South African retailers face a perfect cybersecurity storm as they gear up for an extended peak season.

The busiest time of year will see head offices at their most vulnerable as cyber criminals target overworked staff who are desperate to ensure sales are maximised and customers kept happy.

Black Friday, Festive and Back to School trading holidays have merged into a three-month peak that has placed a growing strain on local retailers, many of which also have less administrative support as employees take their annual leave over the summer holidays. What’s more, landmark retail breaches in the UK should be giving local retailers cause for concern.

“Ransomware attacks at UK retailers like Marks & Spencer, Co-op, and Harrods have made headlines across the globe. While the circumstances of each incident may have varied, each case highlighted the fact that human error is still one of the most exploited vulnerabilities,” says Heino Gevers, senior director of technical support at Mimecast SA.

“Rather than deploying groundbreaking malware or sophisticated technical exploits, criminals manipulated employees, impersonated IT staff and bypassed trust-based systems designed for convenience and speed.”

 

Odds stacked against local retailers

The effects of ransomware attacks are a growing threat to local businesses. According to 2025 research by Sophos, 60% of local companies hit by a ransomware attack had data encrypted. The median payment to retrieve their data came in at around R7,8-million, while the cost to recover from an attack averaged around R23-million.

The research further shows that email remains a major attack vector, with 23% of global retailers reporting phishing as the root cause, and a further 14% citing malicious email.

 

Human factor still the biggest weakness

The UK retail breaches were a case study in how cyber attacks target an organisation’s weakest links.

The Marks & Spencer attackers reportedly gained access using stolen credentials obtained via social engineering, allowing them to disrupt operations, with the damage expected to result in a 30% hit to profits.

Co-op suffered a similar breach when IT staff were tricked into resetting a legitimate user’s password, giving criminals access to their network. The breach is alleged to have cost the retailer £206-million in lost sales. Harrods also fell victim to social engineering tactics with 403 000 customer records compromised.

“The amount of damage done to these retail juggernauts must be a cautionary tale for local retailers,” Gevers says. “Particularly since South African companies face additional challenges. While shop floors may be fully staffed, many administrative roles may be away on leave. The additional strain on overworked employees who are at the office can lead to very expensive errors.”

Gevers goes on to explain that the public visibility of the successful UK attacks is likely to have a copycat effect. What’s more, he points out that even less technically skilled attackers can now quickly and cheaply access tools and tactics (often enabled by AI) that allow them to build highly effective phishing campaigns or impersonate support teams at scale.

He says the threat intelligence team at Mimecast has tracked over 150 000 phishing campaigns since February this year, all bearing the hallmarks of these tactics. While many seem simple in nature, such as fake CAPTCHAs, spoofed portals, and MFA prompts, they remain effective because they exploit trust, not code.

 

Keeping customers happy adds layers of threat

To further complicate things, local retailers will be facing a particularly challenging time this peak as overburdened support teams struggle to deal with increased customer support demands. This will be the case both on the shop floor and online as ecommerce continues to surge.

“Great customer support lies at the heart of ecommerce growth. Unfortunately, attackers know this, and they are now increasingly targeting support desks, managed service providers, and third-party vendors.

“These teams are trained to solve problems quickly, reset credentials and keep operations moving. And it’s precisely these qualities that make them attractive entry points for social engineers,” Gevers shares.

He also warns that business email compromise (BEC) remains one of the most successful forms of attack today, because it bypasses technology altogether. “A well-crafted email from a ‘colleague’ asking for an invoice payment or password reset can be all it takes.”

 

Identify the areas of weakness and help shore up the gaps

Gevers says recent research from Mimecast reveals that 95% of data breaches are caused by human error but that just 8% of employees account for 80% of security incidents.

He says organisations must prioritise identifying high-risk individuals and implementing targeted training to mitigate these vulnerabilities.

Additionally, with over 90% of threats delivered via email, he says it’s crucial to focus on blocking these entry points to prevent attackers from gaining access to credentials and moving laterally within systems.

“As cybercriminals evolve, the battle has moved into inboxes, helpdesks and chat windows. South African retailers must act now to ensure their teams have all the necessary support to get through their busiest time of the year.

“Retailers can make anything from 20% to 50% of their revenue during peak season and, while they must remain laser-focused on making the most of this time, this past year in the UK has shown us just how devastating a ransomware attack can be,” Gevers says.

 

Online brand protection is everyone’s responsibility

To keep consumers safe over the peak, Mimecast teams devised a list of tips for retailers:

  • Deploy Domain-based Message Authentication, Reporting and Conformance (DMARC) as a first step. The DMARC protocol prevents cybercriminals from sending harmful emails that appear to come from the business’s domain, one of the ploys often used by cybercriminals during busy sale days when consumers are expecting communications from stores they have purchased from.
  • Monitor and analyse email activity to identify illegitimate senders, then quarantine or reject suspicious emails before they reach consumers.
  • Deploy third-party brand protection services that use advanced scanning and ML to detect and neutralise imitation or spoofed websites and actively block brand impersonation attempts.
  • Establish strong collaboration between marketing and cybersecurity teams to ensure brand protection is addressed from both a reputation and a technical security perspective.
  • Be transparent and communicate with customers, especially regarding incidents, proactive protection steps, and general information security advice.
  • Respond swiftly to attacks by investigating, remediating, and compensating affected customers to maintain the trust that has often taken years to build.
  • Treat online brand protection (including defence against domain spoofing and fake websites) as integral to overall brand management and consumer trust.