Retail braces for wave of holiday phishing, ransomware scams
Hackers are ramping up their phishing and ransomware campaigns targeting the retail sector as the holiday shopping season kicks off.
The big picture: The ongoing economic downturn is prompting more shoppers to look for online discount codes and more hackers to trick these consumers with phony deals, threat analysts tell Axios.
- Ransomware gangs are also predicted to target small to medium-size businesses that could be more likely to pay off hackers to prevent an operational outage during the holiday season.
Why it matters: While the retail sector has gotten better at defending its systems against cyberattacks in recent years, no company can ever be considered completely hackproof.
- Traditional phishing lures — where hackers impersonate retailers in emails to collect consumers' login information and credit card numbers — are nearly impossible for retailers to track unless a consumer reports them.
Threat level: This year's economic downturn and the return of in-person holiday gatherings are exacerbating the existing threats that retailers have long had to fight, says Ashley Allocca, a threat analyst at cyber intelligence firm Flashpoint.
- Each year, analysts see a bump in the number of retail companies listed on ransomware extortion sites, where gangs post a list of victims they've targeted that haven't paid up yet, Allocca says.
- Phishing is also one of the "most popular hacking services advertised within illicit communities" this year, according to a report from the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) published earlier this month.
Details: Hackers rely on employees and consumers being too busy during the holiday season to spot scam emails.
- Phishing campaigns can lead to consumers entering their credentials and credit card info into fake sites or employees accidentally downloading ransomware at their organization.
- Reports of imposter websites, which mimic well-known retailers and place fake product listings that consumers purchase, also rise during the holidays.
Flashback: Nine years ago, Target responded to a data breach affecting millions of customers' credit cards that woke the retail sector up to the cyber threats it faces.
The intrigue: Since those attacks, retailers have dedicated increasingly more resources to fighting cyber threats, and the industry has several cross-sector resources to help track and detect threats.
- RH-ISAC hosts pre-holiday season workshops for retailers aimed at alerting them to the top hacking techniques, Muktar Kelati, senior director of cyber threat intelligence at RH-ISAC, tells Axios.
- Many retailers also train their customer service teams to better detect fraudulent refund callers and field calls from consumers who spot a phishing or imposter website scam, Kelati adds.
- Christian Beckner, vice president of retail technology and cybersecurity at the National Retail Federation, tells Axios most retailers now have a pre-existing relationship with the FBI, which helps companies get tips on hackers' new tactics and makes them more comfortable calling in investigators whenever they are hacked.
What they're saying: "We see a lot of groups capitalize on these world events," Allocca says about the upcoming shopping season. "People are going to be keen to spend money; they might be under pressure."
Be smart: Monitor bank statements, double-check sender emails and website URLs, and be suspicious of any deals that seem too good to be true, experts tell Axios.
- "If it feels suspicious, it probably is suspicious," Allocca says.