As an online seller, you know that running an eCommerce business comes with its fair share of risks – from supply chain disruptions to changes in consumer demand. But one threat that doesn’t get enough attention is phishing scams targeting online merchants.
Phishing is a type of online fraud where scammers send fake emails or texts, pretending to be from a trustworthy source. Their goal is to trick you into clicking on a malicious link and sharing login credentials, credit card details, or other sensitive information. Once armed with this info, scammers can steal your money, hijack your online accounts, or sell your personal data on the dark web. The good news is that with a bit of awareness and precaution, you can help keep your eCommerce business safe from phishing. Here are some key steps all online sellers should keep in mind.
Understand the Common Tactics Used in Phishing Scams
To better protect yourself, it helps to understand exactly how phishing scammers operate. Some of the most common phishing tactics targeting online businesses include:
- Spear phishing – Fraudsters research specific individuals or companies and craft personalized messages purportedly from a trusted source like a vendor, lawyer, or credit card company. Because the message seems legit, recipients are more likely to comply with requests for sensitive data.
- Pharming – Hackers secretly redirect website traffic from a legitimate commercial site to a nearly identical fraudulent one. Users entering logins, payments, etc. on the fake site have their data stolen without realizing.
- Smishing – Phishing attempts sent via SMS text instead of email. Scammers pose as banks, shipping companies and more to get users to click a malicious link on their phones and share confidential info.
- Vishing – Similar to smishing, but conducted via phone call rather than text. Scammers use spoofing technology to make calls seem to come from a legitimate business or government agency in hopes of tricking call recipients verbally.
- Phony customer service numbers – Imposter merchant support numbers get listed online, often appearing above the actual CS number in search ads. Callers attempting to get legitimate help instead end up speaking with criminals posing as support staff.
- Email spoofing – Attackers forge the sender address of a legitimate business so messages appear to come from a vendor, client, etc. Such messages get very high open rates because the sender looks genuine.
These are just a few common ways attackers directly target online merchants. It’s helpful to understand the variety of phishing methods out there, as the scams are constantly evolving.
Enable Two-Factor Authentication
Two-factor authentication (2FA) adds an extra layer of security beyond just a password. It requires you to enter a one-time code, generated on or sent to your phone or email, along with your password when logging into important accounts. Major eCommerce platforms like Shopify and WooCommerce offer 2FA for added login security. You should also enable 2FA for your:
- Email accounts
- Payment processor dashboard
- Bank accounts
- Social media accounts
Requiring two pieces of information makes it much harder for scammers to access your accounts even if they steal your password.
Carefully Inspect Any Unexpected Emails or Texts
Phishing scams typically arrive via unsolicited emails, texts, or messaging apps. Be extra cautious about clicking on any unusual links or attachments.
Look carefully at the sender’s email address – scammers often spoof legitimate addresses. Check for typos, grammatical mistakes, threatening demands, or anything else that seems “off.”
Also try hovering over any links to preview the real destination. The link text may say one thing, but mousing over it often reveals a different, suspicious URL.
When in doubt, contact the company directly through their official website or app instead of replying to the message. Don’t call numbers listed in suspicious emails – look up the real customer support contacts separately online.
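The two checks above, the sender address and the gap between a link's text and its real destination, can be automated. The following is an added example (not from the original post) that parses a constructed phishing-style email and reports the same red flags a careful reader would spot by hovering. The trusted-domain and brand-word lists, the sample message, and the two-label rule for the registrable domain are all my assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Assumed: domains the merchant genuinely deals with, and brand words a
# phisher might imitate in a display name or lookalike hostname.
TRUSTED_DOMAINS = {"shopify.com"}
BRAND_WORDS = {"shopify"}

# Constructed sample message; the .example domains are reserved and not real.
SAMPLE_EMAIL = """\
From: "Shopify Support" <support@shopify-billing-alerts.example>
To: owner@my-store.example
Subject: Action required: payout on hold
Content-Type: text/html; charset=utf-8

<p>Your payout is on hold. Sign in to confirm your details:
<a href="http://shopify.com.verify-account.example/login">https://shopify.com/admin</a></p>
<p>Questions? Visit <a href="https://www.shopify.com/help">our help center</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores multi-label
    public suffixes such as co.uk; a real tool would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text: str) -> Optional[str]:
    """Hostname if the link text is written as a URL or bare domain, else None."""
    candidate = text.strip()
    if " " in candidate or "." not in candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname


def check_message(raw: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for sender and link red flags."""
    msg = message_from_string(raw)
    findings: List[Tuple[str, str]] = []

    # Sender check: a brand name in the display name but an untrusted address domain.
    name, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if any(b in name.lower() for b in BRAND_WORDS) and \
            registrable_domain(sender_domain) not in TRUSTED_DOMAINS:
        findings.append(("sender-mismatch", f"'{name}' sends from {sender_domain}"))

    # Link checks on the HTML body (single-part message assumed for the sample).
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        parsed = urlparse(href)
        dest = parsed.hostname or ""
        if parsed.scheme != "https":
            findings.append(("not-https", href))
        shown = host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(dest):
            findings.append(("text-destination-mismatch", f"shows {shown}, goes to {dest}"))
        if any(b in dest for b in BRAND_WORDS) and \
                registrable_domain(dest) not in TRUSTED_DOMAINS:
            findings.append(("lookalike-domain", dest))
    return findings


from urllib.parse import urlparse  # noqa: E402 (kept near its first use above)

if __name__ == "__main__":
    for finding, detail in check_message(SAMPLE_EMAIL):
        print(f"{finding:26} {detail}")
```

The mismatch rule compares registrable domains rather than full hostnames, so `www.shopify.com` linking to `shopify.com` is not flagged while `shopify.com.verify-account.example` is: the brand name sits in the subdomain, but the part that actually decides where the browser goes is the untrusted tail.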
Keep Software and Devices Updated
Hackers exploit vulnerabilities in outdated apps, operating systems, and devices. By keeping everything updated with the latest security patches, you remove many of these weaknesses that scammers target.
On your desktop and phones, enable automatic app updates whenever possible. This ensures you always have the most secure versions.
Also turn on automatic software updates for operating systems like Windows, iOS, Android, and macOS. Even though it’s tempting, don’t ignore or delay system updates for long – installing them promptly minimizes security risks.
Make sure any internet-connected hardware like routers, printers, or security cameras also stays updated. Their apps and firmware contain vulnerabilities too. Either enable automatic updates or periodically check manufacturers’ websites for the latest patches.
Staying on top of updates takes diligence, but it stops attackers from getting in through defects that your software vendor has already fixed.
Use Strong, Unique Passwords
Reusing simple passwords across multiple accounts makes you vulnerable if any single site gets hacked. Instead, each important account should have its own long, complex password that would be difficult to guess.
To keep track, use a password manager application. These tools create and save strong passwords for you while requiring just one master password to unlock.
If you really want to lock things down, you can enable two-factor authentication on the password manager itself for optimal security. Also ensure your master password is a lengthy phrase, and where possible, use the auto-generated suggestions, as these are typically very secure.
Set up password manager emergency contacts as well – they can access your vault if you ever get locked out or forget the master password.
Monitor Accounts Closely for Suspicious Activity
Make a habit of regularly reviewing bank statements (exporting them to CSV can make this easier), credit card charges, and online account activity. Look for any unfamiliar charges, password changes, withdrawals, login locations, or other red flags. Report anything suspicious to the company ASAP.
Setting up transaction alerts and notifications through your financial institutions can also help quickly detect fraud. Being proactive beats realizing days or weeks later that you’ve been hacked.
On social media, keep an eye out for malicious links or content posted from your accounts without consent as well – sometimes hackers take over profiles to launch attacks on an account owner’s connections.
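The red flags listed in this section (unfamiliar charges and payees, password changes, logins from new locations) can be checked mechanically against an exported activity log. Below is an added example, not from the original post, that builds a baseline from earlier activity and then reviews recent events, including the combined pattern of a password change shortly after a login from a new location. The event records, thresholds, and the `ZZ` placeholder country code are all constructed for the example.

```python
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Tuple

# Constructed activity export; "ZZ" is a placeholder, not a real country code.
EVENTS: List[Dict] = [
    {"ts": "2024-03-01T09:12:00", "type": "login", "country": "US"},
    {"ts": "2024-03-02T10:05:00", "type": "charge", "payee": "Shopify", "amount": 29.00},
    {"ts": "2024-03-05T08:40:00", "type": "charge", "payee": "USPS", "amount": 54.20},
    {"ts": "2024-03-09T09:00:00", "type": "login", "country": "US"},
    {"ts": "2024-03-12T10:05:00", "type": "charge", "payee": "Shopify", "amount": 29.00},
    {"ts": "2024-03-15T03:17:00", "type": "login", "country": "ZZ"},
    {"ts": "2024-03-15T03:19:00", "type": "password_change"},
    {"ts": "2024-03-15T03:25:00", "type": "withdrawal", "payee": "Unknown Transfer", "amount": 1850.00},
]

# Assumed thresholds: an amount is "unusual" above this multiple of the median
# earlier charge; a password change this soon after a new-location login is
# treated as a takeover pattern rather than two separate oddities.
AMOUNT_MULTIPLIER = 5
TAKEOVER_WINDOW = timedelta(hours=1)


def review(events: List[Dict], since: str) -> List[Tuple[str, str, str]]:
    """Use events before `since` as a silent baseline, then return
    (timestamp, alert kind, detail) for each red flag at or after it."""
    since_dt = datetime.fromisoformat(since)
    known_countries, known_payees, amounts = set(), set(), []
    alerts: List[Tuple[str, str, str]] = []
    last_new_location_login = None

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        in_review = ts >= since_dt
        kind = ev["type"]

        if kind == "login":
            if in_review and known_countries and ev["country"] not in known_countries:
                alerts.append((ev["ts"], "new-login-location", ev["country"]))
                last_new_location_login = ts
            known_countries.add(ev["country"])

        elif kind == "password_change":
            if in_review:
                alerts.append((ev["ts"], "password-change", "confirm you made this change"))
                if last_new_location_login and ts - last_new_location_login <= TAKEOVER_WINDOW:
                    alerts.append((ev["ts"], "takeover-pattern",
                                   "password changed shortly after a login from a new location"))

        elif kind in ("charge", "withdrawal"):
            if in_review:
                if ev["payee"] not in known_payees:
                    alerts.append((ev["ts"], "new-payee", ev["payee"]))
                if amounts and ev["amount"] > AMOUNT_MULTIPLIER * median(amounts):
                    alerts.append((ev["ts"], "unusual-amount",
                                   f"{ev['amount']:.2f} vs median {median(amounts):.2f}"))
            known_payees.add(ev["payee"])
            amounts.append(ev["amount"])

    return alerts


if __name__ == "__main__":
    for ts, kind, detail in review(EVENTS, "2024-03-14T00:00:00"):
        print(f"{ts}  {kind:20} {detail}")
```

Run against the sample, the review window produces five alerts in order: the new login location, the password change, the takeover pattern tying the two together, the unknown payee, and the outsized amount. The same loop works on a real CSV export once each row is mapped to the event fields used here.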
Only Shop and Share Data on Secure Sites
A tip for online shopping in general: when entering payment info or other personal data, double check that the site’s address starts with “HTTPS” rather than just “HTTP.” That “S” means the connection is encrypted (TLS), which prevents eavesdropping on your data in transit.
If you do need to use public Wi-Fi, use a VPN service, which encrypts all traffic in and out of your device. Even over a VPN, though, avoid accessing highly sensitive accounts or data where possible.
Also beware of the risks of public USB charging stations: use your own cables and wall adapters rather than plugging directly into questionable open ports. Some charging stations have been found stealing data from connected phones.
Final Word
There’s no denying that staying vigilant takes some time and effort. But putting these phishing prevention basics into practice will give you invaluable peace of mind that your online business and hard-earned income stay protected.