Consumers and retailers — watch for these end-of-year attacks

Print Friendly, PDF & Email

Criminals are active all year long, but cyberattacks always increase during the end-of-year holiday season. There’s nothing new or exciting about the reasons behind this increase, except for the fact that online shopping continues to grow and attackers target vulnerable demographics. Retailers and shoppers are particularly vulnerable during the holiday shopping season because shoppers are in a hurry, tired, and thinking more about the gift and less about the transaction. Retailers are under pressure to maintain accurate inventory, protect consumer data, and keep omnichannel operations functioning at peak performance levels. This environment makes it easy for mistakes to go unnoticed until an attack is discovered.

The Better Business Bureau (BBB) has published a “12 scams of Christmas” list that detail what the Bureau has identified as the most likely scams this season. Here are a few of the scams included in that list:

Misleading social media ads: These ads promote fake products, services, or charitable contributions. Victims send money without realizing the company is fake or the products are low-quality counterfeit products that are different from the ad. The BBB has resources on misleading adsfree trial offers, and counterfeit goods, so be sure to check that out before making a transaction.

Alerts about compromised accounts: These emails are crafted to look like Amazon, PayPal, or some other popular website. The message warns recipients of suspicious activity on their account and includes a link to a look-alike website that will phish the victim’s personal information and possibly install malware on the victim’s PC.

Brand impersonation sample caught and analyzed by Barracuda Email Protection

Fake shipping notifications: These follow the same formula as the alerts. Targets are informed that a delivery is on the way or has been missed. The message includes a malicious link for the victim to follow to resolve errors. The attacker wants the victim to dispute the purchase, track the shipment, or take some other action that involves clicking the malicious link. This is a reliable scam that attackers use every year, all year long.

Compromised retailers

Beyond the scams identified by the BBB are the attacks that use a compromised retailer to get consumer payment data or other personal identifiable information (PII):

Point-of-sale (POS) malware: This is the type of attack that hit Target in 2013. Attackers installed malware on the POS system after finding their way into the network through an HVAC service provider that had access to Target’s business network. The malware was designed to steal payment card information and send it off-site to the hackers’ servers. The malware captured 40 million customer credit and debit cards during the 2013 holiday season. The breach compromised the personal data of more than 60 million Target customers and by 2017 had cost Target almost $300 million. Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor experienced similar attacks in 2018 when the payment system of their parent company was breached.

Insecure web applications: Retailers rely on e-commerce, live-chat, web portals, and other web applications to connect with customers and suppliers. Insecure code and misconfigured applications compromise the corporate network and the person accessing the application. The 2020 Verizon Data Breach Investigations Report (VDBIR) revealed that misconfiguration of internet-facing assets is one of the fastest growing threats leading to data breach. Some examples:

  • Macy’s International was breached in 2019 when an unauthorized third party added unauthorized code to

“… the code allowed the third party to gain access to information submitted by customers on both the checkout page, where credit card data is entered, and the site’s wallet page, which is accessed through the shopper’s “My Account” menu.”

  • The Adidas US website was breached in 2018 by an “unauthorized party.” This exposed customer information, including login credentials, of “a few million” Adidas customers.
  • The corporate websites for Kay Jewelers and Jared the Galleria of Jewelry included a flaw that exposed information for orders placed online. Kay and Jared are owned by parent company Signet Jewelers. In October 2021, Signet fixed a nearly identical flaw in the website of subsidiary Zales Jewelry.

How to protect against end-of-year attacks

Email and web application attack examples are not “holiday” threats, but there are more of them during the holiday season. More customers are using retail web applications and POS systems, and retailers are sending more emails around transactions, gift cards, and product promotions.

Brush up on safe online shopping and tips on avoiding scams by visiting the BBB website. Retailers and other businesses should have complete email protection that defends the company from phishing, domain fraud, impersonation, and more. Protect websites and other public-facing applications with a web application firewall (WAF) that defends against bots, data leaks, OWASP Top 10, and other attacks.

Barracuda Email Protection and Barracuda WAF-as-a-Service can protect retailers and consumers from criminal attack and human error. For a free trial visit

Scroll to top