James Coker assesses the security risks posed by the dramatic shift to e-commerce caused by the pandemic and outlines how retailers and online shoppers can protect themselves.

The COVID-19 pandemic has brought about substantial changes to everyday lives, many of which look set to persist long after the crisis. One of these is the dramatic shift to e-commerce, emanating from the temporary closure of physical retail stores as part of strict lockdown measures. In the UK, for instance, figures from the Office for National Statistics (ONS) showed that e-commerce grew by nearly 20% year-on-year in May, and accounted for a record 33.4% of total retail sales.

Lisa Forte, partner at Red Goat Cyber Security, says: “The pandemic drove the entire world almost instantly online, and shops in Europe shut their doors and quickly had to transform their businesses into a solely online model, which is unprecedented.”

Even since the more recent reopening of non-essential stores around the world, e-commerce sales have generally remained well above pre-pandemic levels, with many consumers who were previously new to this domain now using the channel regularly.

New Opportunities for Cybercrime

While the online space has provided a critical lifeline for many retailers this year, cyber-attackers have unsurprisingly sought to take advantage of the additional opportunities the shift to e-commerce has provided. Forte notes: “Any time you see a rapid global migration to a different way of doing business, you will see mistakes and oversights leading to security holes that turn into huge opportunities for cyber-criminals.”

Even before the pandemic, there were major concerns about the impact of cybercrime related to online shopping – be it payment fraud, data hacking or other customer scams. Back in March, for instance, a report by Juniper Research predicted that online payment fraud losses will increase by 52% between 2020 and 2024. However, this has been revised significantly in light of the pandemic. “We anticipate that this growth will accelerate to over 70% over the next four years, compared with the 52% we outlined in March. This is mainly due to the increased usage of e-commerce during the pandemic, which has also generated a rise in fraud,” explains Nick Maynard, lead analyst at Juniper Research.

Cyber-criminals have undoubtedly ramped up attacks at a frightening speed since the crisis began. Chris Waynforth, area vice-president, Northern Europe at Imperva, observes: “As the volume of online sales grew, so too did the volume of cyber-attacks on online retailers. In fact, according to data from the Imperva Cyber Threat Index, attacks rose dramatically around late March and have continued throughout the year – exceeding the peak levels around last year’s Black Friday and Cyber Monday events.”

As well as the greater volume of e-commerce activity, a number of other factors have heightened the risks associated with online shopping since COVID-19 struck. One is the fact that a number of retailers, including small independent stores, were forced to sell online for the first time. Raef Meeuwisse, author of Cybersecurity for Beginners, comments: “Traditional retailers, who weren’t online in the past and are inexperienced in using those kinds of technologies, can fall foul of misconfiguring or setting up vulnerable online hosting services that can be exploited.”

Another opportunity has been born out of the creation of a vast number of new customer accounts, each storing highly sensitive information. Forte notes: “From an attacker’s perspective, if they get one of the consumer’s passwords, they’ll then have passwords to almost all of their accounts. This has provided the cyber-criminals with an opportunity that I’m not sure we have ever seen before.”

Similarly, Riskified has seen user accounts become increasingly targeted since the start of the crisis. Elad Cohen, VP data science at Riskified, outlines: “Account takeovers (ATOs) have quickly become one of the preferred methods for fraudsters. They’re a huge threat to merchants, because they’re difficult to detect and deter. Merchants risk upsetting established customers if they’re too aggressive in trying to deter ATOs, but allowing an ATO to take place will cost the merchant in chargebacks, while also upsetting an established customer.”

Additionally, the ongoing pandemic has precipitated a huge rise in online scams targeting shoppers. Kevin Bocek, VP security strategy and threat intelligence at Venafi, explains: “COVID-19 has prompted a surge in the number of us shopping online, and cyber-criminals are using this to their advantage by creating spoof websites for popular retailers to catch out bargain-hunting customers. They do this by creating fraudulent domains that are almost identical to real retailer sites, with very similar URLs which simply substitute a few characters to look the same at a glance.”

It is also worth noting that many groups of people who rarely or never shopped online before the pandemic, such as elderly people, have now become regular users. These customers are especially vulnerable to scams due to their lack of experience with digital technology.

Although the volume of attacks has grown substantially, the tactics employed by cyber-criminals haven’t varied a great deal compared with recent years. Payment security consultant Neira Jones says: “When you look at the pattern of attacks, especially on retailers, more often than not you will find that the attacks are not sophisticated. Certainly in the last two or three years, the root causes of attacks on retailers stem from things as simple as phishing attacks to steal credentials.” She adds that this pattern has been exacerbated by COVID-19.

Distributed Denial of Service (DDoS) attacks are another common method used to target e-commerce platforms, and their use has expanded during the pandemic. For example, Imperva has observed that the average online retailer has experienced around eight application layer DDoS attacks a month so far in 2020.

