Make security your best offer this Black Friday

This week, the internet is swamped with offers, discounts, and deals leading up to Black Friday, the biggest shopping day of the year. Over the years, the Black Friday/Cyber Monday shopping period has grown to be the most significant date in the calendar for online retailers. As retailers and consumers alike prepare for it, so do the cybercriminals; Black Friday is also rife with scams, fake offers, and credit card theft. Consumers are relying on retailers to have the protections in place that allow them to shop stress-free. For retailers, there is a lot of pressure: they know their reputation rests on being able to protect their customers during this period. So, as cybercrime grows ever more sophisticated and widespread, how can retailers keep up?

This Black Friday, SecurEnvoy is sharing our guide to how retailers can shore up their defences at a time when risk is heightened.

The Black Friday security risks

Year on year, we see ever more terrifying stats on the increasing levels of cybercrime that centre around Black Friday. Last year, researchers found that Black Friday themed phishing attacks jumped 692% from the beginning of November to the week of Black Friday. Action Fraud revealed that Brits reported losing over £11.5 million to online criminals between November 2023 and January 2024, with each victim losing £695 on average.

Recent research confirms that malicious activity is rising in 2025 too, with 1 in 11 newly registered Black Friday themed domains classified as harmful. Brand impersonation remains a primary tactic, with 1 in 25 new domains related to the reputable ecommerce marketplaces of Amazon, AliExpress, and Alibaba flagged as malicious.

A payable survey of retailers found that a third (33%) said the speed at which scams develop is their biggest concern, while others struggle to balance smooth checkout experiences (31%) and effective security measures (29%).

Protecting consumers during Black Friday

There is no doubt that the scammers and cybercriminals won’t be letting up this year. The best defence retailers can put up is to ensure they have robust security measures to meet the challenge. There’s no silver bullet for this type of cybercrime, but making sure you’ve got the basics right goes a long way to preventing a headline-grabbing security incident:

Strengthen account security

Black Friday brings a surge in account takeover attempts, so fortify login and checkout with strong, simple authentication. Enforce multi-factor authentication (MFA) for all staff, vendors, and admin accounts.

For your customers, offer low-friction MFA options (e.g., OTPs, app prompts) that don’t slow down checkout. This is in line with recommendations from government agencies – last year, the NCSC launched a national campaign to encourage people to turn on MFA to help protect their online accounts. Consumers also want these security measures, with 66% saying they trust a company more if it requires them to use MFA. Admin and supplier accounts are also high-value targets, so it’s recommended to lock down privileged access before the sales period. Require MFA for all accounts, enforce least-privilege access and revoke unused permissions.

Any access management solution should aim to be easy and frictionless to avoid a situation whereby consumers or staff attempt to circumvent security measures out of frustration. Retailers should use clear, human-centred messaging when requesting identity proof or MFA, keep friction to a minimum by adapting security challenges only when risk is high, and reassure people that these measures protect their data and purchases.

Detect anomalous behaviour  

Cybercriminals will be relentless during this period, so retailers should monitor for unusual spikes in behaviour to identify tactics like credential-stuffing and bot activity in real time. Look out for unusual login volumes or IP patterns, rate-limit login attempts and block known malicious IP ranges, and use CAPTCHA or adaptive challenges when behaviour looks suspicious. Fraud is also rife during this period, often highlighted by unusual purchasing behaviour or unexpected changes to address or payment methods. Encourage customers to enable MFA and proactively prompt password resets for known compromised emails. For additional protection, employ Risk-Based or Adaptive MFA that analyses login context (location, device, time) and can automatically block suspicious attempts that deviate from the norm.
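
A minimal sketch of the monitoring described above, added here as an illustration and not taken from SecurEnvoy or any product: it separates a source IP failing against many accounts (a credential-stuffing pattern) from repeated failures on one account, and scores a login's context for adaptive MFA. The thresholds, field names, verdict labels and sample events are all assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample events: (epoch_seconds, source_ip, username, success)
EVENTS = [
    (1000, "203.0.113.7", "alice", False), (1002, "203.0.113.7", "bob", False),
    (1003, "203.0.113.7", "carol", False), (1005, "203.0.113.7", "dave", False),
    (1006, "203.0.113.7", "erin", True),   # one hit after many misses
    (1010, "198.51.100.4", "frank", False), (1030, "198.51.100.4", "frank", True),
]
WINDOW = 60        # seconds (assumed)
MAX_FAILURES = 3   # failures per IP per window before rate-limiting (assumed)
MAX_ACCOUNTS = 3   # distinct usernames per IP per window (assumed)
RANK = {"allow": 0, "rate_limit": 1, "challenge": 2}


def classify_sources(events, window=WINDOW):
    """Return {ip: worst verdict seen} using a sliding window per source IP."""
    recent = defaultdict(deque)
    verdicts = {}
    for ts, ip, user, ok in sorted(events):
        q = recent[ip]
        q.append((ts, user, ok))
        while q[0][0] <= ts - window:      # drop events older than the window
            q.popleft()
        failures = sum(1 for _, _, success in q if not success)
        accounts = {u for _, u, _ in q}
        if failures > MAX_FAILURES and len(accounts) > MAX_ACCOUNTS:
            verdict = "challenge"          # many accounts failing: stuffing pattern
        elif failures > MAX_FAILURES:
            verdict = "rate_limit"         # one account hammered, or a forgetful user
        else:
            verdict = "allow"
        if RANK[verdict] >= RANK[verdicts.get(ip, "allow")]:
            verdicts[ip] = verdict
    return verdicts


def adaptive_mfa_action(attempt, usual):
    """Count context signals (location, device, time) that deviate from the norm."""
    deviations = sum(attempt[k] not in usual[k] for k in ("country", "device", "hour_band"))
    if deviations == 0:
        return "allow"
    return "block" if deviations == 3 else "step_up_mfa"


if __name__ == "__main__":
    print(classify_sources(EVENTS))
```

Keeping the two verdicts separate means a customer who mistypes a password is slowed down rather than challenged, which matches the article's point about adding friction only when risk is high.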

Comply with frameworks that drive security 

Any organisation that stores, processes, or transmits payment card data must comply with PCI DSS, including retailers, e-commerce sites, payment processors, service providers, and any vendors that handle cardholder information on behalf of others. To meet PCI DSS requirements, retailers have to follow 12 security controls across six areas: securing networks with firewalls and non-default settings, protecting cardholder data through encryption, maintaining up-to-date anti-malware and patches, enforcing strict access controls including MFA, continuously monitoring and testing their systems, and upholding strong security policies.

Rather than treating this as a tick box exercise, retailers should see this as an opportunity to build stronger defences for both their own businesses and their customers. Customers can read compliance with PCI DSS as shorthand to know they can trust a supplier. 

Make security friction-free

One of the most important aspects to consider when putting in place any security measures is that they don’t slow down your staff or your customers. You want them to have a frictionless experience that builds their confidence and trust, so they won’t look for workarounds or disable protections in pursuit of an amazing Black Friday deal.

Security can be a brand advantage and business enabler if customers trust that you are following security best practices. This shopping season, make buying from your brand the responsible and secure option and avoid becoming another statistic of the Black Friday horror stories. 

SecurEnvoy has a range of frictionless MFA and access management solutions for retailers. Find out more here.

Published: 28 November 2025

Category: Industry News
