Shape Security Spotlight: Key Takeaways – Retail Threat Briefing Webinar with RH-ISAC

In the era of Amazon and mainstream e-commerce, every online retailer has to deliver a compelling user experience across their web and mobile channels while protecting customers from cyberattacks and fraud. Recently, Shape collaborated with RH-ISAC to share attack data and analysis of the most prevalent threats for retailers and best practices on how Top 10 Retailers are mitigating these threats.

Watch the threat briefing video here or read a summary of the key points below.

Analysis of Top Online Retail Threats

Credential Stuffing
Credential stuffing is responsible for more than 99% of all retail account takeovers (ATOs). In one attack on a top 50 retailer, Shape identified over 13.8 million automated posts against a login endpoint, using 80,000 unique IP’s, sustained for 10 days. Prior to blocking, this retailer identified 328,000 account takeovers.

Gift Card Cracking
For some retailers Shape has observed that over 98.5% of their traffic to gift card endpoints is automated. Gift card cracking is popular because it’s relatively easy to monetize and often done anonymously. Criminals impersonate real users and steal valid gift card numbers by exploiting the retailers’ own applications for purchases, transfers and checking gift card balances.

Fake Account Creation
Fake account creation is often used for future fraud including promotions, points, fake reviews and surveys. In one client example, 16k fake accounts were attempted to be created in just a week. Stopping attacks requires the fast identification of automated attackers and manual fraudsters without adding any friction for actual customers.

Scalping bots obtain limited availability items, often resulting in items being sold out in minutes. A common scenario is bots buying up high demand concert tickets, congesting the main user flow for everyone else, resulting in a bad user experience and brand reputation damage for a retailer’s most loyal customers.

One client experienced a staggering 99.84% of scalping traffic as part of its total traffic leading up to the November Black Friday period. The scalping traffic was instantly blocked once it started routing through Shape. Again, fast implementation is key—especially during peak online shopping periods.

How are Top 10 Retailers Preventing Attacks

Here are some of the best practices we observed from the top ten retailers who have successfully protected their businesses from the most damaging threats:

  • The entire transaction flow matters—not just login
  • CAPTCHA is not a viable option to stop automated bot attacks
  • Omni-channel protection—across web, mobile and even personal assistants like Alexa—is required to mitigate evolving attacks.

For more details on the top threats to retailers and additional best practices watch the full video:


To learn more about Shape Security in retail visit

More Recent Blog Posts