With Black Friday just around the corner, the holiday shopping season is upon us and retailers will face their busiest time of the year. In the last six weeks of 2018, for example, UK retailers and US retailers saw sales of £79.7bn and $719.2bn, respectively, as shoppers rushed to scoop up the best deals. No wonder this window is often referred to as the “Golden Quarter”.
But retailers and their customers may get more than they bargained for as this surge of shoppers makes the “Golden Quarter” a golden time for cybercriminals to launch phishing campaigns.
We often think about consumers as the main victims of retail-related phishing attacks in the holiday shopping season. And quite rightly; shoppers receive hundreds of emails from retailers promoting their latest deals around peak shopping days like Black Friday and Cyber Monday. It’s a ripe opportunity for cybercriminals, who are looking to steal personal data and payment details, to “hide” in the noise, pose as legitimate brands and prey on individuals who are not necessarily security savvy.
However, it’s important to remember that retailers themselves are also at greater risk of phishing attacks during this time.
In fact, our latest report reveals that nearly two-thirds of UK and US retailers (64%) receive more phishing attacks in the three months leading up to Christmas, compared to the rest of the year. Black Friday, in particular, is a prime time for seasonal scammers: 56% of UK retailers and 57% of US retailers saw an increase in the number of phishing attacks during the Black Friday / Cyber Monday weekend last year. Given that phishing attacks have only grown in frequency and severity since then, there is no doubt that phishing will continue to be a persistent threat for retailers this year too.
It’s also concerning to see that 70% of IT decision makers at UK retailers and 65% at US retailers believe their staff are more likely to click on phishing emails during the holiday shopping season.
The reason? Employees are at their busiest and working at a much faster pace, meaning they are less likely to check the legitimacy of the emails they are receiving. Hackers will take full advantage of the fact that security won’t be front of mind for busy and stressed retail workers, and will craft sophisticated spear phishing campaigns to encourage individuals to click on malicious links, download harmful attachments or wire huge sums of money.
On top of this, staff will also receive more emails at this time. Consider how many colleagues, temporary workers, customers and third-party suppliers retail workers engage with during the holiday shopping season. Knowing inboxes will be filling up with timely requests and orders, hackers can easily deceive employees and get them to comply with their requests via spear phishing emails that convincingly impersonate colleagues, senior executives or trusted suppliers.
With the average phishing attack now costing a company $1.6 million, there are significant financial consequences when a retail worker is duped by a phishing attack. It’s understandable, then, that the IT decision makers we surveyed said that “data breaches caused by human error” are the number one threat to their business in the final quarter of the year. Phishing came in a close second, with one in five IT decision makers at retailers believing phishing is the greatest threat to their organization during the holiday shopping season.
Given the people-heavy nature of the industry, retailers are, sadly, an easy target for cybercriminals. Our report clearly shows that retailers need to do everything they can to build robust defenses and minimize incidents of human error that could lead hackers to steal data and compromise systems this holiday season.