Cyber Weekend Cyber Security
As the busy Q4 holiday shopping rush heats up, so do fraudsters' efforts - especially online. There are many articles that tackle the subject from the buying side with helpful advice about avoiding phishing scams, being wary of "too good to be true" deals, and protecting your personal information.
Dale Smith
Dominic Yeatman
Written by Allie Johnson for NortonLifeLock
But what should merchants be doing to protect themselves, and their legitimate customers, from security breaches and fraud attempts?
First and foremost, make sure whatever ecommerce platform or site builder you're using is running with the most recent security patches and updates. The same goes for any payment processing software or third party apps you may be using.
Danny Palmer
It's also a good idea to partner with payment processors who offer seller protection for unauthorized transactions and/or engage the services of fraud detection and prevention companies that specialize in protecting ecommerce companies from fraud.
If you use PayPal to process credit card payments on your site, you may be eligible for Chargeback Protection for additional fees. If your payment processor doesn't offer that type of protection, there are many software as a service solutions like Signifyed, Kount, Eye4Fraud, NoFraud and more.
I don't endorse any particular solution. Every business is different and you'll need to research to see what best fits your specific budget and needs. But I do highly endorse having some kind of fraud detection and prevention plan in place.
If you're concerned about the expense and weighing whether it's worth it - trust me, you don't want to be scrambling to put something in place after you've already been hit with hundreds of thousands of dollars in fraudulent orders.
Liz Morton
If you sell on third party marketplaces, you'll want to take additional precautions for those parts of your business as well. The marketplaces provide the security infrastructure and seller protection policies for their sites and there is very little control you may have in that regard, but sellers can still work to mitigate their exposure to fraud through these marketplaces.
The following advice can be applied broadly to any marketplace, but since this site is dedicated to the eBay selling experience I'll give more eBay specific examples as well.
One of the most important ways to protect yourself is to secure your account credentials and information. Account takeover fraud is a serious problem, especially on eBay.
This type of fraud occurs when bad actors gain access to your account and use it to create fake items for sale or change payment details to siphon off funds from your existing listings.
A few years ago, fraudsters would simply change the PayPal email address on listings to divert money to their own accounts.
eBay has stated that Managed Payments will prevent this type of fraud going forward because they are required to collect and verify information about accountholders under various Know Your Customer laws and regulations. In theory, that should prevent fraudsters from placing fake listings and diverting funds to alternate bank accounts, but in practice that doesn't seem to be slowing them down much.
Peter Craig
It takes many forms, from the triangulation fraud I personally experienced to the ubiquitous eBay car scams and across all categories on eBay, but one thing they have in common is the use of compromised accounts to perpetrate fraud on the platform.
Hey @AskeBay you’ve got another compromised account. Thanks to @foxacheUK for the spot!
— eBay classic car scams (@eBay_antiscam) November 9, 2021
Anyone recognise the same brown Audi? This is getting embarrassing. pic.twitter.com/dSCMB0ITP2
@AskeBay another account hacked with fake listings! pic.twitter.com/WqBeI4cwby
— Shehzad (@shehzadhassam) November 20, 2021
Unfortunately in these situations, even once the fraud is discovered and the account has been re-secured, there is often a huge cost to the seller.
I've seen reports that eBay may attempt to recover refunds and fees for the fraudulent orders from the legitimate seller's bank account or payment method on file, even though they did not receive the original funds and are an innocent victim in the scheme. Some sellers have even had their accounts shut down and been hounded by collection agencies over unpaid fees stemming from fraudulent orders.
It's not clear exactly how these accounts are being compromised - is it lazy password and security practices on the part of the accountholder or have bad actors discovered reliable ways to access accounts through brute force measures or larger security vulnerabilities?
Here are some basic security measures all sellers should be taking to secure their marketplace accounts:
-
Unique Log In Credentials That Are Changed Often - never use the same password for your selling account that you use for any other online accounts or transactions and change passwords often. To take it a step further, create an email address specifically for your selling account and don't use it anywhere else on the web.
-
Don't Click On Links In Emails or Text Messages - Phishing scams can be elaborate and sophisticated and it's not always easy to tell if an email is real or not. The easiest way to avoid this trap is to simply open a new browser window and navigate directly to a site to log in rather than clicking through from an email or text.
-
Separate Bank Account - if you're doing any real volume of business as an online seller, there are many good reasons to keep your business accounting separate from your personal finances and fraud is definitely one of them.
-
Two Factor Authentication (2FA) - there are mixed feelings on this one in the cyber security world, especially when the authentication is done through SMS text messaging. However, generally speaking, I think it is still an important precaution to take when possible.
More from eBay on how to get help with a compromised account -
Have you been a victim of account takeover fraud? I'd love to hear your story! Leave a comment below or reach out on Twitter, Facebook or email.
