Top 5 Holiday Shopping Season Threats for Retail and Hospitality

A electronic tablet displays holiday shopping text

This blog is part of the RH-ISAC holiday guidance blog series. For more blogs in this series, visit

The holiday season brings out more than decorations, carols, and hot chocolate. The drastic influx in retail activity as people scurry to cross items off their shopping lists means that hackers come out in droves and malicious activity intensifies around this time of year as well.

Retailers should be aware of some of the most common threats facing their operations as the holiday shopping season kicks into full gear. Below are the top five threats that become prominent around the holiday shopping season as observed by retail and hospitality organizations.

  1. Digital skimmers
    You’ve probably heard of card skimmers: physical devices that are stuck onto ATMs and card terminals, which “skim” the information from any card inserted. Sounds bad enough, right? In the last couple of years, digital versions of this attack have emerged, and have grown increasingly dangerous recently. These can wreak even more havoc, by essentially doing the same thing, but more stealthily and on more online outlets’ checkout pages.

    You may remember Ticketmaster’s breach from a couple of years ago, they fell victim to such an attack (or, more accurately, one of their third-party credit card processing partners did). These skimmers usually operate by exploiting vulnerabilities in entire webpages and inserting malicious JavaScript that lies in wait for customers to enter their payment information. It’s a good idea to review the code on your website and reduce reliance on JavaScript, or ensure JavaScript code is secure. And it’s worth following up with any partners or providers of third-party code that processes customer payments to make sure they’re doing the same. Make sure you can identify and regularly scan all of the code on your website–particularly JavaScript, and make sure there’s nothing there that shouldn’t be.

  2. BYOD and internet of things (IoT)
    Retailers have implemented BYOD policies to further engage employees, save costs, and drive customer interaction. But employee-owned and operated devices can also open companies up to vulnerabilities from potentially unsecured devices being connected to their networks. If your business allows your employees to connect their devices to your network, make sure that both those devices and your network are secured, and that there are policies in place to keep employees’ personal devices as secure as possible.

    Likewise, more and more internet-connected devices are being put into use in retail environments. Like personal devices, they help keep both employees and customer engaged. But they come with their own security threats. Their network connections may not be secure, and they’re often left with easy-to-guess default passwords (and in some cases, their passwords are unchangeable). And companies sometimes overlook these devices when compiling asset lists, so they may not be patched and upgraded as often as they should be. As with BYOD devices, companies need to pay attention to any device that’s connecting your network to your customers or to the internet at large, and make sure there are policies and safeguards in place.

  3. Ransomware
    Ransomware–software that prevents access to critical systems or files until a ransom is paid–has been a growing threat to retail businesses over the last couple of years. The threat of ransomware hitting point-of-sale devices in particular is a threat that leaves many retailers worried. There’s ongoing debate within the cybersecurity world as to whether it’s worthwhile to simply pay the ransom if you’re hit, but by far the best solution is to minimize your chances of getting hit in the first place. Patching and updating all systems and devices regularly are the best ways to minimize your chances of getting hit. It’s also a good idea to back up all your systems regularly–and store the backups offsite or somewhere segmented and isolated from your production systems–so that if you are victimized, you may be able to simply restore your systems rather than pay the ransom and risk not getting access anyway.

  4. Social engineering
    There is an ever-growing list of social engineering tactics designed to get you or your employees to open your own systems up to attacks. Phishing and spear phishing (using emails disguised as originating from legitimate sources to get recipients to click infected links or provide sensitive information) is still a major threat. These include Business Email Compromise (BEC) scams, wherein the hackers pretend to be suppliers, attorneys, or even executives of your company in order to dupe employees into providing passwords, account information, or even initiating wire transfers to fraudulent accounts. The best way to stop this threat is by training: set up thorough and engaging cybersecurity awareness training for your employees, and make sure they have the tools and resources available to them to report suspicious emails or other threats. Additionally, instituting policies that mandates off-line confirmation for financial transactions can be immensely useful.

  5. Internal threats
    A consistent threat against retailers this time of year, unfortunately, comes from their own employees. While malicious activity on the part of employees is not unheard of, more frequently, it’s often a lack of awareness or negligence that causes problems. The threat of social engineering is made much more real by the fact that some employees either don’t know how to be vigilant, or don’t bother being so. Proper management and HR techniques should be applied to resolve problems with malicious or disengaged employees. But a key component in preventing ignorance is education. Cybersecurity training isn’t just for headquarter employees: retail employees need to know best practices, and know what to look out for on a day-to-day basis, both physically and virtually.

There are plenty of other threats facing retail outlets during the holiday season and year-round, but these are among the most dangerous and prevalent. Take steps to protect yourself from these threats, and you’ll likely have a happier holiday than most.

RH-ISAC will be sharing tips throughout the holiday season in a holiday guidance blog series. Below are holiday guidance blogs already posted. Visit the RH-ISAC blog for more industry relevant blogs.

Holiday Guidance Blog Series:

  1. RH-ISAC Holiday Tips Featured on Dark Reading
  2. 8 Tips for the Holiday Season
  3. Biggest Holiday Risk Factors
  4. Positive Trends in Retail and Hospitality Cybersecurity

More Recent Blog Posts