24 Feb
Prevent Online Fraud Happening to Your Business
Online fraud remains a real risk for customers and Irish businesses, especially as the growing popularity of online shopping has been aided by advances in payment gateways, increased business adoption of eCommerce and growing customer familiarity with the benefits of shopping online, with the Covid-19 pandemic accelerating this change in consumer buying behaviour.
Given this continued climb in the number of digital shoppers, the need for Irish businesses to remain vigilant online, keeping their security software and systems up to date, is as important as ever against the threat of cybercrime.
Grant Thornton’s recent survey on the Economic Cost of Cybercrime noted that online fraud increased by 55% in 2020 and cost the Irish economy €9.6 billion. While the majority of business leaders interviewed as part of the study acknowledged the need for cyber security, only 55% had a cyber security strategy and under half had cyber awareness training for staff.
Unauthorised access to your online shopping systems can lead to major business disruption, financial losses and reputational damage, including the withdrawal of your payment facility by the card scheme/s and card scheme fines of up to €20 for each individual compromised cardholder account.
Trusted Third Parties
Selecting reputable, trusted third parties to support your eCommerce solution, with valid TLS certificates as well as the most current software upgrades and security patches, is important in enhancing the security of your eCommerce website and associated software. Making sure the following points are included in your contract with them helps strengthen your business’ online security.
- use the latest version of all software and security patches that meet the latest IT security standards
- ensure your web host provider monitors for any attempted or unauthorised changes to your home page content and reacts immediately if something is detected
- use 2-step verification for remote access by any connected third party
Preventing Online Fraud
Online businesses must ensure all of the components and features on their eCommerce website are identified and properly secured, or managed by relevant third-party providers.
Given the very tangible impact an online breach can have on a business’ finances and reputation, online fraud prevention is better and far less costly than seeking cybercrime cures. Below we have highlighted some of the potential threats and preventative measures you can take to keep your online business safe from hackers.
Threat: Weak and infrequently updated passwords pose a cybercrime risk
Weak passwords still remain an easy target for hackers looking to breach online platforms and software. Data and systems should never be protected with passwords that can be guessed easily like family names, favourite sporting teams or musicians.
Obvious number sequences, like 123456, and words made up of letters immediately adjacent to one another on a keyboard still remain popular password options that can leave businesses exposed. Reusing the same password for a multitude of uses and not updating your passwords only heightens vulnerabilities.
Prevention: Make sure staff, devices and operational software use strong and regularly updated passwords.
Ideally passwords should be 12-15 characters long, consisting of a seemingly random collection of uppercase and lowercase letters, numbers and special characters, like punctuation.
These passwords should be changed a minimum of every 30 days, together with regular reviews of staff access and permission levels and the deletion of accounts that are no longer required.
Threat: Ransomware and Malware attacks can cause serious damage
Malware and ransomware (where hackers demand a fee) are on the rise and can bring your business to a halt by preventing access to computer files, systems and networks, or through the loss, theft or compromise of customer, payment and business data, leading to major business disruption and losses.
Prevention: Run the latest anti-virus / anti-malware software on your eCommerce platform
Along with making sure your anti-virus/anti-malware software is running properly, you should also ensure you or your web-hosting provider have implemented a web application firewall (WAF) or additional intrusion-detection technologies.
The data transferred between your customer’s browser and your website’s server should always be encrypted using TLS, backed by a valid certificate.
Threat: Delaying the installation of security and software patches
Criminals rely on complacency and delays, so make it a priority to stay up to date. Delaying patches exposes your business to an increased risk of intrusion, fraud, financial losses and reputational damage.
Prevention: Make sure the latest software and security patches are installed as soon as they are available
Software and security patches, including ones for your shopping cart, will protect you from online attackers who would otherwise take advantage of system vulnerabilities. If you, and not a third-party vendor, are responsible for applying security patches, it is recommended to apply updates from trusted network locations (e.g., home, work) and only to install updates downloaded from trusted vendor sites.
Do not trust a link in an email message: attackers have used email messages to direct users to websites hosting malicious files disguised as legitimate updates. Be vigilant with email messages claiming to have a software update file attached; these attachments may contain malware.
Threat: False links divert online shoppers to fake payment pages
Fraudsters can steal your revenue by creating fake payment pages and diverting your customers using false links.
Prevention: Review all website links to prevent online fraud
Regularly review any links (such as URLs, iFrames, APIs etc.) from your website to the payment gateway to confirm they have not been altered to redirect customers to unauthorised locations.
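One way to automate this review, as an added example that is not part of the original article: parse the checkout page’s HTML and flag every form action, iframe and script that points anywhere other than your own storefront or your approved payment gateway. The allowlisted hosts (shop.example.ie, secure.gateway.example) and the sample checkout page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts the checkout page may send shoppers or card data to (constructed placeholders:
# use your own storefront host and the host your gateway documents).
ALLOWED_HOSTS = {"shop.example.ie", "secure.gateway.example"}

# Tag/attribute pairs that can redirect a shopper, a request or card data elsewhere.
WATCHED = {("form", "action"), ("iframe", "src"), ("script", "src")}


class OutboundLinkCollector(HTMLParser):
    """Collects (tag, absolute_url) for every watched attribute on the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in WATCHED and value:
                # Resolve relative URLs so "/pay" is judged against the page's own host.
                self.links.append((tag, urljoin(self.base_url, value)))


def find_unauthorized_links(html, base_url, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, url) pairs whose host is not allowlisted or whose scheme
    is not http(s), e.g. a javascript: URL inserted into a form action."""
    parser = OutboundLinkCollector(base_url)
    parser.feed(html)
    flagged = []
    for tag, url in parser.links:
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
            flagged.append((tag, url))
    return flagged


# Constructed sample checkout page: the last form posts to a look-alike host.
SAMPLE_HTML = """
<form action="https://secure.gateway.example/pay" method="post"></form>
<iframe src="https://secure.gateway.example/card-frame"></iframe>
<script src="/static/checkout.js"></script>
<form action="https://secure-gateway-example.net/pay" method="post"></form>
"""

if __name__ == "__main__":
    for tag, url in find_unauthorized_links(SAMPLE_HTML, "https://shop.example.ie/checkout"):
        print(f"UNAUTHORIZED {tag}: {url}")
```

Run it against a fresh fetch of your live checkout page on a schedule and alert on any non-empty result; a change in the set of reported hosts is exactly the kind of alteration this section asks you to look for.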
Threat: Having your business information available to too many employees and third parties
The risk of fraud from an individual with too much or unnecessary access to your business’ confidential information and/or systems weakens your defences against online fraud. By accident or design, confidential information or access to your systems could be shared with malicious parties.
Prevention: Divide out duties, regulate access and implement training
For people managing your IT environment, especially business-critical systems and infrastructure, regulating their access according to the role or task they are responsible for minimises the risk of fraud by any individual and lessens the potential for that person to become a target for fraudsters.
Grant the minimum level of system access needed for the job or duties (the ‘least privilege’ principle) to limit access to confidential information. Should an employee, contractor or third-party vendor become compromised, the impact will be more limited because you don’t have all your eggs in one basket.
Monitor, track and restrict access to sensitive payment data and critical IT systems and infrastructure, ensuring that processes, logs and audit trails are in place to enhance traceability.
Cybersecurity training will help all staff become aware of the purpose and benefits of this approach, as well as supporting them in using systems securely and following defined procedures. Training should also include temporary staff, and should make everyone aware of potential security threats and of how to take appropriate action in the event of a suspected breach.
Retail is one of the most targeted industries for cyber criminals and cyber-attacks may result in regulatory fines, loss of reputation and customer trust, compromised customer data and financial losses.
Stay informed, alert and security aware to limit the threat of online fraud happening to your business. FraudSMART is a fraud awareness initiative developed by the Banking and Payment Federation Ireland. It aims to raise consumer and business awareness of fraud activity and trends, while offering impartial advice and solutions on how best to protect businesses.
Strong Customer Authentication (SCA) also ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. It requires cardholder data from at least two of the following categories to be provided during the authentication process.