
Holiday ecommerce security threats to watch out for (and how to protect yourself)

Kaarle Varkki

Updated: Dec 21, 2023 · 5 min read



The holiday season is here again, and if data and history are anything to go by, this is always a big deal for ecommerce.

According to this compilation of holiday ecommerce statistics:

  • Retail and ecommerce spending accounted for a whopping $1.007 trillion in sales in 2019 -- the first holiday season in which this figure exceeded the trillion-dollar mark.
  • 2020 is expected to be bigger, with holiday sales predicted to reach $1.042 trillion and ecommerce spend in particular projected to increase by a massive 13.9%.
While these figures are exciting, it is important to watch out for a key trend during holiday shopping seasons: a significant increase in the number of attacks directed at ecommerce sites.

    Several studies have shown that users are very particular about privacy and security when it comes to holiday ecommerce shopping.

    According to a particular holiday ecommerce study:

  • 43% of people have fallen victim to fraudulent charges from retailers.
  • 62% of people are not confident about the security of their data with retailers.
  • 52% of victims of fraud and data breaches end up having a negative opinion about the involved retailer.
    If there is one thing these statistics make clear, it is this: you cannot afford to take your ecommerce security lightly this holiday season.

    Most common ecommerce security threats

    So what are the most common holiday ecommerce security threats to watch out for? Here are four you should pay attention to:

    1. RDDoS attacks: Many are familiar with Distributed Denial of Service (DDoS) attacks in which attackers unleash bots on a website server in order to flood it with traffic that makes it inaccessible.

    Not many are familiar with Ransom Distributed Denial of Service (RDDoS) attacks, however.

    With RDDoS attacks, the goal of the attacker is to flood your server with ransomware and then demand a payment to call off these attacks.

    In other words, there is a financial motivation to flood ecommerce sites with DDoS attacks, so the likelihood of these attacks taking place this holiday season is high.

    2. Denial of inventory attacks: An increasingly common ecommerce attack that tends to take place during the holiday season is a denial of inventory attack.

    This is a form of violation in which hackers (mostly sponsored by competitors) use bots to rapidly add items to ecommerce carts in order to make products unavailable for genuine buyers.

    This works because ecommerce stores generally remove an item from available inventory whenever it is added to a cart, so that the stock is not exhausted by the time the buyer checks out.

    These hackers on the other hand have no intention of purchasing; they simply use bots to add items to a lot of carts to prevent others from being able to purchase them since the system will tell potential buyers the items involved are out of stock -- when this is not the case.

    3. Formjacking/e-skimming: Formjacking or e-skimming is a rising ecommerce attack in which attackers execute malicious code mostly during the checkout process in an attempt to intercept and transmit sensitive data to the hacker in real time.

    E-skimming is so insidious that in a lot of cases the person making the purchase would not know it is taking place due to the evasive techniques the hackers use. These evasive techniques include using a domain name very similar to the site being attacked and preventing the skimmer from loading for users who might be more technical and have a browser’s developer tools option open.

    E-skimming is reported to be the top malware aimed at stealing personal info found on ecommerce sites in 2019 and a particular study found that at least 4,800 unique websites are compromised with formjacking every month.

    4. Phishing: While phishing is almost as old as online commerce itself, it remains one of the most common security threats ecommerce businesses should watch out for. Owners, employees, administrators and customers of ecommerce sites are regular targets.

    How to protect yourselves from ecommerce security threats

    With the most common ecommerce security threats revealed, how do you go about protecting yourself? Here are some ideas:

    1. Enable SSL.

    Ensure you enable encryption and use SSL to add an extra layer of security to your ecommerce site.

    This not only makes your site more secure by encrypting information submitted on your website, but it also communicates to users that you take their security seriously.

    2. Define shopping cart policies.

    These policies prevent shopping cart abuse and denial of inventory attacks; for example, there should be a time limit on how long a user is able to have an item in cart without making a purchase and the number of times a user can re-add an item to said cart.

    This should especially apply to products with a limited stock.

    3. Install email security filters on company emails.

    These filters automatically detect and prevent phishing emails from getting to the email inbox of company employees.

    4. Sensitize employees and site administrators.

    Employees should know the importance of being careful about links they click in emails. They should always double-check the login page of your ecommerce site before entering their details to avoid phishing.

    5. Be careful about asking users for sensitive information via email.

    Make your policy about this clear while also sensitizing users about how to detect phishing emails.

    6. Install a Web Application Firewall (WAF).

    This helps detect and block malicious traffic to prevent your ecommerce site from being taken offline in the case of a DDoS attack.

    7. Ensure your ecommerce CMS/platform is kept up to date and secure.

    This will help protect against SQL injection attacks that could allow an attacker to carry out formjacking on your customers.

    8. Set up an automated security scanner.

    You want to regularly scan your website for malware, vulnerabilities and security issues.

    9. If possible, use a reliable third-party payment processor.

    Avoid storing payment information on your servers to limit your risks should all else fail and your ecommerce site is eventually compromised.
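The shopping cart policy from item 2 above (a time limit on cart holds plus a cap on re-adds), as an added example that is not code from the original article. The class name, the 10-minute hold, the limit of 3 adds and the per-user key are assumptions chosen for illustration.

```python
import time
from collections import defaultdict

HOLD_SECONDS = 600   # assumed policy: a cart may reserve a unit for 10 minutes
MAX_READDS = 3       # assumed policy: adds of the same item allowed per user


class CartReservations:
    """Reserves one unit per (user, sku) with a hold time limit and a re-add cap."""

    def __init__(self, stock, hold_seconds=HOLD_SECONDS, max_readds=MAX_READDS,
                 clock=time.monotonic):
        self.stock = dict(stock)          # sku -> units not currently reserved
        self.holds = {}                   # (user, sku) -> hold expiry time
        self.adds = defaultdict(int)      # (user, sku) -> number of adds so far
        self.hold_seconds = hold_seconds
        self.max_readds = max_readds
        self.clock = clock

    def _release_expired(self):
        now = self.clock()
        for key in [k for k, exp in self.holds.items() if exp <= now]:
            del self.holds[key]
            self.stock[key[1]] += 1       # expired hold: unit goes back on sale

    def add_to_cart(self, user, sku):
        self._release_expired()
        key = (user, sku)
        if key in self.holds:
            return "already_held"         # re-adding never extends the timer
        if self.adds[key] >= self.max_readds:
            return "readd_limit"          # stops the hold/expire/re-add cycle
        if self.stock.get(sku, 0) < 1:
            return "out_of_stock"
        self.stock[sku] -= 1
        self.adds[key] += 1
        self.holds[key] = self.clock() + self.hold_seconds
        return "reserved"

    def checkout(self, user, sku):
        self._release_expired()
        if self.holds.pop((user, sku), None) is None:
            return "hold_expired"
        return "purchased"                # sold unit stays out of stock

    def available(self, sku):
        self._release_expired()
        return self.stock.get(sku, 0)
```

The re-add cap is only as strong as the `user` key: tie it to an identity that is costly to rotate (a logged-in account rather than an anonymous session), and apply the tightest limits to limited-stock products.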

    In conclusion

    With the COVID-19 pandemic driving people to shop online, you can expect a spike in holiday ecommerce shopping and the resulting security threats. By taking the above measures, however, you should be able to protect yourself and your business from the unthinkable.
