Apple on Tuesday released a security update to address a zero-day flaw that it said has been exploited in "extremely sophisticated" attacks.
The vulnerability has been assigned the CVE identifier CVE-2025-24201 and is rooted in the WebKit web browser engine component.
It has been described as an out-of-bounds write issue that could allow an attacker to craft malicious web content such that it

Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks

Task scams are increasing in volume. We followed up on an invitation by a task scammer to get a first hand look on how they work.

Tasks scam are surging, with a year over year increase of 400%. So I guess it should have been no surprise when I was contacted by a task scammer on X recently.

Task scammers prey on people looking for remote jobs by offering them simple repetitive tasks such as liking videos, optimizing apps, boosting product interest, or rating product images. These tasks are usually gamified—organized in sets of 40 tasks that will take the victim to a “next level” once they are completed. Sometimes the victim will be given a so-called double task that earns a bigger commission.

The scammers make the victim think they are earning money to raise trust in the system. But, at some point, the scammers will tell the victims they have to make a deposit to get the next set of tasks or get their earnings out of the app. Victims are likely to make that deposit, or all their work will have been for nothing.

So when the task scammer contacted me on X to offer me a nice freelance job, I was keen to see where it would take me.

Beginning the message with emojis, Birdie started the chat…

Group invitation on X

> “\[emoji intro\] Hello, I am a third-party agency from the UK, specializing in providing ranking and likes services for Booking+Airbnb hotel applications. The company is now recruiting freelancers worldwide. You only need a mobile phone to easily get it done, and the time and location are flexible. The daily salary is 100-300€, and the monthly salary of formal employees is 3000-10000€. Note (this article is not suitable for students under 22 years old, and African and Indian employees cannot be hired due to remittance issues) For more details please see the WhatsaPP link: \[shortened bit.ly URL\]”

In this case, I was asked to contact the scammer on WhatsApp, but I’ve also seen the same campaign asking the victims to reach out on Telegram.

Invitation to a Telegram conversation

The Telegram invitation was a bit more limited (European and American female users only) but extended to a larger group of 150 accounts on X. What the ones that reached out to me had in common was that they all found my profile on X. Mind you, my profile is not some honeytrap, it clearly says I blog for Malwarebytes.

So, last week I was up for some distraction and decided to follow up on the WhatsApp invitation which was still live. I reset an old phone to factory settings and bought a burner SIM card. With that phone in hand, I set up a Gmail account and installed WhatsApp. I added Birdie Steuber to my contacts with the phone number I found by following the URL. Then I reached out asking if they still had openings.

The bait was taken within minutes: hook, line, and sinker.

introductions

So, Birdie is actually Tina from Sheffield in the UK. The job is available and does not require any special skills or experience. Tina tells me all you need is internet access and you can start working for booking.com.

Next is a long-winded explanation of what the job entails with another mention of the fortune you can make. I suspect the explanation is meant to be slightly confusing, knowing the general population would be embarrassed to ask for a better explanation and just will go ahead and carry out the tasks.

explanation?

More explanations about the job are followed by a quick query whether I will be able to buy USDT, the “hottest cryptocurrency in the world” as Tina described it. (It isn’t.)

USDT required

Tina then asks me to create an account on a fake booking.com website.

create an account on a fake booking(dot)com site

Here’s that site.

the fake booking site

Once I’d set that up, Tina set me up with a training account to learn the tasks. The actual tasks consist of clicking two buttons labelled “Start task” and “Submit” which gets mind-numbing really quick. But, hey, I was wasting a scammers’ time, so it was worth it.

That training account had a balance of over 1,000 USDT, probably to make the victim even more interested.

balance training account

What happened next is likely a demonstration of another tactic the scammers will use to get people to deposit more USDT: A lucky order!

lucky order

I was shown a prompt that I had run into “a 4% lucky order”, which Tina called a merge task that rendered a 4% commission.

Next followed an elaborate explanation on how Tina had to top up the balance to make up for the negative “Pending Amount” and asked me to contact customer support for instructions.

negative pending amount needs to be topped up

But to my surprise this was not what I was asked to do the next day when we continued our conversation. However, Tina quickly revealed how they were expecting to get 100 USDT from me.

> “I forgot to tell you, it takes 100usdt to complete a new round of 40/40 orders to reset 40 new orders. Because 100usdt is to optimize the hotel 100usd reservation fee. Once you complete the 40/40 order task you can withdraw all funds. This is to help the hotel increase the number of real bookings and exposure to earn commission income. The commission income per order is 0.5 per cent. 100usdt will probably get 40-60usdt after completing the 40/40 order task.”

After I completed my first 40 tasks, I was shown this notification letting me know I had reached the maximum number of tasks for the day, at which point I was expected to top op my account at my own expense.

Please contact customer service to recharge and refresh the task

Once I convinced Tina we had purchased 100 USDT, I was told to contact customer support for instructions.

The instructions were similar to the ones I received a day earlier. But at this point I had to terminate because I didn’t want to give the scammers any actual money.

Checking the balance on the account numbers they provided me with during our conversation showed there are likely others who are handing over money. And they very well may have many more accounts.

balance in the USDT accounts belonging to the scammers

These scams are likely designed to be confusing. The actual tasks were nowhere near as difficult as the explanation of what the job entailed.

In the end I revealed to Tina that I was the one that wrote an article about task scams, but Tina did not give up that easily. She kept trying to convince me there was money to be made.

If you’d like to read the whole conversation I had with Tina you can find it here.

****How to avoid task scams****

As I pointed out, all the task scam invitations I received came to me in the form of Message requests on X. So, that’s a good place to be very cautious. Once you know the red flags, it is easier to avoid falling for task scams.

*   Do not respond to unsolicited job offers via text messages or messaging apps
*   Never pay to get paid
*   Verify the legitimacy of the employer through official channels
*   Don’t trust anyone who offers to pay you for something illegal such as rating or liking things online

It’s also important to keep in mind that legitimate employers do not ask employees to pay for the opportunity to work. And as with most scams, if it sound to good to be true, it probably is.

If you run into a task scam, please report them to the FTC at ReportFraud.ftc.gov. 

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 I spoke to a task scammer. Here&#8217;s how it went 

Phishers are once again using the Docusign API to send out fake documents, this time looking as if they come from PayPal.

PayPal scammers are using an old Docusign trick to enhance the trustworthiness of their phishing emails.

We’ve received several reports of this recently, so we dug into how the scam works.

The Docusign Application Programming Interface (API) allows “customers” to send emails that come from genuine Docusign accounts, and they can use templates to impersonate reputable companies.

To pull this off, the phishers set up a Docusign account and then use the templates provided by Docusign to send out legitimate looking invoices from PayPal.

Because the emails come from Docusign they can bypass many security filters.

This is an example of how these emails reach the targets.

> We’ve identified an unauthorized transaction made from your PayPal account to Coinbase:
> 
> Amount: $755.38  
> Transaction ID: PP-5284440
> 
> To safeguard your account and process an immediate refund, you must contact our Fraud Prevention Team at:  
> +1 (866) 379-5160
> 
> Our representatives are available 24/7 to assist you in resolving this issue and preventing any additional unauthorized activity.
> 
> Your account’s security is our top priority, and we’re fully committed to helping you address this matter swiftly. We appreciate your immediate attention to this alert.

If you know this is a scam, you’ll likely see some red flags. The “From” address is a Gmail address which seems unlikely to be something that the genuine PayPal Customer Care department would use. Also, it seems weird that Docusign has been used to send a document that doesn’t require a signature.

Looking deeper, there are some more red flags. The “To” address does not belong to the receiver. It doesn’t even exist.

We tried to contact the scammer through WhatsApp, the Gmail address, and by phone, but didn’t get any replies.

I’ve you’ve received an email like this and want to verify if it’s genuine, go directly to Docusign.com, click ‘Access Documents’ (upper right-hand corner), and enter the security code displayed in the email. If you get an error message, that means the document was removed or never even existed. That’s a huge red flag.

**What can I do?**

If you see an unauthorized PayPal payment linked to a Docusign activity, and you suspect it’s fraudulent, you should immediately report it to both PayPal and Docusign. Contact their customer service departments and using their respective reporting features, as these platforms can be used by scammers to make unauthorized charges under the guise of a legitimate document signing process.

If you think you are the victim of this type of phishing:

*   Check your PayPal account: Log in to your PayPal account and review your recent transactions to search for and identify the suspicious payment.
*   Report the incident to PayPal: To confirm an unauthorized payment, go to the PayPal Resolution Center and report the transaction as fraudulent.
*   If you believe your PayPal account has been compromised, contact any bank for which an account is linked to your PayPal account to check for and report potential fraudulent activity.
*   Check your Docusign account: Review if there has been any recent activity to see if there are any suspicious documents or signatures you don’t recognize.
*   Report to Docusign: You can report suspicious activity through its “Report Abuse” feature or by contacting its security team directly.

Docusign says its team investigates and closes suspicious accounts within 24 hours of the activity being detected or reported. When suspicious accounts are reported, the vast majority of those accounts have already been detected by Docusign’s systems and are either under investigation or have already been closed. Once an account is closed, all envelopes sent from the account are no longer accessible by the recipient or sender.

Key points to remember:

*   Never click on suspicious links in unsolicited emails.
*   Verify the sender: Always check if the sender’s email address matches what you would expect it to be. It’s not always conclusive but it can help you spot some attempts.
*   Go directly to the DocuSign site (not following links in the email or sponsored search results) to check if the document actually exists.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 PayPal scam abuses Docusign API to spread phishy emails 

Firefox’s new Terms of Use spark user backlash over data rights. Learn how Mozilla responded to concerns about…

Firefox’s new Terms of Use spark user backlash over data rights. Learn how Mozilla responded to concerns about broad language and possible data misuse.

In the Internet era, where our online activities leave behind a trail of data, trust between users and the software they use is more important than ever. That trust is often buried in long legal agreements and complex terms and conditions, but it can quickly disappear if people feel their privacy is being violated. Mozilla, a company historically lauded for its commitment to user privacy, recently found itself at the center of such a trust dispute.

What happened is that the Firefox browser introduced new Terms of Use, which instead of promoting clarity, sparked a major controversy. The update meant to “formalize” user agreements, triggered a wave of user backlash, driven by language perceived as overly broad and potentially granting the company extensive rights over user data. Despite the company’s insistence that the terms were intended to clarify existing data practices and formalize user agreements, the unclear wording caused a lot of confusion and pushback.

The issue centered on a specific clause that granted Mozilla a “nonexclusive, royalty-free, worldwide license” to use information inputted or uploaded through Firefox. Critics, including figures from rival browser companies, interpreted this as an attempt to claim ownership of user data and potentially monetize it for purposes like AI development or targeted advertising. Mozilla, however, refuted these interpretations, stating that the new terms did not signify a change in how user data is handled.

> W T Fhttps://t.co/ifx7R9rBMV
> 
> "When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of… https://t.co/Zvbif4TWzz
> 
> — BrendanEich (@BrendanEich) February 27, 2025

In response to the intense criticism, Mozilla clarified its intentions and provided further explanations for the controversial wording as well as revised the clause with clearer wording. Here’s the difference between the original and revised clause:

**Previous:** “When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox.”

**Revised:** “You give Mozilla the rights necessary to operate Firefox. This includes processing your data as we describe in the Firefox Privacy Notice. It also includes a nonexclusive, royalty-free, worldwide license for the purpose of doing as you request with the content you input in Firefox. This does not give Mozilla any ownership in that content.”

Talking to TechCrunch, the company’s VP of Communications, Brandon Borrman, emphasized that the license was necessary to enable basic browser functionalities, such as processing user input. They stressed that the terms did not grant them ownership of user data or the right to use it beyond the scope outlined in their existing Privacy Notice.

According to Mozilla’s explanation of the reasoning behind the specific terms used, “Nonexclusive” was intended to indicate that users retain the right to use their data independently, “Royalty-free” reflected the browser’s free nature, and “worldwide” acknowledged its global availability. The company also confirmed that user data is not sent to third-party AI companies and that any data shared with advertisers is de-identified or aggregated.

The situation has raised fundamental questions about data ownership and the boundaries of digital consent. The initial confusion and backlash emphasize the potential consequences of poorly worded terms, even when intentions are benign. Still, Mozilla’s swift response and subsequent revisions demonstrate the company’s attempt to address user concerns and maintain trust.

1.  Mozilla Rushes to Fix Critical Flaw in Firefox and Thunderbird
2.  Mozilla permanently shuts down Notes & Send over malicious use
3.  Mozilla Faces GDPR Complaint Over New Firefox Tracking Feature
4.  Google & Mozilla ban Avast security extensions over data snooping
5.  Mozilla’s ‘Track This’ lets you choose fake identity to deceive advertisers

Mozilla Tweaks Firefox Terms After Uproar Over Data Use Language

Plus: The FBI pins that ByBit theft on North Korea, a malicious app download breaches Disney, spyware targets a priest close to the pope, and more.

As scam compounds in Southeast Asia continue to drive massive campaigns targeting victims around the world, WIRED took a deeper look at how Elon Musk’s satellite internet service provider Starlink is keeping many of those compounds in Myanmar online. Meanwhile, FTC complaints obtained by WIRED allege that an “OpenAI” job scam used Telegram to recruit workers in Bangladesh for months before the fraudsters suddenly disappeared.

WIRED published the inside story of Russian tech executive Vladislav Klyushin, who—at Vladimir Putin’s behest—was part of a notable US-Russia prisoner swap last summer after he was convicted and incarcerated in the US for insider trading that netted him $93 million. Earlier this week, TVs at the headquarters of the Department of Housing and Urban Development in Washington, DC, showed an apparently AI-generated video on loop of Donald Trump kissing Elon Musk’s feet. The words “LONG LIVE THE REAL KING” were superimposed over the video.

WIRED conducted an investigation into Telegram groups devoted to doxing and harassing women who joined “Are We Dating the Same Guy?” groups on Facebook. And, as female entrepreneurs in tech face ever steeper odds of gaining support for a business, a team of female founders got seed funding and completed a series A round in a matter of months for the cloud container security firm Edera.

But wait, there's more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Trump Administration Backs Off on Countering Russian Cyber Foes**

After years of Russian cyber aggression against the United States and its longtime allies—including repeated election meddling, hack and leak operations, disinformation campaigns, elaborate espionage, and brazen, disruptive cyberattacks—multiple recent actions from the Trump administration have recast the US stance on the cybersecurity threats posed by the Kremlin, downplaying the risks of Russian hackers as US adversaries. The about-face comes as Donald Trump and Russian president Vladimir Putin have increasingly strengthened their ties. Consistent US intelligence community assessments of Russia's activity in cyberspace and the threat it poses to the US would indicate, though, that such a change in approach could put the US at risk.

That deprioritization of the Russia threat has come in several different forms. US State Department deputy assistant secretary for international cybersecurity Liesyl Franz said during a speech in a United Nations working group last week that the US is concerned about digital attacks from China and Iran, but did not mention Russia. A recent memo distributed at the Cybersecurity and Infrastructure Security Agency laid out priorities for the agency, focusing on China and defense of US systems but omitted any reference to Russia. And on Friday, the cybersecurity news outlet The Record reported that, last week, Defense Secretary Pete Hegseth ordered US Cyber Command to stop all cyber operational planning against Russia, including offensive digital campaigns.

**Crypto Bounty Hunters Are Racing to Find and Freeze $1.4 Billion Stolen From ByBit**

Eight days have passed since the cryptocurrency exchange ByBit revealed that hackers stole $1.4 billion worth of Ethereum-based assets from the company, a heist that is by some measures the biggest theft of crypto in history. Now the race is on to track the stolen funds across blockchains, prevent its liquidation, or even recover it—and that race is being propelled by $140 million in bounties offered by ByBit itself. ByBit earlier this week launched a website where it’s inviting crypto sleuths to submit tips about the destination of its stolen Ethereum funds and offering as a reward 5 percent of the value of any funds that those tracers can identify and help to freeze or seize. ByBit has offered another 5 percent of the value as a separate reward for any crypto exchange or other platform that obtains the funds.

As of Friday, the website counted a dozen bounty hunters currently registered as part of that crypto-tracing effort and put the tally of paid-out rewards at around $4.3 million. The site also includes a leaderboard of tracers who have successfully identified tranches of the funds by following them across blockchains or frozen funds—as well as a list of crypto exchanges who have, by contrast, liquidated the stolen funds on behalf of the thieves. So far only one exchange, known as eXch, has been flagged as liquidating $94 million of the stolen assets. ByBit notes that eXch has refused to respond to its messages, and the exchange didn’t respond to a BBC request for comment.

**FBI Urges Crypto Industry Not to Launder ByBit Funds for North Korea**

Earlier this week, the FBI took the unusual step of publicly identifying the hackers behind that massive ByBit hack: TraderTraitor, a group of state-sponsored cybercriminals working on behalf of the North Korean government. The FBI asked the crypto industry not to launder the funds of those hackers, a part of the larger umbrella group widely known as Lazarus that has long plagued the cryptocurrency world and has stolen billions in both crypto and non-crypto assets. In its alert, the bureau also released a list of Ethereum addresses associated with the stolen funds in an effort to help the crypto industry identify and seize any part of the $1.4 billion before it can be cashed out. Crypto tracing firm TRM Labs wrote in a post Thursday that around $400 million of the funds have already been moved and may have been successfully liquidated.

**A Disney Staffer Opened the Door for a Slack Hack by Accidentally Downloading Malware**

In July, an entity calling itself “NullBulge” published a 1.1-TB trove of data stolen from Disney's internal Slack archive, tipping off a frenzied cleanup effort as Disney rushed to get a handle on leaked revenue numbers, employee information like passport numbers, and sensitive customer information. The breach occurred after a Disney employee, Matthew Van Andel, inadvertently downloaded malware onto his personal computer that collected his login credentials for a number of services, including, crucially, the password to his 1Password credential vault. “It’s impossible to convey the sense of violation,” he told The Wall Street Journal. Van Andel also had his credit card numbers and other personal data stolen, and then lost his job as well when a Disney audit of his work computer alleged that he had accessed porn from the device. Van Andel denies the accusation. The episode is just one in a series of breaches where malware that infects a worker’s personal computer can have major ramifications for the institution that employs them.

**An Italian Priest Close to the Pope Had His Phone Hacked**

Mattia Ferrari, an Italian priest who works with a migrant-rescue group and has a close relationship with the Pope, revealed this week that he received a warning from Meta that his phone had been hacked with sophisticated spyware from Israeli-based Paragon. The news follows revelations that Luca Casarini, the founder of the NGO Mediterranea Saving Humans, where Ferrari served as a chaplain, also had his phone compromised by spyware, as did Italian investigative reporter Francesco Cancellato. The string of spyware infections targeting Italian activists and a journalist raises the question of who might be carrying out the hacking operations, with opposition leaders calling on the administration of Italian prime minister Giorgia Meloni to address the issue. Meloni’s government has denied being behind the hacking incidents. Pope Francis, who is currently in critical condition with pneumonia, has mentioned speaking to Ferrari on the phone during a TV interview in January, raising the question of whether the spies who hacked Ferrari’s phone eavesdropped on a conversation with the pope himself.

The Trump Administration Is Deprioritizing Russia as a Cyber Threat

Strong eCommerce customer service builds trust, boosts loyalty, and drives sales. Learn key strategies, best practices, and tools to enhance online support.

Great online customer support starts with the fundamentals that make shoppers feel valued and understood when they can’t see your face or walk into your store. The basics include responding quickly across multiple channels, writing in a friendly human tone (not corporate-speak), and making it super easy for customers to find help when they need it.

Mastering these foundational elements builds trust with online shoppers and sets the stage for turning one-time buyers into loyal repeat customers. According to WOW24-7, an e-commerce customer service outsourcing provider, recent studies highlight the impact of customer service quality on online shopping behaviour. In April 2024, reports indicated that 79% of consumers may choose not to buy from a brand again after a poor post-purchase experience.

****What is eCommerce Customer Service?****

Generally speaking, e-commerce customer service is a special department that helps and supports online businesses as you are shopping online. Think of it as the digital version of that helpful store employee, but instead of being face-to-face, they’re helping you through chat, email, or phone when you have questions about products, shipping issues, returns, or just need advice before buying something.

****Advantages of a Good eCommerce Customer Service****

Good online customer service is a total game-changer! It builds trust (super important when you can’t see products in person), turns angry customers into happy ones (like when your headphones arrived broken and they shipped new ones overnight), and makes people spend more money.

Plus, happy customers tell their friends – “one of our customer’s customers switched to a new skincare brand just because her friend raved about how they helped her find the right products for her skin type.”

****How To Provide a Stellar Customer Service: Tips For Online Support********1\. Prioritize Multiple Communication Channels****

To provide excellent customer service, be available wherever your customers want to reach you. That means providing various channels of support, including social media support. 

Some people hate phone calls but love texting, while others want to shoot a quick email or DM you on Instagram. The best online stores let me choose – like that clothing shop that lets me track my order through text, ask sizing questions on chat, or call them about complicated returns. It shows they respect how you prefer to communicate instead of forcing you to use their one preferred channel.

So, good customer service plays a key role in customer satisfaction, and it should be multichannel customer support. And what about you, how many channels does your brand offer to contact your team?

****2\. Empower Your Team with Knowledge****

Make sure your support team knows your products inside and out – they can’t help customers if they’re clueless themselves. Indeed, the product knowledge is essential. Create a searchable knowledge base where your team can quickly find answers instead of saying “Let me check on that” for every question.

Our customer, a tea company, has weekly “sip and learn” sessions where staff try new products and discuss common questions, which has cut their average response time in half. The ability to deliver almost instant answers to the customers’ questions. That’s what we call a start for the exceptional customer service. 

****3\. Implement a Full Self-Service System****

Give customers ways to help themselves with detailed FAQs, video tutorials, and searchable help centers available 24/7. That is super important for customer retention.

One of our customers, an electronics ecommerce business has this amazing interactive troubleshooting tool that walks you through fixing common issues before the customers even need to contact them. Just make sure to keep these resources updated – nothing’s more frustrating than outdated information that wastes customers’ time.  

****4\. Track Key Metrics and Analyze Performance****

You can’t improve what you don’t measure, so keep tabs on response times, customer satisfaction scores, and first-contact resolution rates. Look for patterns in customer complaints to fix underlying issues – like when that clothing store noticed a spike in size questions and added better measurement guides. Set goals for your customer service team based on these metrics, but don’t obsess over speed at the expense of actually solving problems properly.

Moreover, track and analyze your customer reviews and work with both positive customer reviews and negative ones. Here’s a tip for you: the leading ecommerce platforms also work with the so-called ‘middle customers’ (the ones that are neither positive nor negative. They are the easiest ones to become your true brand enthusiasts. 

****5\. Personalize the Customer Experience****

Use customer purchase history and preferences to make interactions feel special and relevant. One ecommerce brand, a book subscription service, remembers what genres you love and what you have already read, making their recommendations useful.

Simple touches made by your customer service representative like addressing customers by name and referencing their previous orders make people feel valued instead of just another ticket number in the queue. That is crucial if you want to be the brand that comes with the best customer service for ecommerce. 

****6\. Proactively Address Customer Issues****

A great customer service company does not wait for complaints, it reaches out when its support agents know there might be a problem. For instance, a clothing store emails you before you even notice that your package was delayed due to weather, offering options and a small discount or a free trial. 

Therefore, your customer service agent must watch social media mentions of your brand to catch issues before they escalate into full-blown problems. This customer service strategy builds trust and loyalty. 

****7\. Embrace Technology and Automation****

If you want to offer good customer service experiences, use chatbots to handle simple questions and AI to route complex issues to the right specialist. Add the frequently asked questions section to let your customers find all the answers to their questions without waiting for your reply and the personalization to help them if they contact you. 

A simple example: there’s a tech shop that uses automation to send perfectly timed setup guides after purchase, preventing tons of support calls. Just make sure there’s always an easy escape hatch to reach your ecommerce customer service team when the bot can’t help. That’s crucial if you want to deliver an excellent customer service. 

****8\. Offer Easy Returns and Exchanges****

Make returns painless with prepaid labels, clear instructions, and quick processing. Yes, in the world of e-commerce, you have to provide the customer with the possibility to return in a fast, easy and free manner.

Here’s an example. There’s a shoe company that includes a return label right in the box and lets you start the return process with a single text message. And here comes an interesting fact: Good return policies increase sales because people feel safer trying new products. 

****9\. Solicit and Respond to Feedback****

Actively ask customers how they’re doing through quick surveys after purchases or support interactions. Every ecommerce business will benefit from customer service tools or special support software that collects data about the quality of service and customer communications. 

Just a simple case from our experience. There’s a coffee subscription that sends a three-question survey after each delivery, and when somebody mentioned their packaging was excessive in the comments, they changed it within a month. Show customers that the feedback matters by implementing changes and letting them know. There’s a necessity to adapt to the changing world of customer satisfaction. 

****10\. Invest in Ongoing Training and Development****

Keep your ecommerce customer support team sharp with regular product training and customer service skill development. My cousin works at an online beauty store where they spend Friday afternoons practising tough customer scenarios and learning about new product ingredients. Well-trained agents solve problems faster and make customers happier.

****11\. Foster a Culture of Customer-Centricity****

Make customer happiness everyone’s job, not just the support team’s. One of our customers, a small electronics brand, believes that excellent service is critical and so it invites its engineers to join support calls monthly to hear customer struggles firsthand. Then their support system analyses the available customer needs and the online shopping experience and thinks of ways to improve service to customers.

Celebrate team members who go above and beyond for customers, and use customer stories in company meetings to keep their needs front and center.

****An Effective eCommerce Customer Service: Key Takeaways****

Great online customer service is crucial as it talks to your customers directly. It’s all about being focused on customer wants, needs, and expectations. Plus, since great service is important for brand success, multi-channel customer support has become the new normal for companies who want to boost the customer’s lifetime value. Response speed matters hugely, but the quality and personal touch of those responses turn one-time buyers into loyal fans who spread the word.

The best online stores use the right software like Intercom and technology to handle routine stuff while freeing up humans to solve complex problems with empathy and creativity to improve their customer experience. Track what’s working (and what isn’t) through customer feedback and solid metrics, then actually use that info to keep improving. Remember that in the digital world where competitors are just a click away, exceptional service isn’t just nice to have – it’s often your biggest competitive advantage. 

Therefore, these are the eCommerce Customer Service Best Practices that help you improve customer service and provide an amazing customer service experience. Just remember that true customer service means the real care of your customers, not just words.

****Customer Service Channels FAQ********Why is customer service important for e-Commerce businesses?****

It’s your digital storefront’s personality! Without face-to-face interaction, it’s hard to make your customers happy. When one of our customers launched her handmade jewellery store, her amazing response time and personalized packaging notes turned first-time buyers into repeat customers who shared her store all over social media. Plus, in a world where switching to a competitor takes one click, great service is often the only thing keeping customers loyal.

****What are the key challenges of providing online customer support?****

The biggest headache is managing customer expectations for instant 24/7 help when you’re a small team (or solo entrepreneur). Then there’s the challenge of explaining products people can’t touch or try on, handling shipping issues you don’t directly control, and building trust without in-person connections. For instance, a hot sauce company can struggle with international customers who fail to understand the cause of shipping delays until they create a visual tracking system that shows exactly where packages are stuck.

****How can I improve response times for customer inquiries?****

*   Create templates for common questions so you’re not typing the same shipping policy explanation fifty times a day.
*   Set up auto-responses that acknowledge messages immediately even if you’ll answer fully later.
*   Use a smartphone app connected to your help desk so you can quickly answer simple questions while on the go.
*   You can dramatically cut response times by creating a shared Google Doc where all staff will document weird questions and answers for everyone to reference.

****What are the best tools for managing eCommerce customer service?****

For small shops, Zendesk or Freshdesk are solid starting points that won’t break the bank. Gorgias is amazing if you’re on Shopify since it shows order history right alongside customer conversations. Help Scout has a super clean interface that’s easy for non-tech folks. The gaming stores often Intercom so they can chat with the customers right on their website while they are browsing, which saves from abandoning the cart multiple times.

****How can I handle difficult customers effectively?****

First, take a deep breath and remember it’s rarely personal. Listen fully before responding – sometimes people just want to be heard. Offer concrete solutions instead of excuses. Know when to give a little (like a small discount) to solve a bigger problem.

One more tip to keep in mind: if you have a super angry customer about shipping damage, remember that customer service is important and it’s imperative to react instantly. So, immediately send a replacement with a small bonus. That can help you turn your angry customer into the biggest Instagram advocate.

****What role does automation play in e-Commerce customer support?****

Automation handles the repetitive stuff so humans can focus on complex problems. Think automatic order confirmations, shipping updates, and chatbots that answer basic questions like “What’s your return policy?” The smart plant shop I order from automatically emails care instructions based on what I purchased and sends reminders when it’s time to report – this prevents tons of support questions while making me feel taken care of.

****How can live chat improve customer satisfaction?****

Live chat catches customers right when they’re considering a purchase but have questions – like when I was about to abandon a pricey camera purchase until their chat agent explained why it was worth the investment. It feels more immediate than email but less intrusive than phone calls. 

****What are the best practices for handling returns and refunds?****

Make your policy crystal clear and easy to find. Don’t make customers jump through hoops – include return labels in the original package if possible. Process refunds quickly once items are received. Be flexible when it makes sense – that clothing store that gave me store credit past their return window earned way more of my money long-term. The best companies view returns as opportunities to learn product issues and improve, not as losses to minimize.

****How can I measure the success of my ecommerce customer service?****

Track obvious stuff like response time and resolution time, but also watch customer satisfaction scores (quick post-interaction surveys) and Net Promoter Score (would they recommend you?). Look at repeat purchase rates after service interactions – my favourite coffee subscription saw that customers who had a resolved issue spent 20% more in the following six months than those who never had problems. Also, track how many support tickets you get per 100 orders – this should decrease as you improve product descriptions and FAQs.

****What are some common mistakes to avoid in online customer support?****

The biggest fails include: making customers repeat their problem to multiple agents, hiding contact information so people can’t easily reach you, using robotic templated responses without personalizing them, promising unrealistic shipping/delivery times, and not following up after resolving issues. My worst experience was with that electronics store that transferred me three times, made me re-explain my issue each time, then promised to call back and disappeared forever – I’ll never shop there again!

Featured Image via Pixabay

1.  The Basics of Ecommerce Cybersecurity
2.  Enhance customer experiences with Generative AI
3.  How Payment Orchestration Enhances Business Efficiency
4.  Software Support: 7 Essential Reasons You Can’t Overlook
5.  Future of eCommerce: Emerging Tech Shaping Online Retail in 2024

eCommerce Customer Service Tips For Online Support: The Basics

While countries and companies are fighting over access to encrypted files and chats, our data privacy may get crushed.

Data privacy issues are a hot topic in a world where we apparently don’t know who to trust anymore.

A few weeks ago, we reported how the UK had secretly ordered Apple to provide blanket access to protected cloud backups around the world. This week, Apple decided to pull the plug on Advanced Data Protection (ADP) for UK users.

ADP is an opt-in data security tool designed to provide Apple users a more secure way to protect data stored in their iCloud accounts. Enabling ADP would ensure that even Apple could not access the data, which would mean that Apple was unable to hand over any information to law enforcement.

Something similar happened when Sweden’s law enforcement and security agencies started to push legislation which would force Signal and WhatsApp to create technical backdoors, allowing them to access communications sent over the encrypted messaging apps. The proposed bill prescribes that companies like Signal and WhatsApp need to store all messages sent using the apps.

President of the Signal Foundation, Meredith Whittaker, told Swedish SVT News that the company will leave Sweden if the bill becomes a reality.

So basically, by seeking to obtain encryption backdoors, which are not likely to remain exclusive, these governments are undermining the data privacy options of their citizens. A backdoor can and will eventually be found by those that we absolutely didn’t want to snoop around in our backups and chat logs.

It doesn’t just affect the countries at the heart of the request. The US director of national intelligence is reportedly going to investigate whether the UK broke a bilateral agreement by issuing the order that would allow the British to access backups of data in the company’s encrypted cloud storage systems,

The bilateral agreement in question is the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) Agreement, which—among other things—bars the UK from issuing demands for the data of US citizens and vice versa. The CLOUD Act primarily allows federal law enforcement to compel US-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data is stored in the US or on foreign soil. Provisions in the act state that the United Kingdom may not issue demands for data of US citizens, nationals, or lawful permanent residents, nor is it authorized to demand the data of persons located inside the US.

Globally, governments and law enforcement agencies continue to seek more control over data through new legislations and rules. States regulate data to protect national security and provide domestic firms access to user (and anonymous) data to boost competitiveness, ease law enforcement’s qualms when accessing data, and ward off foreign surveillance.

But at the end of the day, the criminals that law enforcement agencies are after, will end up using expensive private phone networks, and the general population will be left with tools that have been broken on purpose. Backdoors that have been created will be waiting for cybercriminals to find the cracks and access our “encrypted” data.

Meanwhile, privacy is recognized as a universal human right while data protection is not. And it should be. Even if we think we “have nothing to hide” cybercriminals will find a way to use that data against us, if only to make their phishing attempts more credible. Let alone, trade and economic secrets that could fall into the hands of competitors or “unfriendly” nations.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Countries and companies are fighting at the expense of our data privacy 

Sweden’s proposal to mandate encryption backdoors faces backlash from Signal, cybersecurity experts, and even its military over privacy and security risks.

Swedish law enforcement and security agencies are advocating for legislation that would compel encrypted messaging services, such as Signal and WhatsApp, to implement backdoors.

This measure aims to grant authorities access to users’ communications for criminal investigations. However, this proposal has met with strong resistance from both the service providers and Sweden’s own military.

Meredith Whittaker, President of the Signal Foundation, has unequivocally stated that Signal would withdraw from the Swedish market rather than compromise its encryption standards. In an interview with SVT Nyheter, Whittaker emphasized that introducing a backdoor would undermine the app’s entire security architecture, stating, “If you create a vulnerability based on Swedish wishes, it would create a way to undermine our entire network.”

She further stated that Signal’s commitment to user privacy and data protection is paramount, and the organization would not acquiesce to demands that jeopardize this principle.

> Signal has announced that it will “leave Sweden” if the Swedish government mandates encryption backdoors. Many are celebrating this as a bold act of resistance. But what does it actually mean?
> 
> Signal has no offices or legal presence in Sweden. Will they block Swedish IP… https://t.co/ffkD1pyz9n
> 
> — Nadim Kobeissi (@kaepora) February 25, 2025

Interestingly, the Swedish Armed Forces, which have recently adopted Signal for secure, non-classified communications, have also expressed concerns regarding the proposed legislation. In a letter to the government, military officials cautioned that mandating backdoors could introduce vulnerabilities exploitable by malicious actors, thereby compromising national security. This stance highlights a discord between Sweden’s defence priorities and the objectives of its law enforcement agencies.

Justice Minister Gunnar Strömmer has defended the proposal, arguing that it is essential for law enforcement to effectively access electronic communications in the fight against serious crimes. The bill, which could be presented to the Riksdag (Swedish Parliament) as early as March next year, seeks to balance the needs of national security with individual privacy rights, a balance that is proving contentious.

William Wright, CEO of Closed Door Security, criticized the move, stating:

_“Building backdoors into software is akin to deliberately creating vulnerabilities. Once embedded, threat actors will focus on finding and exploiting them, putting millions at risk. History has shown that even government-backed backdoors, like those exploited in the Salt Typhoon attack, can be turned against the very institutions that created them. The long-term risks far outweigh any short-term benefits for law enforcement.”_

This development in Sweden is similar to debates in other countries. Notably, the United Kingdom recently demanded that Apple provide access to encrypted iCloud accounts. In response, Apple chose to remove the option for British users to protect their accounts with end-to-end encryption rather than compromise its security protocols.

These situations highlight the constant struggle between governments wanting access to private data for security reasons and the need to protect people’s privacy. As Sweden debates this proposal, the final decision could have a major impact, not just on encrypted messaging within the country but also on global conversations about privacy and digital security.

Signal Threatens to Exit Sweden Over Government’s Backdoor Proposal

An alleged job scam, led by “Aiden” from “OpenAI,” recruited workers in Bangladesh for months before disappearing overnight, according to FTC complaints obtained by WIRED.

A Bangladeshi worker was eager to get started at their new OpenAI job—completing basic online tasks in exchange for consistent income, while getting into cryptocurrency investing at the same time. After connecting with the startup on Telegram and creating an account through a ChatGPT\-branded app, they invested crypto into the platform and began a months-long job working for “Aiden” from “OpenAI.”

The work was performed through the website “OpenAi-etc,” and internal conversations were held on Telegram. It was simple: Invest some crypto, complete a few tasks, and earn daily profits based on what was invested.

Over the course of this worker’s time with the company, mentors continuously encouraged them to invest more money into the fund and recruit more Bangladeshi people to the team. When the worker convinced over 150 to join and the mentors split the growing team of “brokers” into a hierarchy based on seniority, it all felt very real. The total crypto-investment fund for their team was around $50,000. After a devastating cyclone hit Bangladesh in May, company leaders supposedly helped those in need, further earning the trust of employees.

All seemed well until the morning of August 29, 2024, when everyone woke up to find that the website, all of their money, Aiden, and the other fake OpenAI employees had vanished overnight. The job, of course, was never with OpenAI at all, former workers say.

“I’ve seen similar scams where, at the beginning, you think you are making profit, and then basically you invest more and more,” says Shirin Nilizadeh, an associate professor at the University of Texas at Arlington who focuses on security and privacy. “Then, suddenly, you lose everything.”.

The story of the scammed “OpenAI” worker is from just one of 11 complaints about OpenAi-etc submitted to the US Federal Trade Commission by workers from Bangladesh last year, seven of which mention “Aiden.” Analysis of the complaints, obtained by WIRED through a public records request, reveal a potentially widespread job scam that used OpenAI’s name recognition to allegedly trick low-wage workers out of their savings. While some people describe getting started with OpenAi-etc in June or July, others believed they were working for the company for around six months.

The first FTC complaint obtained by WIRED, lodged over two months before the August 29 rug pull, says the complainant was invited by OpenAi-etc to invest around $170 in crypto. The person mentions an American registration number for the business, confirming it was in good standing with Colorado regulators and listing a physical office in Denver. The complaint also highlights a legitimate-looking money service business registered with the US Treasury’s Financial Crimes Enforcement Network, which lists the company’s location as an office inside the Empire State Building in New York City.

A WIRED review of domain name system records for the now-defunct OpenAi-etc website shows that it appears to have been hosted by a China-based web hosting company.

Jay Mayfield, a senior public affairs specialist at the FTC, declined WIRED’s request to confirm whether the group is looking into OpenAi-etc, saying that investigations are nonpublic. Mayfield did not answer additional questions about what steps the FTC is taking to prevent similar scams or provide better assistance for international victims.

“Regrettably, I found no available source online to know more about this organization except for those registrations,” wrote the complainant. “They are collecting huge amounts of investment from third world countries in Asia.”

One of the FTC complaints alleges that over 6,000 people in Bangladesh were potentially impacted by the OpenAi-etc job scam. The ages listed in the FTC complaints range from teenagers to people in their fifties, with locations spread across multiple Bangladesh cities, from Dhaka to Khulna.

“My next trading date was 29 August, 2024,” wrote another complainant. “I made the trade with my whole amount in the evening. But, suddenly, the OpenAI company vanished. I didn’t withdraw any money but lost both capital and profit. Now, I am in a great economic crisis, as I am a normal school teacher.”

Niko Felix, a spokesperson for OpenAI, declined to answer questions about whether the startup was previously aware of the “OpenAi-etc” scam, or if they planned to take action against the fraudsters. But he did share that OpenAI is investigating the matter. The alleged scam website is no longer available online, and WIRED was not able to contact the people behind "OpenAi-etc" prior to publication.

A Telegram spokesperson using the name Remi Vaughn tells WIRED that the company monitors its platform for scams, such as those allegedly carried out by OpenAi-etc, which used the messaging app to communicate with people who believed they were working for the company.

"Telegram actively moderates harmful content on its platform, including scams," Vaughn says in a statement sent to WIRED through the messaging platform. "Moderators empowered with custom Al and machine learning tools proactively monitor public parts of the platform and accept reports from users and organizations in order to remove millions of pieces of harmful content each day."

The usual pattern of a crypto job scam is to trick people into depositing some kind of digital currency into a fake account the victim believes they have control over, until the perpetrator drains it one day without warning. While this specific rug pull used OpenAI’s branding to allegedly dupe its victims, a crypto job scam can happen with the name of any company that has enough widespread recognition for criminals to capitalize on.

“These social engineering scams are designed to lower our natural suspicion and to make us complicit in our own deception,” says Arun Vishwanath, a cybersecurity expert and author of _The Weakest Link_. “For job scams, they try to turn our ambitions and inherent trust in brands into a vulnerability.” Similar to so-called pig butchering investment scams, a key component often includes direct messages over a long period of time to cultivate a sense of trust with the targets.

Although comparable job scams happen all over the world, Vishwanath believes that Asian cultural norms of so-called high power distance, where there’s more acceptance of interpersonal hierarchies, are a contributing factor. "Authorities are expected to ask you things and make you do things," he says. "And you just comply." Scammers are taking advantage of this by imitating authority figures and leaning into the sense of urgency inherent to searching for a job.

Bangladeshi citizens on the difficult hunt for reliable work have increasingly been targeted by job scammers in recent years. Lies about international job opportunities have left throngs of would-be workers stranded in Malaysia, and at least three cases of kidney organ theft were reported by people lured to India with false promises of work.

‘OpenAI’ Job Scam Targeted International Workers Through Telegram

In the epic US-Russian prisoner swap last summer, Vladimir Putin brought home an assassin, spies, and another prized ally: the man behind one of the biggest insider trading cases of all time.

Tag

#sap