TL;DR: E-commerce traffic that comes from bad bots is 65%, login attack rates at e-commerce sites jumped 216% in 2025, and annual e-commerce losses to online payment fraud reached $48B, according to Arkose Labs and LexisNexis. That combination shows fraud controls now have to govern machine-driven abuse, not just human attackers.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- 65% e-commerce traffic that comes from bad bots
- 216% Jump in login attack rates at e-commerce sites in 2025
- $48B Annual e-commerce losses to online payment fraud
Questions worth separating out
Q: How should security teams reduce bot-driven account takeover in e-commerce?
A: They should combine device intelligence, behavioural analysis, and risk-based step-up checks at login and signup.
Q: Why do bad bots create an identity governance problem for retailers?
A: Because bots can create accounts, test credentials, and complete sessions at scale while looking operationally similar to real users.
Q: What breaks when fraud controls are disconnected from IAM decisions?
A: Teams miss the link between identity behaviour and abuse patterns, so attackers can move from account creation to takeover to transaction fraud without triggering a coordinated response.
Practitioner guidance
- Unify fraud and IAM telemetry Correlate login attempts, signup velocity, device reputation, and session behaviour so machine abuse is evaluated in one decision layer instead of separate tools.
- Tune step-up controls to attack patterns Apply adaptive challenges when signals indicate credential stuffing, fake account creation, or scripted checkout activity, and avoid forcing the same friction on every customer.
- Measure abuse at the identity edge Track account creation quality, login attack rates, and session anomalies together so you can see whether controls are reducing abuse or merely shifting it.
What's in the full announcement
Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:
- Detection and mitigation patterns for bot traffic using the vendor's 250-plus signal model
- Examples of adaptive challenges for login, signup, and checkout abuse across retail journeys
- Customer-story detail on fraudulent new account reduction versus incumbent controls
- Decisioning and intelligence workflows used to tune fraud controls over time
👉 Read Arkose Labs' analysis of bot-driven retail fraud and AI agent abuse →
Bad bots, AI agents and retail fraud: are controls keeping up?
Explore further
Retail fraud is now an identity governance problem, not just a transaction risk. The article shows that bad bots, AI agents, and login abuse sit upstream of payment loss, which means the control plane has shifted toward account lifecycle, session trust, and access decisioning. When machine traffic dominates customer journeys, fraud and IAM can no longer operate as separate disciplines. Practitioners should treat account abuse as a governed identity flow, not a point-in-time fraud event.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 44% of organisations have implemented any policies to govern AI agents, which leaves most deployments operating without formal guardrails.
A question worth separating out:
Q: Which identity signals matter most for stopping retail automation abuse?
A: Look at account creation velocity, login repetition, device consistency, and session behaviour over time. Those signals help distinguish genuine customers from scripted activity. The strongest programmes use them together, because any single indicator can be spoofed, but consistent patterns across the journey are harder for automation to hide.
👉 Read our full editorial: AI agents and bad bots are widening retail fraud exposure