Beware of These Email-Based Holiday Risks to Consumers & Retailers

December 09, 2022

It’s that time of the year when buyers flood stores in search of the perfect gift. Retailers also go all out with attractive deals to draw in more customers during the holiday season. While millions of shoppers are looking for the best deals, cybercriminals are also lurking behind, looking for an opportunity to strike as both individuals and companies have their guards down. Holiday cyber risks are high for both shoppers and retailers – there is a 70% increase in dangerous cyberattacks like ransomware during the holiday season. The FBI also issued a warning in November, advising all organizations, executives and workers to proactively protect themselves from ransomware and other threats during the holiday season.





Data is on cybercriminals’ shopping lists


The retail sector has always been an attractive target for cybercriminals and data thieves because retailers collect, process and store increasingly large amounts of valuable customer data, including Personally Identifiable Information (PII) and credit card numbers. Cybercriminals are adept at ferreting out loopholes in often complex retail infrastructure, including software vulnerabilities, lack of point-to-point encryption (P2PE) in PoS systems, use of Near Field Communications (NFC) for payments, zero-day exploits, and insecure third-party plugins.

The UK’s National Cyber Security Centre (NCSC) recently published guidance for retailers to help them avoid cybercriminal traps, especially retailers with a large online presence. NCSC emphasized the urgent need for retailers to add identity and access management (IAM) controls for customer accounts to prevent digital fraud. The guidance suggests two-factor (2FA) or multi-factor authentication (MFA), OAuth 2.0 or single sign-on, FIDO2 and one-time passcodes as effective methods of ensuring that consumer accounts are protected. NCSC said that UK shoppers lost nearly $20 million to digital fraud during the 2021 holiday shopping season. 




Retailers & shoppers encounter 3 cyberattacks the most


Phishing Attacks: Phishing attacks are threat actors’ weapon of choice to launch cyberattacks on organizations. They send fake emails with malicious links or attachments that mimic emails from legitimate sources. Once the victim clicks on the malicious content within the email, the attacker can steal their information or install malware on their system to cause further damage. A frequently seen scam this year is a fake travel reservation email, styled like a flight or hotel booking from a travel site, that tells the victim they were charged twice for a transaction; the message itself is what carries the malware.

Social Engineering Attacks: In recent times, cybercriminals have increasingly been using social engineering techniques such as honey trapping, baiting, and watering holes to launch sophisticated cyberattacks that are wreaking havoc on organizations around the globe. Day in and day out, victims fall prey to cybercriminals’ devious social engineering lures that often bring the curtains down on their businesses. An example of social engineering attacks during the holiday season is the gift card scam, which pushes victims to purchase gift cards or uses the tried-and-true “you’ve won!” tactic. If you cannot pin down who the sender really is, treat the message as a likely scam in waiting.

Supply Chain Attacks: Retailers work with numerous vendors to support different aspects of their operations, especially during the hectic holiday season. A single vulnerability at one vendor could lead to a supply chain attack on the entire network, jeopardizing the retailer’s cybersecurity posture. Retailers can also be vulnerable to shipping scams and non-payment scams, the most common variety of Business Email Compromise (BEC) attacks, as they contend with getting merchandise in stock.




Best practices for protection against holiday cyberattacks


While cyberattacks have grown in sophistication in recent times, organizations must take some precautionary measures to protect their systems and data. Here are some ways to address cybersecurity flaws in retail or keep their impact to a minimum.

Implement IAM: This is the fastest and easiest way to protect user accounts as well as systems and data. According to Microsoft, 2FA/MFA stops 99% of cyberattacks. Look for solutions that offer additional protections like single sign-on (SSO) and simple remote management for quick incident response if there is a problem.

Encrypt all sensitive data: Ideally, retailers should not store their customers’ sensitive data, such as credit card numbers; however, if retention is a must, then all data must be encrypted, whether at rest or in transit.

Perform data backups: Data is an organization’s biggest asset. That is why cybercriminals are always looking to steal your data to either sell it on the dark web or use it for ransom. It’s critical for organizations to regularly back up all data from the e-commerce website, POS systems, and other applications.

Strengthen phishing protection: Keeping malicious messages away from inboxes reduces the chance of someone clicking on one. Mount the strongest possible defense against phishing. Email security solutions that use AI and automation catch 40% more dangerous phishing messages than traditional email security or a secure email gateway (SEG). It’s also important to give users the tools they need to quickly and frictionlessly report any suspicious messages they receive.
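The sender and link tricks described earlier (a sender you cannot pin down, links and attachments dressed up as a legitimate source, the “charged twice” travel lure) can be turned into simple inbox triage rules. The following is an added example written for this post, not Graphus code and not from the article: it parses a message with the Python standard library and reports four cheap indicators. The two sample messages, the `.example` domains and the urgency phrase list are constructed for the example; a real filter combines many more signals with authentication results such as SPF, DKIM and DMARC.

```python
"""Added example (not Graphus code, not from the article): cheap sender and link
checks that flag a message worth holding back or reporting. Sample messages and
the .example domains below are constructed for this demonstration."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure phrases; the article's "charged twice" travel scam is one of them.
URGENCY_PHRASES = ("charged twice", "account suspended", "verify immediately", "you've won")


class _LinkParser(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain(value):
    """Last two DNS labels of an address, URL or bare host ('' if none)."""
    if "@" in value and "://" not in value:
        value = value.rsplit("@", 1)[-1]
    if "://" not in value:
        value = "http://" + value
    labels = (urlparse(value).hostname or "").strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""


def _html_body(msg):
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def assess(raw_message):
    """Return the indicator labels found in one RFC 5322 message (given as a string)."""
    msg = message_from_string(raw_message)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Display name that is itself an address on a different domain
    if "@" in name and _domain(name) != from_dom:
        findings.append("display-name-domain-mismatch")

    # 2. Replies silently routed to a domain other than the claimed sender's
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    # 3. Link text that names one host while the href points at another
    parser = _LinkParser()
    parser.feed(_html_body(msg))
    if any("." in text and _domain(text) and _domain(text) != _domain(href)
           for text, href in parser.links if href):
        findings.append("link-target-mismatch")

    # 4. Pressure language in the subject line
    subject = msg.get("Subject", "").lower()
    if any(phrase in subject for phrase in URGENCY_PHRASES):
        findings.append("urgency-lure")
    return findings


# Constructed samples: one modelled on the fake "charged twice" booking email, one clean.
PHISHING_SAMPLE = """\
From: "billing@acme-travel.example" <alerts@mail-notices-xyz.example>
Reply-To: refunds@refund-desk-xyz.example
To: shopper@retailer.example
Subject: You were charged twice: claim your refund
Content-Type: text/html; charset=utf-8

<html><body><p>We charged your card twice. Review the transaction at
<a href="http://acme-travel-refund.example/login">acme-travel.example/bookings</a>
or open the attached statement.</p></body></html>
"""

LEGITIMATE_SAMPLE = """\
From: Acme Travel <bookings@acme-travel.example>
To: shopper@retailer.example
Subject: Your booking confirmation
Content-Type: text/html; charset=utf-8

<html><body><p>Thanks for booking. Manage your trip at
<a href="https://www.acme-travel.example/trips">www.acme-travel.example/trips</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, assess(sample) or "no indicators")
```

Each indicator on its own is weak (a marketing platform legitimately sets a different Reply-To, for instance), so the list is meant to drive quarantine or a “report this message” prompt rather than a hard block; the point is that the sender checks the article recommends can be made mechanical and applied before a shopper ever sees the lure.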

Security awareness training: A competent security program is a stepping-stone for organizations in blocking cyberattacks by cultivating their employees’ levels of security awareness. It gives employers the opportunity to add more eyes to their security team by empowering employees to recognize and avoid the common threats that they face every day. It’s also a smart investment that provides a big security boost without a major upfront cost. From teaching data handling best practices to preventing an employee from downloading a ransomware-laden attachment, security awareness training is the key to building a strong defense against today’s biggest cybersecurity threats.  

Use dark web monitoring: After stealing an organization’s data, more often than not, cybercriminals sell that data on the dark web. Therefore, monitoring the dark web for leaked or stolen information such as compromised passwords, breached credentials, intellectual property and other sensitive data can also help organizations take preventive measures before a threat actor uses it to fulfill their ill intentions.




Graphus stops phishing before it starts


Graphus is the world’s first AI-driven email security solution that automatically protects organizations from email-based ransomware attacks. The patented AI technology of Graphus creates a wall between organizations and cyberattacks, mitigating phishing attacks before they reach their systems. It automatically monitors communication patterns between people, devices, and networks to reveal untrustworthy emails, making it a simple, powerful, and cost-effective automated phishing defense solution for companies of all sizes.

  • Blocks sophisticated phishing messages before an employee can interact with them.
  • Puts 3 layers of protection between employees and dangerous email messages.
  • Seamlessly deploys to Microsoft 365 and Google Workspace via API without big downloads or lengthy installs.
  • Gives you actionable threat intelligence to help you gain insights into the effectiveness of your security, level of risks, attack types and more.

See how Graphus could benefit your organization. Book a demo here.  

Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.
Get a Demo of Graphus