How Retail Companies can Thwart Cybercrime During Peak Shopping Periods

It’s no secret that cybercrime is a growing threat to every organization, and retail companies are no exception. In fact, 80% of retailers experienced a cyberattack, according to a 2024 report, and 22% faced as many as 15 attacks. These incidents don’t just result in lost sales: they can significantly damage brand reputation and erode customer trust.

In particular, peak shopping periods like back-to-school and the holiday season create the perfect environment for cybercriminals to thrive — and carry out even more attacks. Consumers are busy, distracted and in search of deals, leaving even the most security-savvy shoppers vulnerable to scams that exploit the urgency and excitement associated with those times of the year.

Cybercriminals are keenly aware of this, and have become experts at using social engineering and playing on cognitive biases to craft ultra-effective attacks — whether it’s through fake websites, phishing emails or malicious texts — to trick shoppers into handing over their credentials and other personal information.

Furthermore, advancements in AI have made it easier and faster than ever to design and execute these scams. Cybercriminals can use generative AI to instantly create convincing product images, write phishing emails in perfect brand voice or even build fictitious customer service chatbots, making it that much harder for shoppers to identify scams.

But the onus isn’t on shoppers to recognize and thwart these attacks — it’s the responsibility of retail companies. Here’s how retailers can level up their security strategy to protect both their brand and their customers during peak shopping periods.

Reduce Internal Security Complexity

The biggest threat to retailers isn’t ransomware or shoppers that don’t follow security best practices — it’s the complexity of the very systems in place to protect them. IBM’s 2025 Cost of a Data Breach Report cites security system complexity as a top contributor to increased data breach costs.

Most retailers have adopted a plethora of security point solutions in an attempt to protect themselves and their customers, but they’ve neglected to address how to manage and integrate those solutions. As a result, detecting and containing attacks is more challenging and expensive — $207,914 more per data breach, per IBM’s report.

Instead of accumulating different security point solutions, retail companies should seek out a security platform that integrates with their IT systems so those systems can “talk” to one another and mitigate risk more effectively. A security platform provides the visibility required to spot and connect the dots between suspicious activities, rather than sifting through siloed alerts. This lets retailers contextualize potential threats quickly so they can take action before those threats escalate.

Go Back to Security Basics

While technology has evolved dramatically in recent years, most cybercriminals are still using basic techniques to carry out their attacks — simply because they still work. Therefore, retailers should ramp up their security fundamentals to better protect their brand and customers.

For example, phishing attacks remain a go-to tactic for stealing credentials and other personal information from shoppers. There are multiple ways to catch phishing attacks before, during and even after credentials have been stolen, and the same techniques that have been used for decades still apply today.

Techniques like embedding beacons in website code and monitoring referrer logs can clue retailers in to when fake websites are copying or redirecting their content. Additionally, retail companies can register lookalike domains to guide shoppers to their legitimate website, which gives cybercriminals fewer opportunities to exploit shoppers. If credentials are stolen, tools like two-factor authentication (2FA) and multi-factor authentication (MFA), behavioral anomaly detection, location-based validation and even biometrics can block unauthorized access.
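
A minimal sketch of the beacon and referrer-log check described above, added here as an illustration and not taken from the article. It assumes Combined Log Format access logs, a 1x1 beacon image at a hypothetical path, and placeholder hostnames; the log lines are constructed.

```python
import re
from collections import Counter
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumptions for this sketch: the retailer's own hosts, approved partner
# hosts, and a 1x1 beacon image referenced from every page template.
OWNED = {"shop.example", "www.shop.example"}
PARTNERS = {"partner.example"}
BEACON_PATH = "/static/b.gif"

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "ua"
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" \d{3} \S+ "([^"]*)"')

def suspicious_referrers(log_lines, brand="shop.example"):
    """Return [(host, beacon_hits, similarity_to_brand)] for unknown referrers."""
    hits = Counter()
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        _ip, path, referer = m.groups()
        host = (urlsplit(referer).hostname or "").lower()
        # A beacon fetched with a foreign Referer means the retailer's markup
        # is being served from, or framed by, a page on that host.
        if (path.split("?")[0] == BEACON_PATH and host
                and host not in OWNED | PARTNERS):
            hits[host] += 1
    scored = [(h, n, round(SequenceMatcher(None, h, brand).ratio(), 2))
              for h, n in hits.items()]
    # Closest lookalike names first, then by request volume.
    return sorted(scored, key=lambda t: (-t[2], -t[1]))

# Constructed sample log lines (documentation IPs and reserved TLDs).
_T = "[28/Nov/2025:10:01:02 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {_T} "GET /static/b.gif HTTP/1.1" 200 43 "https://www.shop.example/deals" "UA"',
    f'198.51.100.9 - - {_T} "GET /static/b.gif HTTP/1.1" 200 43 "https://shop-example.deals-login.test/checkout" "UA"',
    f'198.51.100.22 - - {_T} "GET /static/b.gif?v=2 HTTP/1.1" 200 43 "https://shop-example.deals-login.test/checkout" "UA"',
    f'192.0.2.14 - - {_T} "GET /static/b.gif HTTP/1.1" 200 43 "http://sh0p.example/" "UA"',
    f'192.0.2.30 - - {_T} "GET /static/b.gif HTTP/1.1" 200 43 "-" "UA"',
    f'192.0.2.31 - - {_T} "GET /products/1 HTTP/1.1" 200 5120 "https://partner.example/" "UA"',
]

if __name__ == "__main__":
    for host, count, sim in suspicious_referrers(SAMPLE):
        print(f"{host}\tbeacon_hits={count}\tsimilarity={sim}")
```

Hosts surfaced this way are candidates for takedown requests and for defensive registration; requests with an empty referrer are ignored here because they carry no origin to act on.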

Simplify Security for Customers

If security is burdensome or clunky, shoppers won’t hesitate to go elsewhere. In addition to preventing attacks, retailers need to focus on reducing friction for customers who want to enable stronger security. Ideally, protecting one’s information should be as simple as a single click to opt in.

Robust authentication methods like 2FA and MFA, passkeys and magic links are crucial for protecting customer information, especially during peak shopping periods. However, it’s equally important for retailers to make these protections easy to opt in to and use. Otherwise, customers will avoid them in favor of easier, less-secure options.

To encourage adoption, retail companies should provide information on the benefits of opting in to these safeguards and ensure setup is seamless. They can even offer small incentives, like exclusive discounts or early access to sales, for customers who opt in.

Cyberattacks in retail aren’t going anywhere. They’ll only continue to increase in volume, sophistication, and impact. By reducing complexity, doubling down on fundamentals and streamlining security for shoppers, retailers can better protect their business and their customers during peak shopping periods. Retail companies that take action now will be well-prepared to keep up with evolving threats and support better business outcomes overall.


Etay Maor is the Chief Security Strategist at Cato Networks, a founding member of Cato CTRL, and an industry-recognized cybersecurity researcher. Prior to joining Cato in 2021, Maor was the Chief Security Officer for IntSights (acquired by Rapid7), where he led strategic cybersecurity research and security services. Maor has also held senior security positions at Trusteer (acquired by IBM), where he created and led breach response training and security research, and RSA Security’s Cyber Threats Research Labs, where he managed malware research and intelligence teams. Maor is an adjunct professor at Boston College and is part of the Call for Paper (CFP) committees for the RSA Conference and Qubits Conference. He holds a Master’s degree in Counterterrorism and Cyber-Terrorism and a Bachelor’s degree in Computer Science from IDC Herzliya.
