The cyber-attack surface in the power grid has widened with the deployment of the wide-area monitoring, protection, and control (WAMPAC) system. Replay attacks are one of the most challenging attacks to detect in a WAMPAC system. The authors aim to address the problem of identification and repercussions of continuous replay attacks on wide-area backup protection schemes. The continuous replay attacks introduce a permanent lag in the phasor measurement unit (PMU) data. The authors classify such attacks into small, medium, and wide-scale based on the number of compromised substations. Furthermore, the signature of a replay attack is derived using a one-step-ahead prediction of PMU data. The resulting forecast error distributions are subsequently analysed using the Kullback–Leibler divergence metric. Results using field PMU data show that this method successfully distinguishes replay attacks from normal system operation and faults in the system. Therefore, the proposed scheme can be used to detect and mitigate the effects of replay attacks on wide-area protection schemes.