Cybercriminals Shift Tactics as Credential Harvesting Tops Payment Data Theft in Retail
Cybercriminals are getting personal. Literally. According to KnowBe4's 'Global Retail Report 2025,' the greatest threat is 'credential harvesting,' in which personal information is stolen.
Researchers at the firm said that credential harvesting, 'which is often orchestrated through phishing attacks, has become the predominant threat, accounting for 38 percent of all compromised data in 2023, while payment card data theft dropped to 25 percent.'
This research comes at a time when cybercrime is top of mind for retailers as well as consumers. It follows a report from CardRates.com that polled over 1,000 U.S. consumers about online banking and found that 84 percent of respondents said they are worried about cybersecurity.
This shift occurs as the total number of cyberattacks in the retail sector has jumped 56 percent. 'This puts retail in the top five industries targeted by cybercriminals,' the report's authors said, adding that the average cost of a single retail data breach 'reached $3.48 million in 2024, an 18 percent increase from 2023.'
'Our research reveals a critical shift in how cybercriminals are now prioritizing credential theft over payment card data,' said Stu Sjouwerman, chief executive officer of KnowBe4. 'Stolen credentials allow immediate access to personal accounts, bypassing security measures like passwords and two-factor authentication. The good news is that organizations implementing frequent security awareness training are seeing dramatic improvements, demonstrating that human risk management must be a core component of any retail organization's security strategy.'
The growth of cybercrime has a lot to do with how consumers shop. The report noted that more than 62 percent of all purchases are made with a credit or debit card. 'When a customer uses a card to make a retail purchase, whether online or in store, they are entrusting that retailer with their credit card and other personally identifiable information (PII), including their name, address and phone number,' the report stated. 'If they access their account on the web or through the store's point of sale (POS) system, the retailer also has their past purchasing information and tracking data including any changes of addresses, and other addresses they have sent packages to.'
Consequently, KnowBe4 researchers said it should come as no surprise that the retail sector has become 'a nearly irresistible trove for a growing number of cybercriminals. Unfortunately, new AI tools have not only enhanced the abilities of experienced cybercriminals, but also given state-of-the-art intrusion methods to relatively unskilled or novice attackers.'
Digging deeper into the research showed that North America's retail sector experienced the highest percentage of cyberattacks with 56 percent, while Latin America experienced the second highest at 32 percent. Europe experienced 11 percent of attacks.
The report also noted that the U.S. retail sector accounted for 45 percent of global ransomware attacks 'despite representing only 28 percent of market share, making retail the second most targeted sector.'
To combat these crimes, retailers need to reduce the 'human risk' factors, which includes educating the workforce about phishing tactics, among other measures.
'Conducting security awareness training and simulated phishing evaluations for one year or more can reduce the likelihood of employees falling for phishing attacks for organizations of all sizes,' the report's authors said, adding that security awareness and education have a significant impact. Employee susceptibility to phishing attacks dropped from 42.4 percent to just 5.2 percent in large retail organizations, 'while small and medium-sized retailers saw similar improvements, with rates dropping to 4.7 and 4.5 percent, respectively, after one year of continuous training.'