KnowBe4 released its “Global Retail Report 2025,” revealing a shift in cybercriminal tactics targeting the retail sector. The report finds that credential harvesting, which is often orchestrated through phishing attacks, has become the predominant threat, accounting for 38% of all compromised data in 2023, while payment card data theft dropped to 25%.
The research shows an increase in cyberattacks in the retail sector, with attack frequency rising by 56% in 2023 compared to the previous year. This puts retail in the top five industries targeted by cybercriminals. The average cost of a retail data breach reached $3.48 million in 2024, an 18% increase from 2023.
Credential theft now accounts for 38% of all compromised data, while payment card theft dropped to 25%, making credential harvesting the leading threat in retail cyberattacks. North America’s retail sector experienced the highest percentage of attacks (56%), while Latin America saw the second most at 32%, and Europe experienced 11% of attacks.
The United States retail sector accounted for 45% of global ransomware attacks despite representing only 28% of market share, making retail the second most targeted sector. Conducting security awareness training and simulated phishing evaluations for one year or more can reduce the likelihood of employees falling for phishing attacks for organizations of all sizes.
Employee susceptibility to phishing attacks dropped from 42.4% to just 5.2% in large retail organizations, while small and medium-sized retailers saw similar improvements, with rates dropping to 4.7% and 4.5% respectively after one year of continuous training, according to the report.
Source: Security Magazine