PhishingAre Naïve Consumers Turning Merchants Into Victims?

February 9, 2023 | 11 min read

This image was created by artificial intelligence using the following prompts:

A fish on the hook laying on a laptop on a desk, colored red and teal, all other colors muted, wide angle shot, plain simple background, hyper-realistic, masterpiece, cinematic lighting, insanely detailed, unreal engine lighting


In a Nutshell

Fraudsters are always inventing new ways to seize customer data… but that doesn’t mean they don’t still play the classics. Untargeted, mass phishing schemes still suck in hundreds of thousands of consumers each year. Consumers aren’t the only victims, though. In this post, we look at the direct and indirect impact all this phishing has on merchants as well.

What is Phishing? Is There Anything Merchants Can Do to Stop It?

No single innovation of the modern era has changed the face of retail more than the internet. 

Over the last three decades, the ability to browse and buy online has transformed our entire concept of shopping. Of course, every silver cloud has a dark lining. Internet fraud attacks, such as phishing scams, have become a serious problem.

It’s bad enough when fraudsters target businesses directly, but in these cases, merchants must also deal with the fallout from consumer-oriented phishing attacks. In this post, we’re taking a look at how phishing affects businesses, what you can do to mitigate risk, and why the whole thing may be largely out of your hands.

What is Phishing?


[noun]/fiSH • iNG/

Phishing is the act of impersonating a trustworthy party, or sending messages purported to be from a trustworthy party, to trick individuals into revealing personal information.

Phishing scams have been around as long as eCommerce has existed.

The term “phishing” refers to a specific type of cyberattack that’s typically done through email. A hacker uses bogus information and fake credentials to trick victims into giving away money or personal information (passwords, login details, credit card numbers, etc), or to deliver malware.

Merchants: get started today with better, more dynamic fraud protection.REQUEST A DEMO

One of the most recognizable examples is the infamous “Nigerian Prince” email. Here, a fraudster poses as a foreign royal and offers to pay recipients to help him recover or transfer his fortune. All the recipient needs to do is provide their bank account information which, of course, is hijacked by the scammer and used to drain their account.

The “Nigerian Prince” scam has long-since been exposed. It’s almost silly to think that anyone would fall for this obvious scam today. Phishing fraud is still out there, though, and cybercriminals have changed with the times. They’ve become increasingly savvy in their methods and technology.

Most Common Phishing Tactics

The ultimate goal of a phishing scam has remained the same over the years. The scammer is trying to trick the victim into giving up access to personal information. The target is typically financial data, but any personal account could be subject to an attack.

As we alluded to, though, the tactics have evolved a lot over the years. Nowadays, there is a wide range of different techniques used in phishing scams. Other tactics include:

Email phishing

Sending out generic messages with phony links, en masse, to unsuspecting consumers. This is a “wide-net” tactic; the idea is that most consumers will not fall for it, but if the fraudster casts a wide-enough net, a few victims will respond.

Account Suspension

The fraudster sends a message, prompting users to sign in to an account to verify their information in order to avoid account suspension. Little does the victim suspect that their response is what ultimately compromises the account.

Spear Phishing

A phishing attack by which the scammer targets a specific individual, using known personal details to get a response. In many cases, the scammer uses partial data to try and trick the victim into revealing more personal information.


This takes spear phishing one step further. The tactic is basically the same, but the scammer is targeting select senior executives within a company or organization. BEC tactics are often employed as part of a whaling scam.

Angler Phishing

Here, a scammer leveraging all types of personal details divulged through social media to target an individual. The scammer effectively triangulates between the victim and the victim’s existing online presence.


SMS phishing, or “smishing,” happens when a scammer lures in victims through text messaging or other SMS platform, and convinces them to click a link or provide information that compromises their identity.

Common Question Why do scammers engage in phishing?

Simple: it’s the path of least resistance. Criminals attack consumers using phishing tactics because it’s the easiest way to get usable consumer data. It’s much easier to trick an individual into clicking a malicious email link than to hack into and navigate an organization’s computer system.

Can Phishing Scams Target Businesses as Well?

Yes. Phishing scammers are not limited to targeting consumers; these tactics can be used to target businesses, too.

Back in May 2020, researchers uncovered a spear phishing attack on a German multinational corporation. This company was connected with a German government-private sector task force working to procure personal protective equipment (PPE) in response to Covid-19. The attack targeted more than 40 high-ranking company executives before it was discovered.

This type of scheme typically starts with a legitimate-looking email that appears to be from a high-level executive, or perhaps from an attorney representing a rival or third-party vendor. The email will include a request for some type of payment and stress the need for an immediate response. Unless the recipient is on the ball, they can easily be fooled. 

Think about it: what would be your first reaction if the CEO of your company sent an email asking you to take care of a payment “as a personal favor to me”? Or, you got a notice from a lawyer saying you needed to arrange a payment or face legal action against the company? Most people would at least be tempted to simply comply with the messages. This is why the scheme works.

Even if the plan falls through, the fraudster can score several useful assets that can help with future attacks. One response or click-through is all it takes for the crook to get a copy of the company’s latest email signature, for example. A scammer can use that signature to impersonate company figures, making future attacks seem more legitimate.

How Phishing Attacks Impact Merchants

As we discussed before, the majority of phishing schemes are aimed at consumers. The scammer wants to trick individual consumers into handing over their personal information.

But, even when consumers are the target of an attack, it’s ultimately merchants that may end up paying the price in many cases. If a phishing scammer targets your customers, you could end up seeing:

Lost Sales

If a fraudster is spoofing your website — using a cloned site to make consumers think they’re buying from you — you’ll never see any revenue from those would-be customers.

Lack of Data Integrity

If you’re tracking customer data points, having otherwise legitimate orders bypass your systems will skew your numbers. You may also see orders from fake cards created through phishing.

Reputational Damage

Your reputation will take a hit if victims blame you for non-delivery or for being scammed. That can shake investors’ confidence and leave a black mark on the perceived trustworthiness of your brand.

Loss of Customer Loyalty

If a fraudster uses a dummy version of your site to conduct a successful phishing attack, it will make even your most loyal customers think twice before doing business with you again.


If fraudsters buy from you via faux credit cards created from phished consumer data, you may be forced to refund the cardholder. Otherwise, you’re likely to get slammed by chargebacks


Chargebacks aren’t just “refunds.” They come with fines and added fees, and will negatively impact your chargeback ratio. This is true even if you can prove that you had nothing to do with the attack. You’ll also lose any merchandise you unknowingly shipped to a crook.

In a larger sense, all fraudulent activity increases the cost of operating your business. More fraud means lower margins for you, as well as increased investments in security, fraud mitigation, and identity protection. It can also undermine your ability to stay competitive.

Eventually, all these costs get passed to the customer in the form of higher prices. When that happens, the entire market suffers.

Phishing is only one threat merchants face from ever-more-sophisticated fraudsters. Let our experts show you the benefits of a custom, comprehensive prevention strategy.REQUEST A DEMO

What Can Merchants Do About Phishing?

There’s no question that phishing is dangerous. So, what can you do to protect yourself as a merchant?

For consumer-facing attacks, protecting your brand integrity is key. You need to be on the lookout for scammers that may be trying to impersonate you as a way to target your customers.

For example, URL hijacking (or “typosquatting”) happens when a fraudster buys a URL similar to a legitimate retailer’s. The fraudster then redirects traffic to the fake website to collect personal information from consumers who try to complete a purchase.

If you identify a scammer that’s targeting your customers, you can try sending a cease-and-desist letter. You can also report the activity to the FBI's Internet Crime Complaint Center (IC3). Finally, warn your customers about the activity via social media, to try and dissuade them from engaging with the scammer by accident.

What to Do if Your Business is Targeted

As for scams that directly target your business, there are a few prevention tricks you can adopt. Some organizations are implementing sophisticated “zero-trust” architectures, for instance. This strategy works from the premise that every outside contact is unsafe until proven otherwise. It may help, but it’s a major investment.

The most effective strategy is to simply remain vigilant. Create and adhere to comprehensive employee awareness programs. Teach employees to spot red flags for suspicious emails. Provide detailed instructions for what to do with potentially malicious requests. 

Employees should also be cautious of any information posted on social media that references company information. This would include potentially confidential company data posted on personal social media accounts.

Above all, merchants must stress that even slightly unusual emails can mean trouble. If there is any doubt, employees should not reply to an email. Instead they should bring the matter to the attention of superiors, as well as to your IT team.

We also recommend that no company business be conducted through free web-based email services such as Yahoo or Gmail. Any official emails should be through private servers.

The Importance of Cyber Resilience 

Knowing that phishing and other fraud attacks will happen, it’s important to think in terms of what experts call “cyber resilience.” 

Cyber resilience refers to an organization's ability to anticipate, withstand, recover from, and adapt to cyber-related attacks. In other words, a plan for dealing with inevitable schemes, while protecting online operations and mitigating risk.

Resilience isn’t just about defending against a single attack (such as phishing). It should include multiple layers of protection spread across hardware, software, networks, and data protection. Cyber resilience is like a health plan for your digital presence: a successful strategy enables your business to adapt to known and unknown crises, dangers, and threats.

Carefully designed security protocols give your business the ability to weather all types of cyber threats and data loss. An overarching solution should include:

  • Automated and ongoing data backups
  • Identity and access management
  • Threat identification and assessment
  • Employee fraud prevention & response training
  • Incident response planning
  • Data recovery and reintegration
  • Post-crisis business continuity

Cyber resilience can only be effective if it is achieved at all levels of the company. It is an ongoing, collaborative effort to keep your business operating during — and after — an attack. 

Fraud Management Requires a Multi-tiered Approach

Phishing scams hit merchants on multiple fronts. You could see loss of funds, loss of intellectual property, damage to reputation, and long-term sustainability threats. This includes attacks directly aimed at your business, but there will also be secondary damage from mass attacks targeting consumers.

While there are several steps you can take to safeguard your company against phishing attacks, you have limited ability to protect against the damage from consumer-oriented attacks.

And remember: phishing is just one of many fraud threats. In the end, what you need is a comprehensive, multilayer approach to fraud and cyber threats. For effective management and prevention, businesses need a comprehensive program that addresses fraud both before and after it happens.

Like What You're Reading? Join our newsletter and stay up to date on the latest in payments and eCommerce trends.
Newsletter Signup
We’ll run the numbers; You’ll see the savings.
Please share a few details and we'll connect with you!
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form