TL;DR: A new analysis of retail email threats found US organizations averaged 1,052 advanced attacks per 1,000 mailboxes versus 462 in the UK, with phishing peaking in Q2 and business email compromise spiking in Q1, according to Abnormal AI. Seasonal attack timing now matters as much as volume, because it exposes predictable gaps in identity trust and financial approval processes.
NHIMG editorial — based on content published by Abnormal AI: retail email threat seasonality and advanced attack patterns
By the numbers:
- US retailers averaged 1,052 advanced email attacks per 1,000 mailboxes.
- UK BEC volume drops 29% from Q1 to Q4.
Questions worth separating out
Q: How should retail security teams prepare for seasonal phishing spikes?
A: Retail teams should increase monitoring, user awareness, and escalation coverage before the seasonal peak arrives, not after the first wave of attacks.
Q: Why do business email compromise attacks work so well in retail?
A: BEC works in retail because it exploits trusted business routines such as vendor renewals, budgeting, and payment approvals.
Q: What breaks when retail teams rely on familiar-looking emails as proof of legitimacy?
A: The approval chain breaks first, because employees and finance staff may treat a message as authentic before it is properly verified.
Practitioner guidance
- Build seasonal control calendars Increase phishing monitoring, awareness, and approval scrutiny during Q2 for retail operations and during Q1 for BEC-sensitive finance and procurement activity.
- Separate email trust from payment authority Require out-of-band confirmation for supplier bank changes, payment exceptions, and urgent invoice requests, especially when vendor communication volume is high.
- Treat seasonal hiring as an identity risk event Add targeted onboarding checks, short role-based training, and tighter approval review for temporary and part-time staff during peak trading periods.
What's in the full article
Abnormal AI's full research covers the operational detail this post intentionally leaves for the source:
- Quarter-by-quarter breakdown of advanced email attacks across US and UK retail environments.
- Separate seasonal analysis of phishing and business email compromise patterns by region.
- Discussion of likely operational drivers such as staffing cycles, vendor renewals, and fiscal timing.
- Context on how behavioural AI is used to block socially engineered email threats before delivery.
👉 Read Abnormal AI's analysis of retail email attack seasonality and threat timing →
Retail email attack seasonality: what IAM teams need to prepare for?
Explore further
Seasonality is a governance signal, not just a threat metric. The article shows that retail attackers time campaigns to business cycles, which means identity controls should be judged against operating rhythm rather than static policy. When seasonal staffing, vendor churn, and fiscal events all increase message trust, the control gap is not only technical filtering but governance that fails to account for predictable human decision pressure. The implication is that retail identity programmes need time-based trust assumptions, not uniform treatment across the year.
A few things that frame the scale:
- DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
A question worth separating out:
Q: Who should own response when phishing or BEC targets retail payment workflows?
A: Ownership should be shared across IAM, security operations, finance, and procurement because the attack crosses all four domains. Identity teams control assurance, SOC teams control detection, and finance teams control the transaction decision. If those groups work separately, attackers can exploit the gaps between verification and action.
👉 Read our full editorial: Retail email attack seasonality is outpacing human defenses