AI-Driven Cyberattacks Increase Risks to Online Retailers This Holiday Season

The retail industry is bracing for more than just the usual surge of cyberattacks this holiday shopping season.

Artificial intelligence-driven threats pose significant risks to both retailers and consumers. According to the latest report from Imperva Threat Research, retail websites are already facing an average of 569,884 AI-driven attacks each day.

Among the most persistent challenges is the rise in advanced bad bot traffic, which has surged by 58% compared to last year. Imperva’s research reveals that evasive bad bots now account for 70% of harmful traffic targeting retail sites, far higher than the 51% seen on other websites.

These bad bots use sophisticated tactics, including rotating random IPs, leveraging anonymous or residential proxies, altering identities, imitating human behavior, delaying requests, and even bypassing Captcha challenges. Their “low and slow” approach enables them to fly under the radar, executing damaging attacks with minimal requests.

“This approach minimizes the ‘noise’ typically generated by bad bot campaigns, making them harder to detect,” Gabriella Sharadin, content manager for Imperva’s Threat Research Unit, told the E-Commerce Times.

AI-Powered Bots Amplify Holiday Season Cyber Risks

Cybercriminals increasingly use AI-driven technologies to enhance the scale and sophistication of their attacks on e-commerce platforms. This is a critical time for online retailers who must prepare for a range of AI-driven threats, including bots, distributed denial of service (DDoS) attacks, API violations, and business logic abuse.

“While cybersecurity threats are a concern year-round, they become even more pronounced during the holiday shopping season, when retailers often experience record-breaking sales,” Nanhi Singh, GM of application security at Imperva, told the E-Commerce Times.

She added that cybercriminals are using generative AI tools and large language models (LLMs) to capitalize on the increased volume of digital transactions, limited-time promotions, and gift cards and loyalty points stored in customer accounts.

Retailers Need Comprehensive Defense Strategies

To mitigate these threats, retailers must adopt a defensive plan that addresses these attacks and allows them to respond swiftly without disrupting the shopping experience, Singh offered. Without robust defenses, retailers risk facing a perfect storm of AI-driven attacks that could disrupt operations, compromise customer data, and tarnish their reputations.

Imperva’s research reveals these attacks originate from general-purpose AI tools like ChatGPT, Claude, and Gemini, alongside specialized bots designed to scrape websites for LLM training data. An analysis of these attacks shows that cybercriminals primarily use AI tools to carry out specific types of threats, such as business logic abuse (found in 43% of all attacks), DDoS and bad-bot attacks, and API violations.

“Successful attacks can lead to identity theft, monetary loss, and a loss of customer trust in e-commerce platforms, with fraudulent charges and unauthorized account access negatively affecting consumers’ shopping experiences,” warned Sharadin.

Preparing for Peak-Time Bot and DDoS Attacks

Bot management solutions can help filter out bad bots from the mix. An anomaly detection tool can help identify non-human traffic in real time to minimize disruption from these digital deviants.

“Regular audits of business functions can help find vulnerabilities before they’re exploited and ensure retailers’ online presence is not compromised,” Sharadin added.

Retailers should also ensure their infrastructure is prepared to handle increased traffic without compromising performance by using servers that can scale to meet demand.

Another strategy is implementing a content delivery network (CDN) to distribute traffic more efficiently and use a waiting room queuing system during peak periods. This approach can also help create a seamless consumer experience.

“A waiting room controls traffic flow to a site or app using a first-come-first-served approach, which prompts a fair experience for legitimate users during high-profile events and sale times,” she said.

Provide Proactive Prevention

Sharadin suggests that online retailers establish a baseline for expected API behavior, including typical traffic rates and user geographies, to proactively defend against automated applications and API abuse before the holiday shopping season.

“This helps detect anomalies like unusual spikes in traffic on rarely used APIs, like ‘write’ APIs, which push updates to systems,” she explained.

It is also vital that retailers understand how users access their APIs and apply rate limits by session and IP to prevent abuse. This strategy is especially prudent when API keys (a unique code used to authenticate a user) are involved.

“Retailers should maintain an audit trail of user activity to enable their developers and security teams to monitor traffic logs, making identifying and investigating potential malicious bot activity easier,” Sharadin added.

Know the Significant Safety Signs

Not all of the burden of cyber safety rests with the retailers. Cybercriminals leverage AI to extract shoppers’ sensitive personal information, such as credit card details, addresses, and account information.

End users must learn to recognize abnormal activity on their websites and online accounts. Signs of a compromised account include:

• Unusual Activity or Unfamiliar Devices: Beware of unfamiliar transactions such as purchases, messages, or posts, especially from unauthorized devices.
• Password Changes or Locked Accounts: An unauthorized password change or inability to log into your account with the correct password may indicate trouble.
• Security Alerts and Unusual Messages: Review company security procedures in the case of a breach. As many businesses do not share alerts with customers, know whether receiving security alerts is typical behavior. Beware of warnings about suspicious account activity claiming to be your service provider.
• New Account Links: Scan for new accounts linked to your email or social media that you did not create.

According to Sharadin, generative AI is now a double-edged sword in cybersecurity. It provides powerful tools for threat defense but also aids cybercriminals in launching more sophisticated attacks.

“AI-powered threats can automate phishing campaigns, create convincing fake identities, and adapt in real time to bypass security defenses,” she summarized.

For e-commerce businesses, this means encountering more advanced and persistent attacks that precisely target vulnerabilities and enable fraud while remaining undetected.