The Top 4 Cyber Threats Haunting Retailers Today — and What to do About Them


Retailers lost a whopping $57 billion to online cyber attacks in 2017, eclipsing losses from physical threats like shoplifting and inventory shrinkage. The scariest part? Most of these threats are orchestrated behind the scenes, and most retailers don’t realize what’s happening until it’s too late. As fraudsters increasingly leverage automation tools to launch attacks and such attacks escalate in size and scope, it’s imperative that retailers get smart on how to recognize and prevent them before their bottom lines — and customer faith — are depleted. Here are four main threats that should be on all retailers’ radars.

Credential stuffing

Hackers take advantage of the fact that people reuse their passwords, so every big data breach is like hitting the jackpot for these fraudsters. They take the laundry list of stolen credentials and launch massive login attempts — with a 1-2 percent success rate. Once an account has been taken over, there are a number of ways a hacker can monetize the data they find, which may include exploitation of credit card information and personally identifiable information like driver’s license or social security numbers.

In retail, nearly 30% of login POSTs are attributed to credential stuffing. This means one out of every three online login attempts is from a fraudster attempting to steal a user’s credentials. Credential stuffing is difficult to eliminate for a single retailer in isolation because criminals adapt to defensive measures quickly, often within 12 to 24 hours. Some of them operate like organized crime syndicates with technical capability and abundant resources, and are able to invest in rapid response techniques motivated by the high profit margin. Because of this, it is more effective to defend against credential stuffing as part of a network of allied retailers. Technology such as machine learning and artificial intelligence should also be leveraged to scale detect and deflect capabilities.

Gift card cracking

Gift card cracking occurs when criminals correctly guess a valid gift card number and PIN that has an available balance. At that point, the criminals either transfer the balance to a card they control, or sell the card on a site that will reimburse them with cash.

How does a criminal guess a valid gift card number? It’s simpler than you may think. Fraudsters can discover sequential patterns in gift cards by comparing the numbers on two or more gift cards that are available in plain sight in retail stores. Once they narrow down the subset of digits that they have to try, automated attempts are then launched against the Check Gift Card Balance endpoint. Automated traffic to check gift card balance endpoints can be up to 100 times greater than the amount of human traffic.

Or, fraudsters will discreetly photograph or write down gift card numbers, in hopes that they will soon be purchased and loaded with funds. After that, all that’s left to crack would be the four-digit pin number. They then wait a week or two and try the gift numbers that they captured while at the store. By then — since the gift cards were at the top of the stack — the cards have usually been loaded with funds.

Gift card cracking is so popular because it’s so easy to monetize. Sites like or eBay give people money in exchange for gift cards — often 90-95% of the face value. There are also services that allow people to buy bitcoin using gift cards so that they can remain completely anonymous throughout the whole transaction.

To begin combating gift card cracking fraud, retailers should implement anti-automation technology to protect their check gift card balance endpoint from automated attacks. In addition, physical security of gift card numbers should be enhanced, for example, with improved packaging.

Fake account creation

With a fake account, a criminal can exploit stolen credit cards, defraud other users, reap new customer perks and much more. Fake account creation at scale requires either automation (programs that impersonate real users) or Mechanical Turks (low-wage workers). Either way, the traffic flows through the same channels as legitimate new customer accounts.

In one example, fraudsters attempted to create 16,000 fake accounts on a Fortune 100 retailer’s website in just one week. The attackers spread traffic across 2,000 different IP addresses from more than 30 countries and generated human-like mouse movements and keystrokes for each account, proving the lengths criminals will go to in order to avoid detection. Since these fraudsters move almost invisibly behind the scenes, it’s nearly impossible for humans to detect their malicious activity. Retailers must adopt technology that allows them to detect unusual mouse or keystroke movements, geolocation, web activity and more, so they can stop the attackers dead in their tracks before these fraudsters have a chance to gain entry.


Scalping bots take advantage of limited availability items, often resulting in items selling out in minutes. A common scenario is when bots buy high-demand sneakers or concert tickets in bulk, congesting the main user flow for everyone else. This not only results in a bad user experience, but it can tarnish a brand’s reputation among its most loyal customers. Unlike credential stuffing, fake account creation and gift card cracking, scalping attacks primarily target checkout portals.

So what is a retailer to do? Just as criminals share information and ingenuity across networks, so too must retailers band together to defeat them — both by understanding the threat and by developing cross-company defenses. While some may say this contradicts the competitive nature of retailers — or any business for that matter —  collective defense capabilities help retailers defeat many of the most dangerous online attacks. Such information-sharing worked for the financial services industry in helping to detect fraud; retailers should follow suit if they want to make a real dent in defeating their shared enemies.  

It’s also important for retailers to keep in mind that the entire transaction flow — beyond the point of login — matters when it comes to security. Attackers can commit fraud after the authentication phase in areas such as product pages, shopping carts and checkout pages. Retailers should implement technology to eliminate impersonators from the checkout flow so that only real human users can access limited availability items. Additionally, retailers must also offer omni-channel protection to mitigate evolving attacks. This means considering how to protect sensitive data across web and mobile platforms, and even personal assistants like Alexa and Google Home. Consumers shop across device and platforms these days and attackers can be found wherever customers exist. Adversaries always seek to identify the path of least resistance, so only an omnipresent protection can protect the customer’s shopping experience.

With the recent string of data breaches suffered at the hands of retailers, it’s more important than ever that companies have a solid defense and response strategy in place. It starts with becoming educated on the potential risks.

-Mengmeng Chen, Business Intelligence Lead, Shape Security

This ad will auto-close in 10 seconds