The retail industry is under attack from cybercriminals. Recent research shows that it’s only getting worse: according to Symantec’s 2016 ISTR report, retail was the most heavily exposed industry to phishing attacks in 2015, with 1 in every 690 emails fraudulent. The Anti-Phishing Working Group’s Q4 2015 phishing report shows that 24 percent of email attacks in that quarter were targeted at the retail sector—more than any other industry in that time period.
Unfortunately, the email threats facing retailers are not inspiring enough action. We surveyed the National Retail Federation’s Top 100 North American Retailers index and found that only 18 percent had taken initial steps toward proactively protecting their customers and enterprise from phishing attacks with a DMARC (Domain-based Message Authentication Reporting and Conformance) record.
Complacency is not an option when it comes to email fraud. Phishing costs brands worldwide $4.5 billion each year and 95 percent of all attacks on enterprise networks are the result of successful spear phishing.
Here are five actions retailers can take right now to protect their consumers and businesses from phishing attacks.
Action 1: Implement a DMARC record
DMARC is the most sophisticated email authentication standard out there—it not only guarantees that bad email gets blocked before it hits the inbox but it also gives you full visibility into what email is authenticating, what email is not, and why.
Implementing DMARC is now a necessity. Return Path’s guide, “Getting Started with DMARC,” is a great resource to help kick-start the process.
Action 2: Leverage email threat intelligence resources
While DMARC addresses email threats that spoof your legitimate sending domains, it does not protect your company or customers from attacks spoofing your brand using domains your company does not own (a.k.a. “brand spoofing”).
Unlike domain spoofing, which leverages a legitimate sending domain owned by a company (phish@retailbrand.com), brand spoofing uses a number of other tactics to trick customers into thinking that the email is legitimate and coming from a reputable brand (retailbrand@phish.com). Here’s an example of a brand spoofing attack targeting Amazon:
Traditionally, these attacks have been very difficult to mitigate—brands lacked visibility and relied on customers to report abuse. Now, it is possible to see all email attacks spoofing your brand, and react quickly to shut them down before your customers are compromised.
Action 3: Educate your customers
The reality is, some attacks are always going to get through. The more prepared your customers are, the better. Provide helpful resources on your homepage that educate customers on how to spot fraudulent activity and where to report it, like Walmart:
Action 4: Educate your employees
In addition to educating your customers, train your employees on how to spot a phishing email. Provide them with best practices, including:
- Do not trust the Display Name—the “From” field is easily manipulated
- Look before clicking on links—it’s easy to embed malicious URLs within trustworthy text
- Check for suspicious language including urgent requests
Our blog post, “10 Tips on How to Identify a Phishing or Spoofing Email” is a great resource for learning how to spot phishing emails.
Action 5: Become an R-CISC member
Collaborating with other retailers around the world is essential when it comes to cybersecurity. Becoming a member of The Retail Cyber Intelligence Sharing Center (R-CISC) is a great way to engage with and learn from your peers.
Created by retailers in response to the increased number and sophistication of cyber attacks against the industry, the R-CISC fosters collaboration on security, providing best practices and threat intelligence to its members. Next week, Return Path will sponsor the inaugural Retail Cyber Intelligence Summit that brings together top information security leaders and teams representing the most prominent retail and consumer services organizations throughout North America.
While there’s a lot more retailers can do to prevent phishing attacks targeting their customers and employees, these five actions are a great start. To dive deeper into the security challenges facing the retail industry and best practice for fighting back, download “The Retail Guide to Email Fraud.”