5 steps to protect your business from cybercrime threats

The growing popularity of online shopping has been aided by advancements in payment gateways, increased business adoption of eCommerce and growing customer familiarity with the benefits of shopping online.

Given this continued climb in the number of digital shoppers, the need for UK businesses to remain vigilant online, keeping their security software and systems current, is as important as ever against the threat of cybercrime.

In the first half of last year, UK Finance reported that criminals stole a total of £609.8 million through authorised and unauthorised fraud and scams.

The finance and banking sector has continued to respond to cybercrime: in the first half of 2022 the industry prevented £583.9 million of unauthorised fraud, equivalent to 61.8p in every £1 of attempted unauthorised fraud being stopped without a loss occurring.

Unauthorised access to your online shopping systems can lead to major business disruption, financial losses and reputational damage, including the withdrawal of your payment facility by the card schemes and card scheme fines of up to £20 for each individual compromised cardholder account.

Trusted Third Parties

Selecting reputable, trusted third parties to support your eCommerce solution, with valid TLS certificates and the most current software upgrades and security patches, is important in enhancing the security of your eCommerce website and associated software. Making sure the following points are written into your contract with them helps strengthen your business's online security.

Preventing Online Fraud

All online businesses must ensure that every component and feature of their eCommerce website is identified and either properly secured in-house or managed by the relevant third-party provider.

Given the very tangible impact this can have on a business's finances and reputation, preventing online fraud is better and far less costly than seeking cybercrime cures. Below we have highlighted some of the potential threats and the preventative measures you can take to keep your online business safe from hackers.

Weak passwords remain an easy target for hackers looking to breach online platforms and software. Data and systems should never be protected with passwords that can be guessed easily, like family names, favourite sporting teams or musicians.

Obvious number sequences like 123456, and words made up of letters immediately adjacent to one another on a keyboard (such as qwerty), remain popular password choices that leave businesses exposed. Reusing the same password for multiple purposes, and never updating passwords, only heightens the risk.

Ideally passwords should be at least 12-15 characters long and consist of a seemingly random collection of uppercase and lowercase letters, numbers and special characters such as punctuation; a password manager can generate and store such passwords so that staff are not tempted to reuse them.

Passwords should be changed immediately whenever compromise is suspected. Note that forcing a change on a fixed schedule, such as every 30 days, is no longer recommended by the NCSC, because it pushes staff towards predictable variations of the old password; it is more effective to screen new passwords against known-weak lists. Alongside this, review staff access and permission levels regularly and delete accounts that are no longer required.
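A password screening check of the kind described above, as an added example that is not part of the original article. It rejects passwords that are short, use too few character classes, contain a numeric or alphabetic run or a keyboard walk (such as 1234 or qwer), contain a word from a business-specific denylist, or repeat a previous password. The denylist and the minimum length are assumptions for illustration; in practice the list would be loaded from a breached-password corpus plus names relevant to the business.

```python
import string

# Constructed denylist for illustration: family names, teams and musicians
# a real deployment would replace with a breached-password corpus.
COMMON_WORDS = {"password", "liverpool", "arsenal", "beyonce", "smith", "jones"}

# Keyboard rows used to detect "adjacent key" walks such as qwerty or asdfgh.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

MIN_LENGTH = 12  # assumed policy minimum


def _has_sequence(pw, length=4):
    """True if pw contains a run of `length` characters that is ascending or
    descending in the alphabet/digits, or adjacent on a keyboard row."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        chunk = low[i:i + length]
        codes = [ord(c) for c in chunk]
        asc = all(b - a == 1 for a, b in zip(codes, codes[1:]))
        desc = all(a - b == 1 for a, b in zip(codes, codes[1:]))
        if asc or desc:
            return True
        for row in KEYBOARD_ROWS:
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def check_password(pw, previous=None):
    """Return a list of policy failures; an empty list means the password is acceptable.
    `previous` is an optional set of the account's earlier passwords (reuse check)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if _has_sequence(pw):
        problems.append("contains a keyboard walk or numeric/alphabetic sequence")
    low = pw.lower()
    for word in COMMON_WORDS:
        if word in low:
            problems.append(f"contains common word or name '{word}'")
    if previous and pw in previous:
        problems.append("reused from a previous password")
    return problems
```

The denylist match is a substring check on the lower-cased password, so "Liverpool2020!" is rejected even though it satisfies the length and character-class rules; that is the point of screening rather than relying on composition rules alone.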

Malware and ransomware (where attackers lock or encrypt your systems and demand a fee) are on the rise and can bring your business to a halt by preventing access to computer files, systems and networks, or through the loss, theft or compromise of customer, payment and business data, leading to major business disruption and losses.

Along with making sure your anti-virus / anti-malware software is running properly and up to date, you should also ensure that you or your web-hosting provider have implemented a web application firewall (WAF) or additional intrusion-detection technologies.

The data transferred between your customers' browsers and your website's server should always be encrypted using TLS (HTTPS), backed by a valid certificate. A certificate on its own encrypts nothing, so check that every page of the shop, and every link, frame and script on the payment step, is actually served over HTTPS.

Criminals rely on complacency and delays, so make staying up to date a priority. Falling behind exposes your business to an increased risk of intrusion, fraud, financial losses and reputational damage.

Software and security patches, including those for your shopping cart, protect you from online attackers who would otherwise take advantage of known vulnerabilities. If you, rather than a third-party vendor, are responsible for applying security patches, apply updates from trusted network locations (e.g. home or work) and only download them from trusted vendor sites.

Do not trust a link in an email message: attackers have used email to direct users to websites hosting malicious files disguised as legitimate updates. Be vigilant with email messages claiming to have a software update file attached; these attachments may contain malware.

Fraudsters can steal your revenue by creating fake payment pages and diverting your customers to them using false links.

Regularly review any links (such as URLs, iFrames, APIs etc.) from your website to the payment gateway to confirm they have not been altered to redirect customers to unauthorised locations.
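One way to automate the review of payment links described above, and the HTTPS check from the TLS paragraph, as an added example that is not part of the original article. It parses a checkout page, collects every outbound link, form action, iframe and script source, and flags any that are not HTTPS or that point outside an allowlist of approved hosts. The hostnames (shop.example, pay.gateway.example, evil.test) and the sample checkout page are constructed for illustration; the page also yields a SHA-256 digest so that the live checkout page can be compared against a stored known-good value.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: our own shop and the payment gateway we actually contracted.
ALLOWED_HOSTS = {"shop.example", "pay.gateway.example"}

# Tag/attribute pairs that can send the customer, or their card data, somewhere else.
OUTBOUND_ATTRS = {("a", "href"), ("form", "action"), ("iframe", "src"), ("script", "src")}


def host_allowed(url, allowed=ALLOWED_HOSTS):
    """True only for relative URLs (same origin) or https URLs whose hostname is an
    allowed host or a subdomain of one. urlsplit().hostname discards any userinfo,
    so https://pay.gateway.example@evil.test/ resolves to evil.test and is rejected."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return True  # relative link, stays on our own origin
    if parts.scheme != "https":
        return False  # plain http would expose card data in transit
    host = (parts.hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in allowed)


class LinkCollector(HTMLParser):
    """Collect (tag, url) for every outbound attribute in document order."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in OUTBOUND_ATTRS and value:
                self.found.append((tag, value))


def audit_checkout_page(html, allowed=ALLOWED_HOSTS):
    """Return (sha256 hex digest of the page, list of (tag, url) pointing somewhere unapproved)."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = [(tag, url) for tag, url in parser.found if not host_allowed(url, allowed)]
    digest = hashlib.sha256(html.encode("utf-8")).hexdigest()
    return digest, suspicious


# Constructed sample page: three legitimate references followed by three tampered ones.
SAMPLE_CHECKOUT = """
<html><body>
<form action="https://pay.gateway.example/v1/checkout" method="post">
  <input name="amount" value="49.99">
</form>
<iframe src="https://pay.gateway.example/hosted-fields"></iframe>
<script src="/static/cart.js"></script>
<!-- the kind of tampering the audit should catch -->
<a href="https://pay.gateway.example@evil.test/checkout">Pay now</a>
<iframe src="http://pay.gateway.example/hosted-fields"></iframe>
<script src="https://pay-gateway.example.attacker.test/skim.js"></script>
</body></html>
"""

if __name__ == "__main__":
    digest, suspicious = audit_checkout_page(SAMPLE_CHECKOUT)
    print("sha256:", digest)
    for tag, url in suspicious:
        print(f"UNAPPROVED <{tag}> -> {url}")
```

Run the audit against the page as a customer would receive it (fetched from outside, not read from the web server's disk), since a compromised server or CDN can serve a different page to the public than the one in source control. Store the digest from a known-good deployment and treat any change that was not accompanied by a release as an incident.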

An individual with too much or unnecessary access to your business's confidential information and/or systems weakens your defences against online fraud. By accident or design, confidential information or access to your systems could be shared with malicious parties.

For people managing your IT environment, especially business-critical systems and infrastructure, regulating their access according to the role or task they are responsible for minimises the risk of fraud by any one individual and makes that person a less valuable target for fraudsters.

Granting only the minimum level of system access needed for the job (the 'least privilege' principle) limits who can reach confidential information. Should an employee, contractor or third-party vendor become compromised, the impact is contained, as you don't have all your eggs in one basket.

Monitor, track and restrict access to sensitive payment data and critical IT systems and infrastructure, and make sure that processes, logs and audit trails are in place so that every access can be traced back to an individual.
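A minimal role-based access control with an audit trail, as an added example that is not part of the original article, showing the three controls above together: permissions are granted per role and denied by default, a leaver's account is revoked in one step, and every denial, plus every allowed action on payment data or critical infrastructure, is written to an append-only log. The roles, permission names and user names are assumptions for illustration.

```python
import json
from datetime import datetime, timezone

# Assumed role -> permission mapping for a small online shop. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "warehouse": {"orders:read", "orders:update_shipping"},
    "support": {"orders:read", "customers:read"},
    "finance": {"orders:read", "payments:read", "refunds:create"},
    "sysadmin": {"servers:ssh", "deploy:run"},
}

# Actions touching cardholder data or critical infrastructure: logged even when allowed.
SENSITIVE = {"payments:read", "refunds:create", "servers:ssh", "deploy:run"}


class AccessControl:
    def __init__(self, role_permissions=ROLE_PERMISSIONS):
        self.role_permissions = role_permissions
        self.assignments = {}  # user -> set of roles
        self.audit_log = []    # append-only list of JSON lines

    def assign(self, user, role):
        if role not in self.role_permissions:
            raise ValueError(f"unknown role {role!r}")
        self.assignments.setdefault(user, set()).add(role)

    def revoke_user(self, user):
        """Leaver or no-longer-required account: drop every role at once and record it."""
        self.assignments.pop(user, None)
        self._record(user, "account:revoke", True)

    def permissions_for(self, user):
        """Union of the permissions of every role the user holds; unknown user -> empty set."""
        return set().union(*(self.role_permissions[r] for r in self.assignments.get(user, ())))

    def is_allowed(self, user, action):
        allowed = action in self.permissions_for(user)
        # Denials are always logged; sensitive actions are logged even when allowed.
        if not allowed or action in SENSITIVE:
            self._record(user, action, allowed)
        return allowed

    def users_with(self, permission):
        """Access-review helper: who can currently perform this action?"""
        return sorted(u for u in self.assignments if permission in self.permissions_for(u))

    def _record(self, user, action, allowed):
        self.audit_log.append(json.dumps({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "result": "allow" if allowed else "deny",
        }))


if __name__ == "__main__":
    ac = AccessControl()
    ac.assign("alice", "support")
    ac.assign("bob", "finance")
    ac.assign("carol", "sysadmin")
    print("alice payments:read ->", ac.is_allowed("alice", "payments:read"))
    print("bob payments:read   ->", ac.is_allowed("bob", "payments:read"))
    print("who can refund:", ac.users_with("refunds:create"))
    ac.revoke_user("carol")
    print("\n".join(ac.audit_log))
```

The `users_with` query is what a periodic access review runs: for each sensitive permission, list who holds it and confirm each name still needs it. In production the audit log would be shipped to a system the administrators being audited cannot modify.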

Cybersecurity training will help all staff understand the purpose and benefits of this approach, and support them in using systems securely and following defined procedures. Training should also cover temporary staff, and should make everyone aware of potential security threats and of the action to take in the event of a suspected breach.

Retail is one of the most targeted industries for cyber criminals, and cyber-attacks may result in regulatory fines, loss of reputation and customer trust, compromised customer data and financial losses. By being informed, alert and security aware, you reduce the chance of online fraud happening to your business.

Take Five to Stop Fraud, a national campaign offering straightforward advice to prevent online fraud, has more information and toolkits on what business owners and managers can do to protect their business and customers from fraudsters. 
