In the latest twist on identity theft, hackers are clandestinely taking over business websites — and then brazenly billing the customers who visit those sites as if the sites are their own. While any sort of website identity theft is alarming, the version that results in a hacker taking command and control of your website — and ultimately your business dealings — is especially brutal.
Under this scenario, hackers find a way to break into your website, and then take over all the interfaces your business uses to operate it. Simultaneously, the hacker also gets access to your business’ accounts payable and receivables software, as well as its email correspondence software. With all the tools in hand to do business as you, the hacker begins cutting deals with your customers via your website, instructing them to wire payments for goods and services to a new bank account — one that the hacker owns and operates.
After a few quick deals, the hacker vanishes — along with all the cash that has been wired to his or her bank account. Ultimately, the victimized business or organization only finds out about the scam weeks or months later, when hordes of angry customers start calling, demanding goods and services that were never delivered.
Perhaps most unsettling about this new spin on cybercrime is that even the most strongly secured websites are vulnerable. “Security will always be an evolving arms race between the attackers and defenders,” says Adolfo Cruz, director, Parks, Recreation and Community Services Department, Riverside, California.
Indeed, IT security researcher Arun Sureshkuma proved that reality with chilling clarity last summer, when he demonstrated how he could hack any Facebook page — and take over that page as its administrator — in less than 10 seconds. Moreover, once established as administrator, Sureshkuma could have easily set up payment processing on the hijacked page for any sort of deals he felt like making, using popular payment processors like PayPal and Stripe.
Sureshkuma reported the vulnerability to the social media giant, which patched it promptly. But his demonstration underscored a hard reality: no business, however large and well resourced, is immune to website identity theft. According to an April 2016 study from Symantec, an IT security firm, more than 75 percent of popular sites on the web have unpatched vulnerabilities. Online fraud is expected to reach $25.6 billion by 2020, up $10.7 billion from 2015, according to a 2016 study by Juniper Research.
“While no website is hack-proof — evidenced by the worldwide hacking group ‘Anonymous’ hacking high-profile government organizations — there are a number of best practices that should redundantly cover your bases,” says Zack Poelwijk, a senior marketing consultant for Limelight Development, a web services firm. “The importance in this space is to be preventative, not reactive.”
Following is a list of preventative measures that web security experts suggest you take to make your website less vulnerable to hacking:
Establish an online security training program for employees: Sadly, too few employees realize the stakes when it comes to web security. Even in this day and age, when millions of IDs and passwords are regularly stolen from major corporations, the most commonly used passwords are “123456” and “password,” according to SplashData, a cyber-security firm.
Bulletproof your website’s dashboard: Start with a strong, unique administrator username and password. A random password generator such as the one at Random.org produces passwords up to 24 characters long; a random password of that length is far beyond brute-force range, and concatenating two of them gives a longer one still. Store it in a password manager rather than reusing it anywhere else. Then have your web designer enable two-factor authentication (sometimes called two-step or double authentication) for the dashboard login, so that a stolen password alone is not enough to get in. Many banking customers already use this: after entering an ID and password, they must also enter a one-time code, sent to their phone or email or generated by an authenticator app, before the login completes. An authenticator app is preferable to an emailed code, since an attacker who has your email password would otherwise receive the code too.
In addition, you can have your designer configure the site so that after three or so wrong log-in attempts the dashboard account is locked and can only be reopened by a person from your IT department. Pair this with a per-address rate limit, because a hard lockout that anyone can trigger by guessing wrong three times also lets an attacker lock your own staff out.
Consider alternatives to passwords — “The widespread practice of typing usernames and passwords to log on to the internet might soon become obsolete,” says Robin Murdoch, managing director of internet and social business for Accenture. “Consumers are increasingly frustrated with these traditional methods because they are becoming less reliable for protecting their personal data such as email addresses, mobile phone numbers and purchasing history.” So, here are some alternatives:
Microsoft’s Windows 10 can replace ID and password access to its Windows software with “Windows Hello,” software that offers users the ability to sign in using fingerprint readers or facial recognition — although the facial recognition option requires a high-end, depth-perception camera.
Google has a physical “security key” dongle, which users plug into their computer’s USB port to gain access to their Google accounts online.
Lawrence Livermore National Laboratory recently licensed an advanced anti-hacker software tool, developed for use by companies and organizations, that’s designed to pinpoint suspicious behavior by hackers once they’ve compromised a system’s ID and password and are freely roaming a computer network. “It is important to know what you have on your networks,” says Celeste Matarazzo, a principal investigator for cybersecurity at Lawrence Livermore.
Even more futuristic is Myris by Eyelock, a scanner that only grants access to a computer — and any number of websites you’d like to use with it — once it identifies the iris in your eye. The human iris is as unique as a fingerprint and the chances of the device making a false match are one in 1.5 million, according to the maker. Myris may sound like science-fiction, but it’s already on the market at big box stores like Best Buy, Staples and Fry’s.
Limit entry to your dashboard even further: You can also harden the dashboard by allowing log-ins only from pre-determined IP addresses, such as your office’s fixed internet address or the address of your VPN. Your hosting provider or web designer can configure the web server to reject dashboard requests from any other address, so an attacker holding a stolen password never even reaches the login page.
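The dashboard controls described in the points above, as a single added example that is not code from the article or from any vendor it names: a random 24-character password drawn from the operating system’s CSPRNG, a salted, iterated hash for storing it, a six-digit time-based second-factor code (RFC 6238, the same mechanism an authenticator app uses), a three-strikes lock that only an administrator clears, and an office IP allowlist checked before anything else. The DashboardGate class, the 203.0.113.0/24 “office” range and the shared secret are constructed for the example; the secret is the RFC 4226/6238 test vector so the codes can be checked against the standard.

```python
import hashlib
import hmac
import ipaddress
import secrets
import string
import struct

# Characters for generated passwords; `secrets` draws from the OS CSPRNG, never `random`.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def generate_password(length: int = 24) -> str:
    """A random password of `length` characters (24, the length the article cites)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Store a salted, iterated hash of the password, never the password itself."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code: HMAC-SHA1 over the time step, dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class DashboardGate:
    """Hypothetical login gate for a site dashboard (constructed for this example):
    IP allowlist, password, second factor, and a three-strikes lock an admin must clear."""

    MAX_FAILURES = 3

    def __init__(self, username, password, totp_secret, allowed_networks):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.totp_secret = totp_secret
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.failures = 0
        self.locked = False

    def _ip_allowed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowed)

    def login(self, ip: str, username: str, password: str, code: str, now: int) -> str:
        if not self._ip_allowed(ip):
            return "denied_ip"        # checked first: outsiders never see a login form
        if self.locked:
            return "locked"           # stays locked until admin_unlock()
        # Always run the expensive hash so a wrong username is not faster than a wrong password.
        pw_ok = verify_password(password, self.salt, self.digest) and username == self.username
        # Production code also accepts the adjacent time steps to tolerate clock skew.
        code_ok = hmac.compare_digest(code.encode(), totp(self.totp_secret, now).encode())
        if not (pw_ok and code_ok):
            self.failures += 1        # one generic answer: do not reveal which factor failed
            if self.failures >= self.MAX_FAILURES:
                self.locked = True
            return "bad_credentials"
        self.failures = 0
        return "ok"

    def admin_unlock(self) -> None:
        """The human-in-the-loop reset the article describes."""
        self.failures = 0
        self.locked = False
```

The order of checks matters: the address test runs before any credential handling, so password guessing from outside the allowlist is impossible, and the lock is reported before the password is tested, so a locked account gives an attacker no further signal.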
Be careful about what you expose on the web: “Currently, our website is not collecting data from our community and anything we put out is for public knowledge,” says Cory LeeAnn Long, recreation coordinator, Central Point, Oregon. “If we were to implement a more user-interface-based website, we’d request the most advanced security features available while minimizing the impact on our users.
“Our biggest priority is data protection and that is one of the reasons why we’ve not stepped forward with implementing public profiles for our community members.”
Janet Donnelly, public affairs coordinator for Willamalane Park and Recreation, based in Springfield, Oregon, shares Long’s sensitivity to consumer data: “The security threat we worry about most is the potential threat to confidential consumer information,” Donnelly says. “That’s why we hired one of the best web development firms in our area to hand pick our web hosting firm. We also rely on national companies such as Active Communities and MailChimp to safeguard our customers’ data.”
Get a free Google Search Console account (formerly Google Webmaster Tools): Offering a plethora of free tools for site owners, Search Console can also often detect when your website has been hacked and will notify you through your account, according to Evy Hanson, owner of Leap Online Marketing.
Secure your website folders: All website files and folders should have correct permissions and ownership, a basic step that is often overlooked. Ask your web designer to apply these controls. The usual arrangement is that directories can be listed and entered by everyone but written only by their owner (mode 755), files can be read by everyone but written only by their owner (mode 644), and the account the web server runs as cannot write to the directories that hold your code. Any directory that genuinely must accept uploads should have script execution disabled. Done right, this denies attackers the ability to upload malicious files and execute code that can compromise not only your site but your server as well.
Keep all your website software up-to-date: One of the primary reasons web software companies continually update their software is to plug security holes. Those companies generally publish details of the specific holes they have fixed, so, according to Leap’s Hanson, if you don’t apply the fix, a hacker knows exactly where to look on your website for an easy way in.
Be doubly careful if your website runs on WordPress: When it comes to security, WordPress is unfortunately a victim of its wild popularity. The web authoring system is so widely used that it has become a favorite target of hackers. The major benefit of that popularity for criminals: if a hacker finds a security hole in one WordPress site, or in one of the plugins or themes it runs, he or she knows there are probably thousands, if not millions, of websites carrying the same hole.
Install a security plugin: For WordPress users there are a number of free security plugins, including iThemes Security and BulletProof Security. Similar software exists for websites that use other content management systems.
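What “proper permissions” looks like in practice, as an added example rather than anything from the article: a constructed site tree with a world-writable uploads directory and a world-writable PHP file, a scan that lists everything any local account could modify, and the fix that applies 755 to directories and 644 to files. Symbolic links are skipped so the script never changes anything outside the tree. A directory that really must accept uploads would instead be made writable by the web server’s group alone, with script execution disabled for it; the example treats the whole tree as code.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755   # owner rwx; everyone else can list and traverse, not write
FILE_MODE = 0o644  # owner rw; everyone else read-only


def _set_mode(path: str, mode: int) -> int:
    """chmod `path` to `mode` if needed; skips symlinks so nothing outside the tree is touched."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode) or stat.S_IMODE(st.st_mode) == mode:
        return 0
    os.chmod(path, mode)
    return 1


def harden(root: str) -> int:
    """Apply 755 to every directory and 644 to every file under root; returns the count changed."""
    changed = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        changed += _set_mode(dirpath, DIR_MODE)
        for name in filenames:
            changed += _set_mode(os.path.join(dirpath, name), FILE_MODE)
    return changed


def world_writable(root: str) -> list:
    """Relative paths under root that any local account, the web server's included, could modify."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo() -> tuple:
    """Constructed site tree with the two classic mistakes, scanned, fixed, and scanned again."""
    root = tempfile.mkdtemp(prefix="site-")          # created 0700 by mkdtemp
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    os.chmod(uploads, 0o777)                         # "just make it writable" mistake
    index = os.path.join(root, "index.php")
    with open(index, "w") as f:
        f.write("<?php echo 'constructed sample'; ?>\n")
    os.chmod(index, 0o666)                           # site code anyone can overwrite
    before = world_writable(root)
    changed = harden(root)
    after = world_writable(root)
    return before, changed, after
```

Run the scan on a schedule, not once: a plugin update or a well-meaning “chmod -R 777” to fix an upload error will quietly reintroduce the problem.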
Install a firewall on your website: “A firewall routes web traffic through a separate server, determining whether it’s safe traffic or not, before allowing it to go to your website,” Hanson says. “This does not cause a delay for the end user.”
Most modern website firewalls (web application firewalls, or WAFs) are cloud-based and provided as a plug-and-play service for a modest monthly subscription fee. Because the service sits in front of your server, your domain’s DNS must point at the firewall and the server should accept web traffic only from the firewall’s addresses; otherwise an attacker who discovers the server’s real address can simply go around it.
Get your designer to use HTTPS: HTTPS authenticates your site to its visitors (the certificate proves that the server they reached is the one entitled to your domain name) and encrypts traffic in transit, so that content coming from the website, and transactions between the website and the visitor, cannot be read or altered along the way. It does nothing for a server that has already been broken into, which is why it belongs alongside the other measures here rather than in place of them. Let’s Encrypt, a free, open certificate authority run by the Internet Security Research Group (ISRG), removes the certificate cost of converting to HTTPS.
Auto-scan all devices you’re plugging into your business computer network: Have your IT department secure your system with software that automatically scans any device — such as a flash drive, external hard drive, etc. — for malware any time such a device is attached to your network.
Back up frequently: Just in case the worst happens, keep everything backed up. The rule of thumb: one backup at your business, one off-site, and a third “cold” backup that is disconnected from your network as soon as it is made, on a daily basis. Periodically test restoring from a backup and verify that the copies have not been altered, since malware that reaches your network can encrypt or corrupt any backup it is able to write to.
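The backup-and-verify step above, as an added example that is not code from the article: a constructed site directory is archived with a timestamp, a SHA-256 manifest is written beside the archive, and a restore refuses to proceed unless the archive still matches its manifest and contains no path-traversal entries. Where the three copies live (local, off-site, disconnected media) is a matter of where you put the archive and manifest; the example ends by flipping one byte in the archive to show that the manifest check catches a silently corrupted copy.

```python
import hashlib
import hmac
import os
import tarfile
import tempfile
import time


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_root: str, dest_dir: str, label: str = "site") -> tuple:
    """Write <label>-<UTC stamp>.tar.gz plus a .sha256 manifest next to it."""
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    archive = os.path.join(dest_dir, f"{label}-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname=label)
    manifest = archive + ".sha256"
    with open(manifest, "w") as f:
        f.write(f"{sha256_file(archive)}  {os.path.basename(archive)}\n")
    return archive, manifest


def verify_backup(archive: str, manifest: str) -> bool:
    """True only if the archive matches its manifest and every member path is safe to extract."""
    with open(manifest) as f:
        expected = f.read().split()[0]
    if not hmac.compare_digest(expected, sha256_file(archive)):
        return False                      # altered or truncated copy
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in m.name.split("/") or m.issym() or m.islnk():
                return False              # would write outside the restore directory
    return True


def restore(archive: str, manifest: str, target: str) -> None:
    if not verify_backup(archive, manifest):
        raise ValueError("backup failed verification; refusing to restore")
    with tarfile.open(archive, "r:gz") as tar:
        # Newer Pythons offer an extraction filter that blocks unsafe members; use it when present.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(target, **kwargs)


def demo() -> dict:
    """Constructed site: back it up, verify, restore, then show a tampered copy is rejected."""
    work = tempfile.mkdtemp(prefix="bk-")
    site = os.path.join(work, "www")
    os.makedirs(site)
    with open(os.path.join(site, "index.html"), "w") as f:
        f.write("<h1>constructed sample site</h1>\n")
    dest = os.path.join(work, "backups")
    os.makedirs(dest)
    archive, manifest = make_backup(site, dest)
    clean = verify_backup(archive, manifest)
    target = os.path.join(work, "restore")
    restore(archive, manifest, target)
    with open(os.path.join(target, "site", "index.html")) as f:
        restored = f.read()
    # Simulate silent corruption of the stored copy: flip the last byte, keep the manifest.
    with open(archive, "r+b") as f:
        f.seek(-1, os.SEEK_END)
        last = f.read(1)
        f.seek(-1, os.SEEK_END)
        f.write(bytes([last[0] ^ 0xFF]))
    return {"clean": clean, "restored": restored, "tampered": verify_backup(archive, manifest)}
```

Keep the manifest with the off-site and cold copies as well as the archive; a checksum that lives only on the compromised server can be rewritten along with the backup.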
Use a monitoring service: Services like SiteLock (www.sitelock.com) will monitor your website every day for malware, viruses, suspicious code, attempted break-ins and out-of-date software.
Have a major security talk with your web designer: Knowing about the safeguards above will enable you to talk intelligently with your web designer about your website’s security. He or she needs to know you consider website security ultra-critical to your business.
“Defense in depth remains the industry best practice,” says Cruz. “Tiering protection with the assumption that one or more defenses will fail at some point will reduce the number of breaches and will accelerate the defender’s detection capabilities.”
Long agrees: “Web security is always changing with trends and threats. Remaining creative and aware is probably the biggest and best approach to maintaining security.”
“It’s about redundancy, redundancy, redundancy,” Poelwijk says. “Individual practices all have their weaknesses. But together, they’re incredibly strong. For example, if the worst-case scenario happened and your website was hacked, you could simply revert back to the last clean backup.”
Joe Dysart is an Internet Speaker and Business Consultant based in Manhattan.