The digital imposter threatening your online presence

July 19, 2019

In the latest twist on identity theft, hackers are clandestinely taking over business websites and then brazenly billing the customers who visit those sites as if the sites are their own.

Photo: iStock.com/BAONA

“You need to visit your website at least once a month. Otherwise it could happen to you and you might not realize it for months,” says Jim Renaldo, director of sales and marketing for Renaldo Sales & Service, a propane equipment dealer.

Evy Hanson, owner of Leap Online Marketing, agrees: “Unfortunately, website security is becoming a prominent issue.”

Bill Wagner, director of digital marketing at ARI Network Services, a digital marketing company, also sees web security as a growing problem: “It seems there is a high-profile hack in the news every month.”

While any sort of website identity theft is alarming, the version that results in a hacker taking command and control of your propane business – and ultimately your business dealings – is especially brutal, according to Renaldo.

Under this scenario, hackers find a way to break into your website and take over all of the digital interfaces your business uses to operate that website. Simultaneously, the hacker also gets access to your business’ accounts payable and receivables software, as well as its email correspondence software.

With all of the tools in hand to do business as you, the hacker begins cutting deals with your customers via your website, instructing them to wire payments for goods and services to a new bank account, one that is owned and operated by the hacker. After a few quick deals and lots of laughs, the hacker vanishes, along with all of the cash that has been wired to his or her bank account.

Ultimately, the victimized propane business only finds out about the scam weeks or months later, when hordes of angry customers start calling, demanding goods and services that were never delivered.

Perhaps most unsettling about this new spin on cybercrime is that even the most strongly secured websites – properties maintained by technologically sophisticated, multibillion-dollar global corporations – are vulnerable.

Indeed, IT security researcher Arun Sureshkumar proved that reality with chilling clarity recently, when he demonstrated that he could hack any Facebook page – and take over that page as administrator – in less than 10 seconds.

Moreover, once established as administrator, Sureshkumar could have easily set up payment processing on the hijacked page for any sort of deals he felt like making, using popular payment processors like PayPal and Stripe.

Fortunately for all of the businesses that use Facebook to sell goods and services, Sureshkumar alerted the social media goliath to the security glitch, and it was immediately patched by Facebook. But his ruse underscored a hard reality: No business – no matter how seemingly strong and powerful – is immune to website identity theft.

In fact, more than 75 percent of popular sites on the web have unpatched vulnerabilities, according to a study from Symantec, an IT security firm. And all told, online fraud, including website identity theft, is rapidly escalating. Long term, it’s expected to reach $25.6 billion by 2020, according to Juniper Research.

As Sureshkumar so disturbingly demonstrated, while few websites are completely impenetrable against a determined hacker, every business at least needs to give itself a fighting chance against criminals looking to hijack its web identity.

Here’s what web security experts say you should do to ensure your propane business is not perceived by thieves as low-hanging fruit:

Bulletproof your website’s dashboard: Your site’s online dashboard – the place where you enter your website authoring software with an ID and password to make changes and updates – needs to be super secure.

Start with a strong ID and password by creating both at random.org’s random password generator. You can create passwords and IDs up to 24 characters long there that are extremely tough to crack. And you can add two passwords together if you’re looking for even greater security.

Meanwhile, be sure to have your web designer add a double-authentication requirement (commonly called two-factor authentication) for entry into your propane business’ website dashboard. These kinds of authentication systems are already used by many banks.

You can also harden your website dashboard by limiting access to it from predetermined IP addresses only (every computerized device can be assigned a specific IP address by your web designer for identification purposes). Plus, you can have your web designer program your website so that after three wrong log-in attempts, the website will freeze and can only be accessed with intervention by a human from your IT department.
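For readers who want to see what those two dashboard controls look like in practice, here is an added example (not from the original article or any particular website product). The `DashboardGate` class, the account name and the documentation-range IP addresses are all hypothetical.

```python
import hashlib
import hmac
import ipaddress
import os

MAX_FAILURES = 3  # the article's "three wrong log-in attempts"

def hash_password(password, salt=None):
    """Salted PBKDF2 hash so the gate never stores the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class DashboardGate:
    """Hypothetical login gate: IP allow-list first, then lockout on failures."""

    def __init__(self, allowed_networks, users):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.users = users      # user -> (salt, hash) from hash_password()
        self.failures = {}      # user -> consecutive wrong attempts
        self.frozen = set()     # users that only a human may unfreeze

    def login(self, user, password, source_ip):
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in self.allowed):
            return "denied: ip not allow-listed"
        if user not in self.users:
            return "denied: bad credentials"   # unknown names are not tracked
        if user in self.frozen:
            return "denied: account frozen"    # even the right password fails
        salt, expected = self.users[user]
        if hmac.compare_digest(hash_password(password, salt)[1], expected):
            self.failures.pop(user, None)      # success resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.frozen.add(user)
        return "denied: bad credentials"

    def admin_unfreeze(self, user):
        """The manual step: called by IT staff, never by the login form."""
        self.frozen.discard(user)
        self.failures.pop(user, None)

if __name__ == "__main__":
    # Constructed sample: documentation-range addresses and a made-up account.
    gate = DashboardGate(["203.0.113.0/24"], {"owner": hash_password("correct horse")})
    for pw in ["a", "b", "c", "correct horse"]:
        print(gate.login("owner", pw, "203.0.113.10"))
    print(gate.login("owner", "correct horse", "198.51.100.7"))
```

Because the allow-list is checked before anything else, someone outside the approved addresses cannot trigger the freeze against a legitimate user.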

Get a free Google Webmasters account from Google: Offering a plethora of free tools for site owners, Google Webmasters can also often detect when your website has been hacked and will inform you of the hack via your account, according to Leap’s Hanson.

Secure your website folders: While all website files and folders should have proper permissions and ownership, this basic step is often overlooked. Ask your web designer to apply these controls. The move can deny attackers the ability to upload malicious files and execute code that can compromise not only your website, but your web server as well.
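One way a web designer might check for the permission problems described above, shown as an added example that is not part of the original article. The function names and the sample file layout are constructed for illustration, and the checks assume a Linux or other Unix-style web server.

```python
import os
import stat

def audit_web_root(root, expected_uid=None):
    """Return sorted (relative_path, issue) pairs for risky entries under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: never follow links out of the tree
            if stat.S_ISLNK(st.st_mode):
                continue                 # a link's own mode bits say nothing useful
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                # Any local account, including a compromised one, can alter this.
                findings.append((rel, "world-writable"))
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid file"))
            if expected_uid is not None and st.st_uid != expected_uid:
                findings.append((rel, f"owned by uid {st.st_uid}"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample site: one safe file, one loose file, one loose folder."""
    layout = {"index.php": 0o644, "wp-config.php": 0o666, "uploads": 0o777}
    os.mkdir(os.path.join(root, "uploads"))
    for name in ("index.php", "wp-config.php"):
        open(os.path.join(root, name), "w").close()
    for name, mode in layout.items():
        os.chmod(os.path.join(root, name), mode)   # explicit, so umask is irrelevant

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, issue in audit_web_root(tmp, expected_uid=os.getuid()):
            print(f"{rel}: {issue}")
```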

Keep your propane business’ website software up to date: One of the primary reasons web software companies continually update their software is to plug security holes. Unfortunately, these companies generally inform the public about the specific security holes they’ve plugged. So, if you don’t make the fix, a hacker knows where to look on your website for an easy way in, according to Leap’s Hanson.

Renaldo agrees: “People can get lazy about updating their website software,” only to discover when it’s too late that a hacker has broken in, changed the ID and password and completely locked them out of their own website.

Be doubly careful if your website runs on WordPress: When it comes to security, WordPress is unfortunately a victim of its wild popularity. The website authoring tool is so in vogue that it has become a favorite target of hackers. If a hacker finds a security hole on a WordPress site, he or she knows there are probably thousands – if not millions – of websites that are also sporting the same security hole.

Install a firewall on your propane business’ website: “A firewall routes web traffic through a separate server, determining whether it’s safe traffic or not before allowing it to go to your website,” Hanson says. “This does not cause a delay for the end user.”

Most modern web firewalls are cloud-based and provided as a plug-and-play service for a modest monthly fee.

Install a security plug-in: For WordPress users, there are a number of free security plug-ins, including iThemes Security and Bulletproof Security. Similar software exists for websites that use other content management systems.

Get your designer to use HTTPS protocol: Technically speaking, HTTPS, the prefix at the start of a secure site’s web address, assures your visitors that they’re talking to the server that’s hosting the website they’re trying to reach. It also keeps content coming from the website, and transactions between the website and the visitor, from being intercepted or changed along the way. Nonprofit organization Let’s Encrypt helps businesses reduce the cost of the conversion to HTTPS protocol.

Auto-scan all devices you’re plugging into your business’ computer network: Have the person overseeing your computer systems secure your machines with software that automatically scans any device – such as a flash drive, external hard drive, etc. – for malware any time such a device is attached to your computer network.

Back up daily: Just in case the worst happens, be sure to keep everything backed up. The rule of thumb: Keep a backup of your website at your propane business, keep a backup in the cloud and keep a third “cold backup” or “air-gapped backup” that is not attached to your network. Essentially, this third backup is made daily and disconnected from your computer network as soon as it is complete.

Use a monitoring service: Services like SiteLock will monitor your website every day for malware, viruses, suspicious code, attempted break-ins and out-of-date software.

Have a major security talk with your web designer: Knowing about the safeguards above will enable you to talk intelligently with a web designer about your website’s security. Having the conversation communicates to your designer that you consider website security ultra-critical to your business.

Institute an ongoing education program for your employees: Ultimately, the biggest security weakness to any system is still the user.

Most employees are unaware of best practices for password protection. Even users with strong passwords can’t know all of the scams that attackers use. It is important for employees to know – through regular cybersecurity talks – that scams are designed to get a user to divulge sensitive information to an attacker.
