The war behind Brazilian e-commerce: as online fraud grows, companies seek to increase digital security

An innocent click, an unassuming purchase, an irresistible discount. Everything seems safe until the bill arrives with an amount you don’t recognize. Behind the scenes of e-commerce, while consumers enjoy digital convenience, an invisible war is fought daily against increasingly sophisticated scams.

In 2024, more than half of Brazilians had already been victims of some type of fraud, according to Serasa Experian. And the impact is real: 54.2% reported financial losses, many without even noticing the moment of the scam. Where fraud used to be crude and carried out en masse, today it is surgical, silent, and costly. The average value of a fraudulent order has grown by 30% and now exceeds R$1,300 per order.

Crime has evolved, and digital security must keep up. E-commerce is the new playground for cybercriminals. Data from Febraban shows that financial losses from digital fraud in Brazil reached R$10.1 billion in 2024, 17% more than the previous year. ‘The digital environment, especially for e-commerce, has become a minefield,’ warns Wagner Elias, CEO of Conviso, a specialist in application security.

And the enemy never sleeps. Threats range from phishing attacks (accounting for 15% of cases) to the use of stolen credentials (16%), and include malicious insiders, which have an average breach cost of $4.99 million, the highest on the list.

Elias notes that some of the trending techniques are digital skimming and account takeover (ATO). In skimming, criminals inject malicious code directly into the payment page. In ATO, the scam is colder and more methodical: with leaked credentials, they access real accounts, change passwords, and make purchases. According to AllowMe, 72% of fraud in digital retail comes from these unauthorized accesses.

The preferred targets? Games, cell phones, IT, and electronics—products with high liquidity in the informal market and easy resale. The fraudsters’ favorite payment methods remain credit cards. The reason is simple: quick purchases, minimal verification, and discovery only when the bill arrives.

THE FIGHT

So what can be done? The answer lies in technology and, above all, in security planning from the start of application development. ‘The answer is in technology, yes, but most importantly, in how it is implemented. Waiting to think about security only after the system is running is a fatal mistake. It’s essential to include practices like PCI DSS from the start of development and invest in tools like WAFs to protect sites against real-time attacks,’ says Wagner Elias.

This is where tools like WAFs (Web Application Firewalls) come in, monitoring traffic in real time, blocking suspicious patterns, and protecting sites from attacks like code injection and unauthorized access. The use of AI (Artificial Intelligence) has also been crucial in anticipating malicious behavior, reducing breach costs by up to $2.2 million, according to IBM’s ‘Cost of a Data Breach 2024’ study.

Another essential point is compliance with PCI DSS (Payment Card Industry Data Security Standard), a set of international standards that help protect card transactions. ‘Companies handling payment data must, by obligation and business intelligence, follow PCI DSS strictly. That’s what separates a secure system from an open door to fraud,’ adds Elias.

Despite technological advances, the average time to contain a breach is still long: 258 days. In cases of stolen credentials, it can take up to 292 days—almost a year. Part of the blame lies in the shortage of specialized professionals, which increased by 26.2% last year and raised breach costs by $1.76 million.

However, the expert warns: those who bet on automation, security from the ground up, and attack simulations—so-called penetration tests—have a better chance of emerging unscathed or at least minimizing damage.

Reports from leading cybersecurity authorities confirm the effectiveness of PCI DSS and WAF protections: according to Verizon’s DBIR 2024, PCI DSS compliance reduces security incidents by 52%, while WAFs block up to 80% of web application attacks. IBM’s Cost of a Data Breach 2023 study reveals that companies using WAFs save $1.4 million per breach, and PCI DSS speeds up breach response times by 54%. When combined, these solutions can reduce financial losses by up to 75%, according to the Ponemon Institute (2024).

‘Thus, companies following PCI DSS standards have half the problems with data leaks, and Web Application Firewalls (WAFs) prevent 8 out of 10 hacker attacks. Those using both technologies together limit financial losses to just 25% of the amount typically expected after breaches,’ he explains.

In the U.S., a breach costs an average of $9.36 million, the highest in the world for the 14th consecutive year. There, 63% of companies already admit they will pass these costs on to customers, showing that investing in security isn’t just precautionary—it’s a matter of competitiveness and reputation. Elias concludes: ‘In times of booming e-commerce and valuable data, ignoring digital security is leaving money on the table, compromising revenue and reputation simultaneously. Besides also losing customer trust and brand credibility.’
