May 26 2023

Today’s Retail Criminals Are Tech Savvy but Your Security Partners Can Help

With organized crime and cybercrime on the rise, today’s retailers are facing loss prevention challenges that go beyond sticky fingers and inventory shrinkage.

Aside from being criminal activity, retail theft and cybercrime share a common denominator: Both are nearly as old as the storefronts and the technologies, respectively, that made them possible. Unfortunately for retailers, the two also share a type of malicious symbiosis, with cybercrime inflicting an increasing risk of theft in recent years.

Twenty-five years ago — before curbside pickup, before every retailer had an online shop, and before the internet made online-only storefronts possible — when people thought of retail shrinkage, they largely thought of shoplifters and “boxes falling off the backs of trucks.” Today’s retailers, however, face a litany of threats much more organized and nuanced than lone thieves cutting alarm sensors out of leather coats or sneaking cold medicine into coat pockets.

Rising rates of organized crime have driven an alarming increase in retail shrinkage, with 8 in 10 retailers reporting violent incidents or aggression associated with organized crime in the past year. Over the past five years, 59 percent of retailers reported an increase in cybercrime, an increasingly popular tactic of organized crime syndicates.

Retail Loss TOC


Criminals Today are Tech Savvy and Organized

Organized retail crime is big business today, says Christian Beckner, vice president of retail technology and cybersecurity at the National Retail Federation. Hackers and cybercriminals are using a widening range of tactics, from account theft and takeovers (for example, stealing login information for a particular online retailer) to credit card theft, ransomware and more. Using stolen account information — often purchased on the dark web — retail thieves can access credit card data, and, in some cases, evolve their crimes from the online realm to physical locations.

Take, for instance, the “buy online, pickup in store” or curbside pickup trend that escalated when the COVID-19 pandemic shut down stores across the nation. Simply by stealing online account information, cybercriminals can make purchases online, pickup the merchandise in-store, and then resell it, leaving victims and businesses to foot the bill. Similar acts of thievery can be accomplished using stolen credit cards and having merchandise delivered to the criminals’ doorsteps.

Things are likely to get even more dangerous as artificial intelligence matures, says Buck Bell, the head of CDW’s Global Security Strategy Office. “The real short-term challenge is the degree to which AI can be an accelerant of successful attacks,” he says. Criminals are working on “using AI to replicate successful attacks to get pretty broad coverage in no time.”

DISCOVER: Three key pillars retailers should embrace.

Specifically in retail, Bell says, AI may be used to extract customer information via omnichannel communications. For example, he said, criminals might build an AI bot that can present itself to retailers as a customer, using whatever information is publicly available about him or her. “The AI will be responsive enough to walk through additional steps to extract additional information about that customer.”

What’s enticing about such a scenario, from the standpoint of cybercriminals, is the algorithm’s ability to learn as it goes, getting better with each attempt, as well as the ability to easily unleash such a bot at scale. “You know three of four pieces of demographic information about someone that’s easily discoverable online, and from that you can try to discover additional demographic information, account information, those kinds of things. We’ll see that increasing over the next two or three years.”

In some cases, the malicious bots will communicate with the retailers’ own customer service chatbots. In others, they will dial into call centers and speak to live agents, using the large language models that power tools such as Chat GPT.

“With some of these large language models, the opportunity to be much more conversational exists,” Bell says, “and if I can combine that with data mining, I can probably find out enough to convince a retailer that I might be who I say I am.”

Click the banner below to learn how enhanced video surveillance can help prevent retail loss.

A Partnership Between Loss Prevention and IT

If the nature of retail crime is evolving, so, too, is the relationship between loss prevention teams and IT departments. The increasing overlap of cybercrime and physical theft has made it increasingly important for loss prevention professionals to partner with IT decision-makers to reduce risk and the dreaded retail shrinkage.

“It’s about having compensating controls,” Beckner explains, “whether it’s deploying multifactor authentication for consumer transactions” or authenticating new device sign-ins. “A lot of this really comes down to having tools in place that can provide information about who is doing this, what their patterns are, and how we can detect and prevent it.”

It’s also important, Beckner says, for IT teams to partner with their security and loss prevention counterparts to ensure cohesion and alignment. “You want to know that you’re making the right investments and that they’re integrated with the rest of the company’s technology,” he says. That means not only investing in traditional physical security solutions, such as security cameras, but also protecting those assets with robust cybersecurity. Solutions to consider might include:

  • Next-generation firewalls: Combining traditional firewall technology with application-level protection, next-gen firewalls protect against advanced security threats through intelligent, context-driven features.
  • Endpoint detection and response: Continuously monitor all of the end-user devices on your network to detect and respond to cyberthreats such as malware and ransomware, which has become an increasing threat to retailers.
  • Identity and access management: The rise in customer account theft means that it’s not enough for businesses to implement IAM solutions for their employees; their customers need protection too. That’s why many retailers have been investing in IAM solutions, including multifactor authentication solutions.
  • Third-party security assessments: In some cases, it’s not enough to invest in new products; you may need to bring in help. Retailers determined to shore up any potential weaknesses might consider investing in third-party support services, including providers who can test your network for holes using red-team techniques.

EXPLORE: What trends are retailers leaning into this year?

How Cybersecurity and Physical Security Overlap in Retail

Bell notes that retailers are increasingly deploying automation technology inside stores to improve customer service. Some of these, such as advanced video surveillance systems, are designed to improve security. But others, like self-checkout technology, can complicate security.

In addition to the more obvious ways criminals can undermine such technology — by using tags from lower-priced items to ring up more-expensive merchandise, for example — Bell says it’s vital that retailers clearly understand what software is inside those machines, should the machines themselves be compromised.

“The IoT attack surface isn’t new, but it’s been a major attack vector for breaches in the past, as it comes from third-party point-of-sale systems,” he said. “In this case, the risk is straight up from the point-of-sale systems. There could be 20 or 30 third parties that have software that are part of the point-of-sale system. And many of the retailers out there do not have sophisticated software bills of materials for these systems, so they’re not sure, for instance, what open-source solutions are in there. So when the Log4j exploit hit, for example, many businesses had no idea what third-party providers might have leveraged Log4j in their systems, and they had no way to measure their exposure.”

Building a thorough software bill of materials for such technology is a critical component of any cybersecurity incident response plan, Bell says, because retailers can effectively respond to an incident only when they have clarity on what technology they have that might be compromised.

Modern retailers must fight a two-front security battle, both in their stores and on their networks. That’s why it’s imperative that they take a holistic approach to their  security posture with the right mix of robust cybersecurity and physical security technology solutions to keep their employees, customers and merchandise safe.

Breakermaximus, Hartmut Witte/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT