Cybersecurity risks in the retail and e-commerce sector continued to intensify through 2025, as attackers increasingly targeted online shopping platforms, payment systems and delivery services. According to the 2025 Security Bulletin released by Kaspersky, the combination of high transaction volumes, predictable shopping seasons and expanding digital touchpoints has made retail one of the most consistently targeted industries.
The bulletin analyses real-world incidents affecting consumers and businesses, alongside emerging risks in the B2B segment. Its findings suggest that while familiar threats such as phishing and ransomware remain dominant, changes in how consumers discover and purchase products—particularly through AI-driven interfaces—are reshaping the sector’s privacy and security exposure heading into 2026.
A year of elevated threat activity
Kaspersky’s data shows that retail users and organisations faced sustained cyber pressure throughout 2025. More than 14% of users in the retail sector encountered web-based threats, while over 22% faced on-device threats. On the business side, 8.25% of retail and e-commerce companies were affected by ransomware during the year.
The most notable increase was observed in the B2B segment: the number of unique users encountering ransomware detections rose by 152% compared to 2023. According to Kaspersky, much of this surge was driven by the spread of a single ransomware family, Trojan-Ransom.Win32.Dcryptor, which leverages the legitimate DiskCryptor utility to encrypt disk partitions—making detection and mitigation more challenging in operational environments.
Phishing remains the dominant entry point
Despite years of awareness efforts, phishing continued to be the most visible and scalable attack technique in online retail. Between November 2024 and October 2025, Kaspersky products blocked more than 6.6 million attempts to access phishing links targeting users of online stores, payment systems and delivery services.
More than half of these attacks impersonated online shopping platforms, while others targeted payment services and logistics providers. Seasonal sales periods once again proved particularly effective for attackers, as heightened promotional activity lowered user vigilance and allowed malicious messages to blend into legitimate marketing traffic.
Kaspersky also highlighted risks associated with mobile shopping behaviour. The analysis showed that even applications downloaded from official app stores can pose threats, with some malicious apps capable of harvesting credentials and financial data under the guise of legitimate services such as food delivery or online shopping.
How shopping behaviour is changing—and why it matters
Looking ahead to 2026, Kaspersky expects shifts in shopping behaviour to introduce new privacy and security challenges. One key area is the growing use of conversational and AI-driven product discovery tools.
Chatbots are increasingly being integrated into online marketplaces, encouraging users to interact in natural language rather than through simple keyword searches. While this can improve the shopping experience, it also results in the collection of richer contextual data, including preferences, constraints and behavioural signals.
“Search itself is changing, including how people look for products online. In 2025, there was a gradual shift from simple keyword queries to more conversational and visual ways of finding what to buy. As these models rely on broader user input, careful handling of the data involved will remain an important consideration for maintaining user trust,” comments Anna Larkina, Web data and privacy analysis expert at Kaspersky.
According to the bulletin, chatbot interaction logs could become as sensitive as transactional data, raising concerns around over-collection, misuse and unintended exposure of personal information.
External AI agents and blurred data boundaries
Another emerging trend is the rise of AI-powered shopping assistants that operate outside traditional retail platforms, embedding themselves into browsers, mobile apps and third-party services. While designed to simplify navigation and price comparison, these tools shift data collection beyond the retailer’s direct control.
To function effectively, such agents require ongoing access to browsing behaviour, search intent, location context and product interactions across multiple sites. Kaspersky warns that this could lead to the aggregation of detailed behavioural profiles in less transparent ecosystems, increasing privacy risks for consumers and compliance challenges for retailers.
Image-based search and unintended data exposure
Visual product search is also expected to become more common across major e-commerce platforms. While image uploads can improve product discovery, Kaspersky notes that they introduce new privacy risks.
User-submitted images may inadvertently include faces, home interiors or sensitive details such as names, phone numbers or addresses visible on packaging or shipping labels. As image-based search becomes routine, secure processing, data minimisation and strict retention policies are likely to become critical requirements for retailers.
Fraud adapts to regulatory change
Beyond AI-driven shopping experiences, Kaspersky also highlighted how changes in taxes, import duties and cross-border trade rules could be exploited in fraud campaigns. Attackers may use regulatory complexity as a lure, promoting unrealistic discounts or claims of avoided fees to deceive consumers and smaller retailers with limited fraud-detection resources.
Preparing for 2026
Taken together, the findings suggest that the retail and e-commerce sector’s risk profile is expanding, not just because of traditional cyber threats but also because of evolving user interfaces and data flows. As AI becomes more deeply embedded in shopping experiences, security and privacy considerations are moving closer to the core of customer trust.
For retailers, the challenge in 2026 will be balancing innovation in product discovery and personalisation with disciplined data handling, visibility and user protection—ensuring that convenience does not come at the cost of security or privacy.