UK shoppers at risk of email fraud this holiday shopping season

Proofpoint research reveals more than a third of top UK online retailers are leaving customers at risk of email fraud

Proofpoint, a leading cybersecurity and compliance company, has released new research revealing that 40% of the top online retailers in the UK are falling behind on implementing basic cybersecurity measures, leaving customers, staff and partners vulnerable to email fraud during the annual pre-festive shopping season – which kicks off with Black Friday and Cyber Monday this month. 

Brits are expected to spend £800 million more during this selling period than in 2023 – but engaging in online deal hunting can leave shoppers vulnerable, with increased email communications from retailers providing cybercriminals with the perfect opportunity to launch phishing attacks and other fraudulent schemes. 

The findings are based on Domain-based Message Authentication, Reporting and Conformance (DMARC) adoption analysis of the top 30 retailers in the UK. DMARC is an email validation protocol, designed to protect domain names from being misused by cybercriminals, which authenticates the sender’s identity before allowing a message to reach its intended destination.

DMARC has three levels of protection – monitor, quarantine and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox. 
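As an added illustration (not Proofpoint's tooling or methodology), the sketch below maps a domain's published DMARC record to the levels described above; in the record syntax of RFC 7489 the "monitor" level is written `p=none`. It assumes the TXT records at `_dmarc.<domain>` have already been fetched; the domains, records and function names are constructed for the example.

```python
# Added example: map DMARC TXT records to the protection levels in the article.
# Domains and records below are constructed samples, not data from the research.
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the version tag must come first and is exactly v=DMARC1
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Classify the TXT records published at _dmarc.<domain>."""
    found = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(found) != 1:
        # No record, or several: receivers apply no DMARC processing
        return "no protection", [f"{len(found)} DMARC records found"]
    tags = found[0]
    policy = tags.get("p", "").lower()
    if policy not in LEVELS:
        # Unusable p=: treated as p=none only when a report address exists
        if tags.get("rua"):
            return "monitor", ["invalid p= tag, falls back to monitoring"]
        return "no protection", ["invalid p= tag and no rua="]
    notes = []
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        notes.append(f"pct={pct}: policy covers only part of failing mail")
    sp = tags.get("sp", policy).lower()
    if sp != policy:
        notes.append(f"sp={sp}: subdomains get a different policy")
    return LEVELS[policy], notes

SAMPLES = {  # constructed records for hypothetical retailers
    "shop-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@shop-a.example"],
    "shop-b.example": ["v=DMARC1; p=quarantine; pct=25"],
    "shop-c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@shop-c.example"],
    "shop-d.example": ["v=spf1 include:_spf.example -all"],
    "shop-e.example": ["v=DMARC1; p=reject; sp=none"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(domain, *classify(records))
```

A record that reads `p=reject` can still leave gaps, which is why the sketch also reports `pct` values below 100 and a differing `sp` subdomain policy.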

Key findings from the research include: 

  • Only 60% of the UK’s top retailers have implemented the recommended and strictest level of DMARC protection (reject), which actively blocks fraudulent emails from reaching their intended targets, meaning 40% are leaving consumers, staff and partners open to email fraud
  • 7% of the UK’s top retailers have no protection against domain impersonation, leaving consumers at a heightened risk of email fraud. The data indicates a lack of significant progress in improving email security year over year
  • The share of top retailers not proactively blocking fraudulent emails from reaching customers is a slight improvement on the 2023 findings, when it stood at 47%

“Black Friday-themed fraudulent emails often take advantage of recipients’ desire to cash in on increasingly attractive deals, creating tempting clickbait for users,” said Matt Cooke, Cybersecurity Strategist at Proofpoint. “These messages may use impersonated branding and tantalising subject lines to convince users to click through, at which point they are often delivered to pages filled with advertising, potential phishing sites, malicious content, or offers for counterfeit goods.

“As with most things, if an offer seems too good to be true or cannot be verified as legitimate marketing you’ve signed up for, recipients should avoid clicking on any links,” added Cooke.

While individuals are crucial in defending against email fraud, their actions also pose a significant vulnerability for organisations. DMARC is the only technology capable of not just defending against but eliminating domain spoofing and the risk of impersonation. Achieving full DMARC compliance allows organisations to prevent malicious emails from reaching inboxes, thus eliminating the risk of human interference.

Proofpoint advises consumers to follow the tips below to stay safe online while shopping for seasonal bargains:

  • Passwords need protecting: Avoid reusing the same password. Use a password manager to simplify your online activities while keeping them secure, and strengthen protection further by enabling Multi-Factor Authentication
  • Remain vigilant about imitation sites: Be wary of fake websites that imitate well-known brands. These fraudulent sites may sell counterfeit or non-existent items, distribute malware, or try to steal money and personal information
  • Avoid phishing and smishing threats: Remain vigilant for phishing emails that direct to unsafe websites aiming to gather personal data, such as login credentials and credit card details. Also, exercise caution with SMS phishing (‘smishing’) and messages received via social media
  • Don’t click on links: Refrain from clicking on links; instead, manually enter the known website address into your browser to access advertised deals. When using special offer codes, input them during the checkout process to confirm their authenticity 
  • Confirm before making a purchase: Deceptive advertisements, websites and mobile apps can appear convincing. Before downloading a new app or visiting an unfamiliar website, take the time to read online reviews and check for customer complaints
