The Hefty Price Tag for Email Insecurity in Retail

From promotions and loyalty points to invoices and tracking, email underpins the vital network of communication between shopper and seller. And it isn’t going anywhere.

More than 300 billion emails were sent every day in 2020, and this is set to grow by an impressive 76 billion in the coming years. So surely the players in the retail industry – worth $25 trillion dollars – are doing everything possible to keep this channel secure?

Think again. As of March 2021, only 6% were fully protected against domain impersonation (i.e. fully DMARC compliant).

This means they are highly vulnerable to email impersonation and all the threats that come with it, such as business email compromise (BEC) and phishing attacks. These can result in the loss of capital, consumer trust, brand equity, and much more.

Below, we’ve totaled up what retail businesses, online stores, and eCommerce sites may have to pay if they don’t secure their domains and improve their cybersecurity posture.

$30 billion retail funds lost to cyber attackers year on year

No business is fully immune to the threats of cybercrime. But unfortunately for retail businesses, their handling of personal and sensitive data makes them particularly susceptible to impersonation attacks.

Most worryingly, almost a quarter of all cyber attacks are aimed at retailers and this is costing the industry more than $30 billion every year. This mammoth sum is likely made up of ransom demands, money lost to fake invoices, loss of retail sales due to damaged consumer trust, and even fines.

$28 million penalties for insufficient data safeguarding

Retail businesses are some of the largest holders of valuable customer data. With everything from credit card numbers to personally identifiable data and behavior insights, retailers are legally responsible for safeguarding this highly sensitive personal data. So unsurprisingly the penalty for not putting sufficient protocols in place to protect data privacy is high.

The UK’s far-reaching GDPR imposes fines of up to £20m (about $28m or €23.5m) or 4% of annual revenue for each data breach. While GDPR is a UK law, its policies apply to any company doing business with EU citizens. When it comes to global retail, that’s a lot of companies.

Irreparable damage to reputations and relationships

Shoppers take their trust in who they buy from seriously. 22% of customers will stop buying from a business after it has been attacked, and 67% admit that they trust a company less after a data breach.

As well as this, global communications firm Edelman found that protecting customer privacy and data was ranked the 6th most important factor in trusting a business.

So it’s hard to decide what’s more unnerving for retail and ecommerce businesses: their disproportionate share of cyber attacks or the irrevocable damage that occurs when things go wrong.

Permanent cracks in your supply chain

When your company isn’t DMARC compliant, it’s not just your business and brand at risk. Your customers, employees, suppliers and stakeholders are too. After all, these are the people who’ll be receiving malicious phishing emails in your name.

The responsibility to protect employees, customers and business partners is shared by all retailers, and it’s vital that they put the measures in place not just to cover their reputation, but also to protect those within their sphere of influence.

How retailers and eCommerce businesses can fight back

Different retailers will always have different priorities. Some consider their brand equity and relationships most important, while others believe their bottom line is the best indicator of their success.

But whatever a retail business considers most valuable, it’s clear that the overwhelming majority lack the security to protect this. While there are a number of different solutions for threats in the cybersecurity space, full DMARC configuration should be the retail sector’s first step for securing domains, brand reputations, supply chains and bottom lines from the cost of impersonation fraud. Security for your business is priceless.

With our free investigate tool you can check your DMARC setup today.

Check email DMARC setup


Sabrina Evans

3 Jun. 2021



Recent Posts


Preventing certificate related violations in cybersecurity frameworks:  A guide to certificate monitoring…

Rebecca Warren

TLS is one of the most widely adopted security protocols in the world allowing for unprecedented levels of commerce across the internet.  At the core of the TLS protocol is TLS certificates. Organizations must deploy TLS certificates and corresponding private keys to their systems to provide them with unique identities that can be reliably…

Read more

Red Sift ASM & Red Sift Certificates: the missing link in your…

Billy McDiarmid

According to Gartner, Attack Surface Management (ASM) refers to the “processes, technology and managed services deployed to discover internet-facing enterprise assets and systems and associated exposures which include misconfigured public cloud services and servers.” This broad category of tooling is used within Continuous Threat Exposure Management (CTEM) programs, with many vendors within it having…

Read more

The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more