How do you effectively fight phishing on your marketplace or platform?
-
Phishing increases and becomes more refined
-
Raising awareness during the onboarding process helps to protect users
Phishing is the most popular form of cybercrime. And with Black Friday, Cyber Monday, Santa Claus and Christmas coming up, the number of victims will increase in the upcoming month. To protect the reputation of your marketplace or platform, you want to offer your users a safe platform and fight as many phishing scams as possible. Read on to find out what you can do and what we do to support your users.
Cybercriminals who use phishing work with very refined methods. By posing as a legitimate party, they try to steal sensitive data such as usernames, passwords, credit card and bank details in order to abuse them. They mostly use fake login pages or payment pages that are indistinguishable from the 'real' ones. Unfortunately, this approach is often successful.
3 recommendations to protect users of platforms against phishing
Unfortunately, it's impossible to guarantee that your users will not become victims of phishing. However, the recommendations below can help you protect your users as well as possible.
1. Start to create awareness during the onboarding process
Immediately warn users about the dangers involved in online trading when they are in the onboarding process. It may not be the welcome message you had in mind for your new buyers and sellers. But by communicating about the risks from the very start, you acknowledge the priority of safe trading for your marketplace or platform.
A typical example of phishing that we often receive reports about at Online Payment Platform is a request to perform an identity verification and/or bank verification by transferring 0.01 euro cents. These verifications take place via the bank and require logging in to the banking environment. If a user logs in to their banking environment via the link in such a request, the cybercriminal has achieved their goal: they have the login details and can carry out transactions with that bank account. Therefore, it's a very good idea to remind the users of your platform that legitimate verification requests can only come from the payment service provider you are working with.
It is also smart to provide the most important do's & don'ts and/or points of attention during the onboarding process. For example: 'How can a user recognise the URL of a legitimate payment request?'
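One way a platform could answer that question in tooling, for example a link checker in the help centre or for support staff triaging reported links. This is an added example, not Online Payment Platform's code; the hostname `pay.example-psp.test` and the sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholder: the article does not name the real payment hostnames.
ALLOWED_HOSTS = {"pay.example-psp.test"}

def check_payment_link(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (is_legitimate, reason) for a link a user was asked to open."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port                      # raises ValueError on a bad port
        host = (parts.hostname or "").rstrip(".")
        ascii_host = host.encode("idna").decode("ascii")
    except (ValueError, UnicodeError):
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        return False, "text before '@' hides the real host"
    if port not in (None, 443):
        return False, "unexpected port"
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        return False, "internationalised lookalike host"
    # Exact match only: a substring or prefix match would accept lookalikes.
    if ascii_host not in allowed_hosts:
        return False, "host is not the payment provider's"
    return True, "host matches the payment provider"

# Constructed sample links, one per check above.
SAMPLES = [
    "https://pay.example-psp.test/verify?id=123",
    "http://pay.example-psp.test/verify",
    "https://pay.example-psp.test.secure-check.test/verify",
    "https://pay.example-psp.test@secure-check.test/verify",
    "https://p\u0430y.example-psp.test/verify",   # Cyrillic 'a' in the host
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_payment_link(link), link.encode("ascii", "backslashreplace").decode())
```

The point for onboarding material is the same one the code enforces: only the host directly before the first single slash counts, and it has to match the payment provider's name exactly.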
2. Communicate about new phishing scams
Phishing is difficult to recognise because it is often applied in very advanced and devious ways. Make sure that you share good examples of phishing cases on your platform or marketplace. If a particular phishing scam is popular at a certain time, make sure to send a notification or update to your users.
We are currently receiving many reports about phishing cases where false communication about the shipment is used. The buyer receives a message that looks like it's coming from PostNL. The message says that the parcel is ready but the shipment has not yet been paid for (even though it has). Many users click on the link in good faith without noticing that they are paying the cybercriminal.
To fight this form of phishing, Online Payment Platform is working closely with PostNL. We share these phishing links so they are taken offline quickly. In addition, new examples of phishing types are shared with users to make sure they are warned.
Below, you can see what an actual phishing page looks like:
3. Specify what users should do when they are a (potential) victim
If users of platforms or marketplaces think they are being approached with a non-legitimate request, encourage them to report it as soon as possible. Our support department has a policy to prioritise (potential) phishing reports coming from our customers' platform users. By urgently dealing with these reports, we prevent more victims from being harmed.
We regularly speak with users who have received a suspicious request and are hesitant to click on a link they have received. In these situations, we ask for a screenshot or we ask them to send us the link so we can check it. If the link turns out to be phishing, we report it to the authority where the site is registered. The site will then be taken offline as soon as possible.
If, nevertheless, users have clicked on the link, accepted the request and discovered that they are victims of phishing, it is important to contact the bank immediately in order to block the payment activities. By doing so, the cybercriminal cannot proceed any further.
Click here to read the full article on Emerce (in Dutch)