The holiday season, once marked by bustling malls, has transformed into an online frenzy of clicks and carts. But while shoppers hunt for deals, fraudsters are hunting for profits — equipped with stolen credentials, synthetic identities and AI-powered tools to exploit every opportunity. From bots hoarding your must-have gifts to deepfakes fooling the savviest shoppers, holiday fraud has never been more sophisticated and damaging.
Holidays aside, retailers are experiencing more than 569,000 AI-driven attacks per day. It’s hardly a surprise since phishing spiked by 1265% after the release of ChatGPT. Over the past two years, criminals have been refining their craft, using generative AI (GenAI) to rapidly evolve a new breed of deceptive fraud.
Add holiday shopping to the mix and stir. On Black Friday last year, 35.7% of all “shoppers” were actually bots and fake users. As online traffic surges with greater numbers of humans and bots, retailers must prepare — not just for fraud but for high traffic volumes and potential outages that could disrupt customers amidst their spirit of spending.
If you’re an online retailer, keep reading. In this article, we explore the evolving threat landscape and outline actionable steps for you to secure your customers’ holiday shopping experience.
Evolving fraud: The Grinch wields new technology
AI and deepfake technologies have supercharged fraud capabilities, giving rise to highly convincing holiday scams. They’re able to trick even the most vigilant shoppers and evade detection by the majority of customer identity and access management (CIAM) and anti-fraud systems, which are often poorly integrated and hindered by complexity.
AI-driven phishing and spoofing deceive customers…and retailers
- Fake offers and emails: AI-generated phishing emails mimic legitimate retailer emails with flawless precision, preying on shoppers eager to buy the perfect gift. Expect to see phishing emails that falsely notify customers that popular items are “Back in stock!” or available at deep discounts among “Cyber Monday Deals!”
- Spoofed websites: Fraudsters create cloned sites that mirror trusted retailers, often with slight URL changes that are easy to miss. Busy holiday shoppers who are in a rush are more likely to fall for spoofed sites, typing in their credentials without thinking twice.
- Malicious advertising and e-skimming: The advertising ecosystem becomes a weapon during the holiday shopping season as malicious ads infiltrate legitimate sites. When clicked, some malicious ads inject skimming code into payment pages to steal credit card information. With AI, e-skimmers are built with more realistic decoy interfaces and dynamic scripts that adapt their behavior to evade detection.
- Trojans with fake login overlays: While most Android trojans target banking apps, some also target online retailers. Notable examples include Marcher and Gustuff, which masquerade as popular utility apps. Among their many tricks, they overlay fake login forms on legitimate sites and use keyloggers to collect credentials and one-time passcodes (OTPs) from unwitting customers. Criminals then simply log in, passing MFA with the captured OTPs, take over accounts and shop.
- Deepfakes — the new face and voice of fraud: During the holiday season, generated voices impersonate customer service reps or even family members to trick your customers into sharing sensitive account details or authorizing fraudulent transactions. When targeting retailers, fraudsters use deepfakes to simulate facial features or voices with such precision that they are able to fool some biometric authentication. Key takeaway: relying on a single point solution is not enough.
Retailers face an onslaught of bot-driven attacks
- Grinch bots: These bots buy and hoard in-demand inventory, so fraudsters can resell the products at inflated prices. With GenAI, bad bots are increasingly able to mimic human behavior and handle complex interactions, evading standard bot detection systems. Malicious bots also switch IPs and employ device spoofing to evade detection. Sure, retailers are selling their inventory, but bot hoarding lowers the chances of bringing in new customers who want to buy that special gift. Those customers will be forced to buy that must-have item from a competitor or from the fraudsters themselves.
- Credential stuffing and ATO: Instead of stocking stuffers, fraudsters stuff stolen credentials into logins across many retail sites. It’s an old trick that won’t go away because it works! Taking advantage of the fact that most people reuse the same passwords, they use bots to log in to take over accounts. ATO represents 32% of all fraud experienced by online retailers in 2024.
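A defender-side sketch of how the two bullets above show up in login logs, added here as an example and not taken from any vendor's product. Because bots rotate IPs, it ignores per-IP counts and looks at each time window as a whole: a high failure rate combined with usernames that almost never repeat. The log tuple format, the thresholds and the function name are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed sample: two normal logins, then a burst from rotating IPs.
SAMPLE_EVENTS = (
    [("2024-11-29T10:01:00", "198.51.100.7", "alice", True),
     ("2024-11-29T10:02:00", "198.51.100.9", "bob", True)]
    + [(f"2024-11-29T12:00:{i:02d}", f"203.0.113.{i}", f"user{i:02d}", False)
       for i in range(1, 9)]
    + [("2024-11-29T12:01:00", "203.0.113.9", "carol", True),
       ("2024-11-29T12:02:00", "198.51.100.7", "alice", True)]
)

def find_stuffing_windows(events, window=timedelta(minutes=5), min_attempts=8,
                          min_fail_rate=0.7, min_user_spread=0.8):
    """events: (iso_time, ip, username, success) tuples in any order."""
    buckets = defaultdict(list)
    for t, ip, user, ok in events:
        ts = datetime.fromisoformat(t)
        start = EPOCH + ((ts - EPOCH) // window) * window
        buckets[start].append((ip, user, ok))

    known_good = set()   # (username, ip) pairs that succeeded in quiet windows
    flagged = []
    for start in sorted(buckets):
        evs = buckets[start]
        attempts = len(evs)
        fail_rate = sum(not ok for _, _, ok in evs) / attempts
        # Stuffing tries each stolen pair once, so usernames rarely repeat.
        spread = len({user for _, user, _ in evs}) / attempts
        if (attempts >= min_attempts and fail_rate >= min_fail_rate
                and spread >= min_user_spread):
            # A success from an IP the account never used is a likely takeover.
            suspects = sorted({user for ip, user, ok in evs
                               if ok and (user, ip) not in known_good})
            flagged.append({"start": start.isoformat(), "attempts": attempts,
                            "fail_rate": round(fail_rate, 2),
                            "distinct_ips": len({ip for ip, _, _ in evs}),
                            "suspected_ato": suspects})
        else:
            known_good.update((user, ip) for ip, user, ok in evs if ok)
    return flagged

if __name__ == "__main__":
    for hit in find_stuffing_windows(SAMPLE_EVENTS):
        print(hit)
```

Accounts listed under suspected_ato are candidates for step-up authentication or a forced password reset; a repeated-guess attack on a single username is not flagged because its username spread is low.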
Buy Now, Pay Later (BNPL) scams
- Instant loans never paid: As BNPL services from lenders like Affirm and Afterpay grow in popularity, fraudsters exploit these platforms to make unauthorized purchases. This year, Adobe predicts BNPL spending will hit $9.5 billion in November, a record-breaking month. The bad news is that fraudsters follow the money, so retailers should anticipate this and prepare.
- Double the attack surface: BNPL comes with added risk since the cybercriminal can take over one of two accounts: the BNPL account that’s set up with the lender or the customer account established with a retailer. Either way, by taking over customer accounts, fraudsters are able to authorize purchases via BNPL, leaving victims and retailers grappling with unexpected debts.
Loyalty point fraud
- Gobbling up reward points: Reward programs, designed to foster customer loyalty, have become a prime target due to their often lax security. Fraudsters take over customer accounts and drain loyalty points, converting them into cash or goods, with 31% of all ecommerce fraud attempts targeting these programs in 2024.
Consequences can even result in downtime
The impact of holiday threats extends well beyond financial losses, diminished customer trust and brand damage. With so many malicious bots masquerading as shoppers, ecommerce sites must be ready to handle spikes in traffic as well as cyberattacks, which are increasingly targeting IAM vendors.
To avoid outages and ensure customers have always-on access to their accounts, retailers must consider if their IAM services are resilient enough to withstand attacks and scalable enough for millions of customers (or bots) attempting to log in.
Put an end to the holiday humbug
The pace and sophistication of new, evolving fraud types in the age of AI represent a significant threat to retailers with legacy identity and fraud solutions, especially those that block or challenge requests based on static algorithms and narrow rule sets.
To detect today’s advanced phishing campaigns, social engineering, synthetic identities, deepfakes, trojans and other tricks, anti-fraud and identity security must have broad AI and ML detection capabilities, able to pinpoint anomalies throughout the customer identity lifecycle.
Prepare now for the next holiday season with 3 strategic goals:
- Seal the cracks: To eliminate the tangled web of complexity, security gaps and identity silos created by multi-vendor point solutions, retailers need a unified AI-driven platform. Only Transmit Security delivers a fusion of natively-built fraud prevention and CIAM services, including identity orchestration, authorization and phishing-resistant authentication with passkeys and true passwordless MFA.
Mosaic by Transmit Security analyzes the full context of every access request to detect and stop today’s rapidly evolving fraud with accuracy, agility and speed. AI and ML pinpoint anomalies and learn new attack patterns as they emerge. You’ll get ahead of evolving threats while optimizing your customer experience.
- Ensure 100% uptime: Prevent outages that disrupt the shopping experience. Mosaic is the only fraud prevention and identity platform with an active-active multi-cloud architecture that operates simultaneously across AWS, Azure and GCP. In-session failover ensures business continuity, so your shoppers carry on — with no interruptions.
For additional redundancy, identity caching provides backup authentication during outages. This allows cached credentials to be served from the cloud without relying on your primary infrastructure. It’s resilient to its core.
- Scale to support millions of shoppers while preventing breaches: Enterprise-class cloud-native architecture with cybersecurity at its core shields your mission-critical apps while serving hundreds of millions of customers. Built-in AI-powered security offers embedded API and mobile app security, anti-tampering measures, automated anomaly detection and trend analyses. With the click of a button, static application security testing (SAST) analyzes the code to flag and address vulnerabilities before launch.
Our unified identity security solves the most difficult fraud and customer identity use cases — from account opening and account recovery to high-risk transactions and end-to-end fraud ops. Explore our website to see why 7 ‘top 10’ US banks & Fortune 500s put their trust in Transmit Security.