How Retail Companies Can Prevent Cyber Attacks with EASM
by ZeroFox Team

In 2025, the Scattered Spider group shocked the retail sector with a barrage of ransomware attacks against well‑known UK companies, including Marks & Spencer (M&S) and Co‑op. The scale of these incidents—and the fact that three of the four people arrested in connection with the attacks were teenagers—highlighted the vulnerability of modern retail and its ever-expanding digital attack surface.
The Cost of a Retail Data Breach
Although Co‑op acted quickly to contain the threat by pulling key IT services offline, it suffered interruption of inventory and digital payments as a result. It took weeks for the company to return to something like business as usual. The breach ultimately exposed personal information for roughly 6.5 million customers and cost the group an estimated £206m, ($277m), in losses.
The damage done to M&S was even more severe, with both in-store and online operations affected for months. The consequences included a 99% drop in statutory profit before tax for the first half of 2025, falling to £3.4m ($4.6m) compared to £391.9m ($527.9m) the previous year.
While these events made headlines, they represent just two examples within a broader surge in criminal activity aimed at retail. In the past year alone, 80% of retailers reported experiencing a cyberattack.
Retail organizations faced a doubling of the average ransom demand, from approximately $1m in 2024 to $2m in 2025, with 58% of victims paying to restore access to their data. Recovering from such an attack costs retailers $1.65m on average.
So, how can you ensure your retail cybersecurity is fit for purpose? How do you find and fix vulnerabilities before cybercriminals exploit them? Read on to discover how retail attack surface intelligence and EASM for retail can protect your organization.
Why Retail Cybersecurity Threats Happen
As public-facing businesses, retail organizations are highly visible, with broad attack surfaces, and are considered lucrative in terms of both finances and data. The sector offers a wide range of high-value targets for threat actors, including customer payment, credential, and behavioral data, along with the IP, operational, and financial business data of themselves and their suppliers and partners.
Real World Examples of Retail Cybersecurity Incidents
As expected, there was media fallout from the M&S incident outlined earlier. Addressing a UK parliamentary hearing, Marks & Spencer (M&S) chairman Archie Norman explained that retail is especially vulnerable due to its “very wide attack surface”.
“We have 50,000 people working on our systems—colleagues in the stores, contractors working for us, some may be outsourced, some may be in India—so the attack surface is enormous, and the attacker, potentially, has only to be lucky once,” Norman said.
“You have all the preventions that you should have—dual-factor authentication, password control, everything like that—but there are 50,000 points of entry, so you have to assume that they can get in.”
“Part of the point of entry in our case also involved a third party. That is just a reminder that that attack surface is very hard to defend.”
Norman warned retailers that the “right thing to do if you are in our business is to assume that the perimeter is permeable,” reinforcing the need for visibility beyond traditional network boundaries.
On top of this, the industry relies on a fragile mix of specialized and outdated technology.
Alison Griffiths, Conservative MP and Vice Chair of the Business and Trade Select Committee, told the Financial Times’ European Cyber Resilience Summit that the company’s continued reliance on legacy systems also contributed to the attack.
“M&S, by their own admission, were quite slow to prioritize migration from legacy infrastructure into a cloud environment, which ensures some level of secure by design architecture,” she said.
“This means that they had to rebuild their systems over four months, and, meanwhile, the door was wide open for the attackers to go in. Co-op was much further down the track of transforming its legacy infrastructure—and was significantly less impacted.”
Retail Creates A Vast Attack Surface
Josh Mayfield, Senior Director of Product Marketing at ZeroFox, says that because retail needs that vast external attack surface just to function, retail cybersecurity is “unique and challenging”.
“In retail, it can be e-commerce or brick-and-mortar stores, you have a very complex supply chain, that means Nth parties that are all connected to all kinds of internal applications and portals that no consumer will ever see,” he says.
Multiply that by potentially tens of thousands of suppliers, partners, and channel connections, and retail operates across a chain of tightly interconnected dependencies.
“Any one of those little links could be compromised, and you just don't know it. So, by default, retailers are already in a rat's nest of complexity.”
Jill Cagliostro, Director of Product Management at ZeroFox, adds that fast-growing businesses easily lose track of their own assets.
"You have to find other ways to find assets, other than your employees telling you about them and hoping they follow the process," she says.
“One organization found out about a server they didn't know they owned because law enforcement knocked on their door and said, 'Hey, this thing has been serving malware for years.'” The company had no record of the server but eventually confirmed their ownership using forensic investigation techniques.
“You don't want to be the person who finds out about a website you didn't know you owned because law enforcement tells you it's serving malware.”
The Public Nature of the Retail Industry
Retailers also interact with the public more than sectors like manufacturing, creating more opportunities for threat actors to insert themselves between you and your customers through counterfeit goods, spoofed domains, or fake mobile apps.
As mentioned by Norman, retail companies often have tens of thousands of employees, each representing a potential entry point. This puts employees at the "leading edge" of the attack surface, where they can be targeted via social engineering and phishing. What’s more, high turnover means that employees can be here today, gone tomorrow, amplifying the insider threat.
While retailers are under threat year-round, during events like Black Friday, their customers are more vulnerable because they’re primed to look out for any deals to take advantage of, even those that seem too good to be true.
"Psychologically, the defenses of the customers are much lower around this time. They'll believe any deal. Hey, get 80% off this Tesla—you might scoff, but I'm telling you, it's really successful," Mayfield says.
One way attackers exploit this window of opportunity is through content cloaking—scraping legitimate marketing content to make phishing emails and spoof websites look more authentic to customers.
Against this rapidly evolving threat landscape, security teams are under immense pressure to keep IT budgets under control while satisfying customer expectations for cross-channel touchpoints and technological innovations that deliver seamless, 24/7 service. Meeting these demands and guaranteeing security is a big ask.
For example, when it comes to ransomware attacks, organizations most frequently trace the cause to previously unknown security gaps, as reported by 46% of victims. A close second at 45% is blamed on a shortage of in-company expertise, while 44% say attacks happened because they had no protection in place.
Their struggle is intensified by adversaries who now have easy access to advanced tools like generative AI and "phishing-as-a-service" platforms that drastically lower the barrier to entry, enabling a new class of less technical criminals to launch sophisticated campaigns.
"Drafting a phishing email in a language you don't speak used to be really hard," Cagliostro explains.
"It's why they were always laden with grammatical errors and typos. But with these new AI models that can generate really nicely worded, well-formatted emails, it becomes a lot easier to trick your victims."
Retail Cybersecurity Threats to Look Out For
Among the most common threats faced by retailers are:
- Phishing: These attacks are becoming increasingly sophisticated through the use of AI-generated emails that are professional, free of errors, and personally targeted based on information harvested from data breaches, corporate websites, and social media.
- Account Takeovers and Credential Stuffing: Threat actors use stolen credentials—often sourced from the dark web—to gain unauthorized access to corporate or customer accounts.
- Ransomware: This remains a primary threat used by actors to disrupt retail operations.
- Hacking and Vulnerability Exploitation: General hacking activities target "known unknowns" (identified vulnerabilities) and "unknown unknowns" (forgotten or unmanaged assets).
- Malware Distribution: Compromised or forgotten servers can be used by bad actors to serve malware for years without the company's knowledge.
- DDoS Attacks: Distributed Denial of Service attacks are a major concern, particularly for retail businesses that rely on constant uptime.
- InfoStealers and Botnets: These are used to steal login credentials directly from employee or customer machines.
- Command and Control (C2) and Data Exfiltration: Threat actors may open non-standard ports on an organization's assets to communicate with compromised systems or steal data.
- Man-in-the-Middle and Card Skimming: Attackers use code injection to perform flicker redirects, stealing credit card information as it is entered into a vulnerable website.
- Fraudulent Apps, Spoofed Domains, and Typo Squatting: Bad actors impersonate brands via fake mobile applications or register domains that look like a company's legitimate site to host phishing kits, scam customers, or distribute malware.
- Content Cloaking: Threat actors host a retailer’s actual marketing content on their own malicious servers to bypass email filters and trick victims.
- Deepfakes: Synthetic images, videos, or calls are used for personal "zero day" attacks against individuals or to enable financial scams.
- Counterfeit Goods: This part of the attack surface involves actors selling fake products under a company's brand, draining revenue.
- Insider Threats: While often secondary to external actors, retailers still face risks from within their own perimeter.
- Kinetic/Physical Threats: The attack surface has expanded to include physical risks, such as protests targeting retail stores or corporate headquarters.
- Threats Against Executives: Modern risks include personal threats to top-ranking staff members, ranging from the exposure of personal data like Social Security numbers or driver's licenses to physical attacks.
Retail Cybersecurity Best Practice: How Can Your Organization Protect Its External Attack Surface Against External Threats?
Gartner reports that 83% of organizations lack even an accurate inventory of their exposed assets, never mind a way of protecting them. While traditional retail cybersecurity has long focused on defending everything inside your internal network, 96% of retail cyberattacks now originate outside that traditional perimeter.
To address the shift, retail businesses must move from a reactive posture toward External Attack Surface Management (EASM) and retail attack surface monitoring that provide an "outside-in" perspective.
What is External Attack Surface Management?
External Attack Surface Management (EASM) refers to a set of security disciplines focused on identifying and managing internet-facing assets. It shows organizations what an adversary sees when scanning for vulnerabilities and extends beyond internal security controls.
What is Attack Surface Intelligence (ASI)?
While EASM focuses on visibility, Attack Surface Intelligence (ASI) extends EASM by adding threat intelligence and disruption capabilities that enable threat-informed exposure management.
ZeroFox’s ASI offers the solution by fusing EASM with Cyber Threat Intelligence (CTI) and Digital Risk Protection (DRP), to provide action over observation. For retail organizations, ASI provides a "threat-informed" defense that goes beyond simply knowing an asset exists by implementing the core cycle of Discover, Validate, and Disrupt.
Organizations that implement ASI as the foundation for a Continuous Threat and Exposure Management (CTEM) program are three times less likely to suffer a breach. It moves the retail cybersecurity team from "studying" risk to actively eliminating it at scale.
Here’s how EASM for retail and ASI work together to ensure robust retail cybersecurity:
- Finding Unknown Assets
EASM continuously crawls the internet using automated browsers that click through links and map connections—similar to how search engines index websites. This uncovers all known and unknown assets, including forgotten servers, abandoned marketing sites, and test environments that were never decommissioned.
- Detecting Phishing Infrastructure
EASM combined with ASI identifies when threat actors have established connections to legitimate retail marketing systems and are scraping content to host on phishing servers. Attackers who host authentic retailer content on their malicious infrastructure can bypass significantly more email filters, dramatically increasing their success rates. This detection becomes especially critical around Black Friday when customers actively seek deals and are more susceptible to fraudulent offers.
- Monitoring Supply Chain Connections
EASM for retail maps the complex web of connections between you and your suppliers, distributors, and partners—revealing exposure points that security teams typically cannot see from inside the organization. When a supplier experiences a compromise, retailers gain visibility into which of their systems were connected and potentially affected.
- Finding Spoofed Domains and Counterfeit Operations
EASM provides brand and domain protection by discovering typosquatting domains, fake websites, social media profile impersonation, and counterfeit goods operations running under the retailer's brand. These threats directly impact revenue and damage trust, making them a significant component of your external attack surface that requires ongoing monitoring.
- Tracking Certificate and Configuration Issues
EASM monitors for expiring certificates and server misconfigurations that could interrupt customer transactions or create security vulnerabilities. Expired certificates create friction for customers trying to make purchases and can signal to attackers that infrastructure is poorly maintained.
- Enabling Automated Credential Resets
Thanks to ASI, when customer credentials appear on the dark web, EASM-integrated systems can trigger automatic password resets before attackers exploit them for account takeovers. This approach disrupts threat actors' ability to use stolen credentials rather than simply alerting security teams after the fact.
- Catching Command-and-Control Activity
EASM detects unauthorized ports and services appearing on retail infrastructure—often indicators of active compromise. Attackers who gain access frequently open non-standard ports for data exfiltration or command-and-control communications. This detection method catches compromises that might otherwise go unnoticed, particularly on assets that were stood up without proper registration and monitoring.
- Identifying Threat Actor Targets
ASI-informed vulnerability prioritization uses threat intelligence to determine which exposures are truly dangerous by correlating them with adversary behavior and active exploit lists, such as the CISA KEV. Assets attracting active threat actor attention get prioritized for remediation, while those not currently under threat can be addressed later. For example, if threat actors are currently using a new "zero-day" exploit against a specific Linux version, ASI will instantly prioritize any retail assets running that software. This prevents security teams from wasting resources on low-risk exposures while critical vulnerabilities go unaddressed.
- Uniting Digital and Physical Security
ASI bridges the gap between cyber and physical risk. For a retail chain, this means being alerted to physical threats, such as protests or violence, near specific store locations discovered during the attack surface mapping.
Cagliostro explains how ASI enables a proactive approach to kinetic threats:
“You're looking for not just the typical risks, but the newer kinds, and not just to detect them, but to disrupt them,” she says.
“So, rather than just hearing there's a protest after the fact because you see it on the news, you get notified ahead of time so you can activate a standard operating procedure for risks like that, maybe have your staff close the shutters.”
“Similarly, when there start to be threats made on the internet against your executives, you have a notification process that lets you take action before anything escalates.”
- Proactive Disruption for Superior Retail Cybersecurity
Most EASM for retail solutions stop at discovery and alerting—they tell you about problems but leave remediation entirely to your team. But ZeroFox’s core differentiator is delivering action instead of mere observation. By eliminating risks at scale, ZeroFox turns intelligence into operational outcomes that actually reduce the attack surface rather than just documenting it.
ZeroFox ASI proactively removes malicious content and exiles bad actors from the internet thanks to:
- Active Threat Removal
ZeroFox maintains a Global Disruption Network that actively removes threats rather than simply reporting them. When threats like phishing sites, fraudulent domains, or impersonation accounts are identified, ZeroFox works directly with hosting providers, social media platforms, and registrars to take them down, and continuous monitoring makes sure they stay down. This eliminates threats at the source rather than relying solely on internal defenses to block them over and over again.
- Blocking at the Point of Detection
Rather than just routing threat data into your team’s SIEM for analysis and eventual action, ZeroFox enables blocking malicious domains and phishing infrastructure immediately upon detection. Being proactive disrupts threat actors before they can execute their attacks, for example, by preventing phishing emails from ever reaching employee inboxes and stopping customers from landing on fraudulent sites.
- Brand and Impersonation Takedowns
When someone impersonates a retailer's brand, creates fraudulent social media accounts, or posts unauthorized content, ZeroFox handles the takedown process directly. The platform works with the relevant companies to get malicious content removed, saving security teams from navigating multiple independent reporting processes.
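As an added illustration of the “Finding Unknown Assets”, “Catching Command-and-Control Activity” and “Identifying Threat Actor Targets” bullets above (example code, not ZeroFox's product), the script below diffs a constructed external scan against a stored asset baseline and ranks the findings with a stand-in active-exploitation list. All hostnames, ports and CVE-style identifiers are constructed placeholders, and the expected-port set is an assumption.

```python
"""Baseline drift detection and threat-informed triage over constructed scan data."""
from dataclasses import dataclass

# Assumed: ports an internet-facing retail web asset is expected to expose.
EXPECTED_PORTS = {80, 443}

# Constructed sample: what the asset inventory recorded last time.
BASELINE = {
    "shop.example.test": {80, 443},
    "legacy-promo.example.test": {80, 443},
}

# Constructed sample: services seen by the latest outside-in scan.
# The inventory never knew about "staging-old.example.test".
SCAN = {
    "shop.example.test": {80, 443},
    "legacy-promo.example.test": {80, 443, 4444},
    "staging-old.example.test": {22, 8080},
}

# Constructed stand-in for an active-exploitation list (CISA KEV is the real one).
# The identifiers below are placeholders, not real vulnerabilities.
ACTIVELY_EXPLOITED = {"CVE-0000-0001"}

# Constructed: vulnerabilities the scan attributed to each asset.
VULNS = {
    "legacy-promo.example.test": ["CVE-0000-0001", "CVE-0000-0002"],
    "staging-old.example.test": ["CVE-0000-0003"],
}

@dataclass(frozen=True)
class Finding:
    asset: str
    kind: str      # "unknown_asset" | "new_port" | "vuln"
    detail: str
    priority: str  # "critical" | "high" | "medium"

def find_drift(baseline, scan):
    """Flag assets absent from the inventory and ports not seen in the baseline."""
    findings = []
    for asset, ports in scan.items():
        if asset not in baseline:
            ports_txt = ",".join(str(p) for p in sorted(ports))
            findings.append(Finding(asset, "unknown_asset", ports_txt, "high"))
            continue
        for port in sorted(ports - baseline[asset]):
            # A newly opened non-standard port on a known asset is treated as a
            # possible C2/exfiltration channel rather than a routine change.
            prio = "critical" if port not in EXPECTED_PORTS else "medium"
            findings.append(Finding(asset, "new_port", str(port), prio))
    return findings

def triage_vulns(vulns, exploited):
    """Rank each vulnerability by whether it is on the active-exploitation list."""
    return [Finding(a, "vuln", cve, "critical" if cve in exploited else "medium")
            for a, cves in vulns.items() for cve in cves]

ORDER = {"critical": 0, "high": 1, "medium": 2}

def prioritized_queue(baseline=BASELINE, scan=SCAN, vulns=VULNS, exploited=ACTIVELY_EXPLOITED):
    """Combined remediation queue, most urgent first, deterministic order."""
    findings = find_drift(baseline, scan) + triage_vulns(vulns, exploited)
    return sorted(findings, key=lambda f: (ORDER[f.priority], f.asset, f.kind, f.detail))

if __name__ == "__main__":
    for f in prioritized_queue():
        print(f"[{f.priority:8}] {f.asset:28} {f.kind:13} {f.detail}")
```

Run against a real inventory, the same diff would be fed by the discovery crawl and the KEV feed; the point is that the new port and the actively exploited CVE rise to the top while the remaining findings wait.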
Stop Studying Threats. Start Eliminating Them.
The retail enterprise is digital by default, and traditional perimeter-based security is no longer sufficient. EASM provides the visibility retailers need, while ASI enables action informed by real-world threat activity.
ZeroFox Attack Surface Intelligence connects EASM with Cyber Threat Intelligence and Digital Risk Protection to help retailers discover unknown exposures, validate which ones matter most, and disrupt threats before they impact customers, employees, or revenue.
Ready to see what attackers see—and stop them before they strike? Get your free Attack Surface Assessment from ZeroFox today.
Tags: Attack Surface Intelligence, External Attack Surface Management