
The war behind Brazilian e-commerce: while internet fraud rises, companies seek to enhance digital security

An innocent click, an unsuspecting purchase, an unmissable discount. Everything seems safe until the bill arrives with an unrecognized amount. Behind the scenes of e-commerce, while consumers enjoy the convenience of digital, an invisible war is fought every day against increasingly sophisticated scams.

By 2024, more than half of Brazilians had already been victims of some kind of fraud, according to Serasa Experian. And the impact is real: 54.2% reported financial losses, many of them without even noticing the moment of the scam. Where fraud used to be crude and come in bulk, today it is surgical, silent, and expensive. The average ticket of scams has grown by 30% and is already over R$ 1,300 per order.

Crime has evolved, and digital security needs to catch up. E-commerce is the new playground for cybercriminals. Febraban data shows that financial losses from digital fraud in Brazil reached R$ 10.1 billion in 2024, 17% more than the previous year. “The digital environment, especially for e-commerce, has become a minefield,” warns Wagner Elias, CEO of Conviso, which specializes in application security.

And the enemy never sleeps. Threats are varied, from phishing attacks (which account for 15% of cases) to the use of stolen credentials (16%), including malicious insiders, with an average cost per breach of US$ 4.99 million, the highest on the list.

Elias mentions that some of the techniques on the rise are digital skimming and account takeover (ATO). In skimming, the criminal injects malicious code directly into the payment page. In ATO, the scam is colder and more methodical: with leaked credentials, criminals access real accounts, change passwords, and make purchases. According to the company AllowMe, 72% of fraud in digital retail comes from these unauthorized accesses.

Preferred targets? Games, cellphones, information technology and electronics: products with high liquidity in the informal market and easy resale. Meanwhile, scammers’ favorite payment method remains the credit card. The reason is simple: the purchase is quick, verification is minimal, and the fraud is only discovered when the bill arrives.

THE FIGHT

So, what can be done? The answer lies in technology and, above all, in security planning from the inception of application development. “The answer lies in technology, yes, but above all in how it is implemented. Leaving security considerations until after the system is up and running is a fatal mistake. It is essential to incorporate practices like PCI DSS from the beginning of development and invest in tools like WAFs to protect websites against real-time attacks,” says Wagner Elias.

This is where tools like WAFs (Web Application Firewalls) come in, monitoring traffic in real-time, blocking suspicious patterns, and safeguarding sites from attacks such as code injections and unauthorized access. The use of AI (Artificial Intelligence) has also been crucial in anticipating malicious behaviors, reducing breach-related costs by up to $2.2 million, according to the ‘Cost of a Data Breach 2024’ study by IBM.

Another vital aspect is the adoption of practices compliant with PCI DSS (Payment Card Industry Data Security Standard), a set of international standards that help protect card transactions. “Companies handling payment data must, both by obligation and business acumen, strictly adhere to PCI. This is what distinguishes a secure system from an open door to fraud,” Elias concludes.

Even with the advancement of technology, the average time to contain a breach is still lengthy: 258 days. In the case of stolen credentials, it can reach 292 days, almost a year. Part of the blame lies with the shortage of specialized professionals, which increased by 26.2% last year and raised the cost of breaches by $1.76 million.

However, the expert warns: those who invest in automation, security from the ground up, and attack simulations – the so-called penetration tests – have a greater chance of emerging unscathed or at least reducing the damage.

Reports from leading cybersecurity authorities confirm the effectiveness of PCI DSS and WAF protections: according to Verizon’s DBIR 2024, compliance with the PCI DSS standard reduces security incidents by 52%, while WAFs block up to 80% of web application attacks. IBM’s Cost of a Data Breach 2023 study reveals that companies with WAFs save $1.4 million per breach, and PCI DSS accelerates breach response time by 54%. When combined, these solutions can decrease financial losses by up to 75%, according to the Ponemon Institute (2024).

“Thus, companies that follow the PCI DSS standard have half the data leakage problems, and Web Application Firewalls (WAFs) prevent 8 out of 10 hacker attacks. Those who use both technologies together limit financial losses to only 25% of the value normally expected after invasions,” the expert explains.

In the USA, a breach costs an average of US$ 9.36 million, the highest in the world for the 14th consecutive year. There, 63% of companies already admit they will pass on this cost to customers, showing that investing in security is not just a precaution: it is a matter of competitiveness and image. Elias concludes: “In times of heated e-commerce and valuable data, ignoring digital security is leaving money on the table, compromising revenue and reputation at the same time. Besides also losing customer trust and brand credibility.”