Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Retail email attack seasonality: what IAM teams need to prepare for


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: A new analysis of retail email threats found US organizations averaged 1,052 advanced attacks per 1,000 mailboxes versus 462 in the UK, with phishing peaking in Q2 and business email compromise spiking in Q1, according to Abnormal AI. Seasonal attack timing now matters as much as volume, because it exposes predictable gaps in identity trust and financial approval processes.

NHIMG editorial — based on content published by Abnormal AI: retail email threat seasonality and advanced attack patterns

By the numbers:

Questions worth separating out

Q: How should retail security teams prepare for seasonal phishing spikes?

A: Retail teams should increase monitoring, user awareness, and escalation coverage before the seasonal peak arrives, not after the first wave of attacks.

Q: Why do business email compromise attacks work so well in retail?

A: BEC works in retail because it exploits trusted business routines such as vendor renewals, budgeting, and payment approvals.

Q: What breaks when retail teams rely on familiar-looking emails as proof of legitimacy?

A: The approval chain breaks first, because employees and finance staff may treat a message as authentic before it is properly verified.

Practitioner guidance

  • Build seasonal control calendars Increase phishing monitoring, awareness, and approval scrutiny during Q2 for retail operations and during Q1 for BEC-sensitive finance and procurement activity.
  • Separate email trust from payment authority Require out-of-band confirmation for supplier bank changes, payment exceptions, and urgent invoice requests, especially when vendor communication volume is high.
  • Treat seasonal hiring as an identity risk event Add targeted onboarding checks, short role-based training, and tighter approval review for temporary and part-time staff during peak trading periods.

What's in the full article

Abnormal AI's full research covers the operational detail this post intentionally leaves for the source:

  • Quarter-by-quarter breakdown of advanced email attacks across US and UK retail environments.
  • Separate seasonal analysis of phishing and business email compromise patterns by region.
  • Discussion of likely operational drivers such as staffing cycles, vendor renewals, and fiscal timing.
  • Context on how behavioural AI is used to block socially engineered email threats before delivery.

👉 Read Abnormal AI's analysis of retail email attack seasonality and threat timing →

Retail email attack seasonality: what IAM teams need to prepare for?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Seasonality is a governance signal, not just a threat metric. The article shows that retail attackers time campaigns to business cycles, which means identity controls should be judged against operating rhythm rather than static policy. When seasonal staffing, vendor churn, and fiscal events all increase message trust, the control gap is not only technical filtering but governance that fails to account for predictable human decision pressure. The implication is that retail identity programmes need time-based trust assumptions, not uniform treatment across the year.

A few things that frame the scale:

A question worth separating out:

Q: Who should own response when phishing or BEC targets retail payment workflows?

A: Ownership should be shared across IAM, security operations, finance, and procurement because the attack crosses all four domains. Identity teams control assurance, SOC teams control detection, and finance teams control the transaction decision. If those groups work separately, attackers can exploit the gaps between verification and action.

👉 Read our full editorial: Retail email attack seasonality is outpacing human defenses



   
ReplyQuote
Share: