Motivated by the continual surge in eCommerce, which according to UNCTAD has seen unprecedented growth during the COVID-19 pandemic, retailers are scrambling to adapt to a shift in consumer demand and create unique customer experiences that set them apart from the competition. The rise in online sales and new technologies means businesses are being more strategic about their physical stores — using them as fulfillment centers, offering curbside delivery, and designing pop-up and augmented reality experiences around them — while reaching online shoppers through social media and virtual worlds like the Metaverse.
While the U.S. Department of Commerce reports that the recent spike in eCommerce has normalized closer to pre-pandemic levels, it is clear that eCommerce will continue to grow, integrating with automation technologies into more seamless digital and physical shopping experiences. For many retailers, it is no longer a question of selling online, but rather a question of when and how much.
Whether making the shift of your brick-and-mortar storefront to online, expanding an existing online presence, or starting a digital-first business, you need to do so securely. Many eCommerce retailers are caught unawares, though, due to particularly sneaky bot attacks that pose as legitimate customer accounts and steal their login credentials. Account Takeover (ATO) is essentially a form of identity theft, which means customers are put at risk in multiple ways, including compromised personal data and fraudulent transactions.
Why do bad bots target eCommerce?
All organizations have bad bot problems, but eCommerce is targeted more highly than most. Recent eCommerce security data show that over half (57%) of all bad bot attacks were carried out on retail websites, compared to all industries at just 33%. What’s more, nearly a third of all login attempts to online retail websites were ATO attempts, compared to a quarter in all other sectors.
Why so many login attempts, rather than other means of hacking eCommerce sites directly? For one thing, many companies have distributed denial-of-service (DDoS) protection layers and web application firewall (WAF) defenses that mitigate more direct attempts to reach sensitive data. Bot-driven ATO attacks, on the other hand, can be deployed in minutes, and are often less visible and growing more sophisticated in aiming not just for customer login credentials, but also employee credentials.
Secondly, customer credentials are incredibly valuable to cybercriminals for a number of reasons. Once the bots have allowed bad actors access to user accounts on your site, they have access to:
- Saved customer credit card information
- Gift card balances
- Loyalty points
- Shopping history
- Customer contacts and addresses
- Other customer benefits
If the cybercriminals do not use this information themselves, they can sell it to your competitors or on the dark web to other criminals.
The high cost of ATO attacks for your customers…and your business
From brute force attacks to credential stuffing to phishing emails, malicious actors will find ways into customer accounts one way or another. When a successful ATO attempt occurs, it can undo all of your years of work establishing a loyal customer base in a matter of minutes.
At best, the customer is locked out of their account, which may lead to hours of emails and phone calls trying to identify the problem when they could have been shopping, thus souring their relationship with your brand. At worst, ATO attacks can do real damage to your revenue and infrastructure at the expense of your customer. A recent Forrester study reported that up to 38% of UK companies claimed that they had lost business because of security issues and PCI-PAL, a UK-based secure payments provider, found that 44% of consumers said they would temporarily stop spending with a business after a security breach, and 41% of consumers claimed they would never return to a business post-breach.
The high cost of ATO attacks can include:
Fraud complaints. If sensitive consumer information is compromised, that puts them at risk for years of identity theft and privacy headaches for years to come. They may take legal action against your company.
Time and resources. Detecting the ATO attempts in the first place and determining the fraudulent from the legitimate activity in user accounts takes away time and resources that could be best spent elsewhere.
Refunds, reimbursements, and chargebacks. Part of your damage control includes reimbursing customers for purchases they did not make, reinstating reward points, offering them complimentary items to help compensate for their losses, and more.
Damaged reputation. Once your brand reputation is damaged, it can be hard to win back trust with your customers and gain new customers. Word-of-mouth is still one of the most effective ways to advertise — a recent Nielsen study reports that 88% of people surveyed across the globe trust recommendations from people they know over any other advertising channel. If word about your brand is negative, it can spread rapidly through social media and negatively impact your bottom line. Additionally, vendors and payment service providers may think twice about doing business with you.
Website performance hindrances. Your efforts to resolve issues and mitigate automated bot attacks may bog down your website during the times of highest traffic, leading to abandoned shopping carts.
Include ATO defense in your eCommerce cybersecurity strategy
When it comes to bad bot activity, the best offense is a good defense. As you set up shop online, remember to add Advanced Bot Protection to your routine cybersecurity management.
Recommendations for preventing ATO attacks
- Encourage customers to practice good credential habits and safety. Unfortunately, as many as 65% of consumers still reuse passwords across many different sites and fail to change them when affected by breaches. Educate your customers about credential safety and encourage them to change their passwords often.
- Shore up your login security. Create strong password requirements and use multi-factor authentication and other security features that make it harder for bad bots to break in with weak passwords.
- Beat bad bots at their own game by automating fraud protection. In addition to your Cloud WAF and API Security monitoring, automating protection against ATO threats will keep these automated attacks at bay, no matter how many swarms of bots descend upon your website.
- Monitor site performance and investigate successful logins to determine legitimacy. As you prepare for high volumes of legitimate traffic, stress-test your infrastructure and look into patterns of unusually active user logins or behavior.
- Be proactive and transparent with your customers. Alert customers to any ATO attempts, phishing emails, or data breaches and keep them informed about how you are resolving the issue and if any action is needed on their part.
Sometimes staying competitive in the eCommerce world is as simple as adding robust cybersecurity solutions to your overall strategy. Including ATO protection will give you and your customers peace of mind by allowing only legitimate customers to your website, so consumers can enjoy a stress-free shopping experience and can’t-miss deals, while you see a well-earned return on investment for all of your online preparations.
Learn more about preventing account takeover fraud.
Try Imperva for Free
Protect your business for 30 days on Imperva.