- Fake orders that cost your business time and money;
- Credit card fraud and customer chargebacks;
- Hacking attempts to access your customer data or payment records;
- Attacks that harm your website or prevent it being used by other customers; and
- Reputational harm caused by any of the above
How to avoid e-commerce fraud and credit card chargebacks
There are some obvious signs to look out for when trying to identify fake or fraudulent online orders:
- International orders from less well regulated countries in Africa and Asia;
- Large order quantities for expensive stock items;
- Popular webmail services where accounts can be set up quickly for free;
- Poor English or grammar in order emails or messages; and
- Different credit card and delivery addresses, especially where the delivery is to a different country.
If you suspect an order is fraudulent, check with your bank and/or payment processing firm for advice on validating the credit card to see whether it has been reported stolen.
It may be some weeks before a stolen card is reported, so always try Googling the delivery address as well, because scammers sometimes reuse the same order instructions across many retailers to speed up their payment scams.
Check to see if the name and country have been written about online by other retailers.
If you can, call the buyer and ask to speak to the cardholder about the order – do they sound genuine? Go with your gut feeling but also investigate credit screening services offered by your bank or payments service.
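As an added illustration (not part of the original guide), a small rule-based screen that checks an order for the warning signs listed above and holds it for the manual checks described (bank, Google the address, call the cardholder) rather than shipping it automatically. The home country, the value threshold, the hold threshold and the webmail domain list are assumptions to tune against your own order history:

```python
# Added example (not from the original guide): a rule-based screen for the
# warning signs listed above, so that risky orders are held for manual review
# rather than shipped automatically. Thresholds, the home country and the
# webmail domain list are assumptions; tune them to your own order history.
from dataclasses import dataclass

HOME_COUNTRY = "NZ"        # assumption: the store ships from New Zealand
HIGH_VALUE_ORDER = 1000.0  # assumption: order total (NZD) worth a second look
HOLD_THRESHOLD = 2         # assumption: hold orders with this many signals
# Assumption: a short list of free webmail providers; extend for your market.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


@dataclass
class Order:
    email: str
    billing_country: str   # country of the card's billing address (ISO code)
    shipping_country: str  # country of the delivery address (ISO code)
    unit_price: float
    quantity: int


def risk_signals(order: Order) -> list[str]:
    """Return the warning signs from the guide that this order exhibits."""
    signals = []
    if order.billing_country != order.shipping_country:
        signals.append("card and delivery addresses in different countries")
    if order.shipping_country != HOME_COUNTRY:
        signals.append("international delivery")
    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_WEBMAIL:
        signals.append("free webmail address")
    if order.quantity > 1 and order.unit_price * order.quantity >= HIGH_VALUE_ORDER:
        signals.append("large quantity of expensive stock")
    # Poor English or grammar in the order message is left to the human reviewer.
    return signals


def review_decision(order: Order) -> str:
    """'hold' the order for manual checks (bank, cardholder call) or 'accept'."""
    return "hold" if len(risk_signals(order)) >= HOLD_THRESHOLD else "accept"


if __name__ == "__main__":
    # Constructed sample orders, not real customer data.
    risky = Order("buyer4821@gmail.com", "AU", "GB", 899.0, 6)
    routine = Order("jane@example.co.nz", "NZ", "NZ", 45.0, 1)
    for o in (risky, routine):
        print(review_decision(o), risk_signals(o))
```

A "hold" result is a prompt to do the manual checks above, not proof of fraud; a genuine overseas customer can trip several signals at once.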
Protect your website
Make sure your website is secure and that customer data cannot be accessed and stolen.
If you have paid a developer for the website, ensure they are aware of common security vulnerabilities and have tested both the public-facing website and the back-end order management system.
Popular off-the-shelf e-commerce platforms can become targets for cyber criminals looking to exploit a large number of websites at once. Ensure you patch or update your sales software as soon as the provider notifies you of a known security issue.
Other things to consider are:
- Use strong passwords on the sales or editing system – don’t leave in place a default password.
- Make sure the server is protected and updated to patch known vulnerabilities – talk to your website host about this.
- Monitor intrusion attempts made on the website; again, ask your web host for advice.
- Don’t store customer data in plain text on a public web server, especially credit card details – your bank or merchant provider may require you to meet the PCI Security Standards.
- Consider getting a specialist security firm to penetration test your website.
- Prepare a plan and investigate services that help you deal with DDoS attacks and ransom demands.
- Read the .nz Business Guide to Digital Security.
- Discuss the OWASP Top Ten security vulnerabilities with your website developer.
- Review IRD advice on e-commerce and tax laws in New Zealand.
- Report cyber security problems, large or small, to CERT NZ. They also provide practical guidance on how to keep your information safe and secure online.
- The Australian Signals Directorate has guidance on Securing Content Management Systems (CMS), including Drupal, Joomla! and WordPress.
- US-CERT offers advice on Web Shells: scripts that can be uploaded to a web server to obtain unauthorised access and can lead to wider network compromise.