eCommerceNews UK - Technology news for digital commerce decision-makers

Retailers face soaring AI-driven fraud risks for Black Friday sales

Wed, 19th Nov 2025

Major retail platforms are facing a heightened risk of fraud ahead of Black Friday as new research reveals widespread security gaps in their defences against automated account abuse. The proliferation of agentic commerce, where artificial intelligence-powered agents act on behalf of shoppers, is making it harder for retailers to distinguish between legitimate users and malicious bots intent on exploiting vulnerabilities.

Automation threats

According to findings from DataDome Advanced Threat Research, 64% of major retailers are vulnerable to mass fake account creation. Automated agents, which once simply mimicked human browsing, can now emulate genuine user interactions during account registration and login processes. This presents serious challenges in authenticating real customers, as fraudsters leverage the same technology to create disposable accounts at scale.

Tests conducted across 11 prominent eCommerce sites highlight that 73% of retailers accept disposable email addresses. This practice allows attackers to generate unlimited accounts with temporary inboxes. Only 27% of the assessed businesses have effective bot detection measures that actively prevent automated account creation. Furthermore, 36% do not use multi-factor authentication (MFA) for new account registrations.

Credential risks

The research identifies credentials-based attacks as a principal concern. Data shows that 82% of evaluated retailers allow multiple automated login attempts without challenge or verification, and 64% lack any account lockout controls. These flaws open the door to credential stuffing, where attackers test large volumes of stolen password and username pairs until a match is found.

The use of AI agents increases the efficacy of such attacks, as these tools can adjust their approach in real time to avoid detection. Once attackers gain access, they can exploit stored payment details, loyalty points, and existing balances, resulting in significant losses for both retailers and customers.

New commerce dynamics

The trend towards agentic commerce, in which AI agents transact on behalf of users, is increasing fraud risk further. Research cited by Gartner indicates that by 2028, organisations permitting users to share credentials with AI agents will experience three times as many account takeover incidents as those that do not. At present, 36% of US adults are reportedly interested in allowing AI agents to shop on their behalf.

This development creates tension between promoting user convenience and maintaining robust identity checks. Without effective systems in place to distinguish authorised automation from unauthorised bot activity, platforms remain exposed to large-scale abuse.

Financial implications

Fake account creation is cited as the most damaging threat for retailers in the lead-up to Black Friday. Attackers employ techniques such as using disposable email domains and manipulating Gmail address formatting to rapidly set up hundreds of accounts. These fake profiles are then used to circumvent purchase restrictions, stockpile sought-after products, and exploit promotional codes.

According to the assessment, a single fraud campaign leveraging these methods can cost retailers between USD $50,000 and USD $500,000. With millions of legitimate shoppers expected to flood online platforms during the holiday season, the potential for disruption is considerable should these vulnerabilities remain unaddressed.

Recommended actions

Researchers suggest that retailers have opportunities to bolster security rapidly before Black Friday. Recommendations include blocking the use of disposable email domains, normalising email addresses to prevent minor variations from enabling multiple registrations, implementing account lockout after repeated failed login attempts, and deploying robust bot management systems to better detect automated threats.
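The three recommendations that are pure application logic (reject disposable domains, normalise addresses so the Gmail dot and plus variants described above collapse to one identity, and lock an account after repeated failed logins) can be implemented in a few dozen lines. The following is an added example written for this article, not DataDome's code or any retailer's; the disposable-domain list is a constructed sample, and the thresholds and function names are assumptions:

```python
"""Registration and login hardening checks (added example; not DataDome's code).

Assumptions: DISPOSABLE_DOMAINS is a small constructed sample standing in for a
maintained denylist, and the lockout thresholds are illustrative defaults.
"""
import time
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample denylist; a real deployment would load a maintained list.
DISPOSABLE_DOMAINS = {"mailinator.com", "10minutemail.com", "guerrillamail.com"}

# Google delivers mail for both domains to the same mailbox and ignores dots in
# the local part, so these are the addresses that need the extra normalisation.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_email(address: str) -> str:
    """Map trivially different spellings of one mailbox to a single canonical form.

    - lower-case the whole address
    - strip a '+tag' sub-address (supported by most providers)
    - for Gmail, also remove dots and fold googlemail.com into gmail.com
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = address.split("@")
    local = local.split("+", 1)[0]          # 'user+promo1' -> 'user'
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")      # 'j.o.h.n' -> 'john'
        domain = "gmail.com"
    return f"{local}@{domain}"


def is_disposable(address: str) -> bool:
    """True if the domain, or any parent domain of it, is on the denylist."""
    domain = address.strip().lower().rsplit("@", 1)[-1]
    labels = domain.split(".")
    # Check 'sub.mailinator.com' as well as 'mailinator.com'
    return any(".".join(labels[i:]) in DISPOSABLE_DOMAINS for i in range(len(labels)))


def registration_decision(address: str, existing: Set[str]) -> str:
    """Classify a sign-up as 'reject_disposable', 'duplicate' or 'allow'.

    `existing` holds the canonical forms of already-registered addresses, so a
    second registration via a dot/plus variant is caught as a duplicate.
    """
    if is_disposable(address):
        return "reject_disposable"
    canonical = normalize_email(address)
    if canonical in existing:
        return "duplicate"
    existing.add(canonical)
    return "allow"


class LoginLockout:
    """Lock an account after `max_failures` failures inside a sliding `window`."""

    def __init__(self, max_failures: int = 5, window: float = 900.0, lock_for: float = 900.0):
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self._failures: Dict[str, List[float]] = defaultdict(list)  # account -> failure times
        self._locked_until: Dict[str, float] = {}                   # account -> unlock time

    def is_locked(self, account: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self._locked_until.get(account, 0.0) > now

    def record_failure(self, account: str, now: Optional[float] = None) -> bool:
        """Record one failed login; return True if this failure locked the account."""
        now = time.time() if now is None else now
        recent = [t for t in self._failures[account] if now - t <= self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock_for
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login clears the failure history for that account."""
        self._failures.pop(account, None)


if __name__ == "__main__":
    seen: Set[str] = set()
    for addr in ("john.doe@gmail.com", "JohnDoe+promo@googlemail.com", "bob@10minutemail.com"):
        print(addr, "->", registration_decision(addr, seen))
    lockout = LoginLockout(max_failures=3, window=60, lock_for=60)
    for t in (0, 10, 20):
        print("failure at", t, "locked:", lockout.record_failure("alice", now=t))
```

The `now` parameter exists so the lockout can be exercised with fixed timestamps in tests; in production it defaults to the wall clock. Lockout keyed only on the account name also throttles the credential-stuffing pattern the article describes (many passwords against one username), but it should be paired with a per-source rate limit so a large distributed attempt against many accounts is also visible.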

"Retailers still have time to close the most critical gaps before traffic surges. To mitigate the above risks, retailers can take steps to enhance their security posture: Block disposable email domains. This single change can reduce fake account creation by up to 80-90%. Implement email normalization. Removing 'dot' and 'plus' variations from Gmail addresses can cut multi-account abuse by as much as 70%. Implement account lockout: After repeated failed login attempts, account lockout is essential to stop credential stuffing attacks. Implement the disallow directives in robots.txt and deploy a robust bot management solution to actively detect and block sophisticated, malicious traffic from AI agents," said Jerome Segura, VP of Threat Research, DataDome.