For companies in the retail and hospitality sector, the holiday shopping season represents their busiest time of year, both for sales and fighting cybercrime threats.
This year is no different, with companies in the sector anticipating that phishing, fraud, credential harvesting, and the ever-evolving malware landscape will cast a shadow over their security posture in the coming months, according to a report published by Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) this week.
The 2022 RH-ISAC Holiday Season Threat Trends Summary report polled analysts and members of the industry group about what their security focus is this season — which is defined as the time between Oct. 1 and Dec. 31, when people tend to do their online shopping for holidays that are celebrated in much of the world — as well as what they experienced in the previous 2020 and 2021 holiday seasons. RH-ISAC associate member Flashpoint also provided research and data for the report.
While many threats plaguing the sector have remained consistent over the years, others are evolving rapidly as threat actors develop new malware and exploit fresh vulnerabilities, posing new issues and requiring both reinforcement and change in defense tactics with each season.
Phishing and Credential Theft
Retailers cited recurring threats as their biggest worries this year, with phishing — which the organizations noted is a year-round concern — a significant worry that remains consistent. In 2020, nearly 20% of retailers said phishing was the most frequently shared threat among their member exchange, Slack, and the core member listserv boards, while the number was 16% in 2021, according to the report.
Indeed, the holiday season tends to bring a host of socially engineered promotional campaigns aimed at fooling account holders to harvest their credentials and perform other nefarious activities, organizations noted.
Of more concern than phishing, however, is what is often a result of that threat activity: credential harvesting, which 42% and 37% say was the most-shared threat in 2020 and 2021, respectively. Retailers also worry about a rise by threat actors in the use of info-stealers that harvest customer data purchase don hacker forums, as well as customer account takeover that typically ramps up over the holidays.
