Retail’s rush toward AI-driven shopping has created a security headache that’s no longer confined to the holiday season; it’s now a year-round battle. That’s the central message of Akamai’s latest State of the Internet report, “Attacks on Commerce,” which paints commerce as the internet’s most heavily targeted industry across nearly every threat category.
Bots are everywhere and increasingly hard to spot
Commerce attracted more automated bot traffic than any other sector in 2025, with activity climbing 19% year over year. Retail alone accounted for roughly six in ten of those bot interactions, while travel and hospitality made up the rest. Growth was especially sharp in Asia-Pacific and Latin America, where online retail is still maturing.
The bigger worry, though, is AI bots specifically. Nearly half of all AI bot traffic tracked by Akamai targeted commerce sites between mid and late 2025—more than three times the volume hitting the next closest industry, media. Most of that came from AI training crawlers scraping product and pricing data, followed by AI-powered fetchers and search tools from companies like OpenAI, ByteDance, and Anthropic.
Chatbots and AI agents: A new attack surface
As retailers deploy customer-facing chatbots and autonomous shopping agents, criminals have found fresh ways in. Attackers use crafted prompts—so-called “leaky faucet” attacks—to trick chatbots into honouring expired discount codes or approving bogus returns. More alarmingly, AI shopping agents themselves can be hijacked, letting fraudsters exploit stored payment details across multiple retailers before anyone notices.
APIs are the new front door
The report flags a clear shift: attackers increasingly go after APIs rather than traditional web applications. API-targeted attacks grew 9% year over year and, for the first time, outpaced attacks on standard applications. Retailers bore the brunt, accounting for over half of all API attacks in the sector. Yet Akamai found a troubling gap—most companies believe they have a full API inventory, but very few actually know which of those APIs expose sensitive customer data.
DDoS attacks and political hacktivism
Commerce also topped the list for Layer 7 DDoS attacks, application-layer assaults designed to overwhelm checkout systems without knocking sites fully offline. Retail again dominated, representing 84% of such attacks. Notably, the report highlights a pro-Iran hacktivist group, the 313 Team, which has pivoted from government targets to e-commerce, blending botnets and traffic-mimicking techniques to disrupt retailers.
Fraud is getting more industrialised
Beyond bots, credential theft, phishing, and malware remain persistent threats, with phishing volumes tripling between February and April as scammers shifted toward urgency-based scams like fake delivery alerts.
Akamai’s bottom line: blanket-blocking bots isn’t viable anymore, since legitimate AI shopping tools now drive real revenue. Instead, the report urges retailers to build smarter, risk-based defences—treating security readiness as a business continuity issue, not a seasonal chore.
