Help Safeguard Retailers Against Social Engineering Attacks
Navigating the Complex Landscape of Evolving Threats and Cybersecurity Resilience
Over the last decade, social engineering cyberthreats have surged among retailers just as the sector's reliance on customer data, financial transactions and e-commerce platforms has intensified.
Social engineering, in which malicious actors exploit human vulnerabilities to obtain personal or financial information, can pose serious risks to retailers. As a result, chief information security officers and retail C-suite executives are often working to navigate a constantly evolving threat landscape, investing in robust cybersecurity measures, employee training and proactive defense strategies to help reduce risks.
Unfortunately, no company, regardless of size, is immune to the potentially disastrous effects of complex, sophisticated social engineering tactics.
New Cybersecurity Risks: A Click Away
In 2022, a multinational retail shipping giant fell victim to a massive SMS phishing attack, shining a spotlight on the pressing need for heightened vigilance and more robust cybersecurity strategies. Customers of the shipping service received deceptive text messages requesting payment before their packages could be delivered. An internal investigation revealed that cybercriminals had exploited the company's package look-up tools to access customer shipping information. Since then, multiple other retail shippers have also suffered SMS phishing attacks.
Phishing scams, which involve fraudulent attempts to obtain sensitive information by posing as a trustworthy entity, have been rapidly evolving and proliferating. David Naumann, a strategic marketing leader for Verizon, emphasized the vulnerability created by consumers' trust in retail brands. "If a bad actor launches a text-driven phishing attack, even a logical person might accidentally click on a fraudulent text because they're expecting a package. Attackers trick people because of the volume and number of customers who rely on these retail delivery services."
Impersonating Employees or Businesses
Attackers also use phishing emails to trick a company's employees into disclosing login credentials, which can give them access to systems that hold personally identifiable information (PII) and account data. Once that data is accessed and exfiltrated, the organization's employees and customers are exposed to the risk of identity theft and fraud. Exposed PII can also create compliance issues, compounding the woes of those hit with this type of social engineering attack.
Nick McMillon, a security solutions expert for Verizon, emphasized the threat posed by such attacks, including ransomware planted as a means of harvesting data. In August 2023, for example, a large Las Vegas casino group experienced a social engineering attack that resulted in the theft of personal information from members of its customer rewards program. The attack, which targeted an outsourced IT support vendor, led to unauthorized access affecting thousands of customers.
To help defend against social engineering attacks, McMillon advocates for a multipronged approach that includes employee training, customer education, threat detection and trust enforcement. He emphasizes the importance of access control and encryption as vital components of a comprehensive defense strategy against social engineering, helping to improve the safeguarding of networks, applications, devices and identities.
Insights From Verizon's Research
As outlined in Verizon’s 2024 Data Breach Investigations Report (DBIR), key social engineering takeaways include:
- The retail sector recorded 725 incidents, 369 of them with confirmed data disclosure.
- The top breach patterns were system intrusion, social engineering and basic web application attacks, which together account for 92% of retail sector breaches.
- Driven largely by financial motives, external actors were responsible for 94% of retail sector breaches.
- Credentials (38%) and payment card information (25%) were the most commonly compromised data types in the retail sector.
- Nearly three-quarters (73%) of social engineering pretexting and phishing incidents in the last year were attributed to business email compromise (BEC).
Social Engineering's Impact on Retailers
Social engineering attacks affect retailers in the following ways:
- Financial losses may result from fraudulent transactions, chargebacks and fines imposed by payment card networks for noncompliance with security standards.
- Operational disruptions, such as website downtime or system outages, may follow a successful attack.
- Reputational damage can occur when customers lose trust in the retailer's ability to protect their personal and financial information, potentially lowering sales and reducing brand loyalty.
- Legal repercussions may include regulatory fines for data breaches, lawsuits from affected customers and government investigations into the retailer's failure to comply with applicable data protection laws.
Retail Threats Ahead
New technologies, changing consumer behaviors and emerging attack tactics each play a role in the evolution of retail social engineering threats. As retailers adopt omnichannel strategies to integrate their online and offline sales channels, threat actors are likely to increasingly target these platforms with sophisticated social engineering attacks, from phishing emails to fake customer service calls and malicious websites.
What's more, the abundance of customer data flowing through omnichannel platforms increases the likelihood that an attack will succeed. Attackers may tailor social engineering lures to individual customers based on their purchase history, demographics and behavior, making the lures appear more legitimate and drawing in victims more easily, especially those who are in a hurry or alarmed by the apparent consequences of not acting.
Verizon offers integrated solutions that can help retailers - from employee awareness training to mobile security policy, security protection controls, detection and incident response, and ongoing testing and reporting.
Retail sector leaders who are working to harden their cybersecurity posture against this growing attack type can review a helpful resource on the topic from Verizon: Expert Guide to Lowering Social Engineering Risks.