The online retail environment is teeming with threats including ransomware, malware, data breaches, and zero-day vulnerabilities, leaving retailers to maintain a strong security posture while juggling profitability, market competition, and brand presence. From a security standpoint the industry is hard to defend because several areas each require stringent controls: third-party vendors, troves of customer data, payment platforms, and financial databases. By understanding these variables, retailers can be better equipped against evolving cyber threats.
All of these challenges, security-related or not, intensify during the winter holiday season. The flurry of gift buying, last-minute deals, shipping cut-off dates, and bonus offers creates an environment well suited to online scams and fraud.
Deceiving customers through brand impersonation
Most major retail brands have already been targets of online impersonation attacks, but it is ultimately the customers who bear the consequences. Leading up to and during the December holiday period, large phishing campaigns target victims who may find it hard to resist appealing but fake offers. Impersonating well-known entities through web properties and social media gives malicious actors the credibility and sense of safety needed to fool victims and maximize their impact during the holiday retail surge.
Spoofing of trusted vendors
There is a common misconception that a retailer's main website is the only target for cybercriminals. The reality is quite different: the retail industry is also exposed to supply chain attacks through third-party vendors, which offer a path to the main target.
Spoofed vendor portals are an effective entry point, leading customers and employees to believe they are interacting with a trusted entity. Cybercriminals combine tactics such as malware, ransomware, and phishing to steal credentials, customer data, and financial information.
Retailers are increasingly dependent on third-party vendors for outsourced services, so verifying a vendor's security posture before entrusting it with sensitive customer data is essential. A 2021 data breach at Bonobos, a Walmart subsidiary, exposed sensitive information of over 7 million customers. The breach originated at a third-party cloud provider and exposed a 70 GB SQL backup containing 7 million shipping addresses, 1.8 million customer accounts, and 3.5 million partial credit card records.
Fake websites and social media profiles
Adversarial infrastructure can be much more than meets the eye, and even experienced security researchers can struggle to identify it. Established spoofs have leveraged social media profiles, help desks, support systems, call centers, and "company representatives" to raise the success rate of a malicious campaign, forming a multilayered cybercriminal infrastructure around the phishing website. Retail giants are generally aware of the phishing websites, but the other components of the campaign are overlooked, leaving retailers exposed.
While phishing is familiar to retail security teams, new technologies have led to a rise in novel techniques that cybercriminals use to conduct attacks.
Email Phishing
Email phishing refers to fake emails that land in a victim's inbox with the intent to fool or scam the target. The fraudulent email is either sent from a spoofed source or contains content that redirects the recipient to one. During the holiday season these links are disguised as legitimate offers and mimic the tone and look of the official website, using tactics such as limited-time sales, deep discounts, buy-one-get-one gift card offers, and more. All of them convey urgency, and almost all are fraudulent.
Cybercriminals do not only target customers with phishing. Retail employees are also in their crosshairs.
In February 2024, Pepco, a large European discount retailer, was the victim of a likely business email compromise (BEC) attack in which phished employee and executive accounts were used to request money transfers. Security Week reported that Pepco's Hungarian business unit lost over 15 million euros in the attack and that recovery of the funds appears unlikely.
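The signals that separate a spoofed holiday offer from a genuine one are mostly mechanical: who the envelope sender is, whether the receiving mail server could authenticate the message, and where the links actually go versus what they display. The following is an added example, not code from the original article, that checks those four indicators on a raw message using only the Python standard library. The retailer domain `brand.example`, the sender domains ending in `.invalid`, and both sample messages are constructed for the example; the two-label `registrable()` helper is a simplification and real deployments should use a public suffix list.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the retailer's only legitimate registrable domain (hypothetical).
LEGIT_DOMAINS = {"brand.example"}


def registrable(host):
    """Last two labels of a hostname. Real code should use a public suffix
    list (e.g. tldextract) so that country-code second-level domains work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(address):
    return address.rpartition("@")[2].lower()


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return (indicator, detail) pairs; an empty list means nothing fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    brand_tokens = {d.split(".")[0] for d in LEGIT_DOMAINS}
    # 1. Display name carries the brand while the address is on another domain.
    if any(t in name.lower() for t in brand_tokens) and registrable(from_dom) not in LEGIT_DOMAINS:
        findings.append(("display-name", "'%s' sent from %s" % (name, from_dom)))

    # 2. Envelope sender (Return-Path) and From header on different domains.
    rp_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and registrable(rp_dom) != registrable(from_dom):
        findings.append(("return-path", "%s != %s" % (rp_dom, from_dom)))

    # 3. Receiving MTA's Authentication-Results: anything but pass is a signal.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % mech, auth)
        if m and m.group(1).lower() != "pass":
            findings.append(("auth-" + mech, m.group(1)))

    # 4. Every link whose host is off-brand, paired with the text the user sees.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        content = body.get_content()
        if body.get_content_type() == "text/html":
            parser = LinkExtractor()
            parser.feed(content)
            links = parser.links
        else:
            links = [(u, u) for u in re.findall(r"https?://\S+", content)]
        for href, text in links:
            host = (urlparse(href).hostname or "").lower()
            if host and registrable(host) not in LEGIT_DOMAINS:
                findings.append(("link", "%s shown as '%s'" % (host, text)))
    return findings


# Constructed sample: a lure that fails every check above.
SAMPLE_PHISH = b"""\
Return-Path: <bounce@mailer-hub.invalid>
Authentication-Results: mx.mailbox.example; spf=fail smtp.mailfrom=mailer-hub.invalid; dkim=none; dmarc=fail header.from=brand-example-deals.invalid
From: "Brand Customer Care" <deals@brand-example-deals.invalid>
To: customer@mailbox.example
Subject: Last chance: 70% off holiday gift cards
Content-Type: text/html; charset=utf-8

<html><body><p>Offer ends tonight!</p>
<a href="https://login.brand-example-deals.invalid/claim">https://www.brand.example/gift-cards</a>
</body></html>
"""

# Constructed sample: a genuine newsletter from the retailer's own domain.
SAMPLE_LEGIT = b"""\
Return-Path: <bounce@brand.example>
Authentication-Results: mx.mailbox.example; spf=pass smtp.mailfrom=brand.example; dkim=pass header.d=brand.example; dmarc=pass header.from=brand.example
From: "Brand Newsletter" <news@brand.example>
To: customer@mailbox.example
Subject: Holiday gift guide
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.brand.example/gifts">See the guide</a></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

The link check deliberately ignores the anchor text and judges only the `href` host, because a lure that displays the real storefront URL while linking elsewhere is exactly the case the text describes. The `Authentication-Results` header is trustworthy only when it was written by your own receiving server, so a production filter should strip any copy of that header that arrives from outside before evaluating it.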
Smishing
Phishing over SMS (Short Message Service), or "smishing", relies on bulk SMS sending, spamming, and messaging-API abuse to reach a wide audience. Because retailers routinely use text messages for marketing, cybercriminals exploit the channel to deliver phishing links or offers that are too good to be true.
In May 2024, the FBI reported a sophisticated campaign by the STORM-0539 group targeting retail employees in the United States. The group used smishing to obtain employee credentials, bypassed multi-factor authentication (MFA) to compromise email accounts, learned the internal gift card process, and then used those accounts and processes to issue fraudulent gift cards for financial gain.
Quishing
“Quishing” is an emerging attack vector that uses QR codes to deliver phishing links. Since many payments and promotions today are handled by scanning a QR code, attacks built around these codes are growing in popularity. By appealing to curiosity and using well-known retail brands as bait, cybercriminals fool many consumers.
Attackers simply replace an existing QR code with a spoofed one or alter existing codes by compromising the websites that host them. Because the destination URL is not human-readable until the code is scanned, the usual advice to check a link before clicking does not apply directly; the URL shown in the scanner's preview should be inspected before it is opened.
Although quishing is still relatively new, it has already accounted for 12% of all phishing emails, according to an article in Infosecurity Magazine.
Helpdesk and Support Scams
Retailers often pay less attention to the security of customer support and service centers than to the main website. Cybercriminals exploit this by setting up spoofed ticketing services and platforms that request credentials, card information, or PII (personally identifiable information) to harvest customer data. This is generally easier than targeting the main website, precisely because it is an overlooked vector.
A mid-year scam advisory from the Singapore Police Force showed e-commerce scams to be the most common scam type in 2024. In addition, tech support scams accounted for 4.6% of financial losses, totaling $17.8M in 2024 alone.
Supply Chain Disruptions
The retail industry depends heavily on outsourcing and third-party vendors. A common attack scenario is the registration of a single generic-looking domain, styled after a vendor portal, with one subdomain per retailer that the vendor services.
Outsourced functions such as inventory management, accounts payable and receivable, supply management, and order fulfillment must also be monitored for phishing, since a compromise at a shared vendor can spill over to other brands.
A phishing analysis by Retail Technology Review observed a new trend in the second quarter of 2024: 44% of phishing emails originated from a compromised email account, and 8% involved the supply chain.
Many retail websites rely on machine learning systems that learn customer purchase patterns to personalize the shopping experience. However, AI is also undermining the security of retailers.
Cybercriminal forums are devoted to discussing retail brand phishing kits and ways to profit from them. Data harvested through phishing is then used for carding (testing and cashing out stolen card data through unauthorized transactions).
This explains why cybercriminals are more interested than ever in using AI to build phishing kits: generative models produce polished, brand-specific templates and can be iterated quickly against current detection methods. The primary AI-driven risk for retailers is that it lets even unsophisticated criminals generate effective campaigns with a few simple prompts.
Phishing remains a major cybersecurity risk in 2024, and retail is one of the sectors cybercriminals exploit most. Cyber Finance Guard highlights a staggering 117% increase in cyber threats, including phishing, targeting retail brands. Why has retail become a hotspot for malicious activity? The driving factors are outlined below.
The Covid-19 pandemic changed retail forever by driving more sales online, which opened new opportunities for cyberattacks. To make matters worse, safe browsing skills have not kept pace with these digital trends, leaving certain customer demographics highly vulnerable to modern phishing techniques.
One reason many businesses do not fully grasp cybersecurity is that threats are perceived as intangible. The importance of cybersecurity is realized only when an avoidable threat turns into a real attack with real negative business outcomes.
In the AI-driven retail industry, both the shopping experience and the cyber threats are customized for users. AI algorithms tailor the buying experience with relevant brand and product information, but they also enhance phishing by eliminating the spelling and grammar mistakes that used to give lures away and by reproducing brand-specific tone to increase relatability.
Phishing attacks on the retail industry harm brands financially and reputationally through fraudulent transactions and disrupted online sales. This is especially true during the holiday season, when the surge of special offers provides a theme for reaching more victims. The damage can be long term: the investment a retailer made to acquire a customer is wasted.
With frequent cyberattacks come persistent concerns about customer retention and experience. Customers begin to question every channel of communication from the retailer, including websites, emails, SMS, and online ads.
Retailers may be held liable by legal or regulatory bodies for consumer losses or privacy abuses caused by attacks that improper security controls allowed. Top retail brands can also expect higher cyber insurance premiums as insurers assess the risk they pose.
Insurers are likely to demand stricter security measures from their clients, as highlighted by Founder's Shield. Analysis from Fitch Ratings shows that standalone and packaged cyber insurance premiums grew by over 50% in 2022, reaching $7.2 billion, with standalone policies alone rising by 62% that year.
Additionally, constant AI-driven phishing attempts against the retail industry raise the cost of the security solutions needed to detect and block attacks. Large retailers also face scrutiny under data protection regulations such as GDPR, CCPA, and other regional laws.
Mitigation Strategies
While phishing is not a new threat to retailers, industry-specific solutions that address the latest threat landscape are essential. To reach unaware and less technical customers, retailers can run ads and email campaigns that explain the phishing trends seen in their industry. Customers can be taught to verify that a domain is legitimate and to report phishing, particularly during holidays and peak shopping seasons, when they are most likely to engage with retailers.
Advanced threat detection and automated solutions that constantly monitor the internet and disrupt attack campaigns before they launch are necessary for the retail industry. A single oversight can taint the customer experience and lead to severe brand harm.
Prioritizing predictive security solutions that provide insight into impersonation patterns and the threat landscape lets retailers prepare in advance. Solutions that promptly flag impersonating websites and automate takedowns allow retailers to disrupt them preemptively.
Relying on preemptive security solutions and coordinating efforts between security teams, supply chain vendors, and customer service can help retailers defend against brand impersonation and sophisticated phishing attacks.
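Domain legitimacy verification is the same check whether a customer does it by eye or a brand-protection team runs it over a feed of newly observed hostnames, so the added example below, written for this article and not taken from any product or vendor, implements it once. It covers the vendor-portal pattern from the supply chain section (one generic domain with a subdomain per retailer) as well as the lookalike and typosquat domains a customer is most likely to meet. The brand names `brand` and `shopco`, their allowlisted domains, and the list of observed hostnames are constructed for the example; the two-label `registrable()` helper is a simplification and real deployments should use a public suffix list.

```python
import re

# Hypothetical allowlist (assumption): brand token -> registrable domains it owns.
BRANDS = {
    "brand": {"brand.example"},
    "shopco": {"shopco.example", "shopco-online.example"},
}

# Digit-for-letter swaps commonly used in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable(host):
    """Last two labels; real code should use a public suffix list (e.g. tldextract)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label):
    """Fold single- and multi-character confusables and drop hyphens."""
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w").replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return (brand, reason) pairs for every brand the hostname imitates."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    sub = host[: len(host) - len(reg)].rstrip(".")
    reg_label = reg.split(".")[0]
    hits = []
    for brand, legit in BRANDS.items():
        if reg in legit:
            continue  # served from a domain the brand actually owns
        if brand in re.split(r"[.-]", sub):
            # e.g. brand.vendor-portal.invalid or brand.example.secure-login.invalid
            hits.append((brand, "token-in-subdomain"))
        elif brand in reg_label.split("-"):
            # e.g. brand-example-deals.invalid
            hits.append((brand, "token-in-domain"))
        elif normalize(reg_label) == brand:
            # e.g. shopc0.example
            hits.append((brand, "confusable"))
        elif len(brand) >= 5 and edit_distance(normalize(reg_label), brand) <= 1:
            # e.g. shopcoo.example; short brand names produce too many false hits
            hits.append((brand, "typosquat"))
    return hits


def report(hosts):
    """Group suspicious hostnames by registrable domain. One generic domain
    carrying subdomains for several retailers shows up as multi_brand=True."""
    groups = {}
    for h in hosts:
        hits = classify(h)
        if not hits:
            continue
        g = groups.setdefault(registrable(h), {"hosts": [], "brands": set()})
        g["hosts"].append(h)
        g["brands"].update(b for b, _ in hits)
    for g in groups.values():
        g["multi_brand"] = len(g["brands"]) > 1
    return groups


# Constructed sample of hostnames as they might arrive from a certificate
# transparency or newly-registered-domain feed.
SAMPLE_HOSTS = [
    "www.brand.example",
    "shopco-online.example",
    "brand.vendor-portal-login.invalid",
    "shopco.vendor-portal-login.invalid",
    "brand.example.secure-login.invalid",
    "shopc0.example",
    "shopcoo.example",
    "brand-example-deals.invalid",
]

if __name__ == "__main__":
    for reg, info in report(SAMPLE_HOSTS).items():
        print(reg, sorted(info["brands"]), "multi-brand" if info["multi_brand"] else "")
```

The subdomain check is the one customers most often miss: `brand.example.secure-login.invalid` begins with the retailer's real domain, but the part that matters is the registrable domain at the end, which the attacker controls. Grouping by registrable domain is what surfaces the shared vendor-portal lure, since each retailer's security team would otherwise see only its own subdomain.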