From high-end brands like Cartier to national staples like the Co-op, 2025 has seen a surge in serious cyberattacks targeting retailer operations. Alongside prominent attacks on front-end brands, wholesale retailers and distributors are also heavily targeted, with victims including Peter Green Chilled in the UK and United Natural Foods in the US.

The data theft and supply disruption from these incidents can come with a hefty financial cost, as well as causing lasting damage to a brand’s reputation. For the victims and their customers, a serious breach can feel like a bolt from the blue, but these attacks are usually far from random, writes Mick Leach, Field CISO at Abnormal AI.
More attacks are now following the retail calendar, exploiting peak trading periods, seasonal pressures and operational distractions, to stack the odds in attackers’ favour. Retailers need to strengthen their defences so they’re not caught off guard when it matters most.
How criminal gangs have aligned with retail schedules
While all business sectors have their particular rhythms, few are as regular as retail. From seasonal promotions to holiday surges, the industry follows a highly predictable pattern every year—and the cybercriminals have noticed. While some cyberattacks are still launched more or less at random, the savvier and more organised cybercriminals are carefully aligning their campaigns with these cadences.
Our research has found clear spikes in email-based attacks targeting retailers during high-pressure periods. For UK retailers, Q2, which includes the lead-up to summer sales, averaged approximately 10% more malicious emails per inbox than the quieter periods. The trend was even more pronounced for phishing emails, with a 14% increase for the busiest times of the year. Phishing is by far the most common form of email attack, and is an effective weapon because messages are designed to blend into expected email traffic. The regular rhythms of retail business provide useful camouflage.
Notably, business email compromise (BEC) – impersonation attacks that specifically target and impersonate senior executives – saw a counter-rhythm to normal phishing. These advanced attacks tended to be most active during the first quarter of the year, coinciding with UK budgeting cycles and vendor contract negotiations.
Cybercriminals are timing their attacks to hit when retailers are most likely to be busy, with staff and systems stretched to the maximum and urgency overriding caution. It’s a tactic that many retailers still aren’t prepared to defend against.
Why retail is uniquely exposed to cyber threats
So why are cybercriminals putting so much energy into attacking retailers? Unfortunately, most retail organizations have many traits that make them ideal targets for criminal gangs seeking illicit paydays.
The sector offers a treasure trove of customer data, including personal and financial information. Operations are also especially vulnerable to disruptive ransomware attacks that encrypt data and systems, as demonstrated by the recent spate of attacks.
Further, retail environments are typically fast-paced, resource-stretched, and highly dependent on digital infrastructure. Many retailers operate with lean IT staff and fragmented oversight across multiple sites and supply chain partners.
During seasonal peaks, temporary and part-time staff are often brought in to handle demand, adding complexity and making it harder to maintain consistent security awareness.
Finally, there’s the fact that retail is a sector heavily reliant on email. From order confirmations to supplier communications and internal logistics, email remains central to daily operations. Cybercriminals have become increasingly adept at hijacking these communications with realistic fake supplier requests, spoofed invoices, directives from senior management, and any number of other messages that blend into the expected daily inbox.
Suppliers are also specifically targeted with Vendor Email Compromise (VEC) attacks that exploit trusted customer and supplier relationships. These attacks either impersonate known contacts using email addresses spoofed to appear genuine or send malicious messages from real accounts that have been compromised.
These well-crafted fakes can bypass legacy email defenses and appear authentic even to seasoned staff members.
Timing isn’t just a threat—it’s an opportunity
The constant influx of malicious emails hitting retail inboxes won’t let up any time soon. However, if attacks are becoming predictable, so too can defenses. Retailers already plan staffing, promotions and logistics around seasonal peaks. Security strategies should be no different.
Aligning defences with known risk periods gives organizations the advantage. If retailers know there are likely to be more attacks in Q2, they can ensure their defenses are ready. This could include more intensive awareness campaigns, training for staff in the build-up to risk periods, and bringing in extra capacity for the Security Operations Center (SOC).
Likewise, organizations should be aware of the increased threat from BEC attacks during Q1, tightening up finance and procurement processes to reduce the chances of successful deceptive attacks.
Cybercriminals rely on distraction and fatigue to get through, so anticipating and proactively preparing for attacks robs them of the initiative.
Moving from static tools to smart, supported email defense
Along with clever timing and deceptive tactics, cyber attackers also have the advantage because traditional defences like secure email gateways and rule-based spam filters were built for an earlier era. Today’s socially engineered threats blend seamlessly into normal business, mimicking suppliers, hijacking conversations, and using flawless AI-generated language to avoid detection, so stopping them requires adaptive protection.
This is why behavioral AI is one of the most useful tools in combatting these modern attacks. The technology can analyze communication patterns, understanding who contacts whom, how often, and in what tone to establish a baseline of normal activity. Anomalies such as an unexpected payment request from a finance lead can be identified before the harm is done.
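The baseline idea described above can be sketched in a few lines; this is an added example, not the author's or any vendor's implementation, and it is a deliberately simplified stand-in for behavioral analysis. It learns who contacts whom and how often from past mail, then flags a payment request that is new for a sender-recipient pair and a sender domain that closely resembles a known one, as in the spoofed supplier addresses mentioned earlier. All addresses, subjects, the keyword list and the 0.9 similarity threshold are assumptions constructed for illustration.

```python
from collections import Counter
from difflib import SequenceMatcher

# Assumed keyword list for payment-themed subjects (illustrative, not exhaustive).
PAYMENT_TERMS = ("invoice", "payment", "bank details", "remittance")

def is_payment(subject):
    s = subject.lower()
    return any(term in s for term in PAYMENT_TERMS)

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def build_baseline(history):
    """Learn who contacts whom, how often, and which pairs discuss payments."""
    pairs, payment_pairs, domains = Counter(), Counter(), set()
    for m in history:
        key = (m["from"].lower(), m["to"].lower())
        pairs[key] += 1
        payment_pairs[key] += is_payment(m["subject"])
        domains.add(domain(m["from"]))
    return {"pairs": pairs, "payment_pairs": payment_pairs, "domains": domains}

def anomalies(msg, base, lookalike=0.9):
    """Return the ways a message departs from the learned baseline."""
    key = (msg["from"].lower(), msg["to"].lower())
    found = []
    if base["pairs"][key] == 0:
        found.append("first_contact")
    if is_payment(msg["subject"]) and base["payment_pairs"][key] == 0:
        found.append("unexpected_payment_request")
    d = domain(msg["from"])
    # A domain never seen before that is nearly identical to a known one.
    if d not in base["domains"] and any(
        SequenceMatcher(None, d, known).ratio() >= lookalike
        for known in base["domains"]
    ):
        found.append("lookalike_domain")
    return found

# Constructed sample traffic: an executive's routine updates and a real supplier.
AP = "ap@retailer.example"
HISTORY = (
    [{"from": "cfo@retailer.example", "to": AP, "subject": "Weekly trading update"}] * 4
    + [{"from": "accounts@northfield-foods.example", "to": AP, "subject": "Invoice 1041"}] * 3
)
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    spoof = {"from": "accounts@northfie1d-foods.example", "to": AP,
             "subject": "Invoice 1044 - updated bank details"}
    print(anomalies(spoof, BASELINE))
```
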
But technology works best when paired with people who feel empowered to act. Retailers also need to create a culture where staff can report suspicious messages without fear of blame, supported by clear guidance during peak periods.
A combination of intelligent detection and confident employees forms a defense that can adapt as quickly as the attackers, blocking malicious emails before they reach inboxes, and ensuring that if one does slip through, someone is ready to spot and stop it—regardless of when the attacker strikes.

