Flashpoint Year In Review: 2022 Retail Cyber Threat Landscape 

This blog is part of our 2022 Year In Review, an intelligence retrospective highlighting the most significant trends of the past year—plus insight into 2023

December 9, 2022

New year, same tactics

In the US alone, the retail sector accounts for trillions of dollars in transactions each year—and financially-motivated threat actors are eager to get their cut. They leverage weaknesses in stores’ refund and return policies, data breaches, and cyber extortion schemes, among other tactics, to successfully execute an attack. 

With so much at stake for retailers—as well as their partners and the consumers they serve—it’s vital for security and fraud teams to mitigate exploitable vulnerabilities, keep threat actors out, reduce risk, and ultimately, prevent loss. 

The right intelligence can help retailers know what to expect and take the necessary steps to close risk apertures and stop attacks, from ransomware to fraud. The good news is that even though attacks increased in 2022, the tactics, techniques, and procedures (TTPs) that threat actors used are, more or less, remaining the same. In other words, cyber threat actors are not necessarily creating new methods of attack; rather, they’re constantly adapting tried-and-true TTPs in order to bypass new security measures or technology. 

Here’s how threats to the retail sector played out in 2022.

Refund fraud

There are plenty of ways for threat actors to take advantage of retailers’ return policies, customer service representatives, and third-party affiliates, including payment processors and shipping companies, in order to receive fraudulent refunds for goods. Over the past year, the refund fraud schemes that Flashpoint has observed rely on iterations of already-popular refund fraud methods, tailoring them to be more effective against organizations’ security measures.

Compared to the 2021 year end report on the retail sector, in 2022 there were nearly double the number of mentions of popular refund fraud tactics within Flashpoint’s forum collections, indicating the increasing popularity of fraudulent refund tutorials and services. 

According to a 2021 report by the National Retail Federation (NRF), of the US$761 billion in returned goods over the entirety of 2021, approximately 10 percent ($78.4 billion) were deemed fraudulent. It also noted that the majority of returned items, fraudulent and legitimate, are from online orders. In 2020, the NRF estimated that US$428 billion worth of merchandise was returned, and approximately 5.9 percent ($25.3 billion) was deemed fraudulent. Although statistics are not yet available for 2022, based on this trend, it is likely that the volume and overall economic impact of fraudulent refunds will continue to grow across the United States.

The fake tracking ID (FTID) method

As in 2021, the “fake tracking ID” (FTID) method was one of the most discussed and advertised refund methods observed in 2022. Actors use the FTID method to defraud companies that require that a faulty or incorrect item be returned before sending a replacement or refund, interfering with the return label tracking ID numbers. 

Threat actors may obfuscate personally identifiable information (PII) on the return label, like name and address, so that only the barcode is visible. They attach the tampered-with label to a box that matches the approximate weight of the item in question but does not actually include the item. In one version of a successful FTID return, the warehouse would scan the barcode upon the item’s return, note the similar weight of the shipment, and accept it as a legitimate return. In another version, the threat actor would change the return address so that the box is scanned by mail carriers or shippers but is never actually returned to the warehouse.


This year, Flashpoint identified another iteration of the FTID method called the “not reroute FTID method” (NR-FTID). The majority of NR-FTID discussions took place on Telegram, with the earliest mention of this method emerging within Flashpoint collections in February 2022. This method allegedly fixes an issue in which packages sent under a fake shipping label do not compromise the refund by accidentally rerouting.

Gift card fraud

Gift card fraud is a common entry point for threat actors to commit other types of financial fraud. Often, gift cards are purchased with stolen financial information or purchased through compromised customer accounts where financial information is stored

Holiday Shopping Season 2022: The Complete Retail Threat Landscape

In our holiday shopping threat landscape guide, we outline how threat actors participate in gift card fraud..


Year to date, there have been 53 retail-related ransomware leaks within Flashpoint collections. In the same time period in 2021, there were 51 observed retail-related leaks. 

Data is leaked if the victim refused to pay the demanded ransom or did not not negotiate a ransom by a certain predetermined time. Since victims are normally spared from being outed on leak sites if they comply with negotiation and ransom demands, it is highly likely that a much larger number of retailers was impacted and targeted by ransomware gangs this year but were not publicly revealed. 

The United States is consistently the top targeted country by ransomware gangs seeking to exploit retailers, which may be attributed to the generally high number of online retailers across the country and the value of the sensitive information stored by these retailers.

In September 2022, Sophos released its “State of Ransomware in Retail 2022” report, which was conducted in early 2022 and surveyed 5,600 IT professionals, 422 of which work directly within the retail sector. Respondents were asked to reflect on cybersecurity incidents from the previous year when answering the survey questions. The report found that 77 percent of responding retail entities experienced a ransomware attack in 2021, which is up from 44 percent in 2020. The cross-sector average of entities experiencing a ransomware attack in 2021 was 66 percent. 

While extortion-only attacks against retailers were down this year—from 12 percent to 3 percent—Sophos noted that this more likely indicates a change in tactics, like coupling extortion with ransomware, rather than a true departure from this type of attack. In 99 percent of cases where data was encrypted, organizations were able to recover at least some of that data.

Advertisements of initial access

The exploitation of content management systems (CMS) and e-commerce platforms posed a great threat to retailers in 2022. On trend with previous years, Flashpoint observed the majority of such advertisements on top-tier Russian hacking forum Exploit, with a smaller number on Russian top-tier forum XSS. 

This year, analysts observed a high interest in selling access to Magento and WooCommerce resources.

Based on data collected from VulnDB, year to date, there have been fourteen newly disclosed CVEs in Magento that have an average risk score of 6.71. According to research published by Sansec in September 2022, threat actors have commonly exploited a vulnerability which enables actors to execute arbitrary code. Actors have leveraged at least three different attacks to exploit this vulnerability, all of which result in the injection of a remote access trojan into weak endpoints. It appears that this activity has been attributed to several “Magecart” groups.

Compared to other e-commerce platforms, Magento and WordPress/WooCommerce will likely persist as popular targets among financially motivated threat actors. This is in part due to the volume of online shops that leverage these resources: It is estimated that 4 four million websites use WooCommerce and 170,000 sites use Magento. Due to Magento’s disproportionately high rate of CVEs, actors will likely continue to target the platform.

Data breaches

The retail sector is a priority target for data breaches, based on the perceived amount of financial data stored within retailers’ systems. Between January and November, according to Cyber Risk Analytics, the retail sector experienced 221 breaches, resulting in over 279 million compromised records. The majority of these breaches occurred due to general hacking and skimming. 

The values will likely increase in the coming months and years, as breach data will most certainly be retroactively discovered for this time frame.

Keep your assets, data, personnel, and customers secure with Flashpoint

Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

Begin your free trial today.