In 2024, online retail is set for growth, but security is crucial. Last year’s festive season saw a 3.7% increase in online spending and a 12.7% rise in ‘Buy Now Pay Later’ (BNPL) methods, expanding the cyber threat landscape. With more frequent and varying online transactions, security concerns are heightened as they attract more cybercriminal attention.
With a 237% increase in phishing emails during Black Friday in 2023, it’s essential that we revise outdated attitudes that blame consumer negligence and consider how business leaders can safeguard digital infrastructure and websites to keep pace with increasingly sophisticated attack techniques.
Emerging threats in online retail and consumer safety
Global ecommerce fraud losses for 2023 are estimated to have exceeded $48 billion last year, a frightening increase from $41 billion in 2022. Importantly, threat actors are using increasingly complex methods to commit this fraud.
Most notably, my team and I tracked multiple malvertising campaigns that exploited retail and ecommerce websites. Malvertising refers to the use of online advertising to spread malware, whereby harmful links can appear on legitimate websites through ad networks, often exploiting vulnerabilities in web browsers or plugins to deliver malicious code to a user’s computer or device.
We observed a notable increase in these attacks in 2023; one major campaign we tracked exploited Amazon using Google search, leading users to tech support scams and phishing pages. Scammers used cloaking techniques to evade detection; such advanced methods are hard to spot for the untrained eye, highlighting the dangers posed to users trying to shop on popular retail sites.
The BNPL (Buy Now Pay Later) industry heightens online fraud risks. It’s a prime target due to rapid growth and lax security checks compared to traditional systems. BNPL systems have less stringent checks, making it easier for cybercriminals to hijack accounts or create new ones with stolen or synthetic identities, combining real and fake details for unauthorised purchases.
Senior Director of Threat Intelligence at Malwarebytes Threatdown Labs.
A three-step action plan for retailers
An amalgamation of advanced fraud tactics, new payment gateways that lack sufficient guardrails, and an overall rise in e-commerce activity is creating a dangerous online environment for consumers. Minimising fraud in the retail space starts with revamping retail security strategies to prioritise consumer safety, but it’s less daunting than some business leaders might think:
1) Appoint a dedicated person or team
Having a team dedicated to cybersecurity is crucial. This team is responsible for keeping software and security measures up to date, monitoring for and responding to security breaches, and reviewing logs for suspicious activities. Outsourcing to specialists is an especially viable option for smaller retailers who can’t maintain an in-house team.
80% of experts believe advanced detection systems such as Managed Detection and Response (MDR) that employ AI play a pivotal role in minimising payments fraud. For example, AI systems can examine diverse datasets to pinpoint trends, creating fraud propensity scores crucial for forecasting and averting improper activities.
2) Support passkeys –– not passwords
The prevalence of weak password choices, reuse, and continued usage has perpetuated scams in the ecommerce space, with over 80% of breaches attributed to stolen credentials. In contrast, supporting the use of passkeys transforms the authentication process by relying on public and private keys, effectively relieving users of the burden associated with password management.
Passkeys use public key cryptography, which is not susceptible to common attacks such as phishing, replay attacks, or credential stuffing, as the private key used for authentication is never stored on a server or transmitted over the internet. The force of cryptography in protecting sensitive information has already been backed by the major ‘big tech’ players, with Google implementing them in users’ accounts last year. Passkeys also offer retailers a 40% increase in speed compared to passwords, enhancing both security and conversion rates – it’s a no brainer for 2024. This increasingly popular method of security for consumers should be wholly supported by retailers as they look to strengthen authentication and boost their bottom line.
3) Calculate business risk and inform security investments
Understanding the full cost of a breach is crucial as a first step to becoming a cyber resilient business. The cost of fraud and security breaches extends far beyond immediate financial losses. Statistics reveal that every $1 of fraud now costs retail and ecommerce merchants $3.75, with the cost in damaged reputation and customer trust being even more significant and harder to quantify. As many as 44% of data breach victims would tell family and friends to avoid the brand, and 30% would express their displeasure on social media.
Retailers should adopt a proactive approach to calculating business risk and informing their security investments. This could involve implementing a comprehensive risk assessment strategy that evaluates all implications of potential breaches and minimises the threats facing customers.
Securing the digital checkout
Prioritising cyber safety for consumers must become standard practice for retailers. Cybersecurity has become a critical aspect of business strategy across industries, and due to the level of threat that persists in the online retail space, it’s a surprise that it’s not already the norm.
The onus is now squarely on retailers to make cybersecurity the must-have accessory for success in 2024 – because in this digital age, protecting consumers isn’t just a trend, it’s the only way forward.
We’ve listed the best patch management software.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro