing attacks generally involves just healthy doses of common sense and skepticism, that doesn’t mean technology isn’t essential for defending your business against fraudsters. Protect the business you’ve worked so hard to build with ClearSale’s robust fraud detection solution, which uses advanced artificial intelligence to complement highly trained analysts. The result is fewer false declines and chargebacks and more approved sales.

Contact us today to learn why companies of every size, in myriad industries, trust their sales to ClearSale.