In the lead-up to Black Friday and Cyber Monday 2025, the retail sector in the US is facing a significant increase in cyber-attacks targeting both online and brick-and-mortar businesses. Threat actors are leveraging sophisticated phishing campaigns, malicious websites masquerading as legitimate retailers, and ransomware attacks timed to disrupt critical sales periods. According to recent industry reports, cybercriminals are exploiting the surge in online shopping traffic by deploying credential harvesting schemes and launching distributed denial-of-service (DDoS) attacks against major retail platforms.[1] Retailers are urged to implement robust cybersecurity measures, including employee awareness training, regular patch management, and network monitoring to mitigate these risks.
The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) recently released its 2025 Holiday Season Cyber Threat Trends report, highlighting a sharp rise in fraud and automated bot attacks expected to align with peak seasonal shopping demand across the retail, hospitality, and travel sectors.[2]
The report analyzes threat data from the past two holiday periods alongside current trends, showing that fraud has rapidly escalated to become the most widespread threat facing consumer-facing organizations during Q4. Areas of greatest concern include receipt and return abuse, loyalty and points fraud, refund scams, and bot-driven schemes that rapidly scoop up high-demand items before real customers can buy them.
Information provided by participating RH-ISAC member organizations shows rising concern about account takeover attempts, malicious look-alike domains, and fraudulent ads targeting customers during peak shopping days. Adversaries affiliated with groups such as ShinyHunters and Scattered Spider are expected to intensify extortion operations and exploit third-party vulnerabilities throughout the season.
“The holiday shopping period continues to be the most active fraud environment that we face as defenders,” said Suzie Squier, president, RH-ISAC. “Fraudsters see opportunity in higher transaction volume and operational pressure. Collaboration and rapid intelligence sharing help our community stay ready for what’s ahead.”
According to the report, RH-ISAC member organizations are preparing company-wide awareness campaigns, incident-response exercises, and expanded use of AI-driven tools to detect anomalous behavior during major shopping milestones such as Black Friday and Cyber Monday.
The report notes that automated attacks during the 2025 season may surge to unprecedented scale, with a predicted 520 percent increase in genAI-driven traffic during the 10 days prior to Thanksgiving. Frontline staff members will face additional challenges in distinguishing legitimate customer issues from fraudulent ones.
High-risk periods identified in the forecast vary by threat category but span mid-November through late December, including elevated spikes in:
- Account takeover attempts that will target retail and quick-service restaurant accounts
- Gift card theft and fraud linked to major sales events
- Retail bot attacks aimed at limited-availability items and loyalty member perks
The full 2025 Holiday Season Cyber Threat Trends report is now available to participating members of the retail, hospitality, and travel cybersecurity community. RH-ISAC continues to unite security teams with intelligence resources, best-practice sharing, and operational collaboration to reduce risk during this year’s busiest consumer period.[3]
A UK Case Study: Large Retailer Attacks in May - Hackers linked to the Scattered Spider group infiltrated the systems of retail giant M&S as early as February 2025, stealing Active Directory password hashes before deploying ransomware on VMware ESXi hosts. The breach paralyzed online sales, a channel generating £3.8 million daily, and disrupted inventory management, leaving shelves empty during peak spring demand. Concurrently, Harrods limited store internet access following intrusion attempts, while Co-op disabled back-office systems to contain its breach.[4]
These attacks support findings that 43% of retail breaches involve compromised credentials, a vulnerability exploited in the M&S case. Analysis further contextualizes the crisis, revealing that retail breaches now average $2.96 million in direct costs, with mitigation taking 19 days longer than in any other sector.
The psychological fallout extends far beyond financial metrics. A 2024 study tracking 2,500 breach victims found 68% reduced online purchases from affected brands, while 42% deleted accounts entirely. These behavioral shifts mirror other reports showing that 58% of consumers deem breached companies untrustworthy, and 70% abandon those brands post-incident.
At M&S, the attack’s timing during seasonal shopping spikes amplified reputational damage; analysts estimate a £700 million market value drop, compounded by long-term customer attrition risks. Additional reports underscore the paradox facing retailers: while 54% of consumers prioritize price sensitivity, 63% now rank data security as their top digital shopping concern. This tension creates strategic dilemmas for companies balancing competitive pricing with cybersecurity investments.
Corporate Responses Under Scrutiny - M&S’s crisis management provides a case study in breach response efficacy. The retailer’s immediate system shutdowns prevented wider data exfiltration but exacerbated operational chaos. Conversely, Harrods’ limited internet restrictions allowed sustained online sales, demonstrating nuanced damage control.
The study emphasizes that prompt transparency, such as M&S’s same-day customer alerts, can mitigate 32% of trust erosion compared to delayed disclosures. Retailers are increasingly adopting AI-driven solutions, with automated threat detection reducing breach identification time by 40%. However, surveys reveal that only 29% of consumer goods firms have implemented such systems, leaving many vulnerable to advanced tactics like MFA bombing and SIM swapping.
In the UK, the National Cyber Security Centre’s involvement in all three breaches signals growing governmental pressure for cross-industry collaboration. Proposed measures include:
- Mandatory breach simulations for retailers handling payment data
- Standardized encryption protocols for customer databases
- Real-time threat intelligence sharing networks
Yet compliance gaps persist. While 78% of retailers updated incident response plans in 2024, only 41% conduct quarterly cybersecurity staff training, a critical vulnerability given that 57% of employees use work devices for personal shopping.
The Path Forward - Retailers must adopt zero-trust architectures as ransomware groups increasingly target supply chain vendors (evidenced by a recent breach impacting major banks). Behavioral analytics tools that detect anomalous data access patterns and AI-powered fraud detection algorithms are recommended, reducing false positives by 63%.
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] Black Friday 2025: Surge in Retail Cyber Threats, Cybersecurity Industry Analysis, November 2025; “Best Practices for Retail Cybersecurity During Peak Shopping Events,” National Retail Cybersecurity Council, 2025.
[2] https://www.globenewswire.com/en/search/organization/RH-ISAC
[3] https://www.globenewswire.com/news-release/2025/11/03/3179482/0/en/RH-ISAC-Releases-2025-Holiday-Season-Cyber-Threat-Trends-Report.html
[4] https://cybersecuritynews.com/retail-chains-suffer-data-breaches/