The Covid-19 outbreak has severely disrupted business on a global scale. Merchants, retailers and businesses are moving operations online as workers are forced to stay at home and work remotely to contain the pandemic. Criminals are taking advantage as normally sensitive operations are suddenly handled on less secure home networks and practically all business is conducted online.
The pandemic is pushing security and risk enforcers to their limits as digital fraudsters launch a global offensive of online skimming, a form of fraud where malware is inserted into a payments page to steal customer details. Companies with massively reduced operations are struggling to respond in good time. With everyone working at home, business activity is shifting online, setting off a surge of traffic containing accounts, personal information and payment details. An increase in data going online is always a goldmine for digital skimmers. Security firm RiskIQ detected a 20 percent increase in online skimming activity in March over February. As on Black Friday, there is a surge in online purchases, but everyone is preoccupied with their own safety and is not safeguarding themselves against online fraud.
High-profile companies are no exception. On March 20, the security firm Malwarebytes reported that cybercriminals planted malicious code on the Tupperware Corporation’s website. It was hidden in an image file and could activate fraudulent payment forms during the checkout process. Because operations were reduced to a skeleton crew, it took almost a week for Tupperware to remove the malicious code, on March 25.
A week earlier, researchers at RiskIQ found a similar malicious attack on the blender company NutriBullet’s website. The attack took place at the end of February, but the company was slow to respond. The researchers eventually took matters into their own hands by organizing a joint effort with other internet watchdogs to take down the malicious infrastructure behind the attack. After days of unresponsiveness, NutriBullet finally reacted to stop the skimming, but the attack could have been dismantled sooner had it not been for the company's reduced manpower.
The pandemic is thrusting companies into a dilemma. It is in their interest and within their responsibilities to maintain a secure payment platform for their customers. However, with their staff working from home, the choice between a delayed response and simply shutting down their sales is really no choice at all. Now, more than ever, they need those sales. It is not just companies that are failing customers; it is governments and institutions, too. Cybersecurity startup Technisanct says the details of hundreds of thousands of credit cards in Southeast Asia have been leaked online, involving customers at top banks in Singapore, Malaysia, the Philippines, Vietnam, Indonesia and Thailand. The firm expressed concern over the lack of awareness from both banks and national authorities that led to the leak.
Countering a Sloppy System
A solid, safety-first strategy is more crucial than ever to protect customers from cybercriminals while governments and companies are overwhelmed.
Official websites can be set up, for instance, to have customers complete their information when signing up. Two-step authentication or multi-layer verification checks are the best way to anticipate false accounts or fake orders. Transparency, even just via a disclaimer laying out the situation, is important to inform customers about the necessity of new processes and win their trust and collaboration. As hacks often exploit unpatched vulnerabilities, website owners must also carry out a full security clean-up to catch potential risks and backdoor exposure. Regular assessment of their content management systems will help make their website infrastructure secure. IT divisions must be especially vigilant.
Embedded features are worth considering, especially for a website that averages a million visitors per month. A security contact form is a simple element that e-commerce companies can embed on their websites. The security file will make reporting violations easier and shorten recovery times. Third-party payment services like PayPal could also be preferred over normal payment forms. PayPal only shows an email address and sends tokens as payment confirmation, hence there is no personal information to steal. The top priority now is to make sure businesses stay afloat and everyone stays healthy. Still, relentless attempts to enforce digital protection are equally necessary, especially when digital scamming is enjoying such a heyday. Companies need to stay vigilant at all costs to keep digital security intact and save business communities from what could turn into sizeable losses.
It is everyone’s responsibility now to maintain awareness against not only physical but digital threats. The demand is even more pressing as businesses rush online with no clear idea of how long they will have to remain there. Secure payments are paramount.