An innocent click, an unsuspecting purchase, an irresistible discount. Everything seems safe until the bill arrives with an unrecognized amount. Behind the scenes of e-commerce, while consumers enjoy the convenience of digital, an invisible war is fought every day against increasingly sophisticated scams.
In 2024, more than half of Brazilians had already fallen victim to some form of fraud, according to Serasa Experian. And the impact is real: 54.2% reported financial losses, many of them without even noticing the moment of the scam. If in the past fraud came in bulk and crudely, today it is surgical, silent, and costly. The average ticket of scams has increased by 30% and now exceeds R$ 1,300 per order.
Crime has evolved, and digital security needs to catch up. E-commerce is the new playground for cybercriminals. Febraban data shows that financial losses from digital fraud in Brazil reached R$ 10.1 billion in 2024, 17% more than the previous year. “The digital environment, especially for e-commerce, has become a minefield,” warns Wagner Elias, CEO of Conviso, a company specialized in application security.
And the enemy never sleeps. The threats are varied, from phishing attacks (representing 15% of cases) to the use of stolen credentials (16%), including malicious insiders, which carry an average cost of $4.99 million per breach, the highest on the list.
Elias explains that some of the trending techniques are digital skimming and account takeover (ATO). In skimming, the criminal injects malicious code directly into the payment page. In ATO, the scam is colder and more methodical: with leaked credentials, they access real accounts, change passwords, and make purchases. According to the company AllowMe, 72% of fraud in digital retail comes from these unauthorized accesses.
The preferred targets? Games, mobile phones, IT and electronics: products with high liquidity in the informal market and easy resale. Meanwhile, scammers’ favorite payment method remains the credit card. The reason is simple: quick purchases, little verification, and the fraud is only discovered when the bill arrives.
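The ATO sequence Elias describes (leaked credentials, login from an unfamiliar device, password change, then a purchase) is also a detectable pattern on the merchant side. The script below is an added example, not code from the article, Conviso or AllowMe: it runs a simple takeover heuristic over a constructed stream of authentication and order events. The event fields (`kind`, `device`, `amount`) and the 30-minute correlation window are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str        # "login_fail", "login_ok", "password_change", "purchase"
    device: str      # device fingerprint or user-agent hash (assumed field)
    amount: float = 0.0


# Constructed sample events for two accounts; not real customer data.
# "alice" shows the takeover sequence, "bob" shows a benign password change.
SAMPLE = [
    Event(datetime(2024, 5, 1, 10, 0), "alice", "login_ok", "dev-A"),
    Event(datetime(2024, 5, 1, 10, 5), "alice", "purchase", "dev-A", 120.0),
    Event(datetime(2024, 5, 2, 3, 0), "alice", "login_fail", "dev-Z"),
    Event(datetime(2024, 5, 2, 3, 1), "alice", "login_fail", "dev-Z"),
    Event(datetime(2024, 5, 2, 3, 2), "alice", "login_ok", "dev-Z"),
    Event(datetime(2024, 5, 2, 3, 4), "alice", "password_change", "dev-Z"),
    Event(datetime(2024, 5, 2, 3, 10), "alice", "purchase", "dev-Z", 1450.0),
    Event(datetime(2024, 5, 2, 9, 0), "bob", "login_ok", "dev-B"),
    Event(datetime(2024, 5, 2, 9, 30), "bob", "password_change", "dev-B"),
    Event(datetime(2024, 5, 3, 11, 0), "bob", "purchase", "dev-B", 80.0),
]


def score_account_takeover(events, window=timedelta(minutes=30)):
    """Return {user: [reasons]} for accounts whose activity matches the ATO pattern.

    Heuristics (all evaluated per user, in time order):
      1. successful login from a never-seen device right after repeated failures
      2. password change within `window` of that first login on the new device
      3. purchase within `window` of that password change, from the same device
    The very first device an account is seen on is treated as its baseline,
    so a normal password change from a known device does not trigger anything.
    """
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    findings = {}
    for user, evs in by_user.items():
        known_devices = set()
        fails = []
        last_new_login = None
        last_pw_change = None
        reasons = []
        for e in evs:
            if e.kind == "login_fail":
                fails.append(e.ts)
            elif e.kind == "login_ok":
                recent_fails = [t for t in fails if e.ts - t <= window]
                new_device = bool(known_devices) and e.device not in known_devices
                if new_device and len(recent_fails) >= 2:
                    reasons.append(
                        f"login from unseen device {e.device} after "
                        f"{len(recent_fails)} failed attempts")
                if new_device:
                    last_new_login = e
                known_devices.add(e.device)
                fails.clear()
            elif e.kind == "password_change":
                if (last_new_login and e.device == last_new_login.device
                        and e.ts - last_new_login.ts <= window):
                    reasons.append("password changed shortly after first login from new device")
                    last_pw_change = e
            elif e.kind == "purchase":
                if (last_pw_change and e.device == last_pw_change.device
                        and e.ts - last_pw_change.ts <= window):
                    reasons.append(
                        f"purchase of {e.amount:.2f} within {window} of "
                        f"password change on new device")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in score_account_takeover(SAMPLE).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

In practice the flagged session would feed a step-up check (re-authentication, a hold on the order, or a notification to the account's previously verified contact) rather than an outright block, since a legitimate customer on a new phone can also trip the first heuristic on its own.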
THE FIGHT BACK
And what can be done? The answer lies in technology and, above all, in security planning from the beginning of application development. “The answer lies in technology, yes, but above all, in how it is implemented. Waiting to think about security only after the system is up and running is a fatal mistake. It is necessary to include practices like PCI DSS from the beginning of development and invest in tools like WAFs to protect sites from real-time attacks,” says Wagner Elias.
This is where tools like WAFs (Web Application Firewalls) come in, monitoring traffic in real-time, blocking suspicious patterns, and protecting sites from attacks like code injection and unauthorized access. The use of AI (Artificial Intelligence) has also been important in anticipating malicious behaviors, reducing breach costs by up to $2.2 million, according to the IBM study “Cost of a Data Breach 2024.”
Another essential point is the use of practices compliant with PCI DSS (Payment Card Industry Data Security Standard), a set of international standards that help protect card transactions. “Companies that deal with payment data need, by obligation and as a matter of business intelligence, to strictly follow PCI. This is what distinguishes a secure system from an open door for fraud,” concludes Elias.
Even with the advancement of technology, the average time to contain a breach is still long: 258 days. In the case of stolen credentials, it can reach 292 days, almost a year. Part of the blame lies with the shortage of specialized professionals, which increased by 26.2% last year and raised the cost of breaches by $1.76 million.
However, the expert warns: those who invest in automation, security from the ground up, and attack simulations (the so-called penetration tests) have a better chance of coming out unscathed, or at least of reducing the damage.
Reports from leading cybersecurity authorities confirm the effectiveness of PCI DSS and WAF protections: according to Verizon’s DBIR 2024, compliance with the PCI DSS standard reduces security incidents by 52%, while WAFs block up to 80% of web application attacks. IBM’s Cost of a Data Breach 2023 study reveals that companies with WAFs save $1.4 million per breach, and PCI DSS accelerates breach response time by 54%. When combined, these solutions can reduce financial losses by up to 75%, according to the Ponemon Institute (2024).
“Thus, companies that follow the PCI DSS standard have half the data leakage problems, and Web Application Firewalls (WAFs) prevent 8 out of 10 hacker attacks. Those who use both technologies together limit financial losses to only 25% of the value normally expected after invasions,” he explains.
In the USA, a data breach costs, on average, $9.36 million, the highest in the world for the 14th consecutive year. There, 63% of companies already admit they will pass this cost on to customers, showing that investing in security is not just a precaution: it is a matter of competitiveness and image. Elias concludes: “In times of heated e-commerce and valuable data, ignoring digital security is leaving money on the table, compromising revenue and reputation simultaneously. It also means losing customer trust and brand credibility.”