Retail Cybersecurity: Common Threats and How to Avoid Them

Shopping season is a hacker’s paradise for those who are looking to take advantage of overwhelmed companies and websites. The shopping period, with a raft of sale discounts and other offers, often sees an increase in website attacks. And while retailers may know that they are under increased pressure, they may not have the resources to bulk up their cybersecurity defences given their priority on customer service, shipping, and other necessary prerequisites.

It is thus important to shed light on the most common types of threats that retailers face during the shopping season and also offer some recommendations on how to stay secure and safe.

Retail Cybersecurity Challenges and Threats

Threat 1: Payment skimmers

Knowing that traffic and transactions are at an all-time high during busy shopping seasons, hackers seek to steal valuable payment data from unwitting customers and retailers alike. This can be done by compromising physical POS systems with malware. If retailers are using any legacy POS systems or haven’t updated them in a while, the devices may be vulnerable to known exploits.

With PoS systems and terminals likely to be inundated with a surge in customers, hackers know that this would be prime time to launch an attack in hopes of stealing valuable credit card data.

Threat 2: SQL Injection

Hackers can also compromise a retailers site to steal payment data at the time of an online purchase. This is often done via an SQL injection, which drops malicious code into a site that lurks and steals data. This allows hackers to steal payment data entered into a field without the customer or the knowing.

Magecart is one of the more notorious methods of attack that exploit unpatched Magento versions to drop malicious code to either steal payment data, redirect links to malicious sites, and more recently, mine cryptocurrency without the victim’s knowledge.

While this is an attack that can be leveraged at any time, savvy hackers may choose a time where the attack is likely to go unnoticed given the flurry of activity in stores and websites. If the retailer is inundated with alerts and other pressing issues, any alert that highlights a potential issue may be ignored, dismissed as a false alarm, or may not be addressed in time.

Threat 3: Fraudulent transactions

Cybercriminals can try and make a quick buck by committing shopping fraud in two main ways. They can either commit payment fraud, which uses a stolen credit card (stolen via the two methods described above, or via a data breach) to make a purchase.

This can hurt retailers as victims are likely to report the fraudulent purchases. The credit card company will then refund the purchase, passing the cost over to the retailer while charging them a fee for the whole process.

Return fraud is another commonly carried out tactic used by scammers and thieves. Done in person or online, scammers can return stolen merchandise or use altered receipts to get a refund for an item they never purchased (and that the retailer will never receive). Without the right authentication or verification process in place, scammers can continue to fake returns and reap cash until the scam is finally flagged.

Given that margins are likely to be tight during these large sale periods, a retailer may actually lose money because of these fraudulent tactics.

Hackers know to carry out these attacks during the shopping season to avoid detection. Without the right detection/monitoring systems, it’s hard to sift through a huge increase in transactions to spot a fraudulent one.