In this second article on phishing, I want to talk about its relationship with e-commerce. The biggest dangers faced by companies that conduct online sales are data leakage and data hijacking. In many cases there is a direct relationship between phishing and these problems, since many of the ransomware and credential theft attacks begin with a successful phishing attempt. Before we go deeper into the subject, I will tell you about a personal experience.
About three years ago, I decided to give a turn to my career and embark in computer science as a profession. I had always been interested in it and already had some prior knowledge. What can be said about phishing is that I had already survived 300 Nigerian princes, and that I don't know how many social networks and banks of whom I didn't even have an account asking me for data that didn't even exist.
I was sitting in the car waiting for my partner to come out of the house. It was her birthday, and I was waiting for the gift I had bought her to arrive on that day. At that moment, while waiting and double-parked, I got a message from the post office. The company that was to make the delivery had a problem, and payment of €1.38 was needed for the package to be delivered on time due to a problem I could not recall.
Under the pressure of the moment and not wanting to be caught without a gift, I filled in the details in a flash and said ok to everything I was told. When I had accepted everything and the tension of the moment had lifted, a voice in my head asked me: "Since when does the post office charge you for a shipment that another company takes care of or at the last minute"? After mockingly thanking the voice, who was evidently late to the rescue, I looked at my account - which showed a 1,300 € charge on a purchase of a well-known electronics brand.
Phishing - attention is paramount
What I want to tell with my example is that sometimes even knowing that this kind of scams exist and how they work, the stars align for the worse and we fall into a trap that at any other time would not have been possible. In the case above, the timing was perfect - due to the haste, many people would not assess the situation carefully.
The gift was not going to arrive that day if I had not paid 1,38 €, therefore it was peremptory to make that payment. We do not usually meditate on what is happening, and often we do things driven by an excess of urgency. This can lead us to serious mistakes. I did not assess the situation with due attention, and that is why I fell into a scam.
Imagine if this had happened with something related to the company that you work for. It may be a message urging us to carry out some action, something related to a purchase that must be made immediately, or a request of any kind. We have to take the necessary time to carefully read everything that appears in an email before answering or getting started.
Whether it is a usual course of action or not, if the sender is known or if it is a competitor, there is a long list of things for us to verify before facilitating any type of data or to click any link that is sent to us. In many cases, just reading carefully and not overreacting can save us from more than one problem. Throughout this article, we will provide a list of good practices to mitigate the risks of potential phishing attacks.
A story that provided a valuable lesson and inspiration for my career
I immediately called the bank to cancel the purchase, but they told me that it was impossible. I could only cancel the card to avoid any major problems. I called the company where the purchase had been made and they kindly indicated that the only thing to do was to report it to the police as soon as possible and stand by. That's what I did, promising myself that my IT career was going to move towards cybersecurity. Happily, and after accepting the 1300 € for a loss, it was paid back to me a few months later. The conviction of where my career was headed remained.
It is also important to react quickly to the fact, to take the appropriate actions to fix the damage, or in case of not being able to fix it, to at least mitigate it in the best possible way. In a company environment, if we have any doubts after doing something or if we think that we may have been victims of a security attack, it is essential to notify the IT team as soon as possible so that they can try to do damage control and solve the situation. It is always better to report a potential breach and to discover a false alarm, than to say nothing and that the damage is real.
Subscribe to our newsletter.
Stay tuned to the best practices and strategies in e-commerce and grow the business as leading brand in your industry.
What are phishing attacks looking for?
That said, in some cases the attackers are not only looking to steal credit card information to make a purchase or get the cash needed to "free" the account of our dear Nigerian prince. Phishing can also be used for credential theft and ransomware, which is a serious problem for companies and in e-commerce.
Spear phishing, whaling, and CEO fraud, as spoken in a previous articleAccording to IBM, the average detection time of a data breach is 277 days and 9 months. In cases of credential theft or compromised credentials, these times increase to 327 days. 19% of the cases come from credential theft, and is the most common data breach indicated in IBM's data breach report in 2022.
Also according to the report, 16% of initial attacks come from phishing, which places this threat in second place in terms of risk for companies and the first in terms of cost. This is due to several factors including the fact that most ransomware attacks are phishing attacks and ransom stakes are not particularly cheap.
Credentials as one of the juiciest targets
Through phishing, it is possible to steal credentials from a company's employees, therefore it is very likely that a high percentage of these credential thefts are due to spear phishing. According to this article 65% of all attacks start with the use of spear phishing. In addition to the direct costs that these attacks can produce (such as the payment of ransom in the case of ransomware) we also have to take into account the risks that our customers' data, their payment information, purchases and so on have been compromised.
When a company suffers a massive data breach, the trust in the company decreases. In addition to the estimated cost of a breach (according to IBM, four million euros on average and the sum is expected to rise to five million on average this year), the public's view of the company is permanently damaged and many users are likely to decide to stop buying through its e-commerce or use its services.
Once again, we can see how attacks are focused on the greatest vulnerability of any computer system, which is the user himself. People can make mistakes and the level of attention and mental state is not always the same every day, making it difficult for IT security teams to safeguard 100% a company’s work environment and its security. However, there are ways to help users to avoid compromising the company.
Best Practices
What are some of the best practices to counter data breaches? The most important is awareness and training of the subject. Getting participants to follow certain guidelines helps a company environment to be safer. Let's look at some of these guidelines:
- Be wary of emails and text messages: Do not trust emails or text messages from unknown or suspicious senders. Do not click on links or download attachments without first verifying the legitimacy of the sender.
- Do not share personal information: Do not share personal information, such as passwords or credit card numbers, via email or text messages.
- Use two-factor verification: Using two-factor verification to add an extra layer of security to accounts gives extra assurance that our credentials are more secure.
- Verify email address: Verify the email address of senders before clicking on links or downloading attachments. Make sure the email address is legitimate and corresponds to the company or person they claim to be.
- Do not trust the authenticity of web pages: Do not trust the authenticity of web pages which we are directed to via email or text messages. If there are doubts about the legitimacy of a web page, verifying the URL address or searching for the page in a search engine helps to dispel doubts.
- Do not respond to phishing emails: Do not respond to phishing emails as this may indicate to the attacker that the email address is active and valid.
- Regular security training: Include regular security training for all members of the company to ensure that all employees are aware of the latest techniques and methods used for spear phishing attacks or any other type of phishing.
- Report phishing attempts: If a phishing or suspicious email is received, report it immediately to the IT department or security managers.
The responsibility to ensure the integrity of the company depends on everyone in it. It is important to teach all employees the best practices to keep credentials and the company safe, as stopping these attacks is a collective responsibility. It is advisable to give seminars on security to all employees at least once a year, just as it would be advisable to perform phishing awareness campaigns to audit the preparation of employees on this aspect.
There are studies that indicate that by 2023, more than 30 billion dollars will be lost in ransomware attacks alone; most of the successful data hijackings come from a phishing attack.
As we have already seen many credential thefts which end in losses, they start from spear phishing attacks. Therefore, having a security-conscious work environment helps brands and their ecommerce by making security breaches more difficult, thus discouraging data breaches and keeping the company's image safe and reliable.
Technical Office Specialist at Orienteed.
