eCommerce Security 101

There are some basic rules one should follow if they operate an ecommerce site that are important for overall security for your business and your customers. Unfortunately we see clients not paying attention to these rules and sometimes it might cost you dearly.

1. This rule applies to both your personal and your business. Never click on links in emails unless you are 1000% sure it is a bonafide email from someone you know. Even when it is from someone you know doesn’t always mean it is legitimate. We see peoples emails getting hacked then the hacker sending out emails to their contact list as if it is from the true sender when in fact it is from the spammer and has a link that is bad. Something like “hey take a look at this link.” Since it is from someone you know you think it is legitimate when in fact it isn’t.

We also see lots of emails that are very tricky and want you to think immediate action needs to be taken or something bad will happen. Maybe it seems to be from Chase Bank, or an investment account or Paypal or anywhere you choose. It sounds familiar, looks familiar, smells familiar. How do they know I have an account at Chase? They don’t. These are called spear phishing attacks. They randomly send them out to millions of email addresses looking for someone to respond. If you do respond they capture your information and compromise you. Point is, never click on these links. If you are in doubt, simply go to your account directly and see if there is a problem or call them.

2. “I want to pay you with a credit card but a part of the payment is to pay my shipper, or my web developer, or my graphic artist, or my consultant, or my????” A very common scam. It’s a scam 100% of the time. One of our clients (details hidden or slightly modified for privacy) (one of the ones that didn’t listen to us when we gave this lecture on ecommerce security) had an order placed with his store. The buyer lived in Australia. (supposedly) The buyer had a store in Australia and supposedly wanted to stock it with some of my clients products and ordered about $9,000 worth of product from my client. Shipping was going to be around $3000. The buyer explained they had a local USA shipper they wanted the client to use, paid the client in full plus shipping and asked them to remit the $3000 in shipping directly to the shipper and the shipper would make arrangements to pick up the product. The client fell for the scam. Once the credit card payment for the full amount hit their bank account they wired via western union or moneygram the $3000 to the “shipper”. The “shipper” was actually the crook or one of the crooks in the crooks enterprise, likely a mule that takes a piece off the top then forwards the balance overseas to the crook organization.

Meanwhile the client has purchased additional inventory to cover the order. Using some of the $9000. Three days later the credit card company flags the charge as fraudulent, its a stolen credit card number. (Actually the buyer used a couple of credit cards for the transaction, also a common part of this picture and all of them were stolen). So the credit card processor charges back the full amount and reaches into the clients bank account for it. Only there isn’t enough in there to cover it. But they take everything that is there, wiping out the clients account. (Client has a small online business normally doing around 3k or so a month in gross sales).

Now the credit card processor wants their money. Client doesn’t have it. Client is sued and a judgment is rendered, plus attorney fees, plus court costs. Client has no assets to speak of or money. Client is now blacklisted and cannot get a credit card processor no way, no how. The only thing that has saved client and kept them in business is they are still able to use paypal to process payments (barely). Meanwhile they have a judgement against them for thousands of dollars that won’t go away.

In this scenario there were a bunch of red flags not necessarily listed here in order of importance.

1. Buyer is overseas. Sorry to the legitimate overseas customers, but it’s true since the majority of all scams are from someone overseas. So these need to be more closely scrutinized. Especially if they are trying to buy something they can easily get in their own country. Then it is likely a scam for certain.

2. Order is for more than the average order. It’s easy to get caught up in the idea that you are about to make a lot of money, much more than average. But when an order is out of the ordinary in its average value, it needs to be scrutinized for fraud.

3. Billing and shipping don’t match. This is common red flag. Naturally, in some cases this is legitimate. But often it is not. Because the billing address needs to match the correct one for the credit card or chances are pretty good it will not go thru. And the scammers often will have the correct billing information on the card they’ve stolen. But of course, shipping address needs to be somewhere the crook can get to the product they are stealing. But something to consider here, when it is a case of the crook is simply stealing money like in the above scenario, the shipping address is irrelevant to the crook so may match billing because they don’t care about delivery of product. But often it isn’t the money scam its actually crooks using hot credit cards to steal products. This is very common if you sell electronics but certainly not exclusive to electronics. Usually the only giveaway to the scam is billing and shipping don’t match. So in those cases you must look much more closely at the order. If you have a decent eCommerce program you should have the IP address of your buyer. Use something like ip-lookup.net to figure out where it is located. How far away from the billing address is it? Call the phone number listed for the billing address to verify the charge.

4. Buyer has some sort of story, any sort of story, whereby the seller is to remit some of the purchase amount to a third party (eg, shipping fees or overpayment so you can pay my “consultant” or some such third party for some reason or another) I cannot think of one legitimate reason for this. To my knowledge, 100% of the time this is a scam. If someone knows of or can think of some legitimate reasons for this, comment here because I’d like to know.
This is not all inclusive but is the basic test in our experience against ecommerce fraud. Don’t rely upon it to keep you safe but use it as an example of some of the things you should consider when vetting your online orders.