Industry News

90% of online retailers expose customers to phishing attacks – research

Phishing, one of the most common attack vectors that cybercriminals use to steal your data, remains a huge risk for online shoppers as we enter 2018. New data compiled by experts in email analytics shows that online retailers are exposing their customers to huge risks.

Email phishing is a method to steal sensitive information such as usernames, passwords, credit card information, etc. The recipient receives an email purporting to be from a legitimate party – i.e. their bank – asking them to log into their account, or supply their user name and password for one reason or another.

The fake email is made to look genuine to trick the victim into handing over the information straight to the attackers. Attackers then use those credentials to log into the victim’s accounts and online services and try to steal whatever they can – especially cash.

Phishing and spoofing attacks are most likely when companies lack strong email validation systems. And according to email analytics firm 250ok, nearly all top-tier online retailers in the U.S. and Europe fall embarrassingly in that category.

87.6 percent of root domains operated by top e-retailers in the United States and Europe are putting their consumers at risk of having their data stolen through the most basic form of social engineering – phishing.

The company analyzed 3,300 domains of the top 1,000 U.S. internet retailers and 500 EU internet retailers by revenue and found most do use some level of email authentication on their domains.

However, the vast majority are inconsistent in their approach across the multiple domains they control. Only 11 to 12 percent of top retailer domains meet the recommended minimum protocol for the email channel, according to the study.

“By failing to publish basic authentication records like SPF and a DMARC record for all of the domains they operate, retailers are blind to the potential abuse of their brands’ domain names,” said Matthew Vernhout, director of privacy at 250ok. “It leaves both the brand and the consumer unnecessarily exposed to phishing attacks that damage brand trust.”

Some 91 percent of all cyberattacks begin with a phishing email so, especially with the General Data Protection Regulation just around the corner, online retailers clearly have a huge problem on their hands. And they will have to deal with it by May, or else.

Last year, Google did a joint study with the University of California, Berkeley to better understand how hijackers trick users into taking over their online accounts. Researchers found that, between March 2016 and March 2017, cybercrooks ran off with 12 million credentials solely via phishing attacks.

About the author


Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware and cyber-security, and has worked in various B2B and B2C marketing roles. Filip currently serves as Information Security Analyst with Bitdefender.