Image Source: Pixabay (https://pixabay.com/photos/hacking-cyber-hacker-crime-2964100/)
If you’re running an e-commerce business that works almost exclusively online, cybersecurity needs to be your top priority. Every day, you are taking in a constant stream of customer data, and if hackers get a hold of that information and you are known as a company that let it happen, your business will undoubtedly suffer. While hackers will try many different methods to gain unlawful access, special attention needs to be paid to the social engineering scam.
Essentially, this is a tactic that aims to take advantage of human error by exploiting a person’s trust or curiosity, so they unwittingly click a link or otherwise allow access to hackers into confidential systems. Many of these tactics are well known, including phishing scams, but the problem is that people just are not trained well enough about what to avoid. To keep your company protected and respected, everyone in your organization needs to be on the same page.
When you are training your staff about social engineering scams, you can easily scare them straight by telling them about the danger that can come to your company if they aren’t careful. Most important is the damage to your company’s reputation. We have all heard about the famous data breaches that have hit corporate giants like Target and Equifax, and customers remember these risks even years later.
If a company falls victim to a cyberattack, they need to repair their reputation, restore their data, and put new protections in place. To do all this, the average cost of getting back to normal is upwards of $3 million.
Can your e-commerce business recover from that?
The issue is that once a social engineering attack is successful and hackers gain access to your system, they can hurt you in many different ways. Once inside, they can unleash malware that will shut down your systems and leak information back to the criminals.
Hackers are also able to install ransomware, which locks your network and all of your files until you pay a hefty sum to the criminals. Then there is spyware, which tracks the user’s activity and can use their log-in information to gain access to even more of their personal and professional computer systems.
The point is that a data breach is not only catastrophic at the corporate level, but it could also be a great risk to employee livelihood.
Now that you know what is at stake, it is important to train your staff on the many forms of social engineering attacks and the signs they need to be aware of. Some scams aim to take advantage of a victim’s curiosity, such as the technique called “baiting.”
One method of baiting involves a hacker leaving a USB drive in a public area of the office in the hopes that an employee will pick it up, plug it into their computer, and unknowingly install a virus. Baiting can also evolve into a hacker placing an ad online or sending an email for free music or a video game to entice the victim, and when they click the link, the virus is installed.
There are also more targeted attacks, including the water hole, where a hacker catches wind of a website that a user likes to frequent by researching their search history or social media accounts. The hacker then places malicious code on that site, knowing there is a good chance that their victim will visit and click where they’re not supposed to.
Then, of course, there is the phishing attack, which is one of the most commonly used tactics employed by hackers. In fact, as of 2018, more than 83% of people and 64% of businesses were the recipients of phishing emails. In essence, phishing emails are communications sent in an attempt to take advantage of the victim’s fear or vulnerabilities.
For instance, many phishing emails have been sent during the COVID-19 pandemic with promises of vaccine information and testing site locations. However, instead of helpful information, they contain malicious links or attachments that, when clicked or opened, unleash a virus or malware onto their system.
For phishing and many other forms of social engineering attacks, training must come down to enforcing the idea that employees should not click on any attachment or link unless they are familiar with the sender and they know it is coming. Other red flags associated with phishing emails include:
- The subject and body of the email are filled with spelling errors.
- Instead of being addressed to you, it is addressed to “Dear sir or madam” or “Whom it may concern.”
- The sender looks authentic, but their email address is from a public address like Gmail or Yahoo.
Now that your staff is aware of common social engineering strategies, they need to know what they can do on their end to protect their systems and mitigate the damage if they fall victim. This starts with proper passwords, which should be a complicated combination of letters, numbers, and special characters that are changed on a bi-yearly basis.
Hackers can often try brute-force attacks, which are programs that try millions of passwords in hopes of guessing the correct combination. So if employees stick with their street or pet’s name, it could be easily guessed.
Your e-commerce site must also have multiple layers of protection. To start, every computer should be equipped with antivirus software, and scans should be run weekly. These programs must be updated regularly so they can catch the newest threats. On top of that, computers must also have firewalls in place that monitor all incoming and outgoing traffic and block any unwanted intrusions.
The great thing about working for an online business is the opportunity to do so remotely. However, if you operate at a public place like a coffee shop, then you must ensure that you are using a secure Wi-Fi network. Hackers can take advantage of a victim’s trusting nature by employing a man-in-the-middle attack, which is basically a fake Wi-Fi network that is designed to look like the real deal. However, connecting to this incorrect network provides the hacker with instant access to your device.
Because of the risks, all work equipment should have secure passwords, and encryption must be enabled, so data cannot be used even if it is stolen. Also, before connecting to public Wi-Fi, verify with the store owner that it is legitimate.
As an e-commerce business, awareness of all scams is an absolute must. By incorporating social engineering awareness into your training practices, you can keep your website out of harm’s way.