
Social Engineering Attacks Costing Retailers Millions: How to Protect Your Business in 2025

by ZeroFox Team

Recent cyberattacks on British retail giants Harrods, Marks & Spencer, and Co-op have demonstrated how deceiving employees often proves easier than hacking sophisticated technical systems. By leveraging social engineering attacks in retail environments, bad actors quickly disrupted operations, compromised customer data, and caused widespread damage to the reputations of iconic brands.

A key takeaway from these attacks is that considering cybersecurity to be solely an IT department problem is a dangerous miscalculation. Unlike digital security infrastructure, humans remain inherently vulnerable to manipulation. Whether it's a worker processing supposedly routine vendor payments, responding quickly to an urgent-seeming email, or providing apparently harmless company information over the phone, each employee interaction provides an opportunity that skilled social engineers can exploit to open doors to sensitive systems and customer data. As a ZeroFox threat intelligence expert explains: "Over time, more and more employees are being granted more and more digital privileges in order to do their job. This puts everyone within an organization at the leading edge of the attack surface."

Read on to discover how to defend your organization against the cybercriminals who exploit human psychology to bypass retail cybersecurity and harm brands.

When Human Trust Becomes a Vulnerability

While the attacks on Harrods, Marks & Spencer (M&S), and the Co-op were the ones which hit the headlines, the retail industry as a whole suffered 235 ransomware and digital extortion attacks in Q1 2025 alone, with 38 percent of those impacting businesses in North America.

Attacks like these often rely on sophisticated deception techniques to manipulate staff, circumvent strong technical defenses, and breach corporate systems. The cybercrime group Scattered Spider has been heavily implicated in the UK incidents. While not definitively confirmed, security researchers have expressed confidence that this group was behind the recent UK retail breaches based on the tactics, techniques, and procedures (TTPs) observed.

In the M&S attack, perpetrators reportedly posed as employees and targeted third-party suppliers, convincing IT support personnel to perform password resets through advanced impersonation and spear-phishing strategies. This provided access to vital infrastructure, leading to ransomware deployment and widespread operational disruption. 

Investigations into the Co-op breach confirmed the use of social engineering methods, such as impersonating staff members to reset passwords on key accounts, leading to credential theft and access to sensitive systems and member information for 6.5 million individuals. Once inside, malicious actors moved laterally within the network to extract further data. 

ZeroFox’s head of Global Intelligence points out that while technical defenses improve continuously, "It's always been the case that the human element of a network is considered the most vulnerable."

“Digital attack surfaces are generally becoming more secure from a non-human standpoint, but there's always going to be a lag between the types of TTPs threat actors are deploying and the reaction from the blue team."

“Human beings have emotions, they are curious, they are scared of things, they anticipate things,” he notes. 

“These are all factors that can be leveraged."

The financial impact of such attacks extends far beyond immediate losses. When the Co-op was attacked, it had to shut down IT systems, leading to inventory shortages across many of its stores, harming customer trust, and reducing consumer spending. Recovery took weeks.

However, Marks & Spencer suffered a more severe disruption, forcing the retailer to shut down automated systems, halt online sales for over three months, and switch key services like payments, Click & Collect, and loyalty programs to manual processing. The incident resulted in empty shelves and customer inconvenience along with an estimated £300m ($403m) profit loss for 2025/26, with up to £1bn ($1.4bn) temporarily wiped off its market value. Hackers also stole personal customer data, raising phishing risks and prompting mass password resets. Recovery was slow, with some services only restored after months, leaving M&S struggling to repair customer trust through apologies, compensation, and investment in stronger cybersecurity measures.

However, despite the media attention, these attacks don’t represent a new trend, but an ongoing, persistent threat.

"These were unusual in the sense that there were three very prominent retail chains in the UK compromised in a short space of time," head of ZeroFox Global Intelligence observes.

“But what the media picked up on doesn't reflect the raw numbers when we're looking at the hundreds or the thousands of victims across time. Retail is consistently the 2nd or 3rd most targeted industry behind manufacturing and technology on a quarter by quarter basis.”

The Opportunistic Nature of Social Engineering Attacks in Retail

Threat actors employ various techniques to prepare for attacks, from purchasing compromised credentials on dark web marketplaces to searching for organizations with weak security postures.

Attacks are also commonly enabled by the vast quantity of information circulating online. 

"The amount of data which is available to people who would seek it to enhance their social engineering activity is ever-growing, and lots of that pertains to people and organizations and networks,” head of Global Intelligence explains.

This includes information scraped from staff and C-Suite social media accounts, previous data breaches, and publicly released corporate information.

“As soon as they get hold of this type of information, a threat actor is able to massively increase the efficacy and their chance of success in a social engineering attack.” 

For retailers, with their extensive customer-facing operations, this presents particular challenges. 

"There are lots of customer-facing aspects to the retail industry," he notes. "They interact with customers much more so than some other sectors like manufacturing or technology…that offers more possibilities for a threat actor to insert themselves between two parties."

However, the good news is that these attackers can be successfully discouraged.

"Most cybercriminals are opportunistic," he explains. "They're not waking up thinking, 'Hey, I’m going to target this specific retailer just because I hate these guys.' They're looking for low-hanging fruit."

So, attackers go from target to target until they find one that's vulnerable.

"It's a constant game of evaluating an organization, deciding they don't have enough information, then moving on to another company which is vulnerable to a business email compromise attack or an executive impersonation," head of Global Intelligence explains. 

"From an organizational standpoint, that presents a massive opportunity to not be that low-hanging fruit."

How AI is Transforming Social Engineering Attacks in Retail

While social engineering has long been a threat, the emergence of generative AI has made attacks both more sophisticated and more accessible to criminals.

At the low end of the effort scale, AI enables mass phishing campaigns that no longer contain the telltale signs employees are trained to spot.

"Threat actors are often not native English speakers, so, traditionally, small things like grammatical errors or poor spelling would raise suspicion in the mind of an employee,” the intelligence expert explains. “However, those red flags completely disappear in a lot of cases with the use of free AI tools. So, straight away, that negates how many people detect a phishing message."

What’s more, simplified off-the-shelf cybercrime packages specifically designed to help amateurs get started in cybercrime are spreading. "For example, things like phishing-as-a-service platforms deliberately target people that want to maybe break into this kind of activity but don't have the technical expertise to do so," head of Global Intelligence explains. These services drastically lower the barrier to entry, enabling a whole new class of threat actor.

For the most ambitious attackers, deepfake voice and video technology enables unprecedented levels of deception to bypass measures like multi-factor authentication (MFA). In one notable incident, a Hong Kong finance worker was manipulated into transferring $25 million to a scammer after deepfake technology was used to impersonate the company's CFO and other employees in a video call.

While such dramatic deepfake incidents might not make headlines frequently, when asked about their prevalence, the ZeroFox intelligence expert is direct: "I wouldn't call them rare because they're very easy to do, and they're very hard to spot."

"That said, high profile incidents that leverage something like a deepfake of a CFO or CEO do require quite a few failures on the organization's part," he explains. "But it happens more than we hear about, much more."

The implications are sobering. When asked if even security professionals now suspect every video call might be a deepfake, the intelligence expert admits that some paranoia is justified: "Anyone who works in industry should be thinking of these things, I know I do."

When Digital Threats Become Physical Dangers

Perhaps the most chilling aspect of modern social engineering is its potential use in preparation for physical attacks. While the ZeroFox intelligence expert is cautious about discussing specific cases, he acknowledges the very real convergence of digital and physical security risks.

"We see it taking place in dark web forums, we see discussions of physical threats and ambitions to do people harm," he reveals. "Often these are aimed at executives."

Much of the danger lies in how seemingly innocent information can be weaponized. 

"A lot of people think certain information is not sensitive because you can find it out online," he explains. 

"You can find out someone’s full name and job title on the internet. Maybe you don't consider that precious or sensitive information. But when threat actors use social engineering to put together various pieces of trivial information, such as pattern of life information, favorite restaurants, family routines, it becomes much more valuable, much more sensitive, and much more dangerous."

He warns that executives who maintain extensive online presences are essentially handing over "the keys to those that would do you harm."

"The more information that you put out there about yourself, especially if you are a high-profile individual who may be susceptible to people with opposing ideologies, then you are making it much easier for them to find you and interact with you in a negative way."

Why Retailers Hesitate to Act

Despite the dangers, ZeroFox head of Global Intelligence believes some organizations do not fully appreciate the threat posed by social engineering or how a cybersecurity solution can mitigate it because they believe it's “quite conceptual”. 

“Many people’s understanding of social engineering can be relatively vague,” he says. 

“But it's actually not. It boils down to understanding the attack surface, your endpoints, and your people, and knowing what part of the networks these people have access to."

Other common objections to tackling social engineering attacks in retail include:

  • "We’re too busy to worry about cybersecurity": The fast-paced retail environment leaves little time for additional responsibilities, and managers worry that security protocols to combat social engineering will slow down customer service.

    But as the expert points out: "Threat actors understand that mindset. They understand who thinks they don't need to worry about cybersecurity because they already have a department for that, and they are going to target you because of that. It could be your downfall."
  • "We have to think about budget limitations": The intelligence manager points to the irony of this excuse, noting that education and awareness training is "much, much cheaper" than digital attack surface protection, and certainly less expensive than paying ransoms to prevent further damage.

    "The budget limitations objection is always a strange one when you look at the payoff. There's a good chance that companies have already invested lots of money into their attack surface security. That's many times more expensive than implementing some education and awareness and security culture training to prevent social engineering."
  • "We haven't been targeted yet, our current security seems adequate": If social engineering attacks haven't happened yet, it's tempting to assume existing measures work. This false sense of security often persists right up to the moment when threat actors strike.

    "For example, you can’t know if you've been targeted unless you actively monitor for compromised credentials," he warns. "If your attitude is, we haven't been targeted yet, so we won't be, then you're essentially sitting on a ticking time bomb."

A Proven Path to Improving Retail Security

So, how can you effectively protect your business from social engineering attacks in retail? 

Retail Cybersecurity Education

The first step lies in helping staff understand how attackers target the gray space between technology and human behavior. ZeroFox’s head of Global Intelligence is unequivocal about the first line of defense: 

"When it comes to preventing social engineering attacks in retail, employee education and encouraging awareness, will massively improve an organization's resilience, that's absolutely not a cliché."

"If people understand that they are an integral part of the attack surface, alongside things like phishing communication auditing, and red team pen testing, that will negate a huge proportion of the threat from social engineering attacks," he advises.

Protect Beyond Your Perimeter

The next key challenge is to shift your perspective from reactive to proactive security.

While traditional cybersecurity deals with everything inside the corporate perimeter, modern threats emerge in the external spaces where businesses must operate: on social media, through email communications, and across digital marketplaces. This public attack surface requires specialized protection.

"Unless we're talking about an insider threat, all cyberattacks begin in spaces outside your control," he points out. "By ignoring threats until they reach your attack surface, you're limiting your organization to being reactive and defensive and essentially to mitigating the damage when an attack may already be underway."

That’s why ZeroFox concentrates on identifying and mitigating threats well in advance of an attack reaching your network. 

This approach combines AI-powered detection with expert human analysts to neutralize attacks before damage occurs, including threats like:

  • Compromised Credentials:

    "We monitor the deep and dark web for compromised credentials," the intelligence expert explains. 

    "This is key, because these are often the first sign of a social engineering attack. A large proportion of attacks can be identified before they reach the attack surface by spotting those compromised credentials within a data breach, or by observing network access being purchased in a dark web forum. Once we detect them, we work out which of these credentials are old, which accounts have been closed, and which grant live access to given accounts."
  • Malicious Domains: 

    The retail industry is heavily customer facing, so threat actors creating fake customer service platforms or IT help desk sites to harvest credentials is "one of the most essential aspects of retail social engineering campaigns," the intelligence expert notes. To combat this, ZeroFox provides extensive malicious domain monitoring, protecting over 10,000 brands across retail and other industries, monitoring more than 65 million domains annually, and completing over 1 million takedowns per year.
  • Brand Impersonations: 

    Threat actors target brand assets through impersonations, fake reviews, and account takeovers, stealing data, and damaging trust. ZeroFox’s multi-channel monitoring strategy combines surface web, social media, and dark web surveillance to identify brand abuse, unauthorized accounts, and look-alike domains.
  • Physical Threats:

    ZeroFox's physical security team offers comprehensive digital and physical security for executives, focusing on threat detection, reputation management, and real-time monitoring.

    It uses AI to identify and remove impersonations, exposed personal data, and fraudulent online content, enhancing overall safety.

    Continuous tracking of the dark web and threat environment helps prevent cyberattacks, data leaks, and physical risks to high-value individuals.

Retail Cybersecurity Checklist: Taking the First Steps

Here’s a checklist to help you begin protecting your organization against social engineering attacks in retail:

  • Assess your external attack surface. Analyze and document where your brand appears online and what vulnerabilities exist. Keeping track of your endpoints and understanding what part of the networks your people have access to forms the foundation for effective protection.
  • Prioritize high-risk areas. Focus initial efforts on protecting executive communications, customer-facing domains, and employee credentials. These represent the most common entry points for social engineering attacks.
  • Harness rapid takedown capabilities. When fake accounts or phishing sites appear, every second counts. Automated takedown services can remove threats before customers encounter them.
  • Integrate threat intelligence. Keeping on top of current attack trends helps you stay ahead of ever-evolving tactics. Real-time intelligence enables better security decisions.

What Your Upgraded Security Posture Looks Like

Instead of constantly playing catch-up with cybercriminals or dealing with the aftermath of devastating attacks, ZeroFox means your security infrastructure anticipates threats and neutralizes them before impact, protecting your business, your customers, and your brand’s reputation. Let’s take a look at what this upgraded security model looks like in practice:

Rapid Threat Elimination

ZeroFox’s advanced software means threats such as fraudulent websites impersonating your brand are removed within hours, not days. AI-powered platforms identify and dismantle phishing infrastructure at its source—taking down malicious domains, fake social media accounts, and spoofed websites before they can harvest customer credentials or damage your business.

Intelligence That Prevents Attacks

ZeroFox's team of 100+ threat analysts conducts research at both global and individual scales, providing contextualized intelligence specific to your organization's risk profile. Instead of scrambling after breaches occur, actionable threat intelligence helps you prepare before attacks materialize. By monitoring dark web forums for compromised credentials, tracking threat actor discussions, and identifying emerging attack patterns specific to retail, security teams can implement targeted defenses, patch vulnerabilities, and adjust controls before threat actors can exploit them.

Employees Become a Human Firewall

With targeted training and updates on emerging social engineering tactics—from phishing to pretexting—retail staff learn to verify identities, recognize suspicious requests, and report threats immediately. When employees understand how attackers operate, they can spot and stop attacks that technology alone might miss, transforming them from potential victims into your strongest security asset.

Security Enables Growth, Not Constraints

Properly implemented, security becomes a business enabler rather than a barrier. 

With robust protection in place, retailers can confidently expand their digital presence, adopt emerging technologies, launch new online services, and engage customers across multiple platforms without fear of exploitation.

With 65% of consumers reporting that they lose trust in a brand when they are targeted in a scam, comprehensive security also protects revenue streams. By preventing attacks, retailers maintain customer trust, protect brand reputation, and avoid the financial losses associated with fraud and remediation efforts.

The Moment of Truth

From sophisticated phishing attacks to coordinated social media impersonation campaigns, it’s likely that every retailer will eventually face a critical security test. However, the right solution can make all the difference between a catastrophe and a minor incident. While unprepared retailers may take weeks or months to discover they have been targeted and breached, organizations with proactive monitoring and rapid takedown capabilities can block attacks within hours, before any serious damage occurs.

"You just need to be harder to target than your competitors," the Manager of Finished Global Intelligence at ZeroFox explains. "If they approach your organization looking for a way in, and they can't find one, most of the time they're going to just go on to the next one. You need to be that organization."

Take Action Before Threat Actors Do

So, the question isn't whether your retail business will face social engineering attacks; it's whether you'll be ready for them when they arrive. Every day without comprehensive protection leaves your brand exposed in the digital spaces where customers engage and threat actors lurk.

Don't wait for a breach to reveal vulnerabilities in your security posture. Schedule a demo to see how ZeroFox can protect your retail business from social engineering attacks. Let our experts assess your current vulnerabilities and demonstrate how automated protection and expert intelligence can transform your security posture.
