April 7, 2021 By C.J. Haughey 5 min read

In February 2020, the world’s biggest retailer, Amazon, fended off the largest distributed denial of service (DDoS) attack in history. As peak traffic volume hit 2.3 Tbps, e-commerce security experts declared this attack as “a warning we should not ignore.”

DDoS attacks are nothing new. Every day, security teams deal with these malicious attempts to overwhelm their companies’ websites with bot traffic. In the last year, the landscape shifted in favor of attackers, as many companies switched to a remote working model. For instance, 95% of IBM staff currently works remotely. Also, increased social distancing drives more people to shop online.

Now, the internet is thriving with new opportunities — for businesses and threat actors. Explore common e-commerce security threats and see how your company can safeguard against future DDoS attacks.

Growing Threats to Retail Cybersecurity

In the U.S. and Canada, there has been a 129% year-over-year growth in e-commerce sales. This surge in sales is a double-edged sword for retail businesses.

Just as they have a bigger platform to grow their business, they are also thrust into the spotlight in front of threat actors.

Retail Security Threats: More Powerful DDoS Attacks

In 2000, 15-year-old Michael Calce, known by the online alias ‘Mafiaboy,’ launched one of the most significant DDoS attacks in history. He took down Yahoo!, E*TRADE, Amazon and eBay from his home computer. Since then, DDoS attacks have soared above 2 Tbps and show little signs of slowing down. As more companies function online through remote working, the chances for threat actors to target companies through DDoS attacks have risen.


‘Hacktivism’ offers protestors a way to promote a political agenda online, including if they disagree with a specific brand or business.

While the COVID-19 pandemic defined much of 2020, it is not the only global issue today. There is growing unrest about the environment, banking fraud and the negative impact of capitalist behaviors on the world.

Major retail brands like Amazon are easy targets for activists. A sophisticated DDoS attack can potentially cost the target company up to $2 million.

Vulnerable VPN Servers Enable Retail Security Threats

Although the high-volume attacks grab the news headlines, bad actors can also strike a lower volume to avoid triggering any alerts in e-commerce website alarm systems.

Workforces all over the world rely on VPN services for remote login purposes, as many employees are working from home. With their growing importance, VPNs could be an opening for an attacker. In theory, threat actors could use a targeted attack to take an entire workforce offline, which would cause massive disruption to a company.

Lack of On-Site Security Staff

When the world transitioned to remote work, many employers faced the prospect of losing valuable in-house staff, including IT professionals. Without security staff on-site, it is harder to organize an effective response effort in the wake of an attack.

Omnichannel Marketing

Using several avenues like social media, email and direct mail to convey brand messaging, your business can connect with prospects at multiple touchpoints in the customer journey.

This approach is an excellent marketing strategy. However, it also provides several access points for threat actors to intercept messages between retailers and customers.


Fraudsters exploit people in many ways online. For example, they may use phishing email scams where threat actors masquerade as a retail store in order to obtain sensitive data from customers, like addresses and bank account details.

E-Commerce Website Security Strategies

As retail security threats continue to rise, companies must take more precautions to protect their data. After all, an attack on a vulnerable system could easily compromise consumer data, and may also damage the brand’s name.

Historically, a DDoS attack is one of the biggest challenges for retail cybersecurity teams because perimeter defense measures don’t work. Here are seven steps you can take to protect your business from retail cyber attacks:

1. Devise a DDoS Policy Against Retail Cyber Attacks

When a DDoS attack hits, your first step in response can determine how everything ends. All retail businesses need to set out clear guidelines for their staff, so they know what to do during an attack.

Educate your workforce, and establish outage repair and response strategies before an attack hits. By taking a proactive approach to setting protocols, you give your team a clear incident response strategy to follow. This, in turn, is critical in order to minimize the damage.

2. Establish Your Traffic Baseline

By developing good practices for keeping an eye on traffic, you can train staff to recognize the signs of a DDoS attack. Through this regular surveillance, your IT team can understand the website baseline for normal traffic and will be able to detect any unusual or suspicious traffic spikes quickly.

3. Educate Your Customers About E-Commerce Security

Retail cybersecurity tends to have an internal focus on company practices and employees. However, it’s important to think about the customers, too. Take steps to educate your customers about safe online shopping practices.

With diligent communications, you can ensure they aren’t using weak passwords, sharing sensitive data, or visiting any suspicious links or websites that could compromise their accounts or your business.

4. Boost E-Commerce Security With Multiple Defense Layers

While perimeter security will not thwart a DDoS attack, it is good practice to implement multiple levels of protection strategies. You can utilize several layers of defensive techniques, such as:

  • Firewalls
  • VPN
  • Anti-spam
  • Anti-malware programs
  • Content filtering
  • Load balancing
  • Two-factor authentication

5. Use APIs to Boost E-Commerce Website Security

In e-commerce, customer data enables retail websites to improve their targeting. From retargeting ads to custom product recommendations, it’s easy to see the value of collecting data. However, it’s wise to use third-party gateways for payment processing. With an application programming interface (API), you have another layer that protects customer data and your company if an attack does happen.

6. Use Cloud-Based Providers for Traffic Overflow

As DDoS attacks get more powerful, it’s more likely that on-premises hardware will fail during an attack.

Even the world’s biggest companies would be wise to enlist the help of third-party DDoS mitigation services with cloud-based servers. These experts can then rapidly derail attacks to save a lot of time and money in the recovery effort. The cloud has much higher bandwidth and greater resources than private networks.

If an attack does happen, these providers can use their cloud servers to handle massive traffic overflow, ensuring your website doesn’t crash. Better yet, a cloud-based app will absorb malicious traffic before it hits your system.

7. Run Simulations to Test Your E-Commerce Security

After you have security measures in place and staff prepped with their incident response plan, you can run tests to mimic real-world DDoS attacks. Doing this also enables a retail company to gauge their current security posture. As part of this process, conduct multiple tests and analyze the response to assess ongoing risks and find flaws in your defense.

It’s Time to Prepare for Retail Cyber Attacks

DDoS attacks are no longer solely the domain of hacktivists seeking to simply disrupt a website’s services. Instead, e-commerce companies can be a massive target for refined attacks that attempt to steal data and hold it ransom.

Retail businesses must make e-commerce security a priority, starting with educating their staff and implementing a robust incident response strategy.

More from Retail

5 ways to improve holiday retail and wholesale cybersecurity

4 min read - It’s the most wonderful time of the year for retailers and wholesalers since the holidays help boost year-end profits. The National Retail Federation (NRF) predicts 2022 holiday sales will come in 6% to 8% higher than in 2021. But rising profits that come at the cost of reduced cybersecurity can cost companies in the long run when you consider the rising size and costs of data breaches. The risk of data breaches and other cyber crimes can make this shopping…

Cost of a data breach: Retail costs, risks and prevention strategies

3 min read - Whether it’s online or brick-and-mortar, every new store or website represents a new potential entry point for threat actors. With access to more personally identifiable information (PII) of customers than most industries, bad actors perceive retail as a great way to cash in on their attacks. Plus, attackers can duplicate attack methods more easily since retailers share similar cybersecurity infrastructure. The good news for retail is that the cost of a data breach in the sector remains low compared to…

Lessons learned by 2022 cyberattacks: X-Force Threat Intelligence Report

3 min read - Every year, the IBM Security X-Force team of cybersecurity experts mines billions of data points to reveal today’s most urgent security statistics and trends. This year’s X-Force Threat Intelligence Index 2022 digs into attack types, infection vectors, top threat actors, malware trends and industry-specific insights. This year, a new industry took the infamous top spot: manufacturing. For the first time in over five years, finance and insurance were not the top-attacked industries in 2021, as manufacturing overtook them by a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today