Email Attacks on the Retail Industry: ‘Tis the Season


Email continues to be the number one threat vector. Whether it’s targeted, or at scale, it’s the method of choice for the majority of cyber-criminals, no matter the industry, region or time of year.

There’s good reason for this: Email-borne attacks can be considered relatively easy, cost-efficient and successful. With little effort and cost, attackers can gain access to a trove of valuable information. One particular industry that takes the spotlight for email-based attacks at this time of year is retail.

As hard as it is to believe, we are yet again in the midst of the holiday shopping season. Black Friday and Cyber Monday are upon us and are set to see record sales this year, with consumers in the UK expected to spend some £6 billion. However, this year, as with many other events, these annual shopping days are set to look a little different, with the global pandemic driving consumers to shop online rather than in-store.

Over the next few days, shoppers will be scanning both the internet and their inboxes for the hottest deals. However, as always, opportunistic cyber-criminals will capitalize on the anticipation of email communication from retailers to potentially trick shoppers with fraudulent emails. All it takes is a vulnerable shopper – or supplier – and a cyber-criminal has won.

However, UK retailers are not fully prepared for this and are not adequately protecting customers. From domain-spoofing, to Business Email Compromise (BEC) attacks, consumers and suppliers must be vigilant at this time of year.

UK retailers’ domains are not protected

In a recent analysis, Proofpoint identified that only 11 percent of UK retailers have implemented the recommended and strictest level of DMARC (Domain-based Message Authentication, Reporting & Conformance) protection, which stops cyber-criminals from spoofing their identity and decreases the risk of email fraud for customers. Worryingly, this leaves online shoppers at 89 percent of retailers in the UK open to email fraud.

A slim majority of the UK retailers analyzed have taken the first step towards protecting their customers from email fraud, with 53% publishing a DMARC record. This means 47% of UK retailers have no published DMARC record at all, leaving themselves wide open to impersonation attacks.

Cyber-criminals regularly use domain spoofing to pose as well-known retail brands, sending email from what appears to be a legitimate sender address. These emails are designed to trick people into clicking on links or sharing personal details, which can then be used to steal money or identities, and it can be almost impossible for an ordinary internet user to tell a fake sender from a real one.

In addition to threats over email, consumers should watch out for “lookalike websites” which imitate familiar brands. These fraudulent sites may sell counterfeit (or non-existent) goods, be infected with malware, or steal money and login details.

Having a DMARC policy in place protects employees, customers and partners from cyber-criminals looking to impersonate a trusted domain. By implementing the strictest level of DMARC – “Reject” – organizations are able to actively block fraudulent emails from reaching their intended targets.
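The check behind a survey like the one above, as an added example that is not the article's or Proofpoint's code: parse the DMARC TXT record a domain publishes at `_dmarc.<domain>` and bucket it into the three categories the article uses (no record, record published but not enforcing, strictest "reject"). The domains and records below are constructed, not real lookups.

```python
"""Classify DMARC records into the article's three buckets.
Added example; the sample domains and TXT records are constructed."""
from collections import Counter

# Constructed sample: what a TXT lookup of _dmarc.<domain> might return.
SAMPLE_RECORDS = {
    "shop-a.example": None,                                    # no record
    "shop-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop-b.example",
    "shop-c.example": "v=DMARC1; p=quarantine; pct=50",
    "shop-d.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "shop-e.example": "v=spf1 include:_spf.example -all",      # SPF, not DMARC
}

BUCKETS = ("no record", "record, not reject", "reject")


def parse_dmarc(txt):
    """Return a dict of DMARC tags, or None if txt is not a DMARC record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: a valid record starts with v=DMARC1 and carries a p= tag.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def classify(txt):
    """Bucket one record; 'reject' only counts when applied to 100% of mail."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no record"
    pct = tags.get("pct", "100")
    fully_applied = pct.isdigit() and int(pct) == 100
    if tags["p"].lower() == "reject" and fully_applied:
        return "reject"
    return "record, not reject"


def survey(records):
    """Percentage of domains in each bucket, rounded like the article's figures."""
    counts = Counter(classify(r) for r in records.values())
    return {b: round(100 * counts[b] / len(records)) for b in BUCKETS}


if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        print(f"{domain:16} {classify(txt)}")
    print(survey(SAMPLE_RECORDS))
```

A `pct` below 100 or a policy of `none`/`quarantine` lands in the middle bucket, which is why "has a record" and "is protected" are different numbers in the survey.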

These types of fraudulent emails can take all forms and include a plethora of content, but the aim remains the same – to siphon money or valuable data from the unsuspecting victim.

Compromising communications

Perhaps the most notorious of impersonation attacks on the cyber landscape of late are Business Email Compromise (BEC) and Email Account Compromise (EAC) attacks; and no industry is exempt.

Dubbed cybersecurity’s priciest problem, social engineering driven cyber threats such as BEC and EAC are purpose-built to impersonate someone users trust and trick them into sending money or sensitive information. When targeting an organization in the retail sector, cyber-criminals do not only see success from tricking consumers/customers, they can also target suppliers.

The retail industry has a relatively complex supply chain. From manufacturers to courier companies, data is shared across the board – mainly through the most popular digital channel: email. A cyber-criminal can compromise a supplier’s email account and hijack a legitimate conversation with a retail employee, in order to trick the retailer into paying an outstanding invoice into the wrong account – one belonging to the cyber-criminal rather than the supplier being impersonated.

Proofpoint has also seen BEC/EAC attacks using gift card scams where attackers will try to convince the target victim to send money to them using popular retail gift cards rather than through wire transfers. In gift card scams, the attackers will frequently impersonate the CEO or other high-level executive in the business as part of the scam.

Attackers abuse gift cards in BEC/EAC attacks because it is a quick and easy way for them to get money from their targeted victims: the victims don’t have to navigate complicated wire transfer instructions, they just go and purchase gift cards from well-known, recognized and trusted retailers.

This is yet another example of how well-known and trusted retail brands are being impersonated for financial gain. These attacks are becoming more refined, and we anticipate an increase throughout the holiday shopping period.

Secure seasonal shopping

While online shopping has been steadily overtaking the high street for quite some time now, this year is like no other and may therefore pose a greater digital risk than ever, with a larger attack surface.

The holiday season is just another reminder of how heavily the retail sector is targeted and of the ease with which cyber-criminals can trick unsuspecting consumers for financial gain.

This Black Friday, consumers must remain vigilant when shopping online and look out for potential phishing attacks, lookalike sites and other threats. Retailers, like organizations in all sectors, should look to deploy authentication protocols such as DMARC to shore up their email fraud defenses.

Cyber-criminals will always leverage key events to drive targeted attacks using social engineering techniques such as impersonation, and retailers are no exception – no matter the time of year.