Retailers ‘uniquely exposed’ to cyberattacks

The recent spate of cyberattacks on retailers in the U.S. and U.K. is the result of those businesses’ common vulnerabilities coupled with criminals’ honed social engineering tactics, experts say.

Attackers appear to have gained access to computer networks by using exposed or expired user credentials to mislead help desk and other employees into resetting passwords, among other tactics.

Several large retailers have been hit by cyberattacks this year, including Marks & Spencer and Harrods in the U.K. and Victoria’s Secret and Whole Foods in the U.S.

“They’re exploiting a vulnerability in a process of these companies, and this is something that these companies simply are not prepared for,” said Tiago Henriques, Lagos, Portugal-based chief underwriting officer for cyber insurer Coalition.

The attacks exploit human rather than technological weaknesses and present an emerging challenge to cybersecurity.

“The majority of these cyber events are caused by social engineering attacks, whether it’s infiltrating the help desk or email phishing; there’s so many different inroads, but the human factor is becoming the biggest risk,” said Jeff Kulikowski, New York-based executive vice president, professional lines, for Westfield Specialty, a unit of Westfield Insurance.

“This goes beyond a technology problem alone; there’s a people element,” said Simon West, London-based director of customer engagement for Resilience.

The hacking group dubbed “Scattered Spider” is known for sophisticated social engineering and data extortion, said Emily Weiss, Dallas-based vice president, cyber advisory, for Marsh.

The activity attributed to the group increased in the second quarter, affecting some large companies in the retail, insurance, financial and airline sectors, she said.

Several specific characteristics make retailers a compelling target for cyber criminals.

“Retailers are uniquely exposed. They have a heavy reliance on payment-processing and point-of-sale systems and high volumes of transactions,” said Rob Malone, New York-based head of large accounts and U.S. portfolio management, cyber, for Axa XL.

The companies have multiple operations that can be targeted, he said. “They have apps. They have brick-and-mortar stores. They have online presence, social media. They also have a number of IT service providers across potentially hundreds or thousands of employees, so the attack surface is very wide.”

Retailers are in the crosshairs for a few reasons, according to David Molony, Amsterdam-based head of cyber solutions for EMEA at Aon.

“They handle huge volumes of customer data, rely heavily on third-party platforms and contractors and operate in fast-moving digital environments — all of which create a broad attack surface,” Mr. Molony said via email.

In addition, retailers every day handle high volumes of financial and personal data, which is of value to criminals, said Resilience’s Mr. West.

Nine percent, or roughly 180, of the nearly 2,000 cyber claims that Marsh’s U.S. Cyber practice received last year were from U.S. retailers, Ms. Weiss said.

They remain behind health care and technology, which combined made up more than 40% of the cyber claims filed, she said.

“Given the increasing reliance on digital technologies and online transactions in the retail industry, it’s no surprise that cyber threats have become a major concern,” Ms. Weiss said.

Robust employee training can help protect against social engineering and phishing attacks.

Educating staff on cybersecurity best practices, phishing awareness and social engineering to promote a security-first culture within an organization can help mitigate exposures, Ms. Weiss said.

“The insurance market has proven that it’s able to influence behavioral change within organizations. We’ve done that with smoke alarms, fire alarms. You’ve seen it with car insurance and the seat belts, but influencing behavioral change in organizations does take time,” Mr. West said.

Another key way to mitigate risk is systems segregation, which can limit an attacker’s ability to move within a system once it is breached.

“It’s one thing to breach the organization. It’s another thing to move laterally,” Mr. Malone of Axa XL said.

With strong segmentation, organizations can restrict access to data even after their systems have been breached, he said.

“That’s the concept of defense in depth. It’s the foundation of good cybersecurity hygiene. Put in as many layers as you possibly can,” he said.

Network segregation — isolating human resources from point-of-sale systems, for example — can help mitigate downtime and losses in the wake of a breach.

“That is what defense in depth is, and it started from system architecture,” said Coalition’s Mr. Henriques.

“Segmentation between critical and noncritical systems is absolutely key,” Mr. Kulikowski said.

“There’s no reason that customer data should ever be mixed in with human resources data,” he said, “or that those two systems should even be in the same chain.”
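To make the segmentation point above concrete, here is an added illustration (constructed for this page, not code from the article or any of the firms quoted) of a default-deny zone policy: hosts are mapped to zones such as HR, POS and a payment gateway, any traffic crossing a zone boundary is denied unless an explicit rule allows it, and the check is run over a handful of constructed flow records of the kind a firewall or NetFlow export would produce. The zone ranges, allow rules and sample flows are all assumptions chosen for the demonstration; the flagged records are exactly the east-west traffic (POS to HR, HR to POS) that a segmented network should never carry.

```python
"""Constructed example: a default-deny network segmentation policy check.

Hosts are assigned to zones (HR, POS, CORP, PAYMENT_GW). A flow between two
different zones is denied unless an explicit allow rule exists, so a foothold
in one zone cannot be used to reach another. Intra-zone traffic is left to
host-level controls and is out of scope here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone definitions: constructed sample ranges, not any real retailer's network.
ZONES = {
    "HR": [ip_network("10.10.0.0/24")],
    "POS": [ip_network("10.20.0.0/24")],
    "CORP": [ip_network("10.30.0.0/24")],
    "PAYMENT_GW": [ip_network("10.40.0.0/28")],
}

# Explicit cross-zone allow list as (src_zone, dst_zone, dst_port).
# Anything crossing a zone boundary that is not listed here is denied.
ALLOW = {
    ("POS", "PAYMENT_GW", 443),   # registers talk only to the payment gateway
    ("CORP", "HR", 443),          # corporate users reach the HR web portal
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Return the zone name containing ip, or UNKNOWN if it is unclassified."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNKNOWN"


def is_allowed(flow: Flow) -> bool:
    """Default-deny across zones; unclassified hosts never get an implicit allow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone and src_zone != "UNKNOWN":
        return True  # intra-zone traffic is outside this policy's scope
    return (src_zone, dst_zone, flow.dport) in ALLOW


def parse_flows(lines):
    """Parse 'src dst dport' records, skipping blanks and '#' comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split()
        flows.append(Flow(src, dst, int(port)))
    return flows


def find_violations(lines):
    """Return the flows that cross a zone boundary without an allow rule."""
    return [f for f in parse_flows(lines) if not is_allowed(f)]


# Constructed sample flow records (src dst dport); not real traffic.
SAMPLE_FLOWS = """\
# src         dst        dport
10.20.0.15   10.40.0.2   443
10.30.0.7    10.10.0.5   443
10.20.0.15   10.10.0.5   445
10.20.0.15   10.20.0.16  9100
10.10.0.5    10.20.0.15  3389
""".splitlines()

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"DENY {zone_of(v.src)}->{zone_of(v.dst)} "
              f"{v.src} -> {v.dst}:{v.dport}")
```

Run against the sample records, the check passes the register-to-gateway and corporate-to-HR flows, ignores the register-to-register print job, and reports the SMB attempt from a register into HR and the RDP attempt from HR into the register segment; a host outside every defined range is treated as unknown and denied rather than silently trusted.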


Merchants among most active buyer groups in cyber insurance sector

The same characteristics that make retailers inviting targets for cyber criminals also led many leading merchants to become among the first buyers of cyber liability insurance.

As such, they have benefited from years of risk management experience and input from insurers and continue to be one of cyber insurance’s most active customer groups.

Retailers were an early adopter of cyber coverage due to a combination of factors, such as handling sensitive customer data, frequent financial transactions and their reliance on interconnected digital systems, said Emily Weiss, Dallas-based vice president, cyber advisory, for Marsh.

“Right now, we’ve seen more retailers focusing on purchasing additional limits rather than purchasing for the first time,” she said.

Retailers are moving away from minimal cover and opting for more comprehensive policies, which usually include business interruption, ransomware and extortion, third-party liability and regulatory fines and reputational harm, David Molony, Amsterdam-based head of cyber solutions for EMEA at Aon, said via email.

“I would say retailers are some of our more advanced clientele in cybersecurity, and so they’re very receptive to underwriter feedback and broker feedback on what’s trending within risk management and in the insurance market,” said Jeff Kulikowski, New York-based executive vice president, professional lines, for Westfield Specialty, a unit of Westfield Insurance.