SAP Cybersecurity and Ecommerce Fraud

Mar 16, '21 by Joerg Schneider-Simon

Cybercriminals have never seen a weakness they didn’t like. If a trend in ecommerce, a shift in consumer buying habits or a shift in technology makes retailers more vulnerable, cybercriminals are the first to discover these vulnerabilities—and exploit them.

So, you probably aren’t all that surprised to learn that the rise in ecommerce purchases and transactions caused by the COVID-19 pandemic is being accompanied by a similar rise in cyberattacks, ecommerce theft and fraud.

If your organization uses SAP applications anywhere in your ecommerce supply chain, you must prepare for these rising threats. Here’s how.

Ecommerce Cyberattacks Are Contagious

Around July 2020, as the pandemic increased in scope and severity, global retail ecommerce sales grew by more than 81% compared with the same period the previous year (Card Not Present). Some retail sectors have experienced increases of more than 300%. This rapid and unprecedented increase in transaction volumes caught retailers off guard. And cybercriminals jumped in to take advantage in three ways.

1. Account takeover fraud

According to, account takeover fraud has increased by 347% since 2019. Account takeover fraud happens when cybercriminals gain access to a victim’s login credentials and use that access to steal money or information. Some hackers use phishing, malware, mobile banking trojans, SIM card swapping, man-in-the-middle, and other methods to steal login credentials directly. Other hackers harvest this information from data breaches or buy it on the Dark Web.

Once criminals take over an account, they make payments to fraudulent companies, go on shopping sprees with stolen credit cards, and make purchases on ecommerce sites where the victim has an account.

The quickest way to prevent account takeover fraud is to implement multifactor authentication. Move away from simple PINs and static passwords, supplementing them with a code sent via SMS text message or a one-time password sent via email, or biometric data, such as a fingerprint scan or facial recognition from a selfie.

The next step is to deploy a real-time fraud detection and prevention solution across your enterprise, choosing a solution that integrates with your SAP systems.

2. Bot attacks

Online fraudsters are also using bots to exploit vulnerabilities created by the COVID-19 pandemic. The most common attacks see fraudsters using bots to create, test and build fake online identities, which they then monetize. Fraudsters create these fake accounts (known in the industry as “synthetic identities”) on multiple online platforms, including:

  • Ecommerce stores
  • Media sites
  • Virtual gift card companies
  • Ridesharing sites

Fraudsters typically monetize these fake accounts by taking advantage of free trials and bonuses, and then selling them for profit. Fraudsters are also using bots to make small purchases using stolen credit cards, to test the validity of the cards before making larger purchases.

To protect your organization against bot attacks, you must think beyond single-point prevention. You must deploy a solution that detects when fraudsters are impersonating genuine customers. This requires a solution that offers a layered defense of fraud, identity, and authentication capabilities, and that delivers this protection across the entire customer experience, not just at the early identity verification stage or at the final checkout stage.
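One way to spot the card-testing pattern described above (many small purchases on different cards) in checkout logs, as an added example that is not part of the original article. The log format, device ids, card tokens and the three thresholds are constructed assumptions, and the log is assumed to be sorted by time.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample checkout log: time, device id, card token, amount, outcome.
SAMPLE_LOG = """\
2021-03-16T10:00:05 dev-A tok-1001 1.00 approved
2021-03-16T10:00:41 dev-A tok-1002 1.00 declined
2021-03-16T10:01:10 dev-B tok-2001 54.90 approved
2021-03-16T10:01:32 dev-A tok-1003 0.99 declined
2021-03-16T10:02:02 dev-A tok-1004 1.50 approved
2021-03-16T10:40:00 dev-B tok-2001 12.00 approved
2021-03-16T11:15:00 dev-C tok-3001 2.00 approved
2021-03-16T12:30:00 dev-C tok-3002 1.00 approved
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window
SMALL_AMOUNT = 5.00              # assumed ceiling for a "test" purchase
MAX_CARDS = 3                    # assumed distinct cards tolerated per device per window


def find_card_testing(log_text):
    """Return {device_id: time of first alert} for devices that try more than
    MAX_CARDS distinct cards on small purchases within WINDOW.
    Declined attempts count too: a testing bot expects most cards to fail."""
    recent = defaultdict(deque)   # device -> (time, card) of recent small purchases
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, device, card, amount, _outcome = line.split()
        if float(amount) > SMALL_AMOUNT:
            continue              # ordinary-sized purchases are out of scope here
        when = datetime.fromisoformat(ts)
        window = recent[device]
        window.append((when, card))
        while when - window[0][0] > WINDOW:
            window.popleft()      # drop attempts older than the look-back window
        distinct_cards = {c for _, c in window}
        if len(distinct_cards) > MAX_CARDS and device not in alerts:
            alerts[device] = when
    return alerts
```

Keying on the device rather than the card is what catches this pattern, because each card token appears only once or twice.
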

3. Click-and-collect fraud

The trend today is to make shopping contact-free and to reduce face-to-face contact. This has meant a rapid increase in “click-and-collect,” the practice of buying online and picking up in-store. This service is convenient for shoppers and fraudsters alike. Fraudsters like it because it helps them evade in-store point of sale defenses and gain same-day access to stolen goods.

The solution to click-and-collect fraud is to use tools that help you gather and analyze as much customer data as you can. Some anti-fraud solutions, for example, embed a snippet of code on your ecommerce site or mobile app that gathers information about each shopper, including the device they are using, where the device is located, and their activity on your site or mobile app. This code helps you assign a unique digital “fingerprint” to each device, detect proxies, and analyze suspicious behavior.

How to Safely Integrate SAP Solutions with Payment Applications

Staying ahead of cybercriminals requires a 24/7 approach to security that involves every stage of your customer’s buying journey. It also means taking steps to ensure that your ecommerce platforms integrate securely with your payment processing applications and SAP back-office systems. Here are the places you should spend the most energy.

Make sure your integrations are secure: To keep your customer data away from prying eyes, and to protect your organization from ecommerce fraud, ensure that the communications between your SAP systems and your third-party payment processors are secure. Only use SAP ecommerce integrations that meet SAP security standards.

Digitize your data: Hackers love manual processes because manual processes don’t scale to meet rising transaction volumes. Manual processes simply give cybercriminals even more ways to defraud and steal. So, digitize your processes and data to eliminate manual order taking and manual order reconciliation. Replace paper order forms, spreadsheets and sticky notes with a solution that integrates your ecommerce store with your payment processing system and your back-office SAP systems.

Pick the ecommerce platform that suits you: When it comes to integrating your ecommerce store with your SAP systems, you have three choices. You can:

  • Use SAP’s solution, SAP Commerce Cloud
  • Use third-party ecommerce solutions, such as Shopify, Magento and BigCommerce
  • Use third-party ecommerce plugins for your CRM platform, whether Salesforce, Sitecore or another CRM

One key thing to remember when protecting your organization against cybercriminals is that ecommerce fraud typically starts with compromised customer data. Your first line of defense against cyberattacks is a robust defense against the phishing, malware, and other attacks that hackers use to steal customer login credentials and credit card numbers.

This first line of defense includes anti-virus for SAP solutions, protection against content-based attacks, and solutions that protect your web-facing SAP applications. By first protecting your customers against identity theft, you also protect them against ecommerce fraud.

Is Your SAP System Secure from Cyberattack?