The retail industry is bracing for more than the usual increase in cyber attacks this holiday shopping season.
AI-driven threats pose significant risks to both retailers and consumers. According to the latest report from Imperva Threat Research, retail websites face an average of 569,884 AI-driven attacks every day.
Among the most persistent challenges is the increase in advanced bad bot traffic, which is up 58% over last year. Imperva’s research reveals that evasive bad bots now account for 70% of malicious traffic targeting retail sites, up from 51% for other sites.
These bad bots use sophisticated tactics, including rotating random IP addresses, using anonymous or resident proxies, impersonating identities, mimicking human behavior, delaying requests, and even bypassing Captcha prompts. Their “low and slow” approach allows them to fly under the radar and carry out malicious attacks with minimal requirements.
“This approach minimizes the ‘noise’ typically generated by bad bot campaigns, making them more difficult to detect,” Gabriella Sharadin, content manager of Imperva’s threat research department, told the E-Commerce Times.
Artificial intelligence bots are amplifying the cyber risks of the holiday season
Cybercriminals are increasingly using AI-driven technologies to increase the scale and sophistication of their attacks on e-commerce platforms. This is a critical time for online retailers to prepare for a range of AI-driven threats, including bots, distributed denial of service (DDoS) attacks, API breaches and business logic abuse.
“While cyber security threats are a year-round concern, they become even more prominent during the holiday shopping season, when retailers often experience record sales,” Nanhi Singh, general manager of application security at Imperva, told the E-Commerce Times.
She added that cybercriminals are using generative artificial intelligence tools and large language models (LLMs) to capitalize on the increased volume of digital transactions, limited-time promotions and gift cards and loyalty points stored in customer accounts.
Retailers need comprehensive defense strategies
To mitigate these threats, retailers need to adopt a defense plan that addresses these attacks and allows them to respond quickly without disrupting the shopping experience, Singh offered. Without robust protection, retailers face a perfect storm of AI-driven attacks that could disrupt operations, compromise customer data and tarnish their reputation.
Imperva’s research reveals that these attacks come from general-purpose AI tools such as ChatGPT, Claude and Gemini, along with specialized bots designed to extract LLM training data from websites. Analysis of these attacks shows that cybercriminals primarily use AI tools to execute specific types of threats, such as business logic abuse (found in 43% of all attacks), DDoS and bad-bot attacks, and API breaches.
“Successful attacks can lead to identity theft, monetary loss and loss of customer confidence in e-commerce platforms, with fraudulent charges and unauthorized account access negatively impacting consumers’ shopping experiences,” Sharadin warned.
Preparing for peak bot and DDoS attacks
Bot management solutions can help filter bad bots out of the mix. An anomaly detection tool can help identify non-human traffic in real-time to minimize interference by these digital deviants.
“Regular audits of business functions can help find vulnerabilities before they are exploited and ensure that retailers’ online presence is not compromised,” added Sharadin.
Retailers should also ensure their infrastructure is ready to handle increased traffic without compromising performance by using servers that can scale according to demand.
Another strategy is to implement a content delivery network (CDN) to distribute traffic more efficiently and use a queuing system during peak times. This approach can also help create a seamless consumer experience.
“The waiting room controls the flow of traffic to the website or app using a first-come, first-served approach, allowing legitimate users a fair experience during major events and sale times,” she said.
Provide proactive prevention
Sharadin suggests that online retailers establish a baseline of expected API behavior, including typical traffic levels and user geographies, so they can proactively defend against automated applications and API abuse before the holiday shopping season.
“It helps detect anomalies such as unusual spikes in traffic on infrequently used APIs, such as the write APIs that push updates to systems,” she explained.
It is also important for retailers to understand how users access their APIs and apply session and IP rate limits to prevent abuse. This strategy is especially cautious when it comes to API keys (a unique code used to authenticate a user).
“Vendors should maintain an audit trail of user activity to allow their developers and security teams to monitor traffic logs, making it easier to identify and investigate potential malicious bot activity,” added Sharadin.
Know the important safety signs
Not all of the cybersecurity burden rests with retailers. Cybercriminals use artificial intelligence to obtain shoppers’ sensitive personal information, such as credit card details, addresses and account information.
End users must learn to recognize abnormal activity on their websites and online accounts. Signs of a hacked account include:
- Unusual activity or unknown devices: Beware of unknown transactions such as purchases, messages or posts, especially from unauthorized devices.
- Password changes or locked accounts: Changing your password without authorization or not being able to log into your account with the correct password can mean trouble.
- Safety warnings and unusual messages: In the event of a breach, review the company’s security procedures. Because many businesses don’t share alerts with customers, know if receiving security alerts is typical behavior. Watch out for warnings about suspicious account activity impersonating your service provider.
- Links to new accounts: Look for new accounts linked to your email or social media that you didn’t create.
According to Sharadin, generative artificial intelligence is now a double-edged sword in cybersecurity. It provides powerful tools to defend against threats, but also helps cybercriminals launch more sophisticated attacks.
“AI-based threats can automate phishing campaigns, create convincing fake identities and adapt in real-time to bypass security defenses,” she summarized.
For e-commerce businesses, this means they encounter more advanced and persistent attacks that precisely target vulnerabilities and enable fraud while remaining undetected.