US Retailers Expose Customers to Email Scams During Festive Shopping Period
Recent research from Proofpoint shows that 40% of major retailers are not actively blocking fake emails that imitate their brand
SUNNYVALE, California – November 21, 2024 – The start of the holiday shopping season is heralded by Black Friday. Just ahead of this annual event, Proofpoint Inc., a prominent cybersecurity and compliance firm, has unveiled new findings indicating that two-fifths of the top retailers are not adequately safeguarding consumers against email scams and online crime.
The study is centered on an evaluation of Domain-based Message Authentication, Reporting, and Conformance (DMARC) implementation by the leading 50 retailers in the USA. DMARC is a widely used email protocol that aids in shielding domain names from being faked and abused by cybercriminals. It authenticates the sender’s identity before permitting a message to be delivered to the intended recipient, guaranteeing that the sender is legitimate. With three levels of security (monitoring, quarantine, and rejection), DMARC ensures that only verified senders can utilize a retailer’s domain for emailing. The ‘rejection’ policy offers the highest security by inhibiting fraudulent emails from entering the inbox.
The National Retail Federation (NRF) anticipates gradual growth in sales this season, predicting that Americans will spend between $979.5 billion and $989 billion. The NRF projects that online shopping, which is set to be the primary driver of retail sales growth, will trigger a surge in email interactions from retailers, providing an opening for cybercriminals to mimic brands and launch deceptive attacks. Email serves as a prominent marketing tool and a favored medium for cybercriminals to orchestrate extensive phishing campaigns aimed at stealing personal data or credit card details for identity and financial theft purposes.
According to Proofpoint’s assessment of the top 50 retailers as per the NRF and their utilization of DMARC, the findings are as follows:
- 60% of online retailers in the US have incorporated the maximum protection level to block suspicious emails from reaching consumers’ inboxes, indicating a 12-point rise compared to 2023
- However, this implies that 40% of online retailers are not actively preventing fraudulent emails from reaching consumers
- One in 10 retailers have not set up any DMARC records at all
- 18% have established a monitoring protocol, allowing unverified emails to reach the recipient’s inbox; only 12% have enforced a quarantine policy to reroute unverified emails to spam folders
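The categories counted above map onto the policy tag published in a domain's DMARC TXT record. The following is an added example, not code from Proofpoint or the study: it sorts TXT records into those categories, using constructed records and placeholder domain names, and the function names are assumptions of the example.

```python
# Added example: classify DMARC TXT records (as published at _dmarc.<domain>)
# into the enforcement levels the study counts. Sample data is constructed.
from collections import Counter

LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Parse one TXT string into a tag dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the v=DMARC1 tag must come first, otherwise the record is ignored.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Return 'no record', 'invalid', 'monitor', 'quarantine' or 'reject'."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "no record"
    # Several DMARC records on one name give receivers no usable policy.
    if len(records) > 1:
        return "invalid"
    # Simplification: a missing or unknown p= value is reported as invalid,
    # although a receiver may fall back to monitoring when a rua tag is present.
    return LEVELS.get(records[0].get("p", "").lower(), "invalid")

SAMPLE = {  # constructed records for placeholder domains
    "shop-a.example": ["v=spf1 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@shop-a.example"],
    "shop-b.example": ["v=DMARC1; p=quarantine; pct=100"],
    "shop-c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@shop-c.example"],
    "shop-d.example": [],
    "shop-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

def tally(domains):
    """Count how many domains fall into each enforcement level."""
    return Counter(classify(records) for records in domains.values())

if __name__ == "__main__":
    for domain, records in SAMPLE.items():
        print(f"{domain:16} {classify(records)}")
    print(dict(tally(SAMPLE)))
```

Only the 'reject' result corresponds to the maximum protection level described above; 'monitor' and 'no record' both leave unverified mail deliverable.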
“Email remains the top choice for cybercriminals, and the retail sector continues to be a primary target. It’s heartening to see more retailers taking appropriate steps to shield their customers from email fraud this festive season compared to the previous year,” remarked Robert Holmes, group vice president and general manager of Proofpoint’s Sender Security and Authentication division. “Nevertheless, there is still ample room for improvement, especially since consumers are more susceptible as they compete to grab seasonal deals quickly.”
Google has also acknowledged the significant rise in verification adoption following the enactment of fresh email authentication regulations for institutions, resulting in 265 billion fewer unverified emails dispatched in 2024.
Proofpoint advises consumers to adhere to the following suggestions while shopping:
- Safeguard your passwords: Do not reuse the same password. Employ a password manager to streamline online activities while ensuring security, and enhance protection further by activating multi-factor authentication.
- Stay alert to fake websites: Exercise caution with counterfeit websites imitating renowned brands. These deceptive sites might peddle fake or non-existent products, disperse malware, or attempt to steal funds and personal information.
- Beware of phishing and smishing threats: Maintain vigilance against phishing emails redirecting to unsafe websites seeking personal information like login credentials and credit card details. Also, exercise caution with SMS phishing (‘smishing’) and messages received through social media.
- Avoid clicking on links: Refrain from clicking on links; instead, manually enter the known website address into your browser to access featured deals. When using special offer codes, enter them during checkout to validate their authenticity.
