E-Commerce Surge Put Cyber Target on Retailers’ Backs
As e-commerce surged during the pandemic, so did retailers’ cyber risk. They are facing the challenge with new security awareness and tools.
Retailers welcomed the surge in online shopping during the COVID pandemic, especially in contrast to empty stores during lockdowns. In spite of the pandemic, inflation and well-publicized supply chain troubles, retail sales bounced back in 2021, and e-commerce was a big reason why. Online sales in 2021 were over 50% higher than in pre-pandemic days. According to one analysis of Commerce Department sales figures, $1 out of every $5 spent in retail during 2020 and 2021 was spent online.
But the extra sales haven’t come without headaches. More than two-thirds of retailers started seeing their security risks go up noticeably in 2020, according to the National Retail Federation (NRF), and 39% saw their largest fraud increases in multichannel sales, such as online shopping for in-store pickup. That’s 20 percentage points higher than the year before. With stores closed during lockdown, “criminals went where the opportunities were,” the NRF reported.
Data Theft and Retail Cybercrime
Retail crime comes in many varieties — from shoplifting to employee theft to organized crime heists — but cybercrime is a large part of merchants’ concerns. In a separate NRF poll, 76% said “cyber-related incidents” were a bigger security priority than five years ago; only mall shootings had become a higher priority in that same time span.
The retail sector attracts cyber thieves with its large amounts of customers’ personal and payment information that can be used to commit fraud. Nearly every data breach that hit a retailer in 2021 was financially motivated, according to the latest incident tallies from Verizon. The top categories of data compromised in retailer breaches were payment (43%) and personal (41%) information, followed by theft of credentials (33%), such as passwords to access computer networks.
While other sectors such as infrastructure and manufacturing are also assailed by corporate spies or state-sponsored attackers, retail is seen by cybercriminals as profitable low-hanging fruit for stealing data. It’s a business built on customer experience and accessibility, and merchants seek to avoid any friction that could lead to lost sales, making it ripe for phishing, brand impersonation and other tactics based on social engineering.
Retailers have improved their security posture after a number of high-profile data breaches in recent years, but the Verizon report warned against a false sense of security, saying: “This sector remains a target.”
Kinds of Retail Cyber Fraud
Online shopping has become a major front in the battle against retail crime. Some common retail cyber frauds include:
- Account takeovers: Fraudsters like stealing credit card information because it’s akin to printing money. And they like that online shopping is fast and efficient. Once armed with a customer’s credit card number, they can go shopping across a number of websites before the cardholder can react, then return the goods or sell them online for cash.
This variety of fraud intersects with return fraud, where thieves abuse brands’ lenient policies to return stolen or counterfeit merchandise for refunds and pocket the money. Return fraud is a particular thorn in retailers’ sides; according to the NRF, for every $100 in returns, merchants lose $10.30 to fraud.
- Gift card fraud: The ease of purchase and delivery of digital gift cards, which has made them such a popular item, also makes them attractive to criminals. Not only can fraudsters steal the balance on customer cards, but they can also resell valid cards online, clone new counterfeits for sale, or use cards as money laundering tools.
Retailers have added a number of features to track and protect gift cards. But their growing popularity — shoppers spent 27% more in gift cards during the last holiday season than in 2020 — makes them a tempting target.
- Brand exploitation: Also known as brand impersonation attacks, this fraud uses internet domain names that look very similar to the URLs of a known brand to mislead customers and direct them to fake websites. The unwary customers can wind up buying counterfeit goods (U.S. Customs seized $1.3 billion in such fakes in 2020 alone) or falling victim to malware and phishing attacks.
This kind of “URL phishing” is an increasing concern across all industries, but particularly in retail, since it’s not just costly, but can harm a brand’s image and consumer appeal. Brand impersonations have shot up nearly 170% since the start of the COVID-19 pandemic, and 42% of companies saw an increase in web domains that impersonated their brands, according to Mimecast’s State of Brand Protection Report.
Fighting Retail Cybercrime
Retail crime is increasingly a technology issue, both because the crimes have moved online and because the solutions are technological. As the NRF noted, 53% of retailers say they are allocating extra technology resources for loss prevention, that is, curbing all kinds of theft.
Security awareness training remains a primary line of defense against retail cybercrime. As the Verizon report noted, cybercriminals are increasingly targeting retail employees for social engineering attacks. As a best practice, retailers’ cybersecurity strategies should include regularly training staff to recognize and repel social engineering scams such as phishing and pretexting (attacks where they are tricked into thinking they are helping a customer or other staffer and instead compromise information or become infected with malware). These kinds of strategies will also require more communication between cybersecurity and loss prevention officers within retailers’ organizations.
Technology offers a variety of solutions to automate the process of managing cyber risk in retail organizations. Automation can scan and block emails containing fake URLs, leveraging intelligence feeds and URL blocklists to filter emails and websites associated with attacks. According to a recent Osterman Research survey, three out of four organizations are using those tactics to short-circuit social engineering efforts. Artificial intelligence and machine learning can also check email traffic in real time to spot abnormal patterns and intercept suspicious messages before they reach the staff.
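The URL screening described above, applied to the look-alike domains from the brand exploitation item, as an added Python example that is not from the article or any vendor it names. The brand domain, blocklist entry, confusables table and sample email are constructed assumptions.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed values for illustration; none come from the article.
BRAND_DOMAINS = {"examplebrand.com"}   # domains the retailer really owns
BLOCKLIST = {"known-bad.example"}      # stand-in for an intelligence feed
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",  # digits
                             "\u0430": "a", "\u0435": "e", "\u043e": "o"})  # Cyrillic
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def registrable(host):  # naive last-two-labels; real code needs the Public Suffix List
    return ".".join(host.rstrip(".").split(".")[-2:])

def skeleton(name):  # fold compatibility forms and confusable characters
    return unicodedata.normalize("NFKC", name).translate(CONFUSABLES)

def edit_distance(a, b):  # Levenshtein distance, row by row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    host = urlsplit(url).hostname or ""
    try:  # decode punycode (xn--) labels so homoglyphs become visible
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # host already holds non-ASCII characters
    domain = registrable(host)
    if domain in BRAND_DOMAINS:
        return "legitimate"
    if domain in BLOCKLIST:
        return "blocklisted"
    for brand in BRAND_DOMAINS:
        # Near-miss spelling or homoglyph, or the brand name buried in another domain.
        if edit_distance(skeleton(domain), brand) <= 2 or brand.split(".")[0] in skeleton(host):
            return "lookalike"
    return "unknown"

def scan_email(body):  # (url, verdict) pairs for URLs that warrant quarantine
    verdicts = ((u, classify(u)) for u in URL_RE.findall(body))
    return [(u, v) for u, v in verdicts if v in ("blocklisted", "lookalike")]

SAMPLE_EMAIL = ("Track your order at https://www.examplebrand.com/orders or confirm "
                "your card at http://examp1ebrand.com/verify today.")  # constructed
```

An edit-distance threshold of 2 will flag some unrelated domains when the brand name is short, so the "lookalike" verdict is best routed to quarantine and review rather than silent deletion.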
Some retailers have turned to brand protection services to automate the intensive work of hunting down fake websites. Jim Taylor, the chief information officer of Steve Madden Shoes, said his company used to chase down two counterfeit sites monthly, usually only if someone pointed them out to managers. The number shot up nearly five times once the company adopted a brand protection service. “Now we’re playing offense,” Taylor said.
The Bottom Line
Retailers will always face cyber vulnerabilities, especially as online and multichannel shopping continue to grow. Merchants will continue to be targets of cybercriminals because they are considered a profitable and soft target. But that doesn’t mean they can’t improve their security posture with technology tools and awareness training that protect both their own operations and their customers’ data.
 “Pandemic Led to Increase in Retail Security Threats, According to NRF Study,” National Retail Federation