

It’s 9:07 a.m. You open your laptop, coffee in hand, ready to ship orders and answer a few customer emails.
Instead, your dashboard delivers the usual greatest hits:
You haven’t even checked Slack.

This used to be a bad day a few months ago, but now it’s a typical one.
Ecommerce has quietly become adversarial. The same systems that make it easy to sell also make it easy to exploit merchants at scale, costing them their livelihoods. Entire businesses are crumbling to the ground because of these threats.
Bots don’t sleep. Fraud rings share playbooks. And now AI shopping agents can place orders on your site without your consent, creating disputes you didn’t invite and can’t easily resolve.
You’re a great merchant, but you didn’t sign up to be a cybersecurity specialist. Yet here we are.
Massive China bot attack
Am I ever going to get to see my real live traffic again? Since the first week of October my store has been under attack. I’ve tried consulting Cloudflare and they recommended activating some features and rules - didn’t work. Tried installing a recommended bot blocker app - also didn’t work.
Anyone else experience this mess? Is there a solution here?
Let’s go over the real cybersecurity and fraud threats merchants face today, why they’re escalating, and what practical steps merchants can take to protect their businesses without becoming full-time security teams.

Bot attacks aren’t clever. They’re relentless.

Nearly 50% of all internet traffic is now generated by bots, not humans. And 32% of that traffic is classified as malicious “bad bots”. Attackers automate actions that would look suspicious if done once, then repeat them thousands of times until something works. For ecommerce merchants, this shows up as:
Akamai recorded 61 billion credential-stuffing attempts in just 18 months
“We’re getting absolutely hammered by fake accounts, promo abuse, with some sophisticated bots. This is starting to feel unmanageable. Bots are creating hundreds of fake accounts every day using disposable emails and proxies, fraudulent orders are coming through stolen cards & chargebacks are fired against my client, some attacks target high-value items (electronics) and use headless browsers or tools that fake mouse movements and session timing to bypass reCAPTCHA.”
- A frustrated business professional shared on Reddit
Bots inflate traffic numbers without generating revenue, driving up infrastructure costs and muddying analytics. Card-testing bots raise chargeback ratios, which can trigger higher processing fees or even payment account reviews. Inventory bots create artificial scarcity, frustrating real customers and damaging brand trust.
Bots don’t need ultra-secret spy level tools to get in. They just need time, automation, and one overlooked weakness.
Friendly fraud isn’t accidental at all. It’s learned behavior.
Surveys show nearly 39% of shoppers admit they or someone they know engaged in return policy abuse in the past year. That’s how common it is. Bracketing, pointless returns, and chargebacks have unfortunately become the norm for most merchants.
“Got a $400 chargeback today when the guy has a picture of him wearing the shoes he bought on Instagram. Supposedly they didn’t arrive.” - A frustrated seller on Reddit
This isn’t just some one-off case where everything gets resolved in the end.
Customers discover which claims are least likely to be challenged and repeat them. Common patterns include:
Payment networks prioritize customer trust. Merchants carry the burden of proof when it comes to chargebacks, including the cost when disputes fail.
This indifference towards merchants is exactly how US retailers lose over $101 billion annually to return fraud.
For payment networks, as long as the customer isn’t a hardened criminal, they’re not concerned.
Unfortunately, fraud doesn’t always look malicious. Sometimes it looks like a customer who knows the rules and wants to break them.

To manage fraud, merchants rely on apps and integrations that require deep access to stores. These tools have access to refund permissions, order data, and customer details.
When these tools are compromised, merchants inherit the fallout. The Disputifier API Leak, where leaked API tokens enabled unauthorized refunds, is a reminder that even anti-fraud tools expand the attack surface.
“I don’t even know where to start… I have poured months of work, time, and money into my store, and now it’s all feeling like it’s slipping through my fingers. Apparently, Disputifier, the app I trusted to handle chargebacks automatically, had a massive API leak. A hacker ran a script and triggered unauthorized refunds, literally taking over $12,000 from my store in seconds. I feel helpless, frustrated, and tbh heartbroken. I thought relying on automated chargeback management would protect me, but now I’m wondering if any system is truly safe.”
- A highly emotional Reddit post by a merchant
At the same time, AI shopping agents like Amazon Buy for Me scrape merchant sites and place orders without consent, creating:
Third-party risk and automation scale problems faster than most merchants can respond. You could be trying to get through a tough day at work, and next thing you know, you lose half your week’s revenue in a matter of seconds.
Every integration is a tradeoff between efficiency and exposure. Signing up for anything without knowing the risks is like getting brain surgery and then reading the waiver.
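The refund incident described above points to one check a merchant or app developer can run over refund records: flag any API credential that issues an unusual number or value of refunds within a short window. This is an added example, not from the original article; the record layout, credential labels and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records: (ISO timestamp, credential label, refund amount in USD).
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:00", "support-desk", 40.00),
    ("2025-01-10T09:20:00", "support-desk", 25.00),
    ("2025-01-10T11:02:01", "chargeback-app", 900.00),
    ("2025-01-10T11:02:03", "chargeback-app", 1200.00),
    ("2025-01-10T11:02:04", "chargeback-app", 850.00),
    ("2025-01-10T11:02:06", "chargeback-app", 1500.00),
    ("2025-01-10T15:30:00", "support-desk", 60.00),
]

def find_refund_bursts(events, window=timedelta(minutes=1),
                       max_count=3, max_total=2000.0):
    """Alert the first time a credential's refunds inside a sliding window
    exceed max_count or max_total (both thresholds are assumptions to tune)."""
    recent = defaultdict(deque)   # credential -> (time, amount) pairs still in window
    alerted = set()               # credentials already reported once
    alerts = []
    for ts, cred, amount in sorted(events):   # ISO timestamps sort chronologically
        now = datetime.fromisoformat(ts)
        q = recent[cred]
        q.append((now, amount))
        while now - q[0][0] > window:          # drop refunds older than the window
            q.popleft()
        total = sum(a for _, a in q)
        if cred not in alerted and (len(q) > max_count or total > max_total):
            alerted.add(cred)
            alerts.append({"credential": cred, "at": ts,
                           "count": len(q), "total": total})
    return alerts

if __name__ == "__main__":
    for alert in find_refund_bursts(SAMPLE_EVENTS):
        print(alert)
```

An alert like this is a signal to suspend or rotate the affected credential and review the refunds it issued.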
Account takeovers happen when attackers gain access using reused credentials or phishing. You’ve probably heard of this a million times, but with all the new tech around, phishing methods just keep evolving.
81% of breaches involve stolen or weak credentials, not advanced hacking. You’d think that people would use secret agent-level tech for fraud, but it’s unfortunately the boring stuff that can get you.
Once inside, they can change shipping addresses, abuse stored payment methods, or drain loyalty balances.
Meanwhile, Magecart-style attacks inject malicious JavaScript into checkout pages, silently skimming payment data without breaking the customer experience.
These attacks affected thousands of ecommerce sites in 2024, often via outdated plugins or third-party scripts.
Nobody even noticed at first.
Orders still went through. Revenue still appeared. People only realized something was wrong when their customers’ banks flagged fraudulent charges.
What this means is that most breaches aren’t sudden failures. They’re the result of slow neglect.

All hope is not lost. There are solid methods for keeping your business safe, and they don’t involve you getting a tech degree.
While each of these solutions needs a bigger deep dive, we’ll summarize the main points for quick reference here.

Ecommerce security isn’t about eliminating risk. It’s about managing it intentionally.
Bots will keep evolving. Fraudsters will keep testing boundaries. AI tools will continue to move faster than policy and regulation.
The merchants who survive won’t be the ones chasing perfect prevention. They’ll be the ones who expect abuse, design for it, and reduce its impact without punishing real customers.
You don’t need paranoia. You need preparation.
Security threats have always existed. Now they’ve just been automated.