American Retailers Leave Consumers Exposed to Email Fraud Amid Holiday Shopping Season

Proofpoint research reveals 40% of the leading retailers are not actively blocking bogus emails that spoof their brand

American Retailers Leave Consumers Exposed to Email Fraud Amid Holiday Shopping Season

PROOFPOINT MEDIA CONTACT:
Estelle Derouet
Proofpoint, Inc.
pr@proofpoint.com

Black Friday marks the unofficial start of the holiday shopping season. With just days to go until the annual event, Proofpoint Inc., a leading cybersecurity and compliance company, today released new research revealing two out of five of the leading retailers are not taking adequate measures to protect consumers from email fraud and cybercrime.

These findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) adoption analysis of the top 50 retailers in the United States. DMARC is a widely-used email protocol that helps protect domain names from being spoofed and misused by cybercriminals. It authenticates an email sender’s identity before allowing a message to reach its intended destination, ensuring the sender is who it says it is. With three levels of protection—monitor, quarantine, and reject—DMARC ensures that only verified senders can send emails using a retailer’s domain. The ‘reject’ policy is the most secure, preventing any fraudulent emails from reaching the inbox.

The National Retail Federation (NRF) expects sales to grow steadily this year, forecasting that Americans will spend between $979.5 billion and $989 billion during the holiday season. Online shopping—which the NRF predicts will be the primary contributor of overall retail sales growth—spurs a flurry of email communications from retailers, presenting an opportunity for cyber criminals to spoof brands to launch fraudulent attacks. Email is a widely used marketing tool and a popular channel for cyber criminals to conduct large-scale phishing campaigns to steal personal information or credit card details that can then be used to engage in identity and financial fraud.

Proofpoint’s analysis of the top 50 retailers according to the NRF and their adoption of DMARC finds:

  • 60% of online retailers in the U.S. have implemented the highest level of protection to reject suspicious emails from reaching consumers’ inboxes, a 12-point increase compared to 2023
  • However, this means that 40% of online retailers are not actively blocking fraudulent emails from reaching consumers
  • One in 10 retailers have no DMARC record in place at all
  • 18% have implemented a monitor policy, meaning unqualified emails can still arrive in the recipient’s inbox; only 12% have implemented a quarantine policy to direct unqualified emails to spam/junk folders

“Email continues to be the vector of choice for cybercriminals and the retail industry remains a key target. It’s encouraging to see that more retailers are taking the right steps to protect their customers from email fraud this holiday season compared to last year,” said Robert Holmes, group vice president and general manager of Proofpoint’s Sender Security and Authentication business. “However, there is still a lot of room for improvement, especially as guards are down as consumers vie to quickly snag seasonal bargains.”

Google has also noted the significant increase in authentication adoption since implementing new email authentication rules for organizations last year, resulting in 265 billion fewer unauthenticated messages sent in 2024.

Proofpoint recommends consumers follow the below tips when shopping:

  • Passwords need protecting: Avoid reusing the same password. Utilize a password manager to simplify your online activities while ensuring security and further enhance protection by implementing multi-factor authentication.
  • Remain vigilant about imitation sites: Be wary of fake websites that imitate well-known brands. These fraudulent sites may sell counterfeit or non-existent items, distribute malware, or try to steal money and personal information.
  • Avoid phishing and smishing threats: Remain vigilant for phishing emails that direct to unsafe websites aiming to gather personal data, such as login credentials and credit card details. Also, exercise caution with SMS phishing ('smishing') and messages received via social media.
  • Don't click on links: Refrain from clicking on links; instead, manually enter the known website address into your browser to access advertised deals. When using special offer codes, input them during the checkout process to confirm their authenticity.
  • Confirm before making a purchase: Deceptive advertisements, websites, and mobile apps can appear convincing. Before downloading a new app or visiting an unfamiliar website, take the time to read online reviews and check for customer complaints.

To find out more about DMARC, visit https://www.proofpoint.com/us/products/email-fraud-defense.

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.