By NHI Mgmt Group Editorial Team
Published 2025-07-17
Domain: Governance & Risk
Source: Abnormal AI

TL;DR: A new analysis of retail email threats found US organizations averaged 1,052 advanced attacks per 1,000 mailboxes versus 462 in the UK, with phishing peaking in Q2 and business email compromise spiking in Q1, according to Abnormal AI. Seasonal attack timing now matters as much as volume, because it exposes predictable gaps in identity trust and financial approval processes.


At a glance

What this is: An analysis of retail email threat seasonality, showing that attackers time phishing and business email compromise around predictable business cycles.

Why it matters: Retail identity and access controls must account for human behaviour, vendor trust, and finance workflow pressure, not just static account permissions.

By the numbers: US organizations averaged 1,052 advanced attacks per 1,000 mailboxes, compared with 462 in the UK; phishing peaked in Q2 and business email compromise spiked in Q1.

👉 Read Abnormal AI's analysis of retail email attack seasonality and threat timing


Context

Retail email security is not just a filtering problem. It is an identity trust problem, because phishing and business email compromise succeed when employees, finance teams, and vendors treat familiar messages as authenticated business context.

The article argues that retail attackers exploit seasonal business pressure, especially in Q2 for phishing and Q1 for BEC. That makes access decisions, payment approvals, and vendor communication patterns part of the security control surface, not just the mail gateway.


Key questions

Q: How should retail security teams prepare for seasonal phishing spikes?

A: Retail teams should increase monitoring, user awareness, and escalation coverage before the seasonal peak arrives, not after the first wave of attacks. They should also validate that mail filtering, reporting, and approval workflows are aligned to the higher transaction volume seen in Q2. Seasonal readiness works best when it is operationally planned, not improvised during the incident.

Q: Why do business email compromise attacks work so well in retail?

A: BEC works in retail because it exploits trusted business routines such as vendor renewals, budgeting, and payment approvals. Those workflows already move quickly, and attackers only need one convincing message to create urgency or trigger exception handling. Retail teams should assume that a familiar format alone is not sufficient evidence of legitimacy.

Q: What breaks when retail teams rely on familiar-looking emails as proof of legitimacy?

A: The approval chain breaks first, because employees and finance staff may treat a message as authentic before it is properly verified. That can lead to credential disclosure, fraudulent payment processing, or data sharing. The weakness is not only technical filtering. It is the assumption that recognisable language or branding equals trusted intent.

Q: Who should own response when phishing or BEC targets retail payment workflows?

A: Ownership should be shared across IAM, security operations, finance, and procurement because the attack crosses all four domains. Identity teams control assurance, SOC teams control detection, and finance teams control the transaction decision. If those groups work separately, attackers can exploit the gaps between verification and action.


Technical breakdown

Why retail email attacks track business cycles

Retail email abuse is shaped by operational rhythm. Attackers watch for high-volume periods when staff are overloaded, seasonal workers are onboarded, and vendor mail is expected. That creates better odds for phishing because recipients are primed to act quickly, and for BEC because finance and procurement teams are processing more legitimate exceptions. The technical pattern is not random spam. It is contextual impersonation that relies on timing, message similarity, and workflow pressure to bypass human scrutiny and policy controls.

Practical implication: align email security, awareness, and approval controls to seasonal business peaks instead of running a flat year-round posture.

Phishing, BEC, and the identity trust layer

Phishing and business email compromise differ in the type of trust they exploit. Phishing aims to harvest credentials or deliver payloads by impersonating common business traffic. BEC goes further by abusing the organisation’s trust in named individuals, vendors, and payment workflows. In IAM terms, these attacks target the decision boundary where message authenticity becomes access, payment, or data-sharing action. Mail security helps, but identity verification, out-of-band confirmation, and approval separation are what stop a convincing impersonation from becoming a business transaction.

Practical implication: add stronger verification for payments, supplier changes, and staff onboarding emails during known high-risk quarters.
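The separation of email trust from payment authority described above, as an added example that is not part of Abnormal AI's analysis or NHI Mgmt Group's material: a small Python policy check that decides which verification steps an email-triggered payment request must clear before finance acts. The Q1 high-risk window follows the page's BEC finding; the amount thresholds, field names, control names and the sample vendor are constructed assumptions.

```python
"""Policy check for email-triggered payment requests.

Added illustration, not code from Abnormal AI or NHI Mgmt Group.
The Q1 = BEC-peak mapping follows the page; thresholds, field names and
control names are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

HIGH_RISK_QUARTERS_BEC = {1}   # page: BEC spikes in Q1; treated here as a tighter-verification window
BASE_OOB_THRESHOLD = 25_000.0  # assumption: amount above which out-of-band confirmation is mandatory
PEAK_OOB_THRESHOLD = 5_000.0   # assumption: tighter threshold inside a high-risk quarter


def quarter_of(d: date) -> int:
    """Calendar quarter (1-4) of a date."""
    return (d.month - 1) // 3 + 1


@dataclass
class PaymentRequest:
    request_id: str
    requester: str                       # mailbox that sent the instruction
    approver: str                        # finance user about to act on it
    vendor: str
    amount: float
    bank_details_changed: bool = False   # supplier asked to pay a new account
    marked_urgent: bool = False
    outside_normal_cycle: bool = False   # e.g. renewal outside the contract schedule
    requested_on: date = date(2025, 1, 15)


@dataclass
class Decision:
    required_controls: list[str] = field(default_factory=list)
    reasons: list[str] = field(default_factory=list)

    @property
    def may_proceed_on_email_alone(self) -> bool:
        return not self.required_controls


def evaluate(req: PaymentRequest, known_vendors: set[str]) -> Decision:
    """Return the controls that must be satisfied before the payment is released."""
    d = Decision()
    q = quarter_of(req.requested_on)
    threshold = PEAK_OOB_THRESHOLD if q in HIGH_RISK_QUARTERS_BEC else BASE_OOB_THRESHOLD

    def need(control: str, reason: str) -> None:
        if control not in d.required_controls:
            d.required_controls.append(control)
        d.reasons.append(reason)

    # Approval separation: whoever received the instruction never also approves it.
    if req.requester == req.approver:
        need("second_approver", "requester and approver are the same identity")
    # Supplier bank changes are confirmed out of band regardless of amount or quarter.
    if req.bank_details_changed:
        need("out_of_band_callback", "supplier bank details changed")
    if req.vendor not in known_vendors:
        need("out_of_band_callback", "vendor not in the supplier master file")
    if req.marked_urgent or req.outside_normal_cycle:
        need("out_of_band_callback", "urgency or exception handling requested")
    if req.amount >= threshold:
        need("out_of_band_callback", f"amount {req.amount:.2f} meets Q{q} threshold {threshold:.2f}")
    return d


if __name__ == "__main__":
    vendors = {"Acme Packaging"}  # constructed supplier master file
    req = PaymentRequest("R-2", "ap.clerk@example", "finance.lead@example",
                         "Acme Packaging", 6000.0, requested_on=date(2025, 2, 10))
    result = evaluate(req, vendors)
    print(result.required_controls, result.reasons)
```

The callback requirement is keyed to the quarter rather than to the sender, so the same 6,000 request that clears on email alone in Q3 is held for out-of-band confirmation in Q1; the sender's identity never lowers the bar.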

Why lean teams need seasonal detection models

Retail security teams often operate with limited headcount and heavy transactional volume, so detection logic has to be tuned for predictable surges. Seasonal baselining helps distinguish expected traffic from suspicious spikes, especially when adversaries exploit order confirmations, shipping updates, and vendor requests. The useful design pattern is not more alerts. It is risk-aware prioritisation across mail, identity, and finance controls so the highest-confidence abuse paths are reviewed first during the periods when staff are least able to absorb noise.

Practical implication: build seasonal baselines for email, user, and approval behaviour so alert triage reflects retail operating conditions.


Threat narrative

Attacker objective: The attacker wants to turn routine retail communication into credential theft, payment fraud, or data compromise while staff are least likely to question it.

  1. Entry begins when attackers use seasonal volume and familiar retail email formats to deliver phishing messages or impersonate vendors during periods of high operational pressure.
  2. Escalation occurs when recipients disclose credentials, approve fraudulent payment requests, or bypass normal verification because the message fits expected business context.
  3. Impact follows when attacker-controlled access or fraudulent instructions enable account compromise, payment diversion, or theft of customer and operational data.


NHI Mgmt Group analysis

Seasonality is a governance signal, not just a threat metric. The article shows that retail attackers time campaigns to business cycles, which means identity controls should be judged against operating rhythm rather than static policy. When seasonal staffing, vendor churn, and fiscal events all increase message trust, the control gap is not only technical filtering but governance that fails to account for predictable human decision pressure. The implication is that retail identity programmes need time-based trust assumptions, not uniform treatment across the year.

Retail BEC exposes a named failure mode: trusted workflow impersonation. This is not generic phishing. It is the abuse of finance and procurement trust paths that assume a named sender or familiar process is sufficient evidence. That assumption breaks when attackers align with budget cycles, renewals, and staffing transitions. Practitioners should treat approval workflows as identity controls, because the real target is the business process that converts email legitimacy into financial authority.

Seasonal workforce expansion creates identity debt at the edge of the programme. Temporary and part-time staff are not simply an awareness problem. They enlarge the pool of low-context users who can be manipulated by familiar mail patterns and urgent requests. The governance issue is that onboarding speed often outruns behavioural assurance, especially when teams are trying to preserve transaction flow. Retail security leaders should treat seasonal hiring as a lifecycle event with identity risk implications.

Identity trust debt: retail environments accumulate unverified trust in email, vendors, and approvals faster than they can revalidate it. That debt compounds when lean teams rely on recognisable message patterns instead of stronger assurance. The result is a system that looks efficient until an attacker times the right message to the right quarter. Practitioners should read this as a structural warning about overreliance on familiarity as a control.

Human identity controls and email security now need shared ownership. The article makes clear that mail threats are not isolated security events, because they sit at the intersection of authentication, access, and financial authority. If the IAM team, SOC, and finance functions do not share seasonal response plans, attackers will keep exploiting the seams between them. The practical conclusion is that retail governance must connect identity, email, and payment workflows in one operating model.


What this signals

Retail teams should assume that seasonal attack timing will influence control performance, not just user behaviour. A programme that looks adequate in a quiet quarter can fail under Q2 traffic and Q1 finance pressure, especially when approval paths are already overloaded.

Identity trust debt: the key risk is not only whether a message is malicious, but whether the organisation has built enough verification into the workflows that turn email into action. That is where retail exposure now concentrates, and it is why email security and IAM governance need a shared operating model.

The practical signal for practitioners is to align awareness, detection, and approval controls to calendar-driven risk windows rather than treat the year as operationally flat. Security teams that do this well will catch more abuse earlier and create less friction during normal trading periods.


For practitioners

  • Build seasonal control calendars: Increase phishing monitoring, awareness, and approval scrutiny during Q2 for retail operations and during Q1 for BEC-sensitive finance and procurement activity.
  • Separate email trust from payment authority: Require out-of-band confirmation for supplier bank changes, payment exceptions, and urgent invoice requests, especially when vendor communication volume is high.
  • Treat seasonal hiring as an identity risk event: Add targeted onboarding checks, short role-based training, and tighter approval review for temporary and part-time staff during peak trading periods.
  • Use seasonal baselines for detection and triage: Tune alert thresholds using normal quarterly patterns for mail traffic, vendor requests, and finance approvals so high-risk anomalies surface faster.
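The seasonal baselining described in "Why lean teams need seasonal detection models" and in the last bullet above, as an added example that is not part of Abnormal AI's analysis or NHI Mgmt Group's material: a Python script that scores a week's count of inbound vendor requests against both a flat all-year baseline and a same-quarter baseline, then ranks observations for triage. The weekly counts are constructed to mimic a retail pattern in which Q2 volume runs roughly double the other quarters; the z-score threshold and signal name are assumptions.

```python
"""Seasonal baselining for alert triage.

Added example, not code from Abnormal AI or NHI Mgmt Group. The weekly
counts are constructed; the threshold and signal names are assumptions.
"""
from statistics import mean, stdev
from typing import Dict, List, Tuple

# Constructed history: weekly counts of inbound vendor payment/change
# requests, six sample weeks per quarter of the previous year.
HISTORY: Dict[int, List[int]] = {
    1: [20, 22, 21, 23, 20, 22],
    2: [38, 47, 41, 50, 44, 47],   # Q2 normally runs about double the other quarters
    3: [21, 23, 22, 24, 22, 23],
    4: [26, 28, 27, 30, 29, 28],
}
Z_THRESHOLD = 2.0  # assumption: alert when an observation sits 2 sd or more above its baseline


def baseline(values: List[int]) -> Tuple[float, float]:
    """Return (mean, sample standard deviation) for a set of historical counts."""
    if len(values) < 2:
        raise ValueError("need at least two samples to form a baseline")
    return mean(values), stdev(values)


def z_score(observed: float, mu: float, sd: float) -> float:
    """Standard score; a zero-variance baseline treats any deviation as extreme."""
    if sd == 0:
        return 0.0 if observed == mu else float("inf")
    return (observed - mu) / sd


def score(history: Dict[int, List[int]], quarter: int, observed: int) -> dict:
    """Score one week's count against a flat (all-year) and a seasonal (same-quarter) baseline."""
    flat_mu, flat_sd = baseline([v for q in history.values() for v in q])
    season_mu, season_sd = baseline(history[quarter])
    fz = z_score(observed, flat_mu, flat_sd)
    sz = z_score(observed, season_mu, season_sd)
    return {
        "quarter": quarter,
        "observed": observed,
        "flat_z": fz,
        "seasonal_z": sz,
        "flat_alert": fz >= Z_THRESHOLD,
        "seasonal_alert": sz >= Z_THRESHOLD,
    }


def triage(history: Dict[int, List[int]], observations: List[Tuple[int, int]]) -> List[dict]:
    """Rank (quarter, count) observations by seasonal z so the genuinely unusual week is reviewed first."""
    scored = [score(history, q, n) for q, n in observations]
    return sorted(scored, key=lambda r: r["seasonal_z"], reverse=True)


if __name__ == "__main__":
    # A busy-but-normal Q2 week and a quietly abnormal Q3 week.
    for row in triage(HISTORY, [(2, 50), (3, 34)]):
        print(f"Q{row['quarter']} count={row['observed']:>3} "
              f"flat_z={row['flat_z']:.2f} seasonal_z={row['seasonal_z']:.2f} "
              f"flat_alert={row['flat_alert']} seasonal_alert={row['seasonal_alert']}")
```

With this history the flat baseline raises an alert on a Q2 week of 50 requests, which is ordinary for that quarter, and stays silent on a Q3 week of 34, which is far outside that quarter's norm; the seasonal baseline reverses both calls, so the lean team's review queue starts with the week that actually deviates from retail operating conditions.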

Key takeaways

  • Retail email attacks follow business rhythm, so seasonal controls are more effective than static year-round posture.
  • Phishing and BEC exploit different trust assumptions, but both succeed when familiar communication is allowed to stand in for verified identity.
  • The strongest defence is shared ownership across security, IAM, finance, and procurement so approval paths cannot be manipulated in isolation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Retail email fraud exploits weak identity assurance in communication workflows.
NIST SP 800-63 | | Email impersonation often succeeds when assurance is treated as implied trust.
NIST Zero Trust (SP 800-207) | | Zero trust applies to message-driven decisions, not just network access.

Strengthen identity verification in email-triggered business processes before action is taken.


Key terms

  • Business Email Compromise: Business email compromise is a fraud technique where an attacker impersonates a trusted person or organisation to trigger payments, data sharing, or account changes. In retail, it often targets finance and procurement workflows where urgency and familiarity can override verification.
  • Identity Trust Debt: Identity trust debt is the accumulation of unverified assumptions that a sender, workflow, or vendor is trustworthy simply because it looks familiar. In practice, it grows when operational speed is prioritised over stronger confirmation, leaving organisations exposed to impersonation and fraud.
  • Seasonal Attack Surface: Seasonal attack surface is the period when business processes, staffing patterns, and communication volume create a temporary increase in exploitable risk. It matters because attackers can time campaigns to align with higher trust, weaker scrutiny, and overloaded teams.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: retail email threat seasonality and advanced attack patterns. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org