Online sales and direct-to-consumer (D-to-C) shopping have transformed retail and the way today’s consumers discover and purchase goods and services. Challenger D-to-C brands such as Casper, Bonobos, and Stitch Fix have forced traditional brick-and-mortar brands to step up their digital presence so they don’t lose market share. With the majority of shopping taking place through e-commerce platforms and mobile devices, retailers need to be aware of the potential dangers that exist for themselves and their customers. One such danger is the increasing rate at which email, rather than direct mail, is being used by retailers for commerce and marketing initiatives.
There are four types of email threats retailers need to consider and prepare for: sender fraud, recipient fraud, CEO fraud, and business email compromise (BEC)/email account compromise (EAC). The reality, however, is that most retailers haven’t taken the necessary steps or employed the right technology to prevent such attacks. Our most recent report, which we conducted last month, looked at the retail sector ahead of Black Friday and Cyber Monday, and was based on whether the retailer had a basic email protocol in place which would protect it against the threat of email domain impersonation.
Domain-based Message Authentication, Reporting and Conformance (DMARC) is a globally recognized email standard that authenticates the sender and makes it easier for the receiving email client to determine whether an email is from a legitimate sender. In doing so, retailers would be able to protect their customers from fake order confirmation emails, transaction links and promotions.
Our report found that only 15 (12.5 percent) of STORES’ Top 100 Retailers of 2019 had that protection in place. Of those 15 retailers with their DMARC policy set in protection mode, nine of them had their policy set to reject — i.e., the strongest form of protection, meaning impersonated emails wouldn’t make it past the gateway. Those retailers include Walmart, Verizon Wireless, Kohl’s, Gap, Wegmans, Tractor Supply Co., Burlington Coat Factory, Ikea, and Williams-Sonoma. Rounding out the top performers were Amazon.com, Apple, Dressbarn, Lane Bryant, Wayfair, and Belk, which all had their DMARC policy set to quarantine, directing illegitimate emails to the junk folder.
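The policy levels the report scores (reject as the strongest, quarantine routing mail to junk, none offering no protection) can be read straight off a domain's DMARC record. The following is an added example, not code from the report or from Red Sift: it parses a record and classifies the posture, flagging a `pct` below 100 as only partial protection. The sample records and the domain `retailer.example` are constructed; a real check would fetch the TXT record at `_dmarc.<domain>` from DNS.

```python
"""Classify a domain's DMARC posture (reject / quarantine / none) from its
_dmarc TXT record. Added example; sample records are constructed, not real
retailers' DNS data. In production the record comes from DNS: _dmarc.<domain>."""


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lowercase tag -> value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(record: str) -> str:
    """Return 'reject', 'quarantine', 'none', 'partial' or 'invalid'.
    'partial' = quarantine/reject with pct below 100: the policy applies only
    to a sample of failing mail, so impersonated messages can still reach
    inboxes and the domain is not fully protected."""
    try:
        tags = parse_dmarc(record)
    except ValueError:
        return "invalid"
    # Receivers ignore records that do not start with the version tag.
    if not record.strip().lower().startswith("v=dmarc1"):
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        return "invalid"
    pct = tags.get("pct", "100")  # RFC 7489 default: apply policy to 100%
    if not pct.isdigit() or int(pct) > 100:
        return "invalid"
    if policy != "none" and int(pct) < 100:
        return "partial"
    return policy


# Constructed sample records for an assumed domain, retailer.example.
SAMPLE_RECORDS = {
    "v=DMARC1; p=reject; rua=mailto:dmarc@retailer.example": "reject",
    "v=DMARC1; p=quarantine; pct=100; adkim=s": "quarantine",
    "v=DMARC1; p=reject; pct=50": "partial",
    "v=DMARC1; p=none; rua=mailto:dmarc@retailer.example": "none",
    "p=reject; v=DMARC1": "invalid",  # version tag must come first
}
```

Only `reject` and `quarantine` with full `pct` correspond to the "protection mode" counted in the report; `none` and `partial` still let impersonated mail through.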
Resistance to adopting DMARC is likely to stem from the daunting task of implementing the protocol, even though it is a globally ratified verification standard that has been widely adopted by the major email providers (Gmail, Yahoo, Microsoft, etc.). And while that adoption means customer inboxes are already protected, the same can’t be said for all retailers.
If retailers also adopted the protocol, which has become less daunting given the number of services now available to help them, their emails would be validated and phishing attacks would be minimized. Not only would DMARC protect their reputation, but it would also improve the deliverability of their emails as email service providers begin to send more unverified emails to junk folders to safeguard their users.
With established regulations in place such as GDPR and CCPA, organizations need to be more careful than ever if they're going to avoid the fallout from a cyber attack, both on the public relations and financial fronts. Deploying DMARC protection is a straightforward and attainable defense against phishing attacks that retailers should be implementing to protect not only their own reputations and bottom lines, but their customers’ data and finances, too.
Rahul Powar is co-founder and CEO at Red Sift, a data-driven cybersecurity company on a mission to democratize the technology vital for organizations of any size or sector to defend against security threats.
Rahul is a serial entrepreneur, technologist and leader. Prior to Red Sift, he founded Apsmart which was acquired by Thomson Reuters Corporation in 2012. At Thomson Reuters he served as the Head of Advanced Products & Innovation. In a previous life he was part of the founding team and principal technical architect of Shazam. Before the launch of the iTunes AppStore, he envisioned and created the first Shazam iPhone App.