Securing online shoppers against social engineering threats

In an increasingly digital world, online trading and shopping activities have become a routine part of the business environment impacting significantly on financial systems, technology-driven products and services, and financial inclusion, among others all in an effort to create convenience in doing business.

It is important to recognize the outcomes and developments within the e-commerce space post-COVID-19 which has seen an increase in online activities of consumers resulting in significant patronage of e-commerce platforms to meet their purchasing needs.

Globally, the e-commerce market is expected to record over USD 6 trillion in retail e-commerce representing about 20.8% of retail purchases worldwide. In Africa, the e-commerce market size reached USD 241.6 billion in 2022, and it is expected to reach USD 567.6 billion by 2028.

According to Statista, the forecast of the e-commerce market revenue in Ghana will continuously increase between 2023 and 2027 by 512.4 million US Dollars representing about a 73.49% increase. However, this increase and convenience also come with risks such as identity theft, exposure to fake/impersonated websites, social engineering threats, data breaches, fake product or service reviews, unencrypted data, malware threats, package theft, counterfeit products, etc.

It is significant to establish that social engineering threats are one of the most prevalent threats targeting online shoppers and derailing the gains and successes of the e-commerce space. Social engineering is a technique used by cybercriminals to manipulate individuals into revealing sensitive information or performing actions that may compromise their security.

It uses psychological manipulation to trick people into giving out personal information. Analysis from investigations and assessments conducted by the e-Crime Bureau corroborates the fact that the most prevalent schemes used by cyber fraudsters to defraud their targets are social engineering schemes.

In recent times the Bureau has seen an increasing trend of criminals and threat actors leveraging social engineering schemes to take over accounts (both businesses and individuals) on social media, particularly on messaging platforms predominantly WhatsApp to perpetrate scams.

A case reported to the Bureau, reveals that a fraudster impersonated a popular brand within the food industry and social engineered prospective clients to make payments for goods that never got delivered to them. Cash out of these fraudulent funds is usually via mobile financial service products.

Social engineering threats can have significant consequences on individuals as well as businesses that rely on virtual platforms to promote their brands and products. Globally, the rise of cybercrime has been fueled by the increasing number of online users and the evolving techniques of cybercriminals.

In 2022, the total damages caused by cybercrimes reached USD 6 trillion, and over 33 billion accounts are estimated to be breached by the end of 2023 (Vojinovic, 2022). According to Open Text Cybersecurity’s 2023 Global Threat Report, phishing remains one of the most popular initial access vectors for cybercriminals.

The total number of scam URLs increased by 30% between 2021 and 2022 – from 2.7 million to 3.5 million, according to the report. Ghana recorded GHS 49.5 million direct financial losses through cyber fraud activities between January and June, this year 2023 according to the Cyber Security Authority, Ghana.

Situational analysis of the fraud and cybercrime landscape in Ghana, reveals online shoppers continue to be a primary target of these cyber fraudsters. Common social engineering schemes targeting users of e-commerce platforms include but are not limited to:

1. Phishing: Fraudulent emails or websites impersonate legitimate entities to trick users into revealing personal or financial information. Information gathered is then used to either target the victim or impersonate the victim to defraud others.

2. Pretexting: Attackers invent a fabricated scenario or pretext to obtain information from victims, often over the phone.

3. Baiting: Malicious software or files are disguised as enticing downloads, enticing users to click and unknowingly compromise their systems.

4. Watering Hole Attack: This attack targets groups of users by infecting websites that they commonly visit. Watering hole attacks aim to infect users’ computers to gain access to a connected corporate network. They then steal personal information, banking details, and unauthorized access to sensitive information.

5. Smishing – This is a type of e-commerce scam that involves sending fraudulent text messages to trick people into divulging sensitive information or clicking on a malicious link. Smishing is similar to phishing, but instead of using emails, scammers use text messages on mobile devices to deceive people.

To ensure maximum security against social engineering attacks especially targeting online activities, consumers within the e-commerce space must first pay attention to these signs:

1. Unsolicited Communication: Be wary of unexpected emails, calls, or messages requesting personal information or financial details.

2. Urgency or Fear Tactics: Attackers often create a sense of urgency, pressuring victims to act quickly without thinking.

3. Suspicious URLs or Links: Hover over links to reveal their actual destinations before clicking. Verify the legitimacy of websites.

To secure online shoppers against social engineering threats, both individuals and e-commerce platforms must take proactive measures. Below are verifiable and key preventive strategies that must be adopted while conducting business online:

1. Online shoppers should be educated about the various social engineering techniques used by cybercriminals, such as phishing, smishing, baiting, scams, etc. They should also be trained and provided with regular awareness insights to identify and report suspicious activities.

2. E-commerce platforms should implement strong authentication methods, such as two-factor authentication, to ensure that only authorized users can access their accounts.

3. Users should regularly update their devices and install security patches to protect against social engineering attacks that exploit unpatched vulnerabilities.

4. E-commerce platforms should use secure communication protocols, such as SSL/TLS, to encrypt users' sensitive information and protect it from interception.

5. E-commerce platforms should have robust monitoring systems in place to detect and respond to social engineering attacks in real-time. This includes monitoring for suspicious account activities and implementing incident response plans to mitigate the impact of successful attacks.

Fraud and breaches targeting the e-commerce industry continue to take a heavy toll on the industry, with losses from online payment fraud totaling more than 40 billion U.S. dollars in 2022.

In light of this situation, the e-commerce fraud detection and prevention market is forecasted to grow more than two-fold between 2023 and 2027, exceeding 100 billion dollars (Statista, 2023). Besides the growth in figures, it is anticipated that the use of social engineering for e-commerce-specific fraud will increase in sophistication with criminals using a combination of online and offline tactics.

Securing online shoppers against social engineering threats is a complex task that requires a multi-faceted approach. By educating users, implementing strong authentication methods, ensuring endpoint security, using secure communication protocols, and having robust monitoring and incident response systems in place, both individuals and e-commerce platforms can work together to create a safer online shopping environment.

In Ghana and other African countries, it is crucial to focus on the unique challenges faced by marginalized individuals and develop tailored solutions to protect them from social engineering threats.