
How the Retail Industry Learned the Hard Way: Finding Success in the Battle Against Phishing Attacks


May 24, 2017



For a long time now the retail industry has been a rich hunting ground for hackers.

In the past few years, even industry giants like Target, Home Depot, and Tesco have fallen prey to massive data breaches.

And sadly, retail data breaches cost considerably more than equivalent breaches in almost any other industry: $172 per lost record, compared to an average of $158. In the case of Target, total estimated costs came in at a whopping $150 million.

And to make matters worse, during the first six months of 2016 alone the volume of cyber attacks targeting retail institutions rose by over 46 percent.

So if you’re in the retail industry, you might be wondering what you can do to ensure your organization remains secure. Well first, you need to know where to focus your efforts.

You Can’t Do Everything

If you’ve ever attended a security conference, you likely left feeling even more worried about impending cyber attacks than you had previously.

And if you spoke to a few of the vendors, you probably got an idea of exactly how many different ways a hacker could infiltrate your organization’s network and steal your data. You may have even resolved to secure the necessary funding to radically improve your organization’s security profile.

But there’s a problem. There is no such thing as a perfectly secure network.

You can invest tens of thousands of dollars in endpoint security, vulnerability scanners, threat intelligence platforms, next generation firewalls, and outsourced security operations services… but you can never completely guarantee the security of your network.

So rather than spreading your resources thinly across a huge range of security functions and products, you’d be far better served to first identify where and how attacks are most likely to occur. And to do this, you need to understand why an attacker would choose to target the retail industry.

Of course, the answer is simple: profit. The retail industry processes millions upon millions of credit cards each year, and if the details of those cards can be harvested, they can be sold for a lot of money via underground markets.

Understanding this simple truth is the key to vastly improving your organization’s security profile. If the primary reason to attack your organization is profit, and there’s only really one obvious way for that profit to be made, you already know a lot about your likely attackers.

You don’t need to concern yourself with defending against foreign nation states or hacktivists. On a daily basis, you only really need to worry about petty cyber criminals–organized or otherwise–attempting to steal your customers’ credit card details.

What, then, does this mean for your security operations? Well that’s the best part. No matter what methods or technologies individual hackers ultimately favor, almost all cyber attacks on retail institutions start with a phishing campaign. In fact, according to Verizon, the majority of all data breaches start with a phishing campaign.

And knowing this is the first step to ensuring your organization doesn’t join the increasingly large list of breached retail institutions.

People: Security Asset or Liability?

Phishing is a popular attack vector for one primary (and obvious) reason: Tricking people is almost always easier than tricking computer systems.

Of course, a prospective hacker will still need to overcome technical hurdles in order to achieve their goals.

Consider POS compromise, a common attack vector in the retail industry. An initial phishing campaign may give the hacker preliminary access to their target network, but they’ll still need to use other tactics to traverse the network and exfiltrate their target data. This is typically done by exploiting known vulnerabilities and quietly installing covert, purpose-built malware products.

Naturally, then, you’ll want to employ a series of technological controls designed to identify and block these activities before any data can be stolen. On top of that, you’ll definitely want to use email security tools such as blacklists, whitelists, and spam filters.

But at no stage should you ever lose sight of your greatest vulnerability: people.

No matter how good your technical controls are, you will never be able to block every single incoming phishing email. And the grave reality is that if phishing emails are hitting your users’ inboxes, security incidents will surely follow. If just one of those security incidents escalates, you’ll have a full blown data breach on your hands.

This is where security awareness training comes in. Now that you know your people are the most likely initial target of incoming attacks, you know how important it is to train them accordingly. And believe me, with the right training, you can convert your greatest security liability into a tremendous asset.

Going Beyond “Awareness” Training

Let’s be honest, most security awareness training sucks. It’s boring, uninspired, and achieves almost exactly nothing. In fact, if it weren’t for the need to remain PCI DSS compliant, it likely wouldn’t happen at all.

And you know what? The problem goes deeper. Even the name is wrong.

Who the heck cares about security awareness? What good did awareness ever do anybody? After all, most of us are aware that we should eat more vegetables and less junk, but instead of acting on that knowledge we try to forget about it while we take the kids out to McDonald’s and Krispy Kreme every weekend.

No. It’s time to quit thinking about security awareness training and focus on something more constructive: security behaviors. Specifically, we need to train users to identify and report phishing emails, instead of being fooled into clicking on malicious links or wiring thousands of dollars to a brazen hacker.

Above is an example of a BEC (business email compromise) phishing lure; lures of this kind have been highly successful for hackers in recent years.

So how do you teach users to identify and report phishing emails? Easy. You phish them yourself.

Yes, you read that right. In order to improve your users’ security behaviors when faced with sophisticated phishing emails, you need to develop your own phishing campaigns and send them to every single one of your users on a regular basis.

Of course you’ll need to provide them with some training first, and explain how and why you’ll be systematically phishing them on a regular basis for the duration of their employment. You’ll need to explain how different phishing campaigns work, how to identify them, and that having malicious emails reported on a regular basis will drastically improve your organization’s ability to identify and quarantine future phishing campaigns.

But once all that is out of the way, it’s time to get phishing.

Making Success Easy

When a user receives one of your simulated phish, there are three possible outcomes: They can report it, ignore it, or “fall for it.”

Naturally, your job is to minimize the number of phishing emails that successfully trick your users into complying with a hacker’s wishes.

But there’s a problem. If users simply ignore your simulations, it’s difficult to know whether they have truly learned and mastered the principles you’ve taught them, or if they simply don’t have time to read every email thoroughly.

On top of this, training your users to report real phishing emails will provide you with a source of vital intelligence that can be used to enhance your technical security controls and inform your future simulations. It’s essential that your simulations closely resemble real-world phishing campaigns and make use of all the different tactics hackers employ to make their campaigns more believable, such as domain spoofing, or using holiday-themed messages.

For these reasons, you’ll want to make it as easy as possible for your users to “win” by reporting phishing emails instead of simply ignoring them.

To do this, I highly recommend adding a simple “Report Phish” button to your users’ email client. When they correctly identify a phishing simulation and think an email looks a bit suspect, users can simply click the button to send it directly to your security team.

This may seem like a trivial step, but don’t ignore it. The harder it is for busy users to report suspected phishing emails, the less inclined they’ll be to do so.

Why Failure is Actually a Great Result

As you start to phish your users, you’ll start to notice two key patterns. First, they quickly learn to spot and report your more basic simulated phishing emails. But second, at least to start with, they fail a lot.

What’s important to realize here is that this isn’t going to be an overnight process. To start with, you’ll be focusing on training your users to spot and report the most basic phishing emails, and even then, there will be a high level of failure.

Over time, you’ll be able to develop and send increasingly complex campaigns, and your users will learn to spot those, too. But again, each time you up the complexity, you’ll see high levels of failure.

But here’s the thing. That’s OK.

In fact, it’s exactly what you want to see, because this is where the second part of your security training plan comes in.

When a user is fooled by your phishing simulation, you have an opportunity. Here is a user who didn’t have a high enough level of training to identify this type and complexity of phishing email, and you have a ripe opportunity to change that.

As soon as a user has been fooled into clicking a link in your simulated phishing email, they should be sent directly to a webpage that explains how they could have been more security conscious, and teaches them how to correctly identify this type of phishing email in the future.

For instance, let’s assume you have sent out a simulated phishing campaign that looks like this:

This is a fairly standard phishing email with a moderate level of sophistication. Nothing too fancy, but it would definitely see some success in the vast majority of organizations.

If one of your users were to “fail” this simulation, they should immediately be provided with a multimedia training page that helps them identify and report phishing emails of this type in the future.

Then, to solidify their learning, each employee who “fails” a phishing simulation should be sent a second simulation of the same type later in the month. This additional campaign, which will naturally contain fresh content, will give those users an opportunity to use the additional training they have received. Again, if this second campaign is also failed, users should be directed to a follow-up training page.

With this approach, over time you’ll be able to gradually increase the complexity of your simulated phishing campaigns, and your users will start to become a real security asset. As an added bonus, you’ll also start to see a whole bunch of real phishing emails being reported, which can naturally be used to enhance your security profile even further.

Continual Improvement

As you may already have gathered, this process never truly ends. There are always more sophisticated simulation campaigns to be constructed, as well as new employees who will need to start from the very beginning.

And of course, no matter how well you do your job, you can never reach 100 percent resistance to phishing emails. Employee churn rates, busy schedules, and plain old fashioned mistakes will see to that.

But that’s OK. What you can (and will) do over time is drastically reduce the number of security incidents arising from phishing emails, enabling you to focus your incident response resources on a small number of critical cases.

This is where the concept of phishing susceptibility comes in. This is the rate at which phishing emails successfully trick users into following their instructions.

In my experience, organizations that don’t currently use the method I’ve described above tend to have phishing susceptibility rates somewhere around 30 percent. That means that three out of every 10 phishing emails successfully trick a user into taking some sort of action.

But with time and patience, that number can be brought as low as one or two percent. That’s a huge improvement, and in a retail environment will have a profound impact on both the workload of incident response teams and overall cost to the organization.
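To make the simulation loop described above (report, ignore or fail; training page on failure; a same-type follow-up later in the month; follow-up training on a second failure) and the susceptibility figure concrete, here is an added example in Python. It is my illustration, not PhishLabs tooling or anything from the original post: it records the three outcomes per simulated message, computes a campaign’s susceptibility, report and ignore rates, picks the training landing page for a user who just failed, and queues failed users for a follow-up send. The campaign names, user names, dates and URL paths are constructed placeholders.

```python
"""Simulated-phishing outcome tracker (added example, not PhishLabs tooling).

Each simulated message ends in one of three outcomes: reported, ignored or
failed (the user clicked the link or submitted data). Susceptibility is the
share of messages that were failed; the report rate is the share reported.
A user who fails is shown an intro training page, queued for a same-type
follow-up simulation later in the month, and routed to a follow-up training
page if that second simulation is also failed. All names, dates and URL
paths below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Outcome(Enum):
    REPORTED = "reported"
    IGNORED = "ignored"
    FAILED = "failed"


@dataclass(frozen=True)
class SimResult:
    campaign: str   # one send, e.g. "invoice-basic" (constructed name)
    template: str   # lure type, kept constant across a user's follow-ups
    user: str
    outcome: Outcome
    sent_on: date


def campaign_rates(results, campaign):
    """Return (susceptibility, report_rate, ignore_rate) for one campaign."""
    rows = [r for r in results if r.campaign == campaign]
    if not rows:
        raise ValueError("no results for campaign %r" % campaign)
    counts = defaultdict(int)
    for r in rows:
        counts[r.outcome] += 1
    n = len(rows)
    return (counts[Outcome.FAILED] / n,
            counts[Outcome.REPORTED] / n,
            counts[Outcome.IGNORED] / n)


def failure_count(results, user, template):
    """How many simulations of this lure type the user has failed so far."""
    return sum(1 for r in results
               if r.user == user and r.template == template
               and r.outcome == Outcome.FAILED)


def training_page(results, user, template):
    """Landing page for a user who just failed: the intro page on the first
    failure of a lure type, the follow-up page once the repeat is failed too."""
    level = "followup" if failure_count(results, user, template) >= 2 else "intro"
    return "/training/%s/%s" % (template, level)   # placeholder path scheme


def followup_queue(results, template, delay_days=14):
    """Users whose latest result for this lure type is a failure, paired with
    the date their same-type follow-up simulation should go out."""
    latest = {}
    for r in sorted(results, key=lambda r: r.sent_on):
        if r.template == template:
            latest[r.user] = r      # later sends overwrite earlier ones
    return sorted((u, r.sent_on + timedelta(days=delay_days))
                  for u, r in latest.items() if r.outcome == Outcome.FAILED)


# Constructed sample data: a 10-user campaign, then the follow-up sent only
# to the three users who failed it.
FIRST = date(2017, 5, 2)
SECOND = FIRST + timedelta(days=14)
SAMPLE = [SimResult("invoice-basic", "fake-invoice", "user%02d" % i, o, FIRST)
          for i, o in enumerate([Outcome.REPORTED] * 4 + [Outcome.IGNORED] * 3
                                + [Outcome.FAILED] * 3, start=1)]
SAMPLE += [
    SimResult("invoice-basic-2", "fake-invoice", "user08", Outcome.REPORTED, SECOND),
    SimResult("invoice-basic-2", "fake-invoice", "user09", Outcome.REPORTED, SECOND),
    SimResult("invoice-basic-2", "fake-invoice", "user10", Outcome.FAILED, SECOND),
]

if __name__ == "__main__":
    for c in ("invoice-basic", "invoice-basic-2"):
        sus, rep, ign = campaign_rates(SAMPLE, c)
        print("%s: susceptibility %.0f%%, reported %.0f%%, ignored %.0f%%"
              % (c, sus * 100, rep * 100, ign * 100))
    print("next follow-ups:", followup_queue(SAMPLE, "fake-invoice"))
    print("user10 lands on:", training_page(SAMPLE, "user10", "fake-invoice"))
```

Keying follow-ups on the lure template rather than the campaign name is deliberate: the second send carries fresh content but must remain the same type, so that a user is measured on the skill they were just taught. Tracking the ignore rate separately also keeps the ambiguity the post warns about visible, since an ignored simulation says nothing about whether the user recognised it.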

And most important of all, if you implement this type of security training within your organization, you’ll drastically reduce the chances of being the next retail data breach headline.

About the Author

Dane Boyd is the Lead Solution Manager for PhishLabs’ Employee Defense Training practice. He has helped dozens of enterprises transform their employees into a powerful layer of threat prevention and detection.

About PhishLabs

Founded in 2008 and headquartered in Charleston, South Carolina, USA, PhishLabs provides 24/7 cybersecurity and threat intelligence services that help organizations fight back against attacks targeting their employees and customers. PhishLabs is trusted by four of the top five U.S. financial institutions, seven of the top 25 global financial institutions, leading social media and career sites, and top healthcare, retail, insurance and technology companies. In addition to mitigating more than 7,800 phishing attacks per month, PhishLabs clients benefit from real-world actionable intelligence, analysis, and guidance from the PhishLabs R.A.I.D. research division, which is comprised of some of the world’s most respected malware researchers, reverse engineers, and threat analysts focused on monitoring global attack trends, dissecting cyber tradecraft, and tracking cybercrime. For more information, visit and follow @PhishLabs.