How To detect phishing attacks on your ecommmerce website
One of the most effective techniques used by hackers and internet fraudsters to steal identity information, collect credit card numbers, and gain access to accounts is phishing. Phishing is so successful because it targets the weakest link in any IT security system: the human users. Phishers trick users with fraudulent correspondence (usually emails, but sometimes social media, text messages, or phone calls) that are designed to look like they come from legitimate sources. Phishing emails prompt users to visit faked websites, hand over passwords or other sensitive information, or open attachments that install malware on their devices. Falling for a phishing attack is a costly mistake; phishing costs victimized companies more than half a billion dollars every year, and that number is only expected to rise as new fraudsters try to get a piece of the action. Nearly 1.5 million new phishing websites are created every year, making it all the more difficult for businesses to defend themselves.
How to Defend Against Phishing Attacks
There are a few IT-based defenses that companies can implement to protect themselves against phishers – beginning with antivirus and anti-malware programs, continuing on to email filtering software that keeps suspicious emails out of employee inboxes, and proceeding on to robust fraud detection solutions and browser add-ons that block redirects to suspicious websites. But one of the most important lines of defense against phishing is shoring up the vulnerability that these attacks seek to exploit: the human element. By training employees to recognize the warning signs of a fraudulent email, teaching them how to verify legitimate correspondences and URLs, and providing them with an easy means of flagging and reporting suspicious messages, you can dramatically reduce your susceptibility to phishing attacks. However, since it only takes a single moment of inattention on the part of a single employee for a phishing breach to occur, it’s also important to reduce the amount of damage that phishing attacks are capable of inflicting: for instance, using multi-factor authentication limits the amount of access that stolen passwords or login details can grant to a phisher. The best defense incorporates a combination of employee education to prevent successful phishing attempts, and tech solutions to block or minimize the consequences of those few successful phishing attacks that slip through.
Learning to Recognize Phishing Attacks
1. Take the time to pay attention. In the vast majority of phishing attempts, there are clear signs that the correspondence doesn’t come from the person or company it’s meant to look like it was sent by, but a user has to look carefully to spot those tells. In the fast-paced world of ecommerce, signs of fraud are all too easy to overlook. Before opening an email, hover your mouse cursor over the sender’s name to be sure it comes from the email address you have on record. Double-check the URL of any webpage you are linked to, reading the domain right-to-left (the right-most name is the actual domain). If a URL begins with an IP address, assume it’s fraudulent. Always check for the https at the beginning of a URL to indicate a secure webpage, especially if you are being asked to enter authentication or financial details.
2. Critically examine email content. Most professional correspondence uses a cultivated “customer service voice” which is polite and amiable, even when there is a problem or the recipient has done something wrong. Phishing scams tend to lack that customer-service tone, seeking instead to scare the recipient into acting without thinking. If the tone of an email seems aggressive or overly detached, it’s probably fraudulent. Similarly, there are certain requests that a legitimate sender simply would not make – like asking a user to give their password over email. Not only is this grossly unsecure, but it would also be inefficient for the sender. If anything about the content of the email doesn’t seem right, don’t follow its instructions.
3. Identify who needs extra training. By sending out mock phishing emails to your own employees and tracking who takes the bait, you can find out where your business’s vulnerabilities are and provide additional training in how to recognize scam correspondence. Of course, effective training is key. No important information is absorbed from a click-through online “class” skimmed during a lunch break, or from a series of PowerPoint slides narrated in a soporific monotone. Effective, engaging training makes it far more likely that even the most trusting, least tech-savvy employees will learn to recognize phishing attempts and avoid rising to the bait.
4. Check your code. If you use certain online marketplaces for your ecommerce business, phishers can insert lines of code into the checkout page that redirects customers to a phony site to enter their financial details, putting their account at risk and losing you a sale at the same time.