Nov 22, 2022 - Technology

Retail braces for wave of holiday phishing, ransomware scams


Illustration: Natalie Peeples/Axios

Hackers are ramping up their phishing and ransomware campaigns targeting the retail sector as the holiday shopping season kicks off.

The big picture: The ongoing economic downturn is pushing more shoppers to hunt for online discount codes, and more hackers to lure those shoppers with phony deals, threat analysts tell Axios.

  • Ransomware gangs are also predicted to target small to medium-size businesses that could be more likely to pay off hackers to prevent an operational outage during the holiday season.

Why it matters: While the retail sector has gotten better at defending its systems against cyberattacks in recent years, no company can ever be considered completely hackproof.

  • Traditional phishing lures — where hackers impersonate retailers in emails to collect consumers' login information and credit card numbers — are nearly impossible for retailers to track unless a consumer reports them.

Threat level: This year's economic downturn and the return of in-person holiday gatherings are exacerbating the existing threats that retailers have long had to fight, says Ashley Allocca, a threat analyst at cyber intelligence firm Flashpoint.

  • Each year, analysts see a bump in the number of retail companies listed on ransomware extortion sites, where gangs post the victims they have hit that have not yet paid up, Allocca says.
  • Phishing is also one of the "most popular hacking services advertised within illicit communities" this year, according to a report from the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) published earlier this month.

Details: Hackers rely on employees and consumers being too busy during the holiday season to spot scam emails.

  • Phishing campaigns can lead to consumers entering their credentials and credit card info into fake sites or employees accidentally downloading ransomware at their organization.
  • Reports of imposter websites, which mimic well-known retailers and place fake product listings that consumers purchase, also rise during the holidays.

Flashback: Nine years ago, Target suffered a data breach that exposed millions of customers' credit card details and woke the retail sector up to the cyber threats it faces.

The intrigue: Retailers have dedicated more resources to fighting cyber threats since that breach, and the industry now has several cross-sector resources for tracking and detecting threats.

  • RH-ISAC hosts pre-holiday season workshops for retailers aimed at alerting them to the top hacking techniques, Muktar Kelati, senior director of cyber threat intelligence at RH-ISAC, tells Axios.
  • Many retailers also train their customer service teams to better detect fraudulent refund callers and field calls from consumers who spot a phishing or imposter website scam, Kelati adds.
  • Christian Beckner, vice president of retail technology and cybersecurity at the National Retail Federation, tells Axios that most retailers now have an existing relationship with the FBI. That relationship helps companies get tips on hackers' new tactics and makes them more comfortable calling in investigators when they are hacked.

What they're saying: "We see a lot of groups capitalize on these world events," Allocca says about the upcoming shopping season. "People are going to be keen to spend money; they might be under pressure."

Be smart: Monitor bank statements, double-check sender emails and website URLs, and be suspicious of any deals that seem too good to be true, experts tell Axios.

  • "If it feels suspicious, it probably is suspicious," Allocca says.
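The "double-check sender emails and website URLs" advice above, as an added example that is not code from Axios or from any of the firms quoted: a small Python checker that tests a URL or a From: header against an allow-list of retailer domains (assumed here to be target.com, walmart.com and bestbuy.com, a constructed list) and flags the tricks imposter sites and phishing senders rely on: the retailer's name buried in a subdomain or hyphenated label of another domain, user-info before an `@` that hides the real host, one- or two-character typosquats, and internationalised or punycode host names that can carry homoglyphs. The sample URLs and headers in the block are constructed for illustration.

```python
"""Lookalike-domain checks for URLs and sender addresses (added example, not the article's code)."""
from __future__ import annotations

from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allow-list: the retailer domains a reader actually trusts (hypothetical).
TRUSTED_DOMAINS = {"target.com", "walmart.com", "bestbuy.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host: a rough eTLD+1 (does not handle co.uk-style multi-label TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'suspicious' or 'unknown'."""
    host = host.lower().rstrip(".")
    if not host:
        return "suspicious", "empty host"
    labels = host.split(".")
    # Non-ASCII or punycode labels can hide homoglyphs (e.g. a Cyrillic 'a' inside 'target').
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return "suspicious", "non-ASCII or punycode host name"
    base = registrable_domain(host)
    if base in TRUSTED_DOMAINS:
        return "trusted", f"registrable domain {base} is on the allow-list"
    for trusted in sorted(TRUSTED_DOMAINS):
        name = trusted.split(".")[0]
        # 'target.com.holiday-deals.net', 'www.target-rewards.com': the trusted name is only a
        # subdomain or a hyphenated label; the domain that actually answers is `base`.
        borrowed = trusted in host or any(
            lab == name or lab.startswith(name + "-") or lab.endswith("-" + name) for lab in labels
        )
        if borrowed:
            return "suspicious", f"{host} borrows the name of {trusted}; its real domain is {base}"
        # 'targett.com', 'wa1mart.com': within two edits of a trusted registrable domain.
        if levenshtein(base, trusted) <= 2:
            return "suspicious", f"{base} is a near-miss of {trusted}"
    return "unknown", f"{base} is not a known retailer domain"


def classify_url(url: str) -> tuple[str, str]:
    """Classify the host a URL really points at."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    # 'https://www.target.com@evil.example/': everything before '@' is user-info, not the host.
    if parts.username is not None:
        return "suspicious", f"user-info before '@' hides the real host {parts.hostname}"
    return classify_host(parts.hostname or "")


def classify_sender(from_header: str) -> tuple[str, str]:
    """Classify a From: header; the display name is attacker-chosen, only the domain after '@' counts."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parsable address in From: header"
    return classify_host(addr.rsplit("@", 1)[1])


# Constructed samples, not real campaigns.
SAMPLE_URLS = [
    "https://www.target.com/deals",
    "https://target.com.holiday-deals-2022.net/",
    "https://www.target.com@evil.example/",
    "http://targett.com/",
    "https://xn--trget-5ua.com/",
]
SAMPLE_SENDERS = [
    "Target Deals <deals@target.com>",
    "Target Deals <deals@holiday-target.com>",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", *classify_url(url))
    for sender in SAMPLE_SENDERS:
        print(sender, "->", *classify_sender(sender))
```

The allow-list approach is deliberate: a blocklist of bad domains is always behind, whereas a short list of retailers you actually buy from lets the checker treat everything that merely resembles them as suspect. The eTLD+1 helper is intentionally rough; a production version would use the public suffix list.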
