Full Report
## What Happened

On 3 June 2026, the City of London Police issued a warning stating that Report Fraud has seen a significant increase in cases mentioning the retailer, reflecting how criminals are targeting well-known brands.

Report Fraud, which is run by the City of London Police, warned that cybercriminals are using leaked credentials from historical data breaches to hijack Argos user accounts.

Once in the account, the fraudsters order goods and then collect them in person at a physical store. In some instances, the goods are paid for using payment details not connected to the victim of the compromised account.

Notably, the goods from fraudulent orders are often claimed via the Click & Collect option that Argos offers, enabling the threat actors to retrieve goods in store.

In May, Report Fraud received 652 reports which mention Argos, a 323% increase compared to April, when 154 reports mentioning the retailer were made. Since the start of 2026, there have been 1,175 reports mentioning the retailer, with May seeing the highest number to date.

This alert is also not the first raised about Argos. On 18 November 2025, the East Midlands Cyber Resilience Center issued a warning about Argos and Currys accounts being compromised and unauthorised purchases being made. In some instances, particularly with Currys, the Buy Now Pay Later (BNPL) option was used, leaving the account holder with finance plans in their name.

## Analyst Comment

For both everyday UK consumers and UK retail risk teams, these alerts provide several layered insights. Retailers have spent years optimising Click & Collect to be as frictionless as possible to compete with online shopping giants like Amazon. However, this alert shows how Click & Collect can be a security liability. As Argos allows quick collections, criminals can buy an item online and pick it up at a local store before the real account owner notices an order confirmation email.

The police alerts also note that the items may even be paid for using payment details not connected to the victim. Criminals are mixing stolen accounts with stolen credit cards. This is likely because an established Argos account with a multi-year history buying expensive items would look pretty normal to a fraud detection engine.

The combination of Account Takeover (ATO) and Buy Now Pay Later (BNPL) fraud creates a difficult scenario for retailers, credit providers, and consumers. The regulatory and reputational fallout for a retailer under the rules of the UK Financial Conduct Authority (FCA) could be severe. If a retailer's poor account security allows fraudsters to easily spin up a finance plan in a victim's name, the FCA will view this as a systemic failure to protect consumers, resulting in massive fines.

These attacks are possible because Argos users reuse the same previously leaked password across multiple accounts and do not have multi-factor authentication (MFA) turned on in their account settings. Campaigns like this can trigger a reputational hit to retailers, as victims often do not suffer silently. They take to social media to share stories, and the public narrative can shift to being about a retailer who is complicit in disrupting innocent people's financial lives.

## Defensive Takeaways

- **User Account Hygiene Best Practices:** Standard practices such as rotating passwords, using complex passwords, using a different password per service, using a password manager, using passkeys, and turning on MFA would all help mitigate this type of threat for users.
- **Credit Monitoring:** If a user suspects their account has been compromised, they should consider using a credit monitoring service to help prevent unauthorised loans being taken out in their name.
- **Cancel and Replace Payment Cards:** If a user suspects their payment card data has been stolen, they should contact their financial institution and have the card cancelled and replaced.
- **Implement Click-and-Collect Controls:** Retailers with click-and-collect options should introduce controls such as requiring ID of the account owner or a single-use QR code or PIN via SMS/Email at the point of collection for high-value items to prevent this type of fraud.
- **Detecting Credential Stuffing Attacks:** If the cybercriminals were using credential stuffing attacks, then retailers should be able to detect unauthorised password guessing attempts against their online portals. It is recommended to use IP context analysis and perform source IP correlation. If one IP address tagged as a proxy or VPN is observed attempting to log in to dozens of accounts simultaneously, then there’s an issue.
- **Leverage Stripe’s FT3 framework:** If your organisation or team is tasked with combating fraud, then categorising these scammers' TTPs is crucial. That’s why Stripe has developed the Fraud Tools, Tactics, and Techniques (FT3) framework. It’s designed to help security teams understand the landscape, spot gaps, develop detections, improve incident response, and foster collaboration.

## Relevant Sources

- https://www.cityoflondon.police.uk/news/city-of-london/news/2026/june/report-fraud-alert-warning-for-argos-shoppers-after-323-per-cent-spike-in-fraud-reports-mentioning-the-retailer/report-fraud-alert-warning-for-online-shoppers-after-spike-in-criminals-gaining-unauthorised-access-to-retailer-accounts/
- https://www.emcrc.co.uk/post/currys-and-argos-account-warning-issued-by-police

## Social Media Intelligence (SOCMINT)

- https://www.reddit.com/r/LegalAdviceUK/s/NbOWRfzvgm
- https://www.reddit.com/r/Argos/s/6uOo52UpHf
- https://www.reddit.com/r/Argos/s/eZTgBhhNzp
- https://x.com/donnaeenichols1/status/2060321697996161165
- https://x.com/lottyburns/status/1983581827127259558

## Relevant CTI Resources

- https://www.cloudflare.com/learning/bots/what-is-credential-stuffing/

Analysis Summary
# Incident Report: Widespread Account Takeover (ATO) Campaign Targeting Argos Customers
## Executive Summary
Since early 2026, the UK retailer Argos has been targeted by a large-scale account takeover (ATO) campaign fueled by credential stuffing. Threat actors leverage historical data breaches and password reuse to hijack customer accounts, utilizing the frictionless "Click & Collect" service and "Buy Now Pay Later" (BNPL) schemes to steal high-value goods. The incident has seen a 323% spike in reported cases in May 2026, posing significant financial and regulatory risks to the retailer.
## Incident Details
- **Discovery Date:** 3 June 2026 (Public alert by City of London Police)
- **Incident Date:** Continuous; accelerated significantly in May 2026
- **Affected Organization:** Argos (and Currys noted in historical context)
- **Sector:** Retail / E-commerce
- **Geography:** United Kingdom
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing since January 2026; sharp increase in May 2026.
- **Vector:** Credential Stuffing.
- **Details:** Attackers use automated tools to test credentials leaked from historical third-party data breaches against Argos login portals.
### Lateral Movement
- **Details:** Not applicable in a traditional network sense; however, attackers navigate through the compromised user accounts to modify delivery preferences or view stored payment methods.
### Data Exfiltration/Impact
- **Details:** Unauthorized purchases of physical goods. In some cases, attackers applied for Buy Now Pay Later (BNPL) financing in the victims' names, creating fraudulent debt.
### Detection & Response
- **Discovery:** Identified via a surge in victim reports to "Action Fraud" (City of London Police).
- **Response Actions:** City of London Police and the East Midlands Cyber Resilience Center issued public warnings to consumers.
## Attack Methodology
- **Initial Access:** Credential Stuffing (exploiting password reuse).
- **Persistence:** Maintaining access to web-based retail accounts; lack of MFA allows continued access.
- **Privilege Escalation:** N/A (Standard user account access used for fraud).
- **Defense Evasion:** Using residential proxies or VPNs to blend with legitimate traffic; leveraging established accounts with "aged" history to bypass automated fraud detection.
- **Credential Access:** Historical leaked databases from unrelated breaches.
- **Discovery:** Reviewing account balance, stored cards, and credit limits for BNPL options.
- **Lateral Movement:** N/A.
- **Collection:** Gathering account-holder details to facilitate in-person collection of goods.
- **Exfiltration:** N/A.
- **Impact:** Financial fraud and physical theft via Click & Collect.
## Impact Assessment
- **Financial:** Over 1,175 reports filed in 2026; May alone saw 652 reports. Individual victims face fraudulent finance plans and lost funds.
- **Data Breach:** Compromise of PII stored within retail accounts.
- **Operational:** Increased burden on fraud prevention teams; potential regulatory scrutiny from the Financial Conduct Authority (FCA).
- **Reputational:** Significant public outcry on social media (X/Reddit) regarding perceived lack of security controls.
## Indicators of Compromise
- **Behavioral indicators:**
  - High-volume login attempts from known VPN/Proxy IP ranges.
  - Multiple login attempts across different usernames from a single IP.
  - Immediate high-value orders following a successful login after a long period of dormancy.
  - Orders placed with payment cards that do not match the account holder's name or billing address.
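
The first two behavioural indicators above can be expressed as a source IP correlation check over login events. This is an added example, not code from the original report or from the retailer; the event tuples, the `IP_CONTEXT` labels, the five-minute window and the thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
# Assumed thresholds: distinct accounts one IP may try inside WINDOW.
# Proxy/VPN-tagged sources get a lower limit than residential ones,
# where a shared household or office address is normal.
THRESHOLDS = {"proxy": 5, "residential": 15}

# Constructed IP context, standing in for a proxy/VPN reputation feed.
IP_CONTEXT = {"203.0.113.7": "proxy", "198.51.100.20": "residential"}

def sample_events():
    """Constructed login events: (timestamp, source IP, username, success)."""
    t0 = datetime(2026, 5, 1, 9, 0, 0)
    # One proxy IP walking a credential list: 8 accounts in 70 s, 1 hit.
    stuffing = [(t0 + timedelta(seconds=10 * i), "203.0.113.7",
                 f"user{i}@example.com", i == 5) for i in range(8)]
    # A household: two accounts logging in repeatedly from one address.
    household = [(t0 + timedelta(seconds=30 * i), "198.51.100.20",
                  f"family{i % 2}@example.com", True) for i in range(6)]
    return stuffing + household

def correlate(events, ip_context, window=WINDOW, thresholds=THRESHOLDS):
    """Flag IPs that try too many distinct accounts inside a sliding window."""
    recent = defaultdict(deque)    # ip -> (timestamp, username) in window
    successes = defaultdict(set)   # ip -> accounts it logged in to
    flagged = defaultdict(set)     # ip -> accounts seen while over the limit
    for ts, ip, user, ok in sorted(events):
        if ok:
            successes[ip].add(user)
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= thresholds[ip_context.get(ip, "residential")]:
            flagged[ip] |= distinct
    # Successful logins from a flagged IP are likely takeovers: those
    # accounts need a forced password reset and an order review.
    return {ip: {"accounts_tried": len(users),
                 "force_reset": sorted(successes[ip])}
            for ip, users in flagged.items()}

if __name__ == "__main__":
    for ip, finding in correlate(sample_events(), IP_CONTEXT).items():
        print(ip, finding)
```

The `force_reset` list is the part that matters for response: it names the accounts where a stuffed credential actually worked, so their pending Click & Collect orders can be held.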
## Response Actions
- **Containment:** Police warnings to the public to change passwords.
- **Eradication:** Advice to users to implement MFA and rotate reused passwords.
- **Recovery:** Victims advised to contact financial institutions to cancel cards and use credit monitoring services.
## Lessons Learned
- **Key takeaways:** Frictionless commerce (Click & Collect) without secondary verification provides a high-speed "cash out" method for fraudsters.
- **What could have been done better:** Earlier implementation of mandatory Multi-Factor Authentication (MFA) and more robust Bot Management to block credential stuffing at the login portal.
## Recommendations
- **Consumer:** Use unique, complex passwords per service; enable MFA; monitor credit files.
- **Retailer:**
  - Implement ID verification or single-use PIN codes/QR codes for Click & Collect.
  - Deploy IP context analysis and source IP correlation to detect automated credential stuffing.
  - Adopt the **Stripe FT3 (Fraud Tools, Tactics, and Techniques)** framework to categorize and detect evolving scammer TTPs.
  - Ensure compliance with FCA standards regarding the issuance of BNPL credit to prevent "systemic failure" fines.
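
A sketch of the single-use PIN control recommended for Click & Collect follows, with expiry, an attempt limit and a fallback to an ID check. This is an added example, not code from the report or from any retailer; the class name, the 24-hour validity, the three-attempt limit and the returned action strings are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 24 * 3600  # assumed validity period
MAX_ATTEMPTS = 3             # assumed limit before falling back to an ID check

class CollectionCodes:
    """Single-use Click & Collect PINs, held in memory and keyed by order ID."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side secret
        self._orders = {}

    def _digest(self, order_id, pin):
        # Only a keyed digest is stored, so the store never holds the PIN.
        msg = f"{order_id}:{pin}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, order_id):
        """Create a 6-digit PIN to send by SMS/email to contact details on file."""
        pin = f"{secrets.randbelow(10**6):06d}"
        self._orders[order_id] = {"digest": self._digest(order_id, pin),
                                  "expires": self._clock() + PIN_TTL_SECONDS,
                                  "attempts": 0}
        return pin

    def redeem(self, order_id, pin):
        """Check a PIN at the collection desk and return the desk's next action."""
        rec = self._orders.get(order_id)
        if rec is None:
            return "unknown_or_used"
        if self._clock() > rec["expires"]:
            del self._orders[order_id]
            return "expired"
        if rec["attempts"] >= MAX_ATTEMPTS:
            return "locked_id_check"
        if hmac.compare_digest(rec["digest"], self._digest(order_id, pin)):
            del self._orders[order_id]  # single use: a replayed PIN fails
            return "release_goods"
        rec["attempts"] += 1
        return "locked_id_check" if rec["attempts"] >= MAX_ATTEMPTS else "wrong_pin"
```

The PIN only adds protection if it goes to contact details that were on the account before the order was placed; a phone number or email changed in the same session as the order should trigger the ID check instead.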
---
**Relevant Defanged Sources:**
- hxxps[://]www[.]cityoflondon[.]police[.]uk/news/city-of-london/news/2026/june/report-fraud-alert-warning-for-argos-shoppers/
- hxxps[://]www[.]emcrc[.]co[.]uk/post/currys-and-argos-account-warning-issued-by-police
- hxxps[://]www[.]cloudflare[.]com/learning/bots/what-is-credential-stuffing/