Thursday, March 13, 2025

Credential Theft Tops Payment Data Risks

Cybercriminals are getting personal. Literally. According to KnowBe4’s “Global Retail Report 2025,” the greatest threat is “credential harvesting,” in which personal information is stolen.

Researchers at the firm said that credential harvesting, “which is often orchestrated through phishing attacks, has become the predominant threat, accounting for 38 percent of all compromised data in 2023, while payment card data theft dropped to 25 percent.”

This research comes at a time when cybercrime is top of mind for retailers as well as consumers. It follows a report from CardRates.com that polled over 1,000 U.S. consumers about online banking and found that 84 percent of respondents said they are worried about cybersecurity.

This shift occurs as the total number of cyberattacks in the retail sector has jumped 56 percent. “This puts retail in the top five industries targeted by cybercriminals,” the report’s authors said, adding that the average cost of a single retail data breach “reached $3.48 million in 2024, an 18 percent increase from 2023.”

“Our research reveals a critical shift in how cybercriminals are now prioritizing credential theft over payment card data,” said Stu Sjouwerman, chief executive officer of KnowBe4. “Stolen credentials allow immediate access to personal accounts, bypassing security measures like passwords and two-factor authentication. The good news is that organizations implementing frequent security awareness training are seeing dramatic improvements, demonstrating that human risk management must be a core component of any retail organization’s security strategy.”

The growth of cybercrime has a lot to do with how consumers shop. The report noted that more than 62 percent of all purchases are made with a credit or debit card. “When a customer uses a card to make a retail purchase, whether online or in store, they are entrusting that retailer with their credit card and other personally identifiable information (PII), including their name, address and phone number,” the report stated. “If they access their account on the web or through the store’s point of sale (POS) system, the retailer also has their past purchasing information and tracking data including any changes of addresses, and other addresses they have sent packages to.”

Consequently, KnowBe4 researchers said it should come as no surprise that the retail sector has become “a nearly irresistible trove for a growing number of cybercriminals. Unfortunately, new AI tools have not only enhanced the abilities of experienced cybercriminals, but also given state-of-the-art intrusion methods to relatively unskilled or novice attackers.”

Digging deeper into the research showed that North America’s retail sector experienced the highest percentage of cyberattacks with 56 percent, while Latin America experienced the second highest at 32 percent. Europe experienced 11 percent of attacks.

The report also noted that the U.S. retail sector accounted for 45 percent of global ransomware attacks “despite representing only 28 percent of market share, making retail the second most targeted sector.”

To combat these crimes, retailers need to reduce the “human risk” factors through measures that include educating the workforce about phishing tactics.

“Conducting security awareness training and simulated phishing evaluations for one year or more can reduce the likelihood of employees falling for phishing attacks for organizations of all sizes,” the report’s authors said, adding that security awareness and education training has a significant impact on employee susceptibility to phishing attacks. Susceptibility dropped from 42.4 percent to just 5.2 percent in large retail organizations, “while small and medium-sized retailers saw similar improvements, with rates dropping to 4.7 and 4.5 percent, respectively, after one year of continuous training.”
