Retail Cybersecurity Trends: New Data Reveals Predictable Patterns in the US and UK
The retail industry isn’t just seasonal in terms of sales—it’s also seasonal when it comes to cyber risk.
New analysis of data spanning January 2023 to June 2025 shows that cybercriminals appear to time their campaigns to coincide with retail’s moments of greatest vulnerability. This research, which assessed the median number of advanced email attacks per 1,000 mailboxes across retail organizations in the US and UK, confirms what many security teams suspect: modern threat actors are often more deliberate than opportunistic.
For retail security teams operating with limited budgets and resources, this predictability represents a game-changer—the ability to shift from reactive to proactive defense. In short, understanding these patterns can transform seasonal risk into strategic foresight.
Why Retail Remains a Strategic Target
The volume of sensitive data processed daily—including customer payment details, transaction histories, and personal information—makes successful compromise of a retail organization particularly financially lucrative. Furthermore, the industry’s heavy reliance on transactional email—such as order confirmations, shipping notifications, and customer service requests—creates ample opportunities for attackers to mimic familiar formats and deliver malicious payloads.
But beyond the data itself, the sector's operational structure introduces persistent exposure.
Compounding these risks, large, distributed workforces—including seasonal and part-time staff—present challenges related to inconsistent security awareness and, consequently, increased susceptibility to social engineering. Most retailers also depend on complex vendor ecosystems, making them especially vulnerable to vendor email compromise and impersonation attacks.
Unlike highly regulated industries, many retailers operate with lean security teams, which increases the likelihood of delayed threat detection and response. On top of that, security controls that introduce friction are often deprioritized in favor of maintaining transaction flow, which adversaries readily exploit. During peak periods (such as late spring/early summer and late fall/early winter), operational pressure further elevates risk as employees are pushed to prioritize speed over scrutiny.
These overlapping weaknesses make the retail sector a uniquely attractive and vulnerable target for threat actors.
In June 2025, Cartier and The North Face disclosed separate cyberattacks that compromised customer data. Cartier reported that hackers accessed limited personal information—names, email addresses, and countries of residence—but no financial data was compromised. The North Face revealed that a credential stuffing attack in April exposed names, contact details, purchase history, and birthdates. Experts warn that retailers are prime targets because they store vast amounts of customer data and often have weaker cybersecurity defenses.
Quarterly Threat Trends Show Relatively Consistent Patterns Across Regions
Our analysis reveals cyclical attack behaviors with similar seasonal patterns across both regions, despite significant differences in overall attack volumes.
United States: Sustained Pressure with Q2 Peaks
US retailers faced a notably higher volume of email threats, averaging 1,052 advanced attacks per 1,000 mailboxes across the observation period, compared to 462 in the UK. Q2 stood out as the most dangerous quarter, peaking at 1,105 per 1,000 mailboxes and reflecting a spring/early summer surge that correlates with several operational factors unique to this period.
Q2 presents optimal conditions for cybercriminals targeting US retailers. Typically, retailers are ramping up vendor communications to prepare for the lucrative "Moms, Dads, and Grads" season—a critical sales period spanning Mother’s Day, Father’s Day, and graduation-related events. At the same time, companies flood their workforce with temporary hires to support heightened promotional activity and seasonal inventory transitions.
This combination of elevated email traffic and influx of inexperienced staff creates ideal conditions for attacks. Cybercriminals have learned to exploit this predictable vulnerability window, timing their campaigns precisely when retailers are most exposed.
United Kingdom: Different Scale, Similar Rhythm
While UK retail organizations experienced significantly lower attack volumes, the threat trends followed a comparable seasonal pattern, with Q2 representing the highest activity period for malicious campaigns.
The data shows UK retailers averaged 491.8 attacks per 1,000 mailboxes in Q2 compared to 445.2 in Q4—a 10.5% increase from the lowest quarter to the highest. This seasonal fluctuation closely mirrors the US pattern, indicating that both regions experience similar timing in overall advanced attack activity despite different baseline volumes.
The lower overall attack volumes in the fourth quarter may be attributed to differences in regulatory environments, business practices, or market structures. For instance, UK retailers are subject to employment policies, such as the Agency Workers Regulations 2010, which may shape workforce dynamics and operational patterns during busy seasons.
Even so, the parallel timing of attack spikes suggests that global retail supply chain rhythms create similar windows of opportunity across both regions.
The Key Takeaway
The consistency of second-quarter surges across both regions over the past two and a half years suggests that global threat actors may be coordinating campaigns to target retail organizations during this timeframe, possibly exploiting common business cycles or seasonal vulnerabilities. The upside is that when security teams know that Q2 consistently brings the heaviest attack loads, they can staff accordingly, increase training intensity, and prepare their defenses before the storm hits.
Phishing Dominates the Threat Landscape
Phishing remained the most common attack type, comprising nearly two-thirds of advanced email threats in the US and over half in the UK over the last 30 months. The seasonal patterns of phishing closely mirrored overall attack trends, with Q2 representing the highest volume period in both regions.
United States: Persistent and Consistent
US retailers have faced relentless phishing pressure throughout the last two and a half years, with Q2 showing the highest average attack volume. The seasonal variation was relatively modest—only a 6% difference between the highest (Q2) and lowest (Q4) quarterly averages—suggesting that phishing campaigns operate as a year-round threat, requiring constant vigilance.
The modest seasonal variation in phishing attacks reflects the technique's opportunistic nature. Unlike BEC attacks that require specific business contexts, phishing campaigns can exploit any stretch of time with elevated email volumes.
United Kingdom: Matching Seasonal Trends
Retail organizations in the UK saw a comparable quarterly pattern, with Q2 also representing the peak period. However, a 14% difference between the highest and lowest (Q4) quarterly averages indicates that UK retailers experience slightly more pronounced seasonal fluctuations in phishing activity.
This heightened variation may reflect different seasonal business rhythms in UK retail markets, creating distinct vulnerability windows.
The Key Takeaway
Both regions exhibit consistent Q2 spikes in phishing activity, with somewhat modest seasonal variations that necessitate year-round vigilance rather than dramatic shifts in resources. The similar patterns across both regions suggest that Q2 represents a globally recognized peak interval for phishing campaigns targeting retail organizations, making this quarter a priority for enhanced defenses regardless of geographic location.
Business Email Compromise Defies Seasonal Norms
While phishing attacks appeared to cluster in Q2, business email compromise (BEC) attacks operated on a counter-seasonal cycle, consistently reaching maximum volume in Q1 across both regions throughout the observation period. This unique pattern makes BEC particularly interesting from a defensive planning perspective.
United States: Q1 BEC Surge Suggests Strategic Targeting
On average, BEC campaigns targeting US retailers reached their highest levels in the first quarter, then declined steadily through Q4. A 17% drop from peak to trough in quarterly averages suggests that BEC attacks may be timed to coincide with annual business planning cycles, budget approvals, or vendor contract renewals—activities that often create ambiguity and opportunity for financial fraud.
The Q1 spike may also be due to threat actors' understanding that early-year stretches often involve new staff, updated procedures following year-end audits, and increased financial activity—all factors that can create openings for successful business email compromise attacks.
United Kingdom: Sharper Swings, Similar Timing
UK retailers showed an even more pronounced seasonal trend in business email compromise, with average attack volume dropping by 29% between Q1 and Q4. This sharper decline may reflect the behavior of cybercriminals influenced by the UK’s fiscal year, which spans from April to March. Threat actors may focus their efforts in Q1 to exploit the heightened financial activity that typically follows year-end reporting, as organizations finalize budgets, negotiate vendor contracts, and launch new initiatives.
These transitions often involve increased email traffic and internal coordination—conditions that create ambiguity and can be exploited through impersonation. By Q4, many of these processes are stabilized, and organizations may be operating within well-established workflows, reducing the likelihood of successful deception. The timing suggests a strategic focus by attackers on periods when disruption and decision-making are most concentrated.
The Key Takeaway
The counter-seasonal nature of BEC threats presents both challenges and opportunities for retail security teams. While other attack types allow for concentrated Q2 defensive efforts, BEC requires Q1 preparation when resources may be focused on other priorities. However, the predictability of this pattern also enables security teams to implement targeted awareness training and enhanced financial controls during the high-risk first quarter.
Strategic Security Planning Requires Seasonal Awareness
The seasonal trends revealed in this analysis offer retail security teams a strategic advantage: the ability to align defensive resources with predictable attack cycles. The data shows that:
Q2 demands heightened defense against all advanced threats, especially phishing, based on consistent patterns across the last two and a half years. Organizations should prioritize enhanced SOC capacity and intensive user awareness campaigns during this critical quarter.
Q1 requires BEC-specific planning, especially in finance and procurement functions, given the consistent seasonal peak observed. Tailored controls and training during this timeframe can help intercept fraud attempts tied to fiscal operations and vendor management activities.
For global enterprises, regional strategies must reflect different threat landscapes. US teams face higher sustained pressure, necessitating more robust year-round postures, while UK teams can adopt more flexible seasonal strategies without sacrificing effectiveness.
Rather than maintaining uniform security postures year-round, retailers can implement dynamic defense strategies that intensify during high-risk periods and optimize resource allocation during lower-risk windows.
The business impact is significant. This data-driven approach can improve security outcomes while potentially reducing overall costs—a rare win-win in cybersecurity.
Tailoring Email Defenses by Region and Season
In an industry where a single successful attack can cost millions in remediation, regulatory fines, and lost customer trust, the ability to predict and prepare for elevated threat cycles isn't just valuable—it's essential for survival.
Today’s most dangerous threats rely on social engineering to manipulate human behavior, tricking employees into clicking malicious links, sharing credentials, or authorizing fraudulent payments. While seasonal preparation and ongoing security awareness training are critical, they can only go so far. The most effective way to stop these attacks is to prevent them from ever reaching employees in the first place.
By understanding when attacks are most likely to occur—and by utilizing behavioral AI to detect and block socially engineered threats—retail organizations can transition from a reactive defense to proactive protection, staying one step ahead of cybercriminals who count on timing and human error to succeed.
See for yourself how Abnormal AI provides comprehensive email protection against attacks that exploit human behavior.