Effective Tools & Strategies to Prevent Phishing (Account Takeover Fraud)

Phishing is a growing problem for online merchants. Criminals trick customers (or employees) into handing over their login credentials, take over the accounts, access private data and stored payment information and, of course, make fraudulent purchases on the victim's behalf.

In the end, it not only leaves customers feeling uneasy and distrustful of the merchant, but also results in a lost sale and a costly chargeback, all of which are bad for business.

Fortunately, because most account takeover succeeds through weak credential handling (reused or already-leaked passwords, easy password resets, no second factor) rather than anything exotic, protecting your company (and your customers) is not a lost cause. Let's take a look at some of the tools you can use to fight back, as well as the internal changes you can make to prevent phishing attacks from succeeding in the first place.

In-House Strategies

There’s a lot you can do to prevent phishing fraud in-house and without much investment.

First, require strong passwords on your systems and from your customers and employees. Your CRM and databases should sit behind authentication, using long, unique passphrases; length and uniqueness matter far more than forced mixes of symbols and upper/lowercase, and every password should be screened against known breached-password lists. Require the same of employee and customer logins, and wherever you can, back them with a second factor: a password alone, however strong, is exactly what a phishing page captures.

Here are some other tips:

  • Be careful with security questions. If customers must answer security questions for a password reset, pick questions whose answers cannot be found on social media or in public records (street names, birth city, mother's maiden name, etc.); if they can, the reset flow itself becomes the phishing target. Better still, treat security questions as a weak secondary check and confirm resets through a channel the attacker does not control, such as a link sent to the verified email address or a code sent to a registered phone.
  • Prohibit open Wi-Fi use. Advise your employees to avoid unsecured or open Wi-Fi networks, especially when using company email or logging into administrative accounts; if they must, use a VPN and only services served over HTTPS. Though it might be tempting to work from Starbucks, an untrusted network lets an attacker intercept or redirect any traffic that is not encrypted end to end, which puts your credentials, and therefore your customers, at risk.
  • Be choosy about who you host with. Don't risk your security by using unreliable or budget hosting services. Stick with well-known, proven providers such as AWS or Google Cloud, and remember that they secure the underlying infrastructure while you remain responsible for configuring your own accounts, storage and access controls.
  • Encrypt at the database level. If a hacker gains access to your database files, the information they find should be indecipherable. Encrypt data at rest, add field-level encryption for the most sensitive columns, and keep the keys separate from the data they protect. Customer passwords should never be stored in any reversible form: store only a salted, deliberately slow hash (bcrypt, scrypt or Argon2). Card numbers should not be stored at all unless you have a PCI reason to; use your payment processor's tokens instead.
  • Choose a PCI-compliant CRM. If you use a third-party CRM, make sure it’s compliant with PCI standards. You should also update it regularly and install any recommended security patches from the developer.
  • Protect your name. Set up Google Alerts for your company name, and watch for lookalike domains that imitate your brand, since those are what a phishing email links to. Publish SPF, DKIM and DMARC records for the domains you send from, so that mail forged in your name is rejected by recipients rather than delivered. You should also subscribe to your own email updates and alerts, so if a fraudster tries to contact your customer base in your name, you'll know as soon as it happens.
  • Maintain your systems. Regularly update your computers, software and systems and install the latest security patches as they’re released. These protect you from newly discovered vulnerabilities.
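Finding the lookalike domains the "Protect your name" item refers to before a fraudster uses one is mostly a matter of generating the candidates and watching for them to appear (in domain-registration feeds, certificate transparency logs, or your own mail and web logs). The following Python is an added example, not code from the page or from any vendor it names: it builds the candidate list for a brand domain and flags observed domains that match it. The brand `shopco.com`, the homoglyph table, the affix list and the "observed" domains are all constructed for the example.

```python
from typing import Dict, Iterable, List, Set

# Visually confusable substitutions an impersonator commonly uses (constructed table).
HOMOGLYPHS: Dict[str, str] = {
    "o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
    "m": "rn", "w": "vv", "d": "cl",
}
# TLDs a brand impersonator is likely to register alongside the real one.
ALT_TLDS: List[str] = ["com", "net", "org", "co", "shop", "store", "online"]
# Words that make a fake look like a legitimate sub-brand ("secure-shopco.com").
AFFIXES: List[str] = ["secure", "login", "account", "support", "payments"]


def lookalike_domains(domain: str) -> Set[str]:
    """Generate candidate impersonation domains for one registrable domain."""
    name, _, tld = domain.lower().rpartition(".")
    if not name:
        raise ValueError("expected a registrable domain such as shopco.com")
    variants: Set[str] = set()

    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])            # omission:      shpco
        variants.add(name[:i] + name[i] + name[i:])      # repetition:    shoppco
        if name[i] in HOMOGLYPHS:                        # homoglyph:     sh0pco
            variants.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])
    for i in range(len(name) - 1):                       # transposition: shpoco
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(1, len(name)):                        # hyphenation:   shop-co
        variants.add(name[:i] + "-" + name[i:])
    for affix in AFFIXES:                                # affixes:       secure-shopco
        variants.add(f"{affix}-{name}")
        variants.add(f"{name}-{affix}")

    variants.discard(name)      # the genuine name is not a lookalike
    variants.discard("")

    # Every name variant under the real TLD and the alternates, plus the
    # genuine name under each alternate TLD (plain TLD swap).
    tlds = [tld] + [t for t in ALT_TLDS if t != tld]
    candidates = {f"{v}.{t}" for v in variants for t in tlds}
    candidates.update(f"{name}.{t}" for t in tlds if t != tld)
    return candidates


def flag_lookalikes(observed: Iterable[str], brand_domain: str) -> List[str]:
    """Return the observed domains whose registrable part is a candidate.

    Subdomains are reduced to the last two labels first, so
    'login.sh0pco.com' is caught via 'sh0pco.com'."""
    candidates = lookalike_domains(brand_domain)
    hits: List[str] = []
    for d in observed:
        labels = d.lower().strip(".").split(".")
        registrable = ".".join(labels[-2:]) if len(labels) >= 2 else d.lower()
        if registrable in candidates:
            hits.append(d)
    return hits


if __name__ == "__main__":
    # Constructed sample of newly seen domains, as a CT-log or registration
    # feed might deliver them; none of these are real findings.
    seen = ["shopco-support.net", "login.sh0pco.com", "example.org",
            "shopco.store", "shopc0.com"]
    for hit in flag_lookalikes(seen, "shopco.com"):
        print("possible brand impersonation:", hit)
```

The two-label reduction in `flag_lookalikes` is deliberately simple; for brands under multi-label public suffixes (for example `.co.uk`) you would use a public-suffix list to find the registrable part instead. The candidate set is a watch list, not proof of abuse: confirm each hit (who registered it, what it serves) before acting.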

You should also be careful when initially designing your website or using third-party developers. Put secure processes and protocols in place so that off-site vendors don't hold standing access to your company's critical data and accounts: grant the least access they need, for as long as they need it, and revoke it when the engagement ends. You could have the strongest security in the world, but if your passwords are stored on your web developer's home computer, you're still vulnerable to attack.

External Tools

There are also some external tools that can help in the fight against phishing fraud. PasswordPing (now Enzoic), for example, checks credentials against known breach data so you can reject or force a reset of compromised passwords, while automated scanners can regularly assess your systems and cloud-hosted data. There are also account takeover prevention services (SpyCloud, Sift, etc.) that flag exposed credentials and suspicious logins and keep the damage from a successful phish to a minimum.
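The breached-password screening described under "require strong passwords" above, and the kind of check a service like PasswordPing/Enzoic or Have I Been Pwned exposes, both come down to the same two pieces a merchant can run in-house. The Python below is an added example, not code from the page or from any of those services: it implements the k-anonymity range query such services use (the client sends only the first five hex characters of the SHA-1 of the password and compares the returned suffixes locally, so the service never sees the password), a length-plus-breach policy check with no composition rules, and salted scrypt hashing for storage. The breach corpus, the minimum length and the scrypt parameters are constructed choices for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for a breach corpus. A real service holds hundreds of
# millions of entries; these four are made up for the example.
BREACHED_PASSWORDS = ["password123", "letmein", "qwertyuiop123", "Welcome2020!!"]

MIN_LENGTH = 12                                   # policy value chosen for the example
SALT_LEN = 16
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1      # roughly 16 MiB of memory per hash


def _sha1_hex(password: str) -> str:
    # SHA-1 is only the lookup key of the range protocol; it is NOT how
    # passwords are stored (see hash_password below).
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- service side: index suffixes by 5-hex-char SHA-1 prefix ---------------
_BREACH_INDEX: Dict[str, Set[str]] = {}
for _pw in BREACHED_PASSWORDS:
    _h = _sha1_hex(_pw)
    _BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix: str) -> Set[str]:
    """Service: return every known suffix under a 5-char prefix.

    The service sees only 20 bits of the hash, so it cannot tell which of
    the many passwords sharing that prefix the client is asking about."""
    return set(_BREACH_INDEX.get(prefix.upper(), set()))


# --- merchant side: policy check and storage -------------------------------
def is_breached(password: str) -> bool:
    """Client: send the prefix, compare the suffix locally."""
    h = _sha1_hex(password)
    return h[5:] in range_lookup(h[:5])


def password_acceptable(password: str) -> Tuple[bool, str]:
    """Reject short or known-breached passwords; no composition rules."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if is_breached(password):
        return False, "appears in breach corpus"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password); nothing reversible is stored."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt + key


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, key = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    for pw in ["qwertyuiop123", "short", "correct horse battery staple"]:
        print(repr(pw), "->", password_acceptable(pw))
    record = hash_password("correct horse battery staple")
    print("verify good:", verify_password("correct horse battery staple", record))
    print("verify bad: ", verify_password("wrong password", record))
```

Run the breach check at registration, at password change and, since corpora grow, at login against the password the user just typed; a match at login should trigger a forced reset rather than a silent rejection. The scrypt cost here is a starting point: raise `SCRYPT_N` as far as your login latency budget allows.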

How to Measure Effectiveness

To make sure your efforts to prevent phishing fraud are effective, keep track of the number of security breaches and data hacks you encounter every year, along with the leading indicators: customer reports of account takeover, password-reset abuse, spikes in failed logins, and the chargebacks traced back to compromised accounts.

If the number doesn’t decline over time, consider making more internal changes or implementing additional external tools.

Keep in mind that internal changes may be the most effective for smaller businesses, as they have a lower nominal cost. Larger merchants with more budget may want to spend extra and leverage external tools. These merchants are typically more vulnerable to phishing attacks anyway, as the potential payoff for fraudsters is much higher on these accounts.

Fight Back Against Phishing Fraud

In total, phishing accounts for 11 percent of all fraud and 14 percent of all fraud for large e-commerce merchants. It poses a serious threat to online retailers and requires a comprehensive plan of attack.

Want to learn how to better protect your business (and customers) from this and other types of online fraud? Download your copy of the Fraud Prevention eGuide today.