The Hefty Price Tag for Email Insecurity in Retail

From promotions and loyalty points to invoices and tracking, email underpins the vital network of communication between shopper and seller. And it isn’t going anywhere.

More than 300 billion emails were sent every day in 2020, and this is set to grow by an impressive 76 billion in the coming years. So surely the players in the retail industry – worth $25 trillion dollars – are doing everything possible to keep this channel secure?

Think again. As of March 2021, only 6% were fully protected against domain impersonation (i.e. fully DMARC compliant).

This means they are highly vulnerable to email impersonation and all the threats that come with it, such as business email compromise (BEC) and phishing attacks. These can result in the loss of capital, consumer trust, brand equity, and much more.

Below, we’ve totaled up what retail businesses, online stores, and eCommerce sites may have to pay if they don’t secure their domains and improve their cybersecurity posture.

$30 billion retail funds lost to cyber attackers year on year

No business is fully immune to the threats of cybercrime. But unfortunately for retail businesses, their handling of personal and sensitive data makes them particularly susceptible to impersonation attacks.

Most worryingly, almost a quarter of all cyber attacks are aimed at retailers and this is costing the industry more than $30 billion every year. This mammoth sum is likely made up of ransom demands, money lost to fake invoices, loss of retail sales due to damaged consumer trust, and even fines.

$28 million penalties for insufficient data safeguarding

Retail businesses are some of the largest holders of valuable customer data. With everything from credit card numbers to personally identifiable data and behavior insights, retailers are legally responsible for safeguarding this highly sensitive personal data. So unsurprisingly the penalty for not putting sufficient protocols in place to protect data privacy is high.

The UK’s far-reaching GDPR imposes fines of up to £20m (about $28m or €23.5m) or 4% of annual revenue for each data breach. While GDPR is a UK law, its policies apply to any company doing business with EU citizens. When it comes to global retail, that’s a lot of companies.

Irreparable damage to reputations and relationships

Shoppers take their trust in who they buy from seriously. 22% of customers will stop buying from a business after it has been attacked, and 67% admit that they trust a company less after a data breach.

As well as this, global communications firm Edelman found that protecting customer privacy and data was ranked the 6th most important factor in trusting a business.

So it’s hard to decide what’s more unnerving for retail and ecommerce businesses: their disproportionate share of cyber attacks or the irrevocable damage that occurs when things go wrong.

Permanent cracks in your supply chain

When your company isn’t DMARC compliant, it’s not just your business and brand at risk. Your customers, employees, suppliers and stakeholders are too. After all, these are the people who’ll be receiving malicious phishing emails in your name.

The responsibility to protect employees, customers and business partners is shared by all retailers, and it’s vital that they put the measures in place not just to cover their reputation, but also to protect those within their sphere of influence.

How retailers and eCommerce businesses can fight back

Different retailers will always have different priorities. Some consider their brand equity and relationships most important, while others believe their bottom line is the best indicator of their success.

But whatever a retail business considers most valuable, it’s clear that the overwhelming majority lack the security to protect this. While there are a number of different solutions for threats in the cybersecurity space, full DMARC configuration should be the retail sector’s first step for securing domains, brand reputations, supply chains and bottom lines from the cost of impersonation fraud. Security for your business is priceless.

With our free investigate tool you can check your DMARC setup today.

Check email DMARC setup

PUBLISHED BY

Sabrina Evans

3 Jun. 2021

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Certificates

TLS certificates are changing: What you need to know

Red Sift

Executive summary: TLS certificates are about to get significantly shorter-lived. Starting 15 March 2026, newly issued public-trust certificates will max out at 200 days—and just three years later, that lifespan drops to 47 days. Backed by Google, Apple, and Mozilla, this shift aims to make the web safer through fresher data, faster failover, and…

Read more
DKIM

The hidden threat: How misconfigured DKIM enables replay attacks

Red Sift

Email authentication isn’t just an IT concern. It protects your brand and customers. A single misstep can let attackers spoof your domain, send phishing emails, and destroy customer trust. One of the most dangerous methods? The DKIM replay attack. In this post, we’ll break down how undersigned DKIM keys and related misconfigurations open your…

Read more
BIMI

Why DMARC and BIMI are a business priority

Jack Lilley

Email threats aren’t slowing down, and neither should your authentication strategy. In our recent joint webinar with Marigold, “From DMARC to BIMI: Navigating the New Email Authorization Landscape,” we broke down what today’s evolving standards mean for both security and marketing teams—and how to take action now with our free Red Sift Investigate tool.…

Read more
ASM

Zoom stops zooming: Why active monitoring is essential

Billy McDiarmid

​On April 16, 2025, Zoom experienced a significant global outage that disrupted video conferencing services and access to its website for thousands of users, as well as their corporate email for all their employees. It was quickly identified as a domain name registration status problem. Despite being a critical name for Zoom, somehow, the…

Read more