Retail Cybersecurity Trend 3: Email Phishing Scams

November is Retail Privacy Month

Despite the common knowledge around email phishing scams, they continue to wreak havoc on every major industry and even on individuals. The 2019 FBI Internet Crime Report had phishing scams as the most common complaint with 23,775, followed by nonpayment and extortion scams. Those complaints resulted in an estimated $1.7 billion in losses.

In 2020 the FBI Internet Crime Report noted adjusted losses of over $1.8 billion to Business Email Compromise (BEC) and E-mail Account Compromise (EAC). BEC/EAC is a sophisticated scam targeting both businesses and individuals performing transfers of funds. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. 

BEC involves businesses working with foreign suppliers and/or businesses regularly performing wire transfer payments. EAC is a similar scam that targets individuals. These sophisticated scams are carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct the unauthorized transfer of funds.

Email phishing occurs when attackers send legitimate-looking emails to customers posing as a retailer. People open the email, click on a link, and soon enough, malware can be installed, and information poached from the retailer and their customers.

They can also occur when emails are sent to employees within an organization or to their vendors. What seems like an innocent email could be the gateway to a massive problem. One of the most famous was the Target Phishing Breach in 2013, which was the result of a Target HVAC vendor opening a bad email, which installed a Trojan program on POS systems that recorded credit card data.

Fraudsters are winning because of the number of emails individuals receive on a daily basis. Many of us have many email accounts, for various reasons. Sometimes, for expediency, we may forward emails from one account to another. Fraudsters count on it.

They also count on us not paying attention to the header or grammar errors and they add urgency: 

  • your account was suspended – click here to unlock your account
  • this is the invoice form your latest purchase, click to review
  • We have noted an irregularity with your account, login through <this link> to verify your account – and then here comes the CAPTCHA scam  etc.

There are so many ways in which malicious actors will try to trick us: a sense of urgency, familiar accounts, psychological pressure, and knowing that everyone is busy and over-extended (a nice way to say exhausted) and we will make mistakes in judgment.

I have recently received an email scam from an “old acquaintance”. I was away for the weekend and the email seemed friendly enough. It was asking for a time to contact me when we can talk. The second email was asking me to buy an Apple gift card and then I recognized the good old scam. This one did not have a link but still tried to trick me and make me give money to someone I didn’t know, one way or another.

In the retail chain, customers appreciate rebates and emails providing relief from their problems with an order or product. It is so easy to spoof that email, to make it appear from the source the unsuspected individual is expecting, and add a link to send them to the “refund” website.

This is why disclaimers in emails and appropriate awareness and education of retail staff and customer service make a big difference. Customers should be informed of your practices in every email. Tell them what is the correct way you will contact them through email and what information they should expect vs. what information they should verify.

At Managed Privacy Canada we have developed best practices and documentation to support retailers to thrive and reduce risks introduced through email scams.

✅ Our approach to practical privacy begins with your free 20-minute consultation. For more information, visit
✅ For privacy updates, follow us @ Managed Privacy Canada on Linkedin

Facebook: @ManagedPrivacy
Instagram: @ManagedPrivacyCanada
Twitter: @ManagedPrivacy

Share this post

Share on facebook
Share on twitter
Share on linkedin
Share on pinterest
Share on email

Sign up for our Newsletter