In 2013, Target — a US retail giant — suffered a massive cyberattack and subsequent data breach, the effects of which reverberated for years. Hackers stole “names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.” In 2018, Target paid $18.5 million in settlements to resolve the investigation of the incident.
Currently, the focus of cyberattacks is shifting towards online shops because of the rapid growth of the eCommerce industry. In addition, the rapid digital transformation of established retailers makes them vulnerable to digital threats and exposes new weaknesses. If not properly addressed, these security issues are open to exploitation.
Data breaches and successful hacker attacks can cost a retailer millions of dollars as well as their good reputation. Knowing the most prevalent security weaknesses of online stores as well as how to address them goes a long way in strengthening eCommerce defenses.
eCommerce Cyber Security Threats
Here are some of the most prevalent cybersecurity threats eCommerce businesses face.
DDoS (Distributed Denial of Service) Attacks
Some things are just like classical music — always relevant. Time passes by, and DDoS attacks are still effective and often used as a means of making the life of online retailers harder. One of the reasons for the lasting popularity of DDoS attacks is the straightforward simplicity of the technique. Your server gets bombarded by thousands of requests from different IPs. If the server is unable to handle them, it crashes. As a result, your online store loses potential clients and becomes more vulnerable to other hacking attempts.
E-skimming
E-skimming is a relatively new and maliciously clever cyberattack. It can be performed in different ways. One of the more sophisticated approaches is infecting checkout pages with special malware and stealing the payment data of customers who make purchases. So, not only are users completely unaware that their data is being stolen, but their financial security is being compromised as well. For example, during Thanksgiving, 780 customers of the Smith & Wesson company became victims of such e-skimming.
A more brute-force approach to e-skimming involves redirecting users to third-party services that mimic the checkout page. Less tech-savvy or more inattentive consumers won’t notice that something fishy is going on.
Malware
Malware comes in an incredible variety of tastes and flavors. Overall, any piece of software whose purpose is to harm or compromise your system is malware. Depending on its complexity and efficacy, malware can disrupt the work of an online shop, steal or manipulate data, crack passwords, gather information about your operations, and send messages to your customers on your behalf.
Overall, malware is not to be underestimated and constant security updates and checks are essential to having good defenses against malicious software.
Malicious Bots
Malicious AI or ‘bad bots’ that can mimic human behavior well can be used to deceive your system into “thinking” that real people are interacting with it. As a result, such an AI can be used to:
- Seriously skew your statistics
- Get hold of users’ accounts
- Steal data, such as payment information, user addresses, etc.
- Monitor how you manage inventory, set prices, and market your goods. Competitors can then use the obtained data to set lower prices or reach your target audience faster.
So far, about 20% of all eCommerce traffic consists of bad bots.
Phishing
Phishing refers to the methods of social engineering used to get valuable information out of people. The simplest example is a fake email sent as if from a company the person interacts with. This email may contain a request to change the login or password, in an attempt to steal the credentials. More complex methods involve deliberate communication with a person to win over their trust and get hold of valuable information.
eCommerce Cybersecurity Practices and Standards
First of all, properly developed software that follows the standards of writing code, building back end architecture, managing databases, and testing will be protected from a significant part of the security threats.
Above that, there are several eCommerce cybersecurity recommendations to keep in mind.
- First things first, encourage your users to come up with complex passwords. A long password (a bare minimum of 8 characters) that contains lower- and upper-case letters, as well as numbers or other symbols, will be very difficult to crack. The same applies to your employees, and especially administrators.
- Implement multi-factor authentication, such as Face ID or a fingerprint scanner.
- Never forget to renew your SSL certificates.
- Educate your customers about phishing. If your company doesn’t send certain types of emails, inform your customers about it. Encourage users not to follow third-party links from your online store.
- Delete all irrelevant data from your databases and don’t store data duplicates.
- Monitor the online shop’s performance, third-party integrations, and traffic. If any suspicious activity is present, investigate it.
- After any update to your eCommerce business, conduct a thorough QA check to determine any new weaknesses.
- Make backups of valuable data.
- Use a reliable eCommerce platform to build your online store. Newcomers on the market may have great offers, but until they’re tested in the open field, it’s difficult to know the limitations of their security practices.
- Make sure your eCommerce business complies with the security regulations. For example, GDPR if you operate on the European market.
- If DDoS attacks or sharp traffic fluctuations bother you, implement a CDN (content delivery network) to distribute the load on your system across different servers.
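The traffic-monitoring recommendation above, and the DDoS and bad-bot threats described earlier, can be made concrete with a small access-log monitor. This is an added example, not code from the original article; the log format, thresholds and all IP addresses in it are constructed assumptions.

```python
# Added example, not code from the original article: a small access-log monitor
# for the two traffic shapes described above. One client hammering the shop
# (bot-like) trips a per-IP limit; a burst spread over many distinct addresses
# (the DDoS shape) trips a window-wide check. Log format, thresholds and IPs are assumed.
from collections import Counter, deque
from datetime import datetime, timedelta

def parse_line(line):
    """Parse 'ISO-timestamp client-ip method path' into (datetime, ip, path)."""
    ts, ip, _method, path = line.split()
    return datetime.fromisoformat(ts), ip, path

def analyze(log_lines, window=timedelta(seconds=10), per_ip_limit=20,
            burst_total=100, burst_distinct_ips=50):
    """Return (noisy_ips, burst_detected) for a time-ordered access log.
    noisy_ips: IPs sending more than per_ip_limit requests within one window.
    burst_detected: a window held more than burst_total requests from at
    least burst_distinct_ips distinct clients (many sources, low rate each)."""
    events = sorted(parse_line(l) for l in log_lines if l.strip())
    in_window = deque()      # (timestamp, ip) pairs inside the sliding window
    per_ip = Counter()       # request count per ip inside the window
    noisy_ips, burst_detected = set(), False
    for ts, ip, _path in events:
        in_window.append((ts, ip))
        per_ip[ip] += 1
        while ts - in_window[0][0] > window:      # expire events older than the window
            _, old_ip = in_window.popleft()
            per_ip[old_ip] -= 1
            if per_ip[old_ip] == 0:
                del per_ip[old_ip]
        if per_ip[ip] > per_ip_limit:
            noisy_ips.add(ip)
        if len(in_window) > burst_total and len(per_ip) >= burst_distinct_ips:
            burst_detected = True
    return noisy_ips, burst_detected

def build_sample_log():
    """Constructed log: two shoppers, one scraping bot, then a 120-source burst."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    for i in range(5):   # two ordinary shoppers, a page every 12 seconds
        lines.append(f"{(base + timedelta(seconds=12 * i)).isoformat()} 203.0.113.5 GET /product/{i}")
        lines.append(f"{(base + timedelta(seconds=12 * i + 3)).isoformat()} 203.0.113.9 GET /cart")
    for i in range(40):  # one bot pulling 40 product pages in 8 seconds
        lines.append(f"{(base + timedelta(milliseconds=200 * i)).isoformat()} 198.51.100.7 GET /product/{i}")
    for i in range(120): # 120 addresses each sending one request within 5 seconds
        t = base + timedelta(minutes=2, milliseconds=40 * i)
        lines.append(f"{t.isoformat()} 192.0.2.{i} GET /")
    return lines
```

Running `analyze(build_sample_log())` flags the single bot address and the many-source burst while leaving the two ordinary shoppers alone.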
Competency of Employees: Last Line of Defense
This point is often omitted, but, at the end of the day, your online store is as secure as your least experienced employee is knowledgeable about cybersecurity practices.
Proper training is the only surefire solution to this issue. Every new employee who has access to information that could compromise your company’s security should know how to behave and how to manage their data. The training should include not only how to handle passwords and access rights, but also communication tips. Some people specialize in exploiting digital systems by getting valuable information out of workers during casual conversations. Without the proper knowledge, it’s difficult to notice when you’re being used for information extraction rather than simple chit-chat. Establishing a proper training period will cost you some time and money. However, the resulting benefits are incredibly far-reaching and invaluable to your retail business security.
Also, proper HR and crisis management are important to any company to avoid angry or frustrated employees who may, consciously or not, share sensitive data with third parties.
Building a robust eCommerce system with reliable cybersecurity defenses is a feat of software development prowess. The quality of the written code, the standards of secure architecture, proper encoding and data transmission, intuitive UI/UX for admins and users, thorough QA phase — every piece should be top-notch to ensure robust security.
We know from experience the thousands of hours of meticulous work that go into a secure online store and retail software development. We built online stores for such international retailers as Trademax, North European Trust AB, Stenstroms, and Gymgrossisten.
Now, you can use our skills and experience to your benefit. If you need highly-skilled developers to build a secure system, contact us. We can quickly assemble a team of dedicated developers with relevant experience so you can be sure that your online retail is in the hands of professionals.