Payment fraud: protect your shop

Paying directly online is easy. But if you have an shop, you also have to make sure that online payments happen safely. Use a secure payment system to make it difficult for criminals. Read this article to find out what you should pay attention to.

During the corona pandemic in 2020, online sales in the Dutch retail sector increased by 86%. (in Dutch). Online shops are started every day. In the 1st quarter of 2021, 69,000 new companies started, of which almost 10,000 were online shops. Unfortunately, this is also an interesting growth market for criminals. They try to steal from online shops or customers in all kinds of ways.

Secure website

If you own an online shop, you want to provide customers with reliable information and guarantee secure payments. This starts with your website, which you provide with an extra secure internet connection. You can recognise that extra security from an https web address. This means that the website is built with SSL/TLS certificates. Ask your IT supplier for software to combat cybercrime, and lay down liability and support in a contract. You can have your online shop certified (in Dutch) through the trade association. Such a certification clearly shows that you are following the rules. In the event of complaints, the customer also receives independent mediation from the trade association.

Secure payment system

Since 1 January 2021, all online transactions within the EU must apply a two-step verification according to the SCA standard. You can apply for online payment services on your website at your own bank or a payment service provider (in Dutch). These companies are specialised in providing payment systems. Online shops are obliged to offer the option to pay afterwards. You cannot force consumers to pay more than 50% in advance. With this pay after delivery' service, the payment service provider takes over the payment risk from you. The provider also ensures a secure payment process and can carry out a credit check (in Dutch) with the consumer in advance.

Fake shop

There are thousands of fake online shops in the Netherlands. The Foundation for Internet Domain Registration in the Netherlands (SIDN) is improving techniques for detecting criminal websites. In 2019, SIDN Labs (in Dutch) took almost 4,500 fake shops offline (in Dutch) with automatic scans. In 2020, SIDN developed an advanced Domain Name Ecosystem eXplorer (DEX system, in Dutch), which establishes links between various suspicious websites.

For example, fake online shops offering energy drinks or face masks cause damage to both customers and companies. After payment, customers do not receive the product they ordered. Companies whose data the criminals used for the fake online shop get angry reactions from suppliers and customers they do not know. Business identity fraud (in Dutch) is punishable by law. After reporting to the police, the provider of the domain name, the 'registrar', can take the website offline. Unfortunately, the criminals then continue to set up other fake online shops (in Dutch) to bait victims.

Take over customer account

Criminals can take over someone's account in several ways and put in fake orders, which is a well-known form is phishing (in Dutch). With this method a criminal persuades someone to hand over data. Through credential stuffing (in Dutch), criminals try out stolen usernames and passwords on other platforms. Criminals also sell leaked data to each other. Thuiswinkel explains more about criminal account takeover (in Dutch).

Payment process hacks

You can set up an online shop relatively quickly using software. Criminals target this software to sneak into your online shop unnoticed. And they are getting increasingly successful at this. Research in 2020 showed that cybercriminals leave a payment page visually unchanged, but can change the underlying data, such as the account number. These kinds of developments make a digital intrusion less noticeable.

New developments

The Cyber Security Assessment 2022 (in Dutch) by the National Coordinator for Security and Counterterrorism shows new forms of cybercrime in the Netherlands. You can read an overview of new (secure) payment systems such as PSD2 (in Dutch) in the annual report of the Dutch Payments Association.

Contact the Hack helpdesk

Have you been hacked or do you think you have been hacked? Visit (in Dutch) to find a step-by-step plan and practical solutions to prevent further damage.

Lees dit artikel in het Nederlands