As the holiday season ramps up, cybercriminals are launching new fraudulent e-commerce sites to trick consumers into handing over personal and financial information. Black Kite investigated 50 major global e-commerce companies and published a report that reveals the trends in website phishing, the probable impacts as a result of attacks and how to limit your risk.

E-commerce has so many benefits for both customers and businesses, including lower cost, time-saving, ease of use, and real-time transactions without geographical borders. However, the coin always has two sides. The broad attack surface of e-commerce also gets the attention of hackers, especially during the peak shopping season.

E-commerce phishing at a glance

  • The number of potential phishing domains registered so far in 2019 exceeds 6,000 and is expected to exceed 9,000.
  • The number of potential phishing domains increased by 11% compared to 2018.
  • The number of potential phishing domains certified by registrars tripled in 2019 over 2018.

Recent phishing attacks targeting e-commerce

As the holiday season approaches, many e-shoppers are excited to buy gifts for their loved ones and take advantage of Black Friday and Cyber Monday deals. Cybercriminals are also highly motivated by holiday shopping deals, although their motives are not in line with the spirit of holiday giving. They use fraudulent websites not only to mimic a genuine site, but also as landing pages for phishing emails that promise huge discounts, offer free gift cards, and make other enticing offers. The goal is to manipulate e-shoppers into entering personal information, credentials or credit card details, which the attackers can then use to make fraudulent purchases, steal identities or sell on the darknet.

  • In 2014, 10,000 customers of Booking.com became victims of scammers using phishing email addresses.
  • In 2015, Alibaba customers were victimized by a phishing attack with e-mails from feedback[@]service[.]alibaba[.]com.
  • In 2016, an Amazon Prime Day phishing email invited recipients to write a review of a product for a $50 bonus credit.
  • In 2017, scammers took advantage of the popularity of online shopping during the holiday season.
  • In 2019, McAfee reported a phishing kit, called 16Shop, targeting Amazon customers.

Phishing domains are on the rise

According to the report:

  • The number of potential phishing domains for 50 major e-commerce sites multiplied six times in the last four years. While under 1,000 in the first 9 months of 2016, it is more than 6,000 so far in 2019.
  • The number of phishing domains registered in the first 9 months of 2019 is 11% higher than during the same period in 2018.
  • The projections, which take the holiday season into account, indicate that the number of potential phishing domains for 50 major e-commerce sites may exceed 9,000 by the end of the year.
  • Hackers like to wait for the right moment. Some domains that were registered last year are still lying in wait and are at risk for activation at any time.

The padlock can lie

Another interesting takeaway from the report is the number of registered potential phishing domains. Hackers are creating more credible phishing websites every year. To gain higher levels of trust, they purchase legitimate certifications for fraudulent domains.

30% of the possible phishing domains registered in 2019 have certifications. Compared with 2018, the number of certified phishing domains is three times higher in 2019.

The impact of phishing attacks

The impact of phishing attacks on e-commerce companies is usually threefold:

  • Financial Impact: Website phishing contributed to 1.3 billion in BEC losses in 2018, according to the FBI Internet Crime Report. Another report by Cybersecurity Ventures estimates that the global cost of online crime is expected to reach $6 trillion by 2021.
  • Brand Reputation: Companies whose customers are targeted by a phishing campaign experience a reputation loss. On average, more than 25% of a company’s market value is directly attributable to its reputation (World Economic Forum).
  • Consumer Trust: Phishing attacks dent the trust between customers and e-commerce companies. One in every three consumers will no longer do business with a company if it suffers from a cyber-security breach (a statistic given by Deloitte).

Learn More

Our latest research gives more insights into the state of e-commerce phishing. The report can be reached via https://www.blackkite.com/whitepaper/the-state-of-e-commerce-phishing-2019/