How Retail Security Teams Can Thwart Cybercriminals This Holiday Season
'Tis the season for online shopping to skyrocket, and that means 'tis also the season for cybercrime to soar. Now is the time for retail security teams to reinforce safeguards to protect consumers (and their companies). This year, we can expect to see more of the same threats from years past: sales poisoning, malicious emails touting sales that are too good to be true, fake websites, "malvertising," invoice scams, and more.
The problem is these scams are becoming more plentiful — and more convincing — by the minute as cybercriminals increasingly use artificial intelligence to carry out ultra-sophisticated attacks. Just a few years ago, creating a believable fake website or invoice scam might have taken malicious actors several hours to a few days. But now, with the help of AI, they can stand up a phony website or generate legitimate-looking invoices in a matter of seconds. Committing fraud has never been easier.
Shoppers are especially vulnerable to these attacks during the holidays because they're busy and distracted, making them less likely to be discerning about the information in emails, websites and ads. Additionally, the cognitive biases humans have year-round are amplified during this time.
Socially engineered attacks that exploit scarcity bias make shoppers feel the need to jump on deals before they’re gone without taking the time to ensure their validity. Similarly, hyperbolic discounting (i.e., our propensity to prefer immediate rewards over long-term benefits) can also influence consumers to make fast purchases or divulge personal information without much thought. Finally, the halo effect that causes us to trust reputable brands indiscriminately can be leveraged to create scams that appear to come from brands whose legitimacy we would never question.
Bearing all of this in mind, retail security teams need to be doing everything they can to thwart these threats. Here are a few protections they can put in place before the chaos of the holiday shopping season is in full swing:
1. Reduce reliance on passwords.
It’s been well-established that passwords alone aren’t a secure means of authentication; 59 percent of them can be breached in under an hour. If retailers want to protect customer accounts — and the customer experience — they need better alternatives. Smart retail companies understand this, and many now support more user-friendly options like Google One Tap and social logins. Passwordless authentication methods like magic links and passkeys are another way to strengthen security without adding extra friction for users.
Retail security teams that haven’t yet enabled these authentication methods should strongly consider doing so to support a better, more secure shopping experience not just during the holidays, but year-round. This can also help them stand out among competitors that may not yet offer these options.
2. Implement step-up authentication where it makes sense.
Retail security teams can ramp up security further by implementing step-up authentication, especially for sensitive actions that could signal an account takeover. For example, users should be required to complete a multifactor authentication (MFA) challenge before changing information like their password, backup email, or delivery address.
Step-up authentication should also be triggered in other situations, like if a sale amount is unusually high or if the user is logging in from a new device. This is where passwordless authentication methods (e.g., passkeys and magic links) really shine by making MFA fast and easy for users. The key is to only require step-up authentication when it’s truly necessary so as not to overburden shoppers.
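As an added example (not code from the article or from Descope), here is a minimal step-up policy that encodes the three triggers described above: sensitive profile changes, an unusually high order amount, and a request from a device the account has not seen before. The field names, the threshold multiplier, and the sample account and requests are assumptions; routine actions from a known device produce no challenge, which is the "only when truly necessary" property.

```python
from dataclasses import dataclass, field

# Profile fields whose change must be preceded by an MFA challenge.
SENSITIVE_FIELDS = frozenset({"password", "backup_email", "delivery_address"})
# Assumed policy knob: an order above this multiple of the account's typical
# spend is treated as "unusually high".
HIGH_AMOUNT_MULTIPLIER = 3.0


@dataclass
class Account:
    """What the service knows about the account at request time (assumed fields)."""
    known_devices: set = field(default_factory=set)
    typical_order_amount: float = 50.0


@dataclass
class Request:
    """One already-authenticated request: action, originating device, details."""
    action: str              # "login", "checkout" or "update_profile"
    device_id: str
    amount: float = 0.0      # checkout only
    changed_field: str = ""  # update_profile only


def step_up_reasons(req: Request, acct: Account) -> list:
    """Return why an MFA challenge is required; an empty list means no challenge."""
    reasons = []
    if req.action == "update_profile" and req.changed_field in SENSITIVE_FIELDS:
        reasons.append(f"sensitive field change: {req.changed_field}")
    if req.action == "checkout" and req.amount > HIGH_AMOUNT_MULTIPLIER * acct.typical_order_amount:
        reasons.append(f"unusually high order amount: {req.amount:.2f}")
    if req.device_id not in acct.known_devices:
        reasons.append(f"unrecognized device: {req.device_id}")
    return reasons


def requires_step_up(req: Request, acct: Account) -> bool:
    return bool(step_up_reasons(req, acct))


if __name__ == "__main__":
    # Constructed sample account and requests.
    acct = Account(known_devices={"laptop-01"}, typical_order_amount=40.0)
    samples = [
        Request("update_profile", "laptop-01", changed_field="newsletter_opt_in"),
        Request("update_profile", "laptop-01", changed_field="delivery_address"),
        Request("checkout", "laptop-01", amount=35.0),
        Request("checkout", "phone-77", amount=900.0),
    ]
    for r in samples:
        print(r.action, "->", step_up_reasons(r, acct) or "no challenge")
```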
3. Educate and incentivize shoppers to participate in better security.
Educating and incentivizing shoppers can go a long way in strengthening security. This doesn’t demand a heavy-handed approach, either. Simple things like a pop-up explaining why step-up authentication is necessary for certain transactions can build trust with customers and encourage compliance. Another example could be including quick blurbs like, “We will never call you and ask for your OTP code,” in the form of pop-ups on the website or in the body of post-purchase emails.
Retail security teams can also run campaigns to motivate shoppers to turn on MFA, which may or may not include incentivization. For instance, retailers might conduct a holiday awareness campaign targeting customers who don’t have MFA turned on. They could explain the heightened prevalence and dangers of scams this time of year, and briefly touch upon the benefits of enabling MFA. To sweeten the deal, they might offer shoppers who turn on MFA perks like special discounts or early access to sales.
Between friction-free passwordless authentication methods, step-up authentication, and education and incentivization, retail security teams will be well-positioned to keep shoppers safe this holiday season. However, the work doesn’t stop there. Security is a year-round effort, and the retail companies that treat it as a continuous priority — not a seasonal scramble — will foster deeper trust and loyalty with customers.
Rishi Bhargava is co-founder of Descope, the drag-and-drop external IAM platform.
Rishi Bhargava is a co-founder at Descope, a stealth startup building something in the authentication space for application developers. In a career spanning over 20 years, Rishi has run product, strategy, go-to-market, and engineering for category-creating cybersecurity startups and large enterprises. Before Descope, Rishi served as VP of Product Strategy at Palo Alto Networks which he joined via the acquisition of Demisto, a security operations startup. Rishi was a co-founder at Demisto where, under his stewardship, the company created and later led a new “security orchestration” category within 3 years before being acquired. Prior to Demisto, Rishi was VP and GM of the Datacenter Group at Intel Security, launched multiple products at McAfee (acquired by Intel), and played a key role in product strategy and growth at change management startup Solidcore (acquired by McAfee).