
Visibility and Control to Protect Against AI Agent Commerce Fraud


Aaheli Guhathakurta

June 25, 2026

Agentic AI, AI, Cyberfraud, Cybersecurity, Cyberthreats, E-commerce

While the internet is no longer human by default, it is still human-prompted. Today, people increasingly rely on AI agents to search, compare prices, shop, and even book reservations on their behalf. According to HUMAN’s 2026 State of AI Traffic and Cyberthreat Benchmark Report, agentic AI traffic grew 7,851% year over year in 2025, with agents facilitating the buying journey by recommending products, logging into accounts, and triggering checkout flows.

But wherever money flows, fraud follows.

Forrester estimates that agentic e-commerce has a long-term potential of $1.7 trillion by 2030. While legitimate consumer agents can create new opportunities for frictionless commerce, malicious AI agents can move faster and cause greater losses than human fraudsters. As AI agents grow in adoption, enterprises must take a trust-based approach to protecting their transaction surfaces, enabling legitimate consumer-driven agents while defending against agent-driven fraud and abuse.

Forrester’s recent Managing AI Agent Commerce Fraud report explores the types of defenses that enterprises will need to protect themselves as agentic commerce grows.

What Forrester's Report Says

In the report, Forrester outlines the scope of the challenge facing enterprises today. 

On detection, the report states that “traditional device tracking mechanisms, (like device fingerprinting and reputation tracking…) are less effective than with human-generated, more highly distributed traffic.”  

On governance, Forrester argues that the problem extends well beyond detection: “Is site scraping good or bad? Is shopping cart hoarding allowed or not? There are no right or wrong answers to these questions…[but] without a clear mapping of internal policies to AI agent activities, AI agent fraud management will be shooting in the dark.” 

To address these gaps, the report concludes that “agentic AI interactions require brand-new techniques for monitoring agent behavior,” noting that “new risk signals include unknown agent providers, unsigned agents, too fast or too slow interactions, and other signals, which Forrester expects will be discovered and formalized in agentic AI fraud management tools, such as HUMAN.”

Visibility, Trust, and Control for Agentic Traffic

HUMAN’s data confirms the scale of the shift Forrester describes, and adds significant detail to the threat picture.

The Scale and Direction of Agentic Traffic

As noted above, agentic AI traffic grew 7,851% year over year in 2025. Over the course of the year, 77% of agentic activity was concentrated on product and search pages, while 8.8% occurred on account pages, 5% on authentication flows, and 2.3% on checkout pages. That checkout figure is small in relative terms, but significant in kind: it represents autonomous transaction execution without direct human involvement, a behavior that was largely theoretical before 2025.

Milestone releases signal that this trajectory will only steepen. Strategic partnerships including ChatGPT’s Instant Checkout, OpenAI retail integrations with Target and Walmart, and PayPal and Perplexity’s Instant Buy program confirm that agent-driven transactions are moving from experimentation into real-world deployment. At the same time, new agent shopping protocols such as Anthropic’s Model Context Protocol (MCP), OpenAI’s tool-use frameworks, and Google’s A2A are making it easier for AI systems to interact directly with services, applications, and online marketplaces.

The Attack Surface Is Growing in Parallel

The interactions that AI agents are reshaping (namely product discovery, account management, and checkout) are the same interactions that threat actors target most. The State of AI Report revealed that carding volume has surged 250% since 2022. Post-login account compromise attempts more than quadrupled, with HUMAN flagging an average of 402,000 attempts per organization in 2025. Web scraping attacks have grown 138% since 2022, with the median percentage of traffic attempting a scraping attack approaching 20% globally.

Perhaps most telling: across all interactions analyzed by the Human Defense Platform, only one half of one percent separates the rate of benign automation from the rate of malicious automation. The old binary of “bot or not” no longer holds.

Real-World Examples of AI-Enabled Fraud

HUMAN’s Satori Threat Intelligence and Research team proactively discovers, analyzes, and disrupts threats across the web. Their research shows how attackers are already incorporating AI agents into abuse workflows.

AI Crawler Spoofing

Satori found that 16.7% of requests appearing to come from ChatGPT-User were fake: the user agent had been spoofed and another bot was impersonating ChatGPT. Across the board, 5.7% of all observed traffic presenting an AI crawler or scraper user agent was spoofed. Many of these campaigns are sophisticated, going beyond simple user agent forgery to mimic legitimate network details. Operators often route traffic from the correct autonomous systems, use IP addresses adjacent to official ranges, and orchestrate distributed, low-volume attacks via serverless functions to evade detection.
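The verification step implied by these findings (a request that claims an AI crawler identity in its user agent is only trusted when its source address falls inside the ranges the operator publishes) can be expressed as a small classifier. The following is an added example, not HUMAN's or Satori's code; the IP ranges, the `ExampleSearchBot` name and the sample requests are constructed placeholders (a real deployment fetches each operator's published ranges), and the "adjacent" check, which flags addresses near a published range rather than inside it, is a heuristic inspired by the campaigns described above.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder ranges standing in for the IP ranges an AI crawler
# operator publishes. Real deployments load these from the operator's list.
PUBLISHED_RANGES = {
    "ChatGPT-User": [ipaddress.ip_network("203.0.113.0/24")],
    "ExampleSearchBot": [ipaddress.ip_network("198.51.100.0/25")],  # hypothetical crawler
}


@dataclass
class Request:
    user_agent: str
    source_ip: str


def claimed_crawler(user_agent: str):
    """Return the crawler identity the user agent claims, or None."""
    for name in PUBLISHED_RANGES:
        if name in user_agent:
            return name
    return None


def classify(req: Request) -> str:
    """verified: address is inside the operator's published ranges.
    spoofed-adjacent: address is outside them but in the same /16 (heuristic).
    spoofed: claims an identity from an unrelated network.
    unclaimed: no crawler identity claimed, so nothing to verify."""
    name = claimed_crawler(req.user_agent)
    if name is None:
        return "unclaimed"
    ip = ipaddress.ip_address(req.source_ip)
    nets = PUBLISHED_RANGES[name]
    if any(ip in net for net in nets):
        return "verified"
    if any(ip in net.supernet(new_prefix=16) for net in nets):
        return "spoofed-adjacent"
    return "spoofed"


def spoof_rate(requests) -> float:
    """Fraction of identity-claiming requests that fail verification."""
    claiming = [r for r in requests if claimed_crawler(r.user_agent)]
    if not claiming:
        return 0.0
    failed = sum(1 for r in claiming if classify(r) != "verified")
    return failed / len(claiming)


# Constructed sample traffic: five genuine ChatGPT-User requests, one
# impersonator on an adjacent network, one request with no crawler claim.
SAMPLE = [
    Request("Mozilla/5.0 ChatGPT-User/1.0", f"203.0.113.{i}") for i in range(10, 15)
] + [
    Request("Mozilla/5.0 ChatGPT-User/1.0", "203.0.114.5"),
    Request("Mozilla/5.0 (Windows NT 10.0)", "192.0.2.7"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.source_ip, classify(r))
    print("spoof rate among claimants:", spoof_rate(SAMPLE))
```

Logging the classification alongside the claimed identity rather than blocking outright lets a policy layer decide whether an unverified claimant is dropped, rate-limited or merely recorded.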

AI Carding Abuse

In one documented case, Satori observed an AI agent attempt to add eleven different credit cards to an account within two days, triggering six payment-completion attempts. This pattern aligns with “checking,” a common carding technique in which attackers iterate through multiple cards to identify one that will authorize. The rapid card-addition loop, short-interval retries, and immediate pivot to a secondary payment instrument all match established carding patterns, except in this case the behavior was mediated by an AI agent.
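The pattern described above (many distinct cards attached to one account in a short window, plus declines followed by an immediate retry on a different card) is easy to express as detection logic over payment events. This is an added example, not HUMAN's or Satori's detection code; the event log, account names, card tokens and thresholds are constructed for illustration, and the two rules are a minimal reading of the signals the case mentions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event format: timestamp,account,event,card_token,outcome
# event is "card_added" (outcome "-") or "payment_attempt" (approved/declined).
BASE = datetime(2026, 6, 1, 9, 0)
CONSTRUCTED_LOG = []
# acct-A: eleven cards added over roughly two days (one every four hours)...
for i in range(11):
    ts = (BASE + timedelta(hours=4 * i)).isoformat()
    CONSTRUCTED_LOG.append(f"{ts},acct-A,card_added,card-{i:02d},-")
# ...then six payment attempts, each decline followed by a pivot to another card.
PAY_START = BASE + timedelta(hours=41)
for offset_min, card, outcome in [(0, "card-05", "declined"), (1, "card-06", "declined"),
                                  (2, "card-07", "declined"), (4, "card-08", "declined"),
                                  (5, "card-09", "declined"), (6, "card-10", "approved")]:
    ts = (PAY_START + timedelta(minutes=offset_min)).isoformat()
    CONSTRUCTED_LOG.append(f"{ts},acct-A,payment_attempt,{card},{outcome}")
# acct-B: ordinary behaviour, one card and one approved payment.
CONSTRUCTED_LOG += [
    f"{BASE.isoformat()},acct-B,card_added,card-90,-",
    f"{(BASE + timedelta(minutes=3)).isoformat()},acct-B,payment_attempt,card-90,approved",
]


def parse(line: str) -> dict:
    ts, account, event, card, outcome = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "event": event, "card": card, "outcome": outcome}


def detect_card_testing(lines, window=timedelta(hours=48), card_threshold=5,
                        retry_window=timedelta(minutes=5)):
    """Return {account: [reasons]} for accounts showing card-testing patterns."""
    by_account = defaultdict(list)
    for line in lines:
        e = parse(line)
        by_account[e["account"]].append(e)

    findings = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e["ts"])
        reasons = []

        # Rule 1: distinct cards added inside any sliding window of `window`.
        adds = [e for e in events if e["event"] == "card_added"]
        peak = 0
        for i, start in enumerate(adds):
            in_window = {a["card"] for a in adds[i:] if a["ts"] - start["ts"] <= window}
            peak = max(peak, len(in_window))
        if peak >= card_threshold:
            reasons.append(f"{peak} distinct cards added within {window}")

        # Rule 2: a decline followed, within `retry_window`, by an attempt on a
        # different card (the "pivot to a secondary instrument" signal).
        pays = [e for e in events if e["event"] == "payment_attempt"]
        pivots = sum(
            1 for prev, nxt in zip(pays, pays[1:])
            if prev["outcome"] == "declined"
            and nxt["card"] != prev["card"]
            and nxt["ts"] - prev["ts"] <= retry_window
        )
        if pivots:
            reasons.append(f"{pivots} declined-then-pivot retries within {retry_window}")

        if reasons:
            findings[account] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in detect_card_testing(CONSTRUCTED_LOG).items():
        print(account, "->", "; ".join(reasons))
```

Both rules are velocity signals, which is the point the case makes: whether the loop is driven by a script or by an agent, the account-level pattern is what a fraud team can act on.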

OpenClaw Misuse

Satori recorded OpenClaw agent requests designed to impersonate organic referral traffic. On a popular news platform, outbound links were systematically tagged with UTM parameters referencing major social media sources to simulate legitimate engagement at scale. In a separate instance, an exposed OpenClaw node ran a directory and file brute-force utility against common WordPress paths, suggesting attackers are using agent frameworks not just for traffic manipulation but also for reconnaissance.

These cases illustrate a broader trend: AI agents are lowering the barrier to entry for automated fraud and abuse.

HUMAN's Approach: From Risk Scoring to Trust Evaluation

Forrester is right that new signals and new techniques are required. Traditional fraud models rely on deep machine learning-based risk scores for individual transactions. AI agents disrupt that model entirely, because the behaviors that once indicated an attack (rapid page navigation, programmatic form completion, automated checkout) may now be a legitimate agentic commerce workflow.

That is why HUMAN’s approach focuses on trust evaluation rather than risk scoring: determining whether an agent interaction is trustworthy, authorized, and aligned with business policy. HUMAN’s AgenticTrust identifies agent intent, validates agent identity, and enforces policies around what agents are allowed to do.

Instead of applying blanket block or allow logic, organizations gain the ability to:

Continuous threat intelligence from the Satori team ensures that customers stay ahead of emerging attacker techniques as new agent frameworks appear.

Expanding the Trusted Agent Ecosystem

HUMAN is working with partners across payments, commerce, and digital platforms to ensure that legitimate agent activity can be trusted and verified.

Riskified, a leader in ecommerce fraud and chargeback protection, brings deep transaction-level intelligence that complements HUMAN’s ability to detect malicious automation earlier in the interaction lifecycle. Together, they help merchants identify fraudulent activity originating from automated agents before it reaches the payment stage.

Tollbit focuses on enabling trusted relationships between AI agents and content publishers. By providing mechanisms for agents to identify themselves and compensate publishers for content access, Tollbit helps establish economic incentives for legitimate agent behavior while reducing incentives for scraping and impersonation.

These partnerships represent an early step toward a broader ecosystem where trusted AI agents can interact with digital services transparently.

Moving Forward

AI agents are already shaping how people shop, search, and transact online. The organizations that succeed in this new era of commerce will be those that treat trust as infrastructure.

The Human Defense Platform, with protection of advertising, applications, and accounts—and since mid-2025, agentic AI flows—has been ranked an industry leader for our current offering and strategy in The Forrester Wave™: Bot and Agent Trust Management Software, Q2 2026 report. Read the report here.

Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. This report is part of a broader collection of Forrester resources, including interactive models, frameworks, tools, data, and access to analyst guidance. For more information, read about Forrester’s objectivity here.
