IT Brief UK - Technology news for CIOs & IT decision-makers
United Kingdom
Akamai warns commerce is top target for AI bot attacks

Akamai warns commerce is top target for AI bot attacks

Wed, 15th Jul 2026 (Today)
Sean Mitchell
SEAN MITCHELL Publisher

Akamai has published research showing that commerce is now its most targeted industry for AI bot attacks and agentic fraud. The findings also rank EMEA as the second most targeted region for retail AI bot activity.

Its latest State of the Internet security report found that, by the end of 2025, nearly half of all commerce traffic across Akamai's global network consisted of AI bots. Automated traffic made up 47.9% of commerce traffic, and more than 70% of AI bot triggers in commerce came from training crawlers scraping product data, pricing and other content for large language model development.

The figures add to wider concern over cyber pressure on economically important sectors. The National Cyber Security Centre recently urged critical sectors to strengthen defences against Russian intelligence targeting, with commerce, financial services and energy seen as attractive targets.

Regional pressure

In EMEA, the retail sector recorded 26 billion AI bot counts between July and December 2025, accounting for 12.4% of all AI bot activity tracked in the study. That made the region the second-largest target globally for AI-driven commerce traffic, behind North America, which recorded 33 billion counts.

Bot activity among EMEA commerce organisations rose 16% in 2025. From the start of 2024 to the end of 2025, commerce platforms in the region also faced 40 billion web attacks, with pressure especially acute during holiday periods and on application interfaces.

The report pointed to a widening range of threats facing online retailers and other commerce businesses. Alongside conventional malicious traffic, companies are dealing with automated tools designed to imitate human behaviour more closely, making detection harder for existing security controls.

Patrick Sullivan, Chief Technology Officer of Security Strategy at Akamai, said the shift reflects changing online traffic patterns. “We are securing a digital frontier where the 'customer' is increasingly an AI agent operating on behalf of the human user,” he said.

He added: “This report reveals how and why security leaders must embrace 'agentic readiness' to architect sites that welcome legitimate AI while aggressively shutting down malicious bots.”

API exposure

The study also highlighted the role of application programming interfaces in the attack landscape. Web attacks targeting APIs rose 9% year on year, while 85% of commerce respondents in a separate API security study reported at least one API-related incident in the past year.

Yet visibility remains limited. Only 22% of organisations know which of their APIs expose sensitive data, leaving large parts of their online estates difficult to monitor or secure effectively.

That lack of visibility matters because APIs increasingly sit behind checkout systems, customer accounts, loyalty programmes, logistics and mobile apps. Attackers can use them to extract data, automate fraudulent activity or disrupt services at moments of high demand.

DDoS and fraud

Commerce was targeted by Layer 7 distributed denial-of-service attacks nearly 3 trillion times in 2025. Retail accounted for 84% of that volume, with attackers using HTTP botnets to flood APIs during peak shopping periods and overwhelm application servers.

The report also described what it called agent hijacking and synthetic identity fraud. In these cases, threat actors compromise legitimate AI assistants and abuse stored payment credentials, or use large language models to create false identities that can evade static fraud checks.

Guest commentary in the study from Pam Lindemoen, Chief Security Officer and Vice President of Strategy at RH-ISAC, said autonomous AI shopping agents are creating a signal-masking problem by mimicking human microbehaviours. The report argued that this narrows the distinction between ordinary customer activity and malicious automation.

The data suggests many companies still take a permissive approach to bot management. Commerce organisations placed more than 90% of their AI bot activity in a monitor category, while allowing three-quarters of the remainder to pass without restriction.

Phishing pipeline

Beyond bots and web attacks, malware and phishing remained central to online fraud against commerce businesses. Between November 2025 and April 2026, malware represented 56.5% of observed endpoint threat activity, while phishing accounted for 37.6%.

Average daily phishing volume across commerce customers rose sharply from 56,600 in February to 134,600 in April. Akamai said phishing provides the raw material for account takeover and loyalty point theft, two persistent problems for online retailers and travel-linked commerce services.

The regional pattern was uneven. North America and EMEA posted more modest increases in bot activity than APAC and Latin America, but both mature markets saw sizeable spikes in web attacks around holiday periods. APAC, where bot activity rose 63%, was identified as a major target for bot and Layer 7 DDoS activity, especially in travel and loyalty ecosystems.

The report recommends tighter API inventories, more granular controls over automated traffic, and stronger coordination between cybersecurity and fraud teams. It also found that while 92% of organisations use basic network segmentation, only 35% have moved to microsegmentation.