Retail fraud has gone public.
It no longer happens quietly in the background. Today’s scams are faster, sharper, and designed to look exactly like your brand. A spoofed checkout flow can harvest thousands of credentials before your SOC team even sees a spike.
But the real damage isn’t always technical. In 2025, one impersonation scam can trigger waves of fake complaints, social media outrage, and reputational backlash that cost far more than the fraud itself.
For security teams, that has changed the mandate. It’s no longer just about protecting infrastructure. It’s about preserving trust in a digital ecosystem where every scam risks becoming a public crisis.
This is why retailers are shifting away from reactive clean-up tactics. Takedowns, scans, and after-the-fact alerts are now sub-par answers to an increasingly complex question: how can retailers defend against industrialized account takeover (ATO) attacks that blend in with legitimate traffic? The focus is turning to preemptive ATO protection capable of anticipating and mitigating attacks pre-fallout.
To understand what that looks like from the inside, Memcyco CMO Eran Tsur sat down with Antonio Scanzaroli, Security Operations Lead at a global food retailer, to talk about how retail security is evolving and what scam-proofing really requires in 2025.
Who Is Antonio Scanzaroli?
Antonio Scanzaroli is the Security Operations Lead at a global food retail enterprise, where he oversees the organization’s threat detection, response, and prevention strategy. With a background in incident response and security hardening at Sidel (Tetra Pak Group), Antonio brings a hands-on, operations-first approach to securing large-scale digital environments across geographies.
PART 1: The View from the Field
Eran: Antonio, let’s start with what you’re seeing on the ground. What kinds of fraud and threat activity are becoming more common in your day-to-day?
Antonio: There’s been a clear shift. Loyalty programs are getting targeted more than ever. We’re seeing phishing campaigns that closely mimic login pages, and they’re getting harder to distinguish from the real thing. The level of polish is impressive.
We’ve also seen a rise in fake checkout pages. Single sign-on spoofing is another big issue, especially when attackers try to reuse credentials across systems. And on top of that, voucher abuse, gift card exploitation, and account takeovers through lookalike domains have all become more frequent. Many of these scams are tied to automated tools now, not just individual actors.
Eran: What makes large food retailers particularly vulnerable to these kinds of attacks?
Antonio: First, loyalty programs hold real monetary value, which makes them an obvious target. Then you have gift cards, which are regularly exploited, sometimes even through internal misuse.
The other factor is volume. With millions of customers, attackers have plenty of room to blend in. And because we’re constantly releasing new features or channels, sometimes security has to catch up to digital innovation.
We’ve had to shift toward more preemptive loyalty fraud defenses. Customers don’t always realize how valuable those accounts are, and once fraud happens, it’s usually public and difficult to contain.
PART 2: The AI and Automation Dilemma
Eran: Let’s talk about how AI and automation are changing fraud. What are you seeing?
Antonio: Scam sites are being spun up much faster now. Sometimes they reuse phishing kits. Other times they’re built from scratch using tools that let anyone generate convincing content. We’ve seen sites go live within hours.
What’s really worrying is how attackers are targeting key customer flows. Login, password reset, checkout pages. They know where to hit, and the impersonation is often spot-on. In some cases, even the tone of the messaging feels like something our team would write. That level of personalization is new.
Eran: How are your teams adapting to this faster, more automated threat environment?
Antonio: We’ve started focusing more on detection that happens in-session, not days later. The goal is to spot something while it’s happening, not after a customer reports it. If your detection happens after the user reports the issue, it’s not detection. It’s confirmation.
You can’t stop fraud you don’t see. Real-time visibility has become essential, especially at the pre-login session level because that’s where the subtle signs emerge of anomalies that indicate imminent ATO.
That’s why we look closely at user behavior. Did they come from a suspicious referral source? Is the session behaving like a human or like a bot? Is the access pattern aligned with known customer behavior? These are all clues that help us detect fraud earlier.
The reality is, these threats now start doing damage in seconds. By the time you’re alerted through traditional channels, harm has often already begun, and neither the user nor the security team may be aware of it.
Real-time visibility at the session entry point matters. It’s not just about the login event itself, but the conditions leading up to it – did the user arrive from a suspicious site? Is the device known and behaving normally?
PART 3: ‘Zero Trust’ Applied to Customers
Eran: How does the concept of Zero Trust apply in your environment? It’s usually seen as something for internal users.
Antonio: That’s how it started for us too. But now, we’ve expanded it to customer sessions. Just because someone logs in from a familiar device doesn’t mean the session is safe.
Loyalty platforms and SSO flows are frequent targets. We’ve moved away from static indicators of trust, like browser cookies. Instead, we evaluate everything in context: Where did this user come from? Are they doing something unusual? Are they acting like a real person? In many cases, trust signals have become vulnerabilities – the very things we relied on to verify legitimacy are now being exploited, so I think the ‘zero trust’ approach has gained a lot of relevance now, in a consumer context.
Preemptive, real-time visibility doesn’t just matter – it’s now a ‘must-have’. It’s not just about the login event itself, but the conditions leading up to it – did the user arrive from a suspicious site? Is the device known and behaving normally? These pre-login signals are often the first and only chance to stop credential misuse before an account is compromised.
PART 4: What Retail Needs Now More than Ever
Eran: If you could change one thing about how the retail sector handles fraud today, what would it be?
Antonio: I would push the whole industry to stop relying on reactive methods. Things like scanning for impersonation sites or issuing takedowns after an incident have their place, but they’re too late. If you’re seeing the threat in your WAF, you’re already under attack.
What’s still missing across much of retail is that preemptive layer of visibility, and proactive disruption of scams in progress. Teams are good at ATO response and cleanup, but not enough is being done to anticipate fraud before it escalates.
There’s also an ongoing challenge around user experience. Everyone wants it to be smooth, but we can’t keep trading security for convenience. We have to find the right balance.
And I think it’s time to treat security as a brand asset. Most people see it as a cost. But when customers notice that you’re protecting them, it actually builds loyalty. Security can be a differentiator, not just a defense mechanism.
Eran: Have you seen that mindset work in practice?
Antonio: Yes, definitely. We introduced multi-factor authentication in a few areas, and we expected complaints. But the opposite happened. Once customers understood the reason behind it, many saw it as a positive sign. It showed them we’re serious about protecting their data.
That same thinking applies to real-time protection. If you can stop a scam mid-session, before a customer even realizes they’re in danger, that’s powerful. You’re not just blocking fraud – you’re reinforcing and amplifying digital trust.
Closing Thoughts
Retail is evolving fast. Customers expect frictionless experiences and more services to accommodate different needs. Loyalty programs are more integrated than ever. And threat actors are getting more creative by the day.
What’s changing is how security teams are expected to respond. The job is no longer just about blocking known threats. It’s about anticipating new ones. It’s about preventing incidents that never make the headlines, and neutralizing attacks before they reach scale.
This shift isn’t just about tools or infrastructure. It’s about mindset. It’s operational. It’s cultural. It’s a new way of thinking about digital trust – one that starts before the attack, not after.
In the retail sector, the time between a threat forming and harm being done is often just a few seconds. That’s why the move toward real-time visibility, preemptive protection, and session-level intelligence isn’t just a smart enhancement; it’s the new critical baseline.
Retailers that succeed in this environment will be the ones who build fraud resilience directly into the customer experience. Not as an afterthought. Not as clean-up. But as a real-time, always-on safeguard.