Practical Ecommerce

Fraud-Proofing Your Ebiz

I know a business that had its website hacked: Its entire customer database was hijacked and thousands of customer credit card numbers were stolen at the same time.

In the following months, the hackers did their best to steal as much as they could from this business through a number of “phishing” scams and direct email campaigns to the customers, all while posing as the legitimate business.

After months of heartache, expense and lost sleep, this company cleaned up the mess and the hackers moved on to greener pastures.

What’s the lesson for all of us?

Whether you operate a multimillion dollar ecommerce empire or generate part-time income with a small eBay or ebook enterprise, the following tips will help you fraud-proof your online business before it’s too late.

Protect Your Passwords

Never share passwords for sensitive applications such as web hosting, email, PayPal, bank accounts or anything else with anyone.

If you must give web designers or programmers access to your hosting, give them their own login where the service allows it, and change any shared password immediately after they complete the work.

Use a different password for each sensitive account, so one stolen password does not open the rest, and change a password at once if you suspect it has been exposed. Rotating all your sensitive passwords on a monthly basis also limits how long a password that was stolen without your knowledge stays useful.

Use Proven Service Providers

Custom payment code is great until someone finds the hole that nobody tested for.

When you hand card processing to established providers such as ClickBank, 1ShoppingCart, and PayPal, the card numbers are entered on their systems rather than stored on your own server, which greatly reduces what a break-in at your site can expose and how much of the card industry's security burden falls on you.

Shred Everything

A good, cross-cut shredder rates as just about the best investment you can make in online security.

Before throwing anything away, shred it.

The shredding list includes bank statements, check stubs, lists of names and emails, printed emails, and anything else that can lead someone back to you, a customer, an account or where you go or what you do online.

Fight the “Clone Wars”

Keep an eye out for illegal copies of your website posing as you or your business.

If you find someone posing as you online, the easiest way to shut them down is a direct frontal assault.

Contact their hosting company, their credit card processor, and their domain name registrar about the illegal activity. Send each of them the clone's URL, your original URL and evidence that the content is yours (your domain registration date, for example), and make clear that you will hold the provider liable if the illegal activity does not cease immediately. Remember that a clone carrying your name can also be used to phish your customers, so treat it as a fraud problem and not only a copyright one.
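One practical way to spot a clone before a customer reports it is to watch your own web server logs: a site that copies your pages usually still loads your images and stylesheets from your server, and those requests arrive with a Referer header naming the clone's domain. The script below is an added example written for this article; it is not code from Practical Ecommerce or the author. The domain names and log lines are constructed for illustration, and the parser assumes the standard Apache or nginx "combined" log format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format (assumed):
#   ip ident user [time] "method path protocol" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Domains we own (assumed for the example); any other host referring our assets is suspect.
OUR_HOSTS = {"example-store.test", "www.example-store.test"}
# Static assets a copied page would still pull from our server.
ASSET_EXT = (".jpg", ".jpeg", ".png", ".gif", ".css", ".js")


def parse_line(line):
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname of a Referer value, or None for a missing ('-') or empty one."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def find_foreign_referers(lines, our_hosts=OUR_HOSTS, min_hits=2):
    """Count asset requests whose Referer names a host we do not own.

    Returns {host: {"hits": n, "paths": [sorted asset paths]}} for every
    foreign host with at least min_hits such requests. A visitor viewing our
    own page sends our host as the Referer; a clone sends its own domain.
    """
    hits = defaultdict(int)
    paths = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["path"]).path.lower()   # drop any query string
        if not path.endswith(ASSET_EXT):
            continue                                 # HTML hits from search engines are normal
        host = referer_host(rec["referer"])
        if host is None or host in our_hosts:
            continue
        hits[host] += 1
        paths[host].add(path)
    return {
        host: {"hits": n, "paths": sorted(paths[host])}
        for host, n in hits.items() if n >= min_hits
    }


# Constructed sample traffic, not real log data: a search-engine visitor, a normal
# page view, and a clone at example-store-deals.test hotlinking our assets.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2007:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=widgets" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2007:09:12:02 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "http://www.example-store.test/index.html" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2007:09:15:10 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "http://example-store-deals.test/index.html" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2007:09:15:11 +0000] "GET /css/site.css?v=3 HTTP/1.1" 200 900 "http://example-store-deals.test/index.html" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2007:09:20:45 +0000] "GET /img/widget.jpg HTTP/1.1" 200 7000 "http://example-store-deals.test/products.html" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2007:09:20:46 +0000] "GET /img/widget.jpg HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for host, info in find_foreign_referers(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {info['hits']} asset requests -> {', '.join(info['paths'])}")
```

The Referer header is set by the visitor's browser and can be absent or forged, so a hit here is a lead to inspect by visiting the referring site, not proof of a clone. The same signal also catches harmless hotlinking by forums or price-comparison sites, which is why the script counts requests per host instead of alerting on the first one.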

Troll eBay

Regularly check eBay for people selling bootleg copies of your products.

Set up automated searches to email you any time a listing gets placed with your name, product name or any reference similar to your product.

Sign up with eBay's VeRO (Verified Rights Owner) program so that, once your rights are registered, a simple email from you gets an infringing listing removed immediately.

What Mom Always Told You: “Never talk to strangers!”

That means never give account information to anyone who contacts you by phone or email, no matter who they claim to be; if the request seems as if it could be genuine, hang up and call the company back on the number printed on your statement or card.

Your bank, hosting provider, email service, ISP and PayPal already have your username, password and PIN; a legitimate provider never needs to call or email you to ask you to confirm them.

Additional Tips

Never leave your physical mail (incoming or outgoing) in your mailbox overnight.

Don’t share any sensitive information with anyone who doesn’t need to know it.

Be careful of any shareware you download and use because it can contain spyware and even viruses intended to steal critical information.

Use common sense and never think you’re invulnerable to an attack that could derail your business with one little misstep.


  1. Legacy User January 8, 2007 Reply

    Great article Jim,

    I would like to add one thing that many people are still unaware of even though its becoming so critical for business online.

    Ensure that ALL your providers online are PCI/CISP certified.

    PCI/CISP are strict new standards for conducting business online set down by the credit card industry (Visa, MasterCard, etc.) and only the MOST secure systems can become certified. PCI/CISP very clearly outlines how data should be stored, and transmitted online. was one of the first eCommerce solutions to become fully certified in 2006, but you have to ensure every company in your payment process has been certified as well.

    If you want to learn more about PCI/CISP, you can read our page at:

    you will find links back to the appropriate pages at Visa here also.

    Michael Valiant

    — *Michael Valiant*

  2. Legacy User January 11, 2007 Reply

    Jim said:
    "Be careful of any shareware you download and use because it can contain spyware and even viruses intended to steal critical information."

    My comment:
    Shareware is not a type of software, but rather a marketing method. The method is used by Symantec, Microsoft, and a few other little companies you may have heard of, even if they do not use the term "shareware" in their advertising.

    The Association of Shareware Professionals [ASP] has fought for years to disentangle the erroneous association of properly obtained software, that happens to be marketed as shareware, with harmful computer code such as viruses and spyware.

    In general, software marketed via shareware channels and other commercial software is normally virus-free. Indeed, the basis of shareware marketing is TBYB [try-before-you-buy].

    Companies that integrate the shareware marketing method in their core business model [over 10,000 of them!] would no more want to distribute a virus or Trojan than companies distributing by other channels. The try-before-you-buy nature of software marketed as shareware means that our members work very hard at closing a sale with each user by impressing them with how good the product that they're trying is. Distributing software problems and malware invaders doesn't result in a good relationship with our best potential customers.

    The ASP is a not-for-profit association of over 1,300 independent software developers, marketers and vendors, most of whom use the try-before-you-buy method of software distribution. For more information on the ASP, visit our consumer information web site at .

    Ed L. Pulliam
    Association of Shareware Professionals
    Janesville, WI (USA)
    877 479-4493 Toll Free in US and Canada

    — *Ed L. Pulliam*

  3. Legacy User January 29, 2007 Reply

    Jim – I am a technology advisor for Parsippany Chamber of Commerce ( — I would like reprint rights so I can distribute your article to members?

    Please advise.

    — *Frank Cahill*

  4. Legacy User April 23, 2007 Reply

    Excellent article. Now the bad news. If a hacker wants to break in, it's a done deal. Might take a few long days. Met a professional hacker for a large accounting firm. Told me that he has never been stopped from getting root access to a server. Make sure you have a lot of liability insurance if you're an ecommerce site or put the legalese on your site to give yourself some protection. It's a shame but there are some major companies that will tell you their sob story right now (cough tjm/marshalls cough). Best wishes. Scott Neuman –

    — *Scott Neuman*

  5. Legacy User May 17, 2007 Reply

    I own an ecommerce site and have been in business for at least a decade. This past month, my GATEWAY was hacked and in excess of 4,000 credit card numbers were authorized (within 2 days). Where is the security? This anomaly should have rung out fast and furious within the system since my company does nowhere near that amount of business. More than half a month has transpired and it is still "in review." (My MSP, on the other hand, immediately reversed all charges.)

    I reported the situation to the FBI and they told me this is happening more and more to small businesses. Is anyone else outraged?

    — *Nancy McKay*
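What Nancy describes, thousands of authorizations in two days at a merchant that never does that volume, is the classic signature of card testing: a fraudster runs a stolen card list through a gateway in small amounts to learn which cards are still live. A gateway, or a merchant watching its own authorization feed, can catch it with a velocity rule. The script below is an added example and is not code from the article, the commenter or any gateway; the transaction records are constructed, and the baseline figure and thresholds are assumptions that would have to be tuned to a merchant's real volume.

```python
from collections import deque, namedtuple
from datetime import datetime, timedelta

# One authorization attempt as the gateway sees it (fields assumed for the example).
Auth = namedtuple("Auth", "ts merchant card_token amount_cents approved")
Alert = namedtuple("Alert", "ts count distinct_cards approval_rate")


def detect_card_testing(records, baseline_per_day, window_hours=1,
                        spike_factor=10, min_distinct=50):
    """Sliding-window velocity check over one merchant's authorizations.

    An alert fires when the attempts in the trailing window exceed
    spike_factor times the merchant's normal hourly rate AND they come from at
    least min_distinct different cards: a busy sale day raises the count, but
    only a stolen card list raises the distinct-card count with it. One alert
    is emitted per contiguous spike, carrying the approval rate as extra
    evidence (card testing typically produces many declines).
    """
    threshold = baseline_per_day / 24.0 * spike_factor
    window = timedelta(hours=window_hours)
    recent = deque()
    alerts = []
    firing = False
    for rec in sorted(records, key=lambda r: r.ts):
        recent.append(rec)
        while rec.ts - recent[0].ts > window:     # drop attempts older than the window
            recent.popleft()
        count = len(recent)
        distinct = len({r.card_token for r in recent})
        spike = count > threshold and distinct >= min_distinct
        if spike and not firing:
            approved = sum(1 for r in recent if r.approved)
            alerts.append(Alert(rec.ts, count, distinct, approved / count))
        firing = spike
    return alerts


def constructed_day(include_burst):
    """Constructed sample data, not a real feed: a small shop doing about 40
    authorizations a day from repeat customers, optionally with a card-testing
    burst of 120 attempts in 20 minutes, each on a different card, for $1 to $2."""
    start = datetime(2007, 5, 1)
    recs = [Auth(start + timedelta(minutes=36 * i), "M1",
                 f"cust-{i % 25:03d}", 4995, True) for i in range(40)]
    if include_burst:
        burst = start + timedelta(hours=14)
        recs += [Auth(burst + timedelta(seconds=10 * i), "M1",
                      f"stolen-{i:04d}", 100 + (i % 5) * 25, i % 5 < 2)
                 for i in range(120)]
    return recs


if __name__ == "__main__":
    for a in detect_card_testing(constructed_day(True), baseline_per_day=40):
        print(f"{a.ts:%Y-%m-%d %H:%M}: {a.count} attempts from {a.distinct_cards} cards, "
              f"{a.approval_rate:.0%} approved -> possible card testing")
```

With the constructed data the rule fires within eight minutes of the burst starting, after 50 attempts, rather than after 4,000; a merchant doing 40 authorizations a day would never legitimately see 50 different cards in an hour. The two conditions are deliberately combined: volume alone would flag a genuine promotion, and distinct cards alone would flag a busy large merchant, but both together at a small shop point at a stolen list being tested.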

  6. Legacy User July 3, 2007 Reply

    Regarding the clone war: What you said is good information that every site should know.

    But trying to stop a clone site is a lot easier said than done. First you have to be able to get a phone number and/or email address that's valid. And they usually don't answer anyway.

    Threatening their ISP only results in that ISP saying "take us to court and prove it." Lets face it, the ISP is making money from the clone so why help you?

    If you can find the registrar, good luck there. What's in it for them to help you?

    Unless you have a lot of money and time to burn it is very difficult to actually get a clone shut down. The problem is the lack of any governing body that enforces such things.

    The web is still the wild west with very few marshals and lots of bad guys looking to steal your ideas. Being innovative, providing quality content, and SEO go a long way to making sure the clones don't get much.

    — *Michael Keilhofer*

  7. Legacy User January 28, 2008 Reply

    The single most important thing with lists is that they have to be simple to use. Anything that takes more than three seconds to use will be great for about a week. After that only half the items get put in, worse than nothing.
    Text file on the desktop is the one, so long as you can avoid spending half an hour making it look nice every time you open it. Ten minutes every morning organising it then the rest of the day getting things crossed off.

    — *Lisa*