Security Awareness Training Must Evolve to Align With Growing E-Commerce Security Threats
Users must continually be made aware of new threats, including attacks targeting shipping, the supply chain, email, and hybrid workers.
Digital transformation has accelerated during the past couple years, and so, too, have security threats. With more employees working remotely, more customers buying through mobile and social channels, and more retailers expanding their supply chains to keep inventory in stock, criminals have more ways than ever to go after e-commerce businesses.
Meanwhile, security awareness training may not be keeping up. It's a good time to review your organization's awareness program and adjust reflect the current threat landscape. Here's how retailers can update their awareness training and practices to match their digital transformation progress.
A Dramatic Increase in Shipping Fraud
While most retailers understandably focus on fraud at the payment stage of the customer journey, shipping fraud should also be considered. In fact, shipping fraud is the fastest-growing type of fraud worldwide, according to TransUnion's "2022 Global Digital Fraud Trends" report. Shipping fraud grew by 780% from 2020 to 2021, and by 1,541% from 2019 through 2021, according to the report. Shipping fraud can lead to chargebacks, inventory losses, and brand damage just as card-not-present (CNP) and account takeover (ATO) fraud do.
"Shipping fraud" is an umbrella term that covers several tactics that criminals use to exploit the e-commerce shipping process. Different approaches can target different areas of your business, so it's important to expand shipping fraud awareness across your organization rather than solely training your fraud team on this threat.
For example, your customer service and fulfillment teams should be aware of how package rerouting scams operate. Fraudsters place orders with stolen payment data or hijacked customer accounts and use the victim's real delivery address so the order doesn't get flagged as suspicious. After the order is approved, fraudsters contact customer service and request a delivery address change, claiming they made a mistake.
While honoring such a request may seem like good customer service, it could be exposing your company to fraud. One solution that can satisfy legitimate customer requests while avoiding fraud is to cancel the original transaction and run it again with the updated delivery address. If it's approved, customers get their purchases directed to the right address. If it's not, your company has avoided a case of shipping fraud.
Expanding Supply Chains, More Email Attack Risk
Other security risks aren't necessarily coming in through your website or shopping app, but they can imperil your brand, your business operations, and your customers. A prime example is email phishing attacks, which increased against e-commerce businesses by 53.9% from 2019 through 2021, according to the TransUnion report.
One reason for the current email phishing surge is the rapid expansion of supply chains since the start of the pandemic, as retailers made new connections to avoid running out of stock and disruptions. Another is the increasing reliance on email for customer interactions since early 2020: Online interactions now make up 61% of all customer engagements with companies, according to Salesforce's "State of the Connected Customer" report. The addition of more contacts to the email ecosystem and the higher volume of email traffic provides criminals with more opportunities to launch email attacks.
A subset of business email compromise (BEC) is vendor email compromise, and it's a growing problem. In a vendor email compromise scheme, attackers impersonate trusted third parties such as suppliers and vendors to trick employees into paying fraudulent invoices, entering login credentials, or sharing proprietary data. According to a report from email security firm Abnormal, more than half of all BEC attacks now impersonate third parties. As a result, all employees need to be aware that when emails from trusted senders, including suppliers and vendors, contain requests that seem unusual, they should flag those messages for the security team to review before responding.
Attackers Exploit Remote and Hybrid Workforce Trends
Ransomware and other forms of malware are a perennial problem for retailers, especially malware that steals customer payment data. Verizon's "2022 Data Breach Investigations Report" found that the retail industry suffered seven times as many instances of "capture app data" malware than other industry. These Magecart-style attacks can silently scrape data as it's entered, going undetected until fraud complaints start coming in. To prevent them, everyone who works with your website needs to be aware of the potential for this type of malware and the processes for scanning, removal, and remediation.
Another growing opportunity for malware attackers is retailers' shift to remote or hybrid workforces. As employees log in remotely more often — and more often from personal rather than company devices — fraudsters have seized the opportunity to create realistic-looking login request emails that can appear to come from your company's cloud services, such as Google Drive or Microsoft SharePoint. All employees and executives need to be aware of the risk that unexpected or slightly unusual login request messages can pose. Like unusual vendor messages, these should be reported to the security team for review before replying.
These trends illustrate why it's important for security awareness to be a process rather than a one-time discussion. This year, your people need to be aware of shipping fraud, vendor email compromise, and credential phishing attacks posing as company resource providers. Next year, it will likely be something else. By having regular discussions about these security issues and encouraging a data-safety mindset, you can reduce the risk of today's threats and create a culture of security that benefits your company over the long term.
About the Author
You May Also Like
Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024Safeguarding GitHub Data to Fuel Web Innovation
Nov 21, 2024The Unreasonable Effectiveness of Inside Out Attack Surface Management
Dec 4, 2024