By Luke Vander Linden, VP of Membership & Marketing, Retail & Hospitality ISAC
While cyberattackers are constantly shifting tactics, and with growing supply chains and AI advancements, retailers of all sizes should be on the lookout for new threats in 2025. Here’s what to watch for in the new year—and how to strengthen security.
Business Email Compromise (BEC) Attacks
Business email compromise (BEC) is a cyberattack in which scammers use social engineering techniques to compromise a legitimate work email account and then use it to run more believable scams or to steal money or sensitive information, such as intellectual property or personally identifiable information. Once they’ve gained trust, they trick employees into making critical cybersecurity mistakes, like authorizing fraudulent payments, handing over sensitive data or installing malware.
Large companies aren’t the only ones at risk of BEC attacks. Companies with fewer than 1,000 employees have a 70% chance of facing at least one BEC attack per week.
Retailers are particularly vulnerable; in 2023, they were the second most-targeted industry for vendor email compromise attacks, a BEC subtype in which cybercriminals pose as vendors.
Voice Phishing Attacks
Voice phishing attacks are another type of phishing attack retailers should be wary of in 2025.
Like BEC attacks, voice phishing attacks use social engineering to dupe employees into divulging financial or sensitive data. Again, bad actors pose as trusted vendors, HR personnel, C-suite executives, IT teams and others.
Worse, deepfake technology makes modern voice phishing attacks more sophisticated and harder to detect, as advanced machine learning can mimic people’s voices with hyper-realism. In the last year, AI-driven phishing attacks increased by 60%—a trend that’s likely to continue.
SMS Phishing Attacks
Phishing attacks continue beyond emails or phone calls. Cybercriminals can also infiltrate your employees’ cell phones via text message in an SMS phishing attack.
Once again, scammers pose as known sources, such as a boss or colleague, to trick employees into clicking on suspicious links, sharing log-in credentials or otherwise compromising security. As with deepfakes, AI makes smishing attacks more realistic and harder to thwart, enabling scammers to mimic personal writing styles with startling accuracy.
Supply Chain Attacks
As part of a broad supply chain, retailers often have multiple integrations with third-party vendors, like logistics providers, suppliers and payment processors. Some may even share login credentials.
While these integrations streamline communication and data transfers, they also expose retailers to new threats. The supply chain is only as strong as its weakest link.
Should a retailer’s vendor become compromised, attackers can take advantage of the retailer-vendor integration to gain entry to the retailer’s network. Once they’ve gained access, they can steal sensitive data, deploy ransomware, disrupt operations and more.
For example, in the SolarWinds attack, hackers inserted a backdoor into the company’s Orion software, allowing them to infiltrate the networks of hundreds of organizations nationwide.
Strengthening Cybersecurity: Tips for Small Retailers
Here are three practical, actionable tips for retailers to strengthen their cybersecurity:
Implement advanced authentication
To help protect against phishing and supply chain attacks, retailers can implement critical authentication measures, such as multi-factor authentication (MFA) and biometrics.
MFA adds a layer of protection by requiring users to present at least two verification factors to access their accounts. Beyond passwords, this can include submitting a code sent by SMS or generated by an authenticator app, or answering common security questions. By making it more difficult for hackers to compromise accounts, MFA can help stave off diverse cyberattacks.
Meanwhile, biometrics can be used independently or alongside MFA to further bolster retailers’ defenses.
Biometrics are an individual’s unique physical characteristics, such as their fingerprints, voice or eyes. They can serve as another method of identity verification to help block unauthorized access. With MFA, even if hackers successfully steal login credentials through a phishing or supply chain attack, they face another barrier to system access.
Increase Cybersecurity Awareness
MFA and biometrics are important safeguards, but they can be disruptive to implement, which makes cybersecurity awareness more important.
31% of employees have made errors that risk impacting their employer’s cybersecurity. Particularly for phishing attacks, where employees are the target of social engineering, they’re often a retailer’s first line of defense against cyberattackers.
Even more worrisome, they’re also what some cybersecurity experts call “the weakest link.” The problem lies in cybersecurity awareness—30% of employees “don’t think they personally play a role in maintaining their company’s cybersecurity posture.”
In 2025, cybersecurity education should be retailers’ top priority. For example, organize training about phishing tactics, password best practices and how to handle cyber incidents. With regular training, employees will be better equipped to detect, identify and deflect cyberattacks.
Join a Trusted Community
When it comes to cybersecurity, there is strength in numbers.
Start by vetting third-party vendors to ensure they uphold cybersecurity standards.
Then, educate staff with cybersecurity awareness training. Finally, join industry groups like the Retail & Hospitality ISAC (RH-ISAC), where you can connect with other retail organizations on cybersecurity issues. RH-ISAC has a program called LinkSECURE to assist retailers with ensuring their third-party vendors have robust cybersecurity practices. RH-ISAC also offers working groups to provide guidance and insights on security awareness training as well as other topics to help retailers best prepare for 2025.