It only takes one unaware or preoccupied employee to click on a malicious link or download a compromised attachment for a phishing threat to manifest into a successful attack.

Eyal Benishti, CEO, Ironscales

To those outside the cybersecurity community the figure will likely sound unbelievable: the UK's Dimension Data predicts that 50,000,000 cyberattacks will occur during the 2017 holiday season. That equates to approximately 1.66 million attacks per day over a roughly 30-day span, with the overwhelming majority expected to use email phishing as the attack vector of choice.

Since the last week of November, which most consider the "official" start of the holiday season, both businesses and consumers have already been publicly warned of a new PayPal phishing attack, brand-spoofing emails impersonating Walmart and Amazon deals, and even fake charities soliciting donations. These seasonal phishing campaigns, which typically aim at account takeover or some form of financial fraud, come on top of the roughly 1.5 million new phishing websites already being created each month.

A quick Google search on "holiday phishing scams" and similar phrases turns up numerous articles from this year and years past aimed at helping consumers prepare for and respond to holiday phishing emails. But there is far less guidance for the millions of online retailers and e-commerce companies that must balance customer experience and shopping-cart fulfillment against the risk mitigation that today's complex threat landscape demands.

Perhaps this is because the media assumes that most online retailers have done their due diligence and adopted the tools, technologies and best practices for risk management and phishing mitigation. History, though, suggests otherwise. In fact, many argue that most companies, from big-box retailers to mom-and-pop shops, are vastly underprepared to prevent, detect and remediate email phishing attacks.

As we've written many times before, it only takes one unaware or preoccupied employee to click on a malicious link or download a compromised attachment for a phishing threat to turn into a successful attack. Once inside a network or system, attackers can steal confidential business and consumer financial information, disrupt services, falsify order forms, degrade website performance and more. While the exact total cost of seasonal phishing scams to businesses is unknown, we do know that on average a phishing attack costs a company at least $1.6 million to remediate.

With an estimated 92 percent of consumers making at least one online purchase during the holiday season, there is no shortage of vulnerable targets for financially motivated threat actors. As such, e-retailers must implement additional best practices to harden their cyber defenses during the prime attack time of the holiday season. Here are a few tips to consider.

Best Practices for Online Retailer Risk Mitigation

Tip 1: Assume Your Cybersecurity Technology is Flawed – Traditional signature-based secure email gateways and filters are now easily bypassed by spear-phishing, spoofing and business email compromise (BEC) messages. A signature can only match an attack that has already been seen; a freshly registered lookalike domain or a forged display name on a message with no malicious attachment carries nothing for it to match. This means that employees cannot assume that an email is benign simply because it has made its way through a layer of defenses. It is essential that employees of e-commerce companies and online retailers using such legacy technologies do not develop a false sense of security simply because it is known that investments in cybersecurity have been made. Employees should expect that some malicious email will reach the inbox, and in turn accept personal responsibility as a first line of defense to help identify, report and avoid phishing.
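As an added illustration of why a signature-based filter misses the brand-spoofing messages described above, here is a small mailbox-level header check written for this page (it is example code, not Ironscales' product or any tool the article names). It flags a From: display name that claims a brand the sending domain does not own, a sender domain one or two characters away from the real one, and a Reply-To that steers replies to a third domain. The brand-to-domain table and the three sample messages are constructed for the demo, and the two-label "registrable domain" rule is a simplification noted in the code.

```python
from email import message_from_string
from email.utils import parseaddr

# Brands staff routinely receive mail from, mapped to the domains those brands
# actually send from. Constructed for this example; a real deployment would
# build this table from the organisation's own vendor relationships.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
    "walmart": {"walmart.com"},
}


def registrable_domain(addr: str) -> str:
    """Lower-cased last two DNS labels of an address's domain.

    Two labels is a simplification that mishandles ccTLDs such as co.uk; a
    production check would consult the public suffix list instead.
    """
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance. One or two edits away from a real brand domain
    (paypa1.com, amazom.com) is the classic lookalike a signature never sees."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def claimed_brand(display_name: str):
    """Brand named in the From: display name, or None."""
    name = display_name.lower()
    return next((b for b in BRAND_DOMAINS if b in name), None)


def check_message(raw: str) -> list:
    """Return a list of findings for one RFC 822 message; empty means clean."""
    msg = message_from_string(raw)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = registrable_domain(from_addr)

    # 1. Display name claims a brand, but the sending domain is not that brand's.
    brand = claimed_brand(display_name)
    if brand and from_dom not in BRAND_DOMAINS[brand]:
        findings.append(f"claims {brand} but sent from {from_dom}")
        if any(edit_distance(from_dom, d) <= 2 for d in BRAND_DOMAINS[brand]):
            findings.append(f"lookalike domain {from_dom}")
        elif brand in from_dom:
            findings.append(f"brand name embedded in unrelated domain {from_dom}")

    # 2. Replies are steered to a domain other than the apparent sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = registrable_domain(reply_addr)
    if reply_addr and reply_dom != from_dom:
        findings.append(f"reply-to {reply_dom} differs from sender domain {from_dom}")

    return findings


# Constructed sample messages (not real traffic).
LEGIT = """\
From: PayPal <service@paypal.com>
Subject: Your receipt

Thanks for your payment.
"""

SPOOF_PAYPAL = """\
From: "PayPal Service" <alerts@paypa1.com>
Subject: Unusual activity on your account

Confirm your details within 24 hours.
"""

SPOOF_WALMART = """\
From: "Walmart Deals" <promo@walmart-holiday-offers.com>
Reply-To: offers@example.net
Subject: Holiday coupon inside

Open the attached coupon.
"""

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("paypal", SPOOF_PAYPAL), ("walmart", SPOOF_WALMART)]:
        print(label, check_message(raw))
```

Run stand-alone, the legitimate receipt produces no findings, the PayPal message is flagged as a lookalike domain, and the Walmart message is flagged three times (brand claim, brand embedded in an unrelated domain, mismatched Reply-To). Note what this check is not: it will also flag a legitimate reseller whose domain happens to contain a brand name, and it does nothing for a compromised real account, so it belongs alongside the gateway and the employee reporting Tip 1 calls for, not in place of either.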

Tip 2: Simulate Phishing Attacks – Twice a week, provide all employees, from the CEO to the intern, with tailored training and simulations using mock phishing attacks to increase awareness of and responsiveness to social engineering techniques. Use gamified, interactive micro-learning sessions (5 minutes or less) to assess and strengthen each employee's phishing recognition and classification skills, in a format that is not only engaging but encourages employees to think and act as members of a virtual security team.

Tip 3: Elevate Executive Communications – Today's phishing attacks are sophisticated enough that even well-trained and cyber-vigilant employees can be tricked by spear-phishing and brand-spoofing messages. In recognition of this risk, management and executive teams must communicate continuously with employees about the threats posed by cyber criminals. Employees will then be regularly reminded of what is at stake should an attack occur, and in turn remain alert and skeptical of the messages that enter their inboxes.

In the long run, e-retailers should adopt a multi-layered and automated approach to preventing, detecting and responding to phishing emails. Such a defensive system would combine ongoing micro-learning phishing simulation and awareness training with mailbox-level phishing detection, real-time scanning of inbound emails against known attacks, automated incident response and real-time sharing of actionable intelligence. In the meantime, such companies can significantly reduce risk by implementing phishing attack simulations, elevating executive communications and assuming that their current cybersecurity safeguards are flawed.

Ironscales is a provider of phishing mitigation technologies.