South African retailers face cybersecurity storm during peak season

South African retailers face a perfect cybersecurity storm as they prepare for an extended peak season.

The busiest time of the year will see head offices at their most vulnerable as cyber criminals target overworked staff desperate to maximise sales and keep customers happy.

Black Friday, Festive, and Back to School trading periods merged into a three-month peak that placed growing strain on local retailers.

Many businesses have fewer administrative staff as employees take their annual leave over the summer holidays.

Landmark retail breaches in the United Kingdom added to the concern for local businesses.

“Ransomware attacks at UK retailers like Marks & Spencer, Co-op, and Harrods made headlines across the globe. While the circumstances of each incident varied, each case highlighted the fact that human error was still one of the most exploited vulnerabilities,” said Heino Gevers, Senior Director of Technical Support at Mimecast South Africa.

“Rather than deploying groundbreaking malware or sophisticated technical exploits, criminals manipulated employees, impersonated IT staff, and bypassed trust-based systems designed for convenience and speed.”

The effects of ransomware attacks were a growing threat to local businesses. Research by Sophos in 2025 showed that sixty percent of South African companies hit by a ransomware attack had their data encrypted.

The median payment to retrieve their data amounted to around R7.8 million, while the average cost to recover from an attack reached approximately R23 million.

Email remained a major attack vector, with twenty-three percent of global retailers reporting phishing as the root cause and a further fourteen percent citing malicious email.

The UK retail breaches offered a cautionary tale of how attacks exploited an organisation’s weakest links.

Marks & Spencer reportedly fell victim when attackers gained access using stolen credentials obtained via social engineering, which disrupted operations and caused damage expected to reduce profits by thirty percent.

Co-op suffered a breach when IT staff were tricked into resetting a legitimate user’s password, granting criminals access to their network.

The attack reportedly cost the retailer £206 million in lost sales. Harrods also experienced social engineering attacks, compromising 403 000 customer records.

“The amount of damage done to these retail juggernauts must have been a cautionary tale for local retailers. Particularly since South African companies faced additional challenges. While shop floors were fully staffed, many administrative roles were away on leave. The extra strain on overworked employees in the office could easily lead to very expensive errors,” Gevers said.

Gevers explained that the public visibility of UK attacks was likely to have a copycat effect.

Less technically skilled attackers could now quickly and cheaply access tools and tactics, often enabled by artificial intelligence, to launch highly effective phishing campaigns or impersonate support teams at scale.

Mimecast’s threat intelligence team had tracked over 150 000 phishing campaigns since February, all bearing the hallmarks of these tactics. Many appeared simple, including fake CAPTCHAs, spoofed portals, and multi-factor authentication prompts, yet remained effective because they exploited trust rather than code.

Local retailers faced additional challenges as overburdened support teams contended with increased customer demands both in stores and online. “Great customer support lies at the heart of ecommerce growth.

Unfortunately attackers knew this, and they increasingly targeted support desks, managed service providers, and third-party vendors.

These teams were trained to solve problems quickly, reset credentials, and keep operations moving. And it was precisely these qualities that made them attractive entry points for social engineers,” Gevers said.

Business email compromise remained one of the most successful attack methods because it bypassed technology entirely.

“A well-crafted email from a ‘colleague’ asking for an invoice payment or password reset could have been all it took,” Gevers noted.

Mimecast research revealed that ninety-five percent of data breaches were caused by human error, yet just eight percent of employees accounted for eighty percent of security incidents. Organisations needed to identify high-risk individuals and implement targeted training to mitigate vulnerabilities. With over ninety percent of threats delivered via email, blocking these entry points was crucial to prevent attackers from gaining access to credentials and moving laterally within systems.

“As cyber criminals evolved, the battle moved into inboxes, helpdesks, and chat windows. South African retailers had to act to ensure their teams had all the necessary support to get through their busiest time of the year. Retailers could make between twenty percent and fifty percent of their revenue during peak season and, while they needed to remain laser-focused on sales, the UK incidents showed just how devastating a ransomware attack could be,” Gevers said.

Mimecast advised local retailers to adopt multiple strategies to protect customers and brands. These included deploying Domain-based Message Authentication Reporting and Conformance protocols to prevent fraudulent emails, monitoring and analysing email activity to quarantine suspicious communications, using third-party brand protection services with machine learning to detect spoofed websites, establishing collaboration between marketing and cybersecurity teams, maintaining transparency with customers about incidents, and responding swiftly to attacks to maintain consumer trust.

BUSINESS REPORT