Where there’s money, sharks circle. And in ecommerce there’s plenty of both: the market saw its fastest growth in seven years at the end of 2019. That makes small business owners valuable targets for criminals, who can use a compromised account to defraud both you and your customers.
But if you’re like me, you’re a bit bored with the endless data breaches that headline the news every few months. There’s even an academic concept, “privacy fatigue”, for the feeling of futility we get when thinking about data breaches: they’re so far out of our control. A quick check of a breach database such as haveibeenpwned.com (more on it below) could snap you out of privacy fatigue. It tells you how many times your email address or login details have been leaked, and leaked data is routinely sold on to fraudsters. If you get a positive result, you’re among the 47% of American adults who had their data exposed online in 2018 alone.
Although there’s not much we can do about large scale breaches, like Facebook’s 2018 data debacle, we can stop them from mattering as much by taking control of our online accounts. There’s also a whole realm of more individualized hacks that everyone has the power to prevent.
Read on as I guide you through these common hacking methods and how to protect yourself from them.
When it comes to online security for small businesses, most ecommerce platforms are PCI DSS compliant. This means they invest heavily in protecting the way card data is handled server-side, and they generally apply the same care to login information. However, attackers know how to target a soft spot that no amount of server-side defense can fix.
That soft spot is you.
First, it’ll help to understand the two main ways hackers could hijack your digital life.
Phishing is when attackers disguise themselves as a company you trust, then bait you into entering your login details on their spoof site. The bait is usually a fake email, phone call, text message, or a counterfeit search engine listing or ad. Even a well-timed pop-up can end with you giving away your details or installing malware with a misclick (a good ad-blocker will stop many of these, but not all).
Apps and browser extensions such as Guard or Netcraft for Chrome will alert you to known phishing sites on desktop, but the main key to beating phishing isn’t the latest free security plug-in or tool. It’s staying aware of the faults in your own thought processes, because those are what attackers rely on.
Picture this—it’s the middle of the night, and you’re awoken by your phone. An email notification lights up your screen; “Suspicious login detected”. Someone has tried to log in to your ecommerce platform account! In a panic, you smash the email call-to-action button, urging you to “log in now” to change your password. You tap in your login details with trembling fingertips, wondering who tried to access your account.
Unfortunately, you didn’t notice that the email’s sender address ([email protected]) was slightly different from the real one ([email protected]), and you’ve just entered your login details into “www.amazonian.com”, a fake site. You also missed the other tell-tale signs, such as the generic greeting “Dear Sir/Madam”; a company that holds your account will normally address you by name in an important email.
This is the lesson: scammers leverage panic and fear to make you rush and miss obvious signs. So keep calm and double-check any email that is even slightly suspicious or panic-inducing. Don’t use the links or phone numbers in the message itself; open the site by typing its address or using your bookmark, and when in doubt contact the company’s official support channel to verify the message.
This all might sound obvious to you, but even the smartest developers sometimes fail to recognize phishing, so be wary! Online fraudsters are consistently getting smarter. We’ll learn how to fight phishing in the “tools” and “habits” section of this article.
When a successful attack hits a big company’s user database, millions of users’ login details can become… not so private. Especially if the attacker then leaks the database onto the internet. Famous examples include Adobe in 2013 and the infamous AshleyMadison.com leak in 2015.
Check haveibeenpwned.com. It shows you the list of breached sites whose leaked data included your email address, and what kinds of data were exposed: your email, your name, and possibly your password (often as a hash, sometimes in plain text). Personally, I was “pwned” by Tumblr, Myspace, MyFitnessPal and Adobe.
If you had an account on any of the hundreds of sites listed, you may well have been notified already, but not all companies are prompt or transparent about breaches, and some are only discovered years after the fact. If you still use an exposed password anywhere, change it now, and don’t reuse it on another site.
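Have I Been Pwned also publishes the passwords from these breaches (as SHA-1 hashes) through its Pwned Passwords range API, and the way that lookup works is worth seeing because it never sends your password, or even its full hash, to the service. The following is an added example, not code from the article or from Have I Been Pwned itself. It implements the range query (send the first five hex characters of the SHA-1, compare the rest locally) against a constructed sample response so it runs offline; the breach count in the sample is invented. The `fetch_range_live` function shows where a real request would go.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Real endpoint of the Pwned Passwords range API; not contacted by the offline demo.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(digest: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-character prefix ever leaves this machine.
    A prefix covers roughly a million possible hashes, so the server cannot tell
    which one you were asking about."""
    return digest[:5], digest[5:]


def fetch_range_live(prefix: str) -> str:
    """Fetch one hash range over the network (real API, unused in the offline demo)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the API uses CRLF line endings) into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range_live) -> int:
    """How many times the password appeared in known breaches (0 = not found)."""
    prefix, suffix = split_for_range_query(sha1_hex(password))
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The suffixes other than the middle one, and all the counts, are made up for the demo.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "5E7F5CB2E2C0E6A2B7FD5E7B3F6B1F6B1F6:1",
    ]),
}


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range_live."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-7tQ"):
        print(candidate, "->", pwned_count(candidate, fake_fetch))
```

To run it against the real service, call `pwned_count("...")` with the default fetcher. A password that comes back with any count should be treated as burned, because credential-stuffing lists are built from exactly these dumps.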
Let’s avoid becoming a victim of the second major hacking technique—“credential stuffing”.
In late 2019, thousands of Disney+ accounts were compromised just days after launch. Disney’s servers weren’t hacked in the technical sense: attackers simply replayed username and password pairs from earlier breaches against the Disney+ login, and every account whose owner had reused a leaked password fell.
These stolen accounts were then sold on the dark web for fraudsters to log in to, then change the password, locking the real owner out—as reported by hundreds of reddit users.
The worst thing you could lose with your Disney+ account is your subscription fee. But when your online store is the target, there’s a lot more at stake for you and your customers. This is why it’s essential to use security tools to keep your store and personal accounts secure.
You can’t prevent other companies from being breached, and you can’t guarantee you’ll never be fooled by a phishing email, so put fail-safes in place that limit the damage when one of those happens. The best security tools will partially cover you even if you insist on using your dog’s name as your password. But please, please don’t.
If only Disney+ had offered two-factor authentication (2FA), a second layer of defense against anyone who gets past your password.
A study by Google found that adding a text-message code blocked 96% of bulk phishing attacks (and 100% of automated bot attacks), while on-device prompts blocked 99% and hardware security keys blocked all of them. That remaining 4% for text messages is where the code itself was captured: SMS codes can be intercepted through SIM-swap fraud, and any one-time code, whether it arrives by text or from an app, can be relayed in real time by a phishing site that fakes both the login page and the 2FA prompt. A code-based second factor narrows the attacker’s window to a few seconds rather than closing it; only a phishing-resistant method such as a hardware security key ties the login to the genuine site.
I recommend app-based 2FA such as Google Authenticator or Authy for its robust simplicity. These apps are free and all implement the same open standard (time-based one-time passwords, TOTP), so any of them works with any site that offers “authenticator app” 2FA, including Printful. Some sites, such as Facebook and OneDrive, have their own dedicated 2FA apps, but in my view the most reliable general option is Google Authenticator (it’s in Google’s interest to keep investing in account security). Sites that support 2FA should give you backup codes when you enable it, for the day you lose your phone and with it your 2FA app. Each backup code works once and anyone who finds them can bypass your second factor, so store them offline (on paper in a safe place) or in your password manager’s secure notes, not in a plain document sitting next to your other files.
To illustrate how important 2FA is, here’s a personal example. I received an email recently, claiming that one of my accounts had a login attempt from the other side of the world. For a millisecond I panicked, but then I remembered that I’d enabled 2FA for that account. It’s reassuring to know that the only way this mystery hacker could get any further was to:
In my Mr. Robot-inspired feverish dreamscape, I realized that a hacker would have to do all that while I’m unable to remotely wipe my phone, which I can do from my laptop. So they’d essentially have to kidnap me.
Is all that worth my Shopify password? Probably not (yet).
Admit it, you probably have just one or two passwords you switch up with special characters and numbers depending on the specific site requirements.
Change that bad habit with a password manager. It generates a strong, unique password for each site, stores them all in one encrypted vault, and auto-fills your login at the touch of a button. You’ll find password managers that work on both Mac and PC and in most browsers. You unlock the vault with a single master password (or your fingerprint), and the manager then fills in the correct password for the site you’re on, and only for that site, which also makes it refuse to fill your details into a lookalike phishing domain.
Here’s my selection:
A password manager makes it easier to use a unique password for each of your accounts, which makes it harder for hackers to use leaked login data against you. This makes those big data breaches matter less. Oh, and they’ll also save you from forgetting your passwords.
Develop habits around your online accounts and login details. Treat them like the keys to your home: take care of them and give them thought, because there’s a lot at stake.
As habits are notoriously hard to make stick, I recommend using your Google Calendar—that’ll make it easy to set reminders. Set yourself periodic alerts to do quarterly or monthly security checks.
In this 5-10 minute audit:
In day-to-day life, think about how you use public Wi-Fi and shared computers. On public networks at your regular coffee spot or the airport, only log in to sites served over HTTPS (the padlock in the address bar), and let your password manager auto-fill rather than typing the password: it can’t be shoulder-surfed and it won’t fill your details into a lookalike site. Avoid logging in from shared or borrowed computers altogether, since you can’t know what’s installed on them. You wouldn’t wear your password on a t-shirt in public, so don’t type it out in public either; assume that someone will notice.
This will vary between generations, but be mindful of how much personal information you post on social media. Remember that you’re a valuable target for hackers, and make sure to follow data privacy tips to protect yourself online. Don’t include your home address on resumes that are in public databases like LinkedIn, and finally, make sure your Twitter isn’t a personal diary that could be used to get to know you a bit too well.
We’re not trying to make you paranoid, just recommending that you invest in the free tools above and take the time every few weeks to clear your conscience. I get it, we like to shift responsibility to the big tech companies, who probably should be looking after our data a little better. But owning your online security will pay dividends in relaxation points when you hear about the next big data breach. By making it harder for attackers to use leaked data against you, those breaches matter less.
Do you have any stories like mine? Did someone try logging in to your store? How did you handle it? Let me know in the comments and teach other entrepreneurs your top tips.
Ottis keeps on top of the latest trends in Tech, Psychology, and Entrepreneurship. If there's exciting new research in these fields, he's read it.