TL;DR: A new analysis of retail email threats found US organizations averaged 1,052 advanced attacks per 1,000 mailboxes versus 462 in the UK, with phishing peaking in Q2 and business email compromise spiking in Q1, according to Abnormal AI. Seasonal attack timing now matters as much as volume, because it exposes predictable gaps in identity trust and financial approval processes.
NHIMG editorial — based on content published by Abnormal AI: retail email threat seasonality and advanced attack patterns
By the numbers:
- US retailers averaged 1,052 advanced email attacks per 1,000 mailboxes.
- UK BEC volume drops 29% from Q1 to Q4.
Questions worth separating out
Q: How should retail security teams prepare for seasonal phishing spikes?
A: Retail teams should increase monitoring, user awareness, and escalation coverage before the seasonal peak arrives, not after the first wave of attacks.
Q: Why do business email compromise attacks work so well in retail?
A: BEC works in retail because it exploits trusted business routines such as vendor renewals, budgeting, and payment approvals.
Q: What breaks when retail teams rely on familiar-looking emails as proof of legitimacy?
A: The approval chain breaks first, because employees and finance staff may treat a message as authentic before it is properly verified.
Practitioner guidance
- Build seasonal control calendars: Increase phishing monitoring, awareness, and approval scrutiny during Q2 for retail operations and during Q1 for BEC-sensitive finance and procurement activity.
- Separate email trust from payment authority: Require out-of-band confirmation for supplier bank changes, payment exceptions, and urgent invoice requests, especially when vendor communication volume is high.
- Treat seasonal hiring as an identity risk event: Add targeted onboarding checks, short role-based training, and tighter approval review for temporary and part-time staff during peak trading periods.
What's in the full article
Abnormal AI's full research covers the operational detail this post intentionally leaves for the source:
- Quarter-by-quarter breakdown of advanced email attacks across US and UK retail environments.
- Separate seasonal analysis of phishing and business email compromise patterns by region.
- Discussion of likely operational drivers such as staffing cycles, vendor renewals, and fiscal timing.
- Context on how behavioural AI is used to block socially engineered email threats before delivery.