What is Agentic Commerce Fraud? Risk, Tactics and Prevention

What is agentic commerce fraud?

Agentic commerce fraud is the misuse of AI shopping agents or the permissions customers give them. Instead of breaking into accounts directly, bad actors exploit delegated access to place purchases or abuse post-purchase actions in ways the customer never intended.

How agentic commerce fraud differs from ecommerce fraud

Automation isn’t new to ecommerce fraud. In fact, it’s been part of it for years. Bots test stolen cards, take over accounts and probe checkout flows at scale. Even when automated, those attacks still move through human-facing sessions (i.e. logins, forms and checkout steps), which creates retries, failures and other noisy signals traditional fraud systems are built to catch.

Agentic commerce changes how that abuse plays out. Instead of mimicking a shopper step by step, fraudsters target delegated access — the moment a real customer authorizes an AI agent to act on their behalf. That access can span the entire journey, from product selection and checkout to post-purchase actions like returns and refunds.

This flips how fraud detection works:

• Non-human behavior is no longer a red flag: Agent-led orders often move from product selection to checkout in seconds, with little or no browsing, scrolling or content interaction. This means a fast, clean, non-interactive session isn’t automatically suspicious anymore.
• The human session disappears: When an AI agent handles the shopping, there’s no browsing, hesitation, mouse movements, retries or backtracking. On top of that, product selection and checkout happen in seconds, leaving little of the behavioral context fraud systems normally rely on.
• Fraud doesn’t hide behind odd behavior anymore: In agentic flows, risk often shows up as orders that look too clean, with no retries or failed payments over and over again.

Why agentic commerce strains traditional fraud detection

Fraud systems are trained on patterns. For years, those patterns have been shaped by how people shop. Models learn what “normal” looks like by observing friction and circumstances: how long someone takes to decide, where they hesitate, how often they retry a payment or abandon a cart before coming back, what device they use, where the device is located compared to where the product will be delivered.

Agentic commerce strips much of that context away. When an AI agent executes a purchase, the transaction reaches the fraud system without the behavioral buildup it’s used to evaluating. There’s no gradual formation of intent. No sequence where risk increases step by step. Furthermore, the IP address accompanying the order is most likely that of the data center hosting the agent — often far from the billing and delivery addresses. In the end, the system sees a completed order without the trail that usually explains how it got there or precisely where it came from. And that creates a blind spot.

Often, the only clear indicator is that the order came through an agentic API that gives far less context about how the purchase actually happened.

As agentic commerce grows, fraud detection can’t rely on asking if a transaction looks human. It has to answer a different question: “Does this action align with the customer’s identity and intent, even when the customer never touched the keyboard?”

How AI agents can be used for fraud

Many of the underlying fraud patterns look familiar from traditional ecommerce. What’s changing is how attackers are adapting to agent-led shopping. That shift is already showing up in underground communities. Visa PERC recently reported a more than 450% increase in dark web posts referencing “AI agents” over a six-month period, suggesting growing interest in exploiting agent-driven flows.

Agents using stolen cards to place orders

In ecommerce fraud, stolen cards are often tested through small transactions and retries. With agentic flows, fraudsters can feed stolen card details directly into automated purchasing logic. Orders can clear quickly, cleanly and without the trial-and-error behavior models expect to see.

Fake storefronts designed to fool AI agents

Fraudsters are beginning to think less about tricking people and more about tricking machines.

AI-friendly fake storefronts are optimized for how AI agents scan and evaluate options, not how humans browse. That often means these sites have:

• Clean, well-structured metadata
• Competitive pricing that consistently undercuts real ecommerce retailers
• Standardized product feeds with clear specs and availability
• Minimal checkout friction

Because these fake websites are built to rank well inside an agent’s comparison logic, these storefronts can surface as the “best” option when an agent compares products across multiple merchants. Once the agent proceeds to checkout and enters payment details, credentials are captured by the fraudster and the product is never shipped since it didn’t exist in the first place.

Abuse of stored payment credentials and trusted tokens

AI agents often rely on stored cards, wallets or tokens to streamline checkout. That convenience can be exploited.

In these scenarios, fraudsters manipulate agent behavior so legitimate credentials are reused repeatedly or in unintended ways. Since the payment method is already tokenized and trusted, transactions can appear low risk at first glance. Because of this, they usually clear bank authorization and merchant fraud checks with little friction — even when the items, timing or destination don’t line up with the customer’s regular behavior.

From account takeover (ATO) to bot takeover (BTO)

Instead of taking over a customer account, attackers target the agent acting on that customer’s behalf. Once an agent is compromised, fraudsters don’t need to navigate logins or security challenges. Instead, they can instruct the agent to do things like:

• Reroute shipments to new addresses
• Place orders for high-resale or high-liquidity items, like premium electronics or luxury goods
• Make back-to-back purchases using the customer’s payment method until spending limits are hit, balances are drained or the card is declined

Agent-driven phishing and impersonation

As agentic commerce becomes more visible, attackers will exploit confusion around how agents communicate. They’ll send messages designed to create urgency and uncertainty via email or SMS like “Your AI assistant placed an order — click here to cancel.” But the link won’t cancel anything. 

Instead, it will lead to a fake login or confirmation flow that looks like a trusted merchant, wallet or AI assistant interface. And once the shopper enters credentials, payment details or account information, they’re immediately captured and that access can be used to place additional orders, drain stored payment methods or take over the agent itself.

Agent-assisted enumeration and probing

Agents can also be used to quietly explore merchant systems at scale. Instead of noisy attacks, they probe through normal-looking activity:

• Testing checkout limits and thresholds
• Seeing how promotions and coupons stack
• Mapping return and cancellation windows
• Identifying where policy enforcement breaks down

This kind of “low and slow” activity blends into legitimate traffic. The risk often isn’t obvious until fraud shows up later through abuse, order disputes or operational losses.

Automated abuse of returns, refunds and cancellations

Agents can be explicitly programmed to exploit post-purchase policies. That can look like orders placed and canceled within minutes or returns initiated immediately after delivery or shipment scans to trigger faster refunds. Because each action follows policy rules on paper, the abuse doesn’t always trigger fraud alarm bells. Without network-level visibility, these patterns can persist quietly for weeks or months.

How to protect against agentic commerce fraud

Focus on behavioral drift, not isolated actions

In agentic commerce, individual actions often look valid on their own. Risk tends to surface when behavior starts to drift away from what is normal for a specific customer.

That drift may show up as changes in what is being purchased, how much is being spent, or where orders are being shipped. For example, an AI agent may move from low-risk items to higher-value products, place orders more quickly than usual, or send purchases to unfamiliar addresses. When those changes coincide with agent-led execution, they can signal elevated risk because they no longer reflect the customer’s established behavior or intent. Where available, pairing those shifts with account-level signals, like unusual account changes or login activity, can help surface bot takeover scenarios that otherwise appear fully authorized.

Treat delegated access as a risk surface

As we know, traditional fraud detection is built around sessions, devices and accounts. Agentic commerce introduces a new layer in between: delegated authority.

Protecting against that risk requires changing what you evaluate. Instead of focusing only on whether a transaction looks valid at checkout, teams need to assess how agent-led orders behave over time. That includes whether an order aligns with a customer’s past buying patterns, how it compares to similar activity across other customers and what tends to happen after those orders are placed.

Platforms like Signifyd support this approach by linking checkout behavior with downstream outcomes. Rather than treating fast, clean authorizations as automatically low risk, orders are evaluated across their full lifecycle. This makes it possible to let legitimate automation move forward while still identifying cases where delegated access is being misused.

Extend protection beyond checkout

Agent-led abuse doesn’t always surface when a payment is authorized or approved. In many cases, payments clear cleanly and issues only appear later through rapid cancellations, refund requests or disputes framed as confusion rather than fraud.

To catch these patterns, protection has to extend beyond the moment of purchase. Account creation and changes, orders, cancellations, returns, refunds and chargebacks should be reviewed together so behavior can be understood over time instead of in isolation. When post-purchase signals are connected back to how an order was placed, it becomes easier to spot misuse even when each individual action technically follows your ecommerce policy.

Balance trust with scale and visibility

As agent-led shopping grows, no single merchant has enough data on their own to define what “normal” actually looks like. Agent activity only becomes clear when it’s viewed across a large number of orders, customers, retail verticals and use cases.

You can use a solution like Signifyd’s Commerce Protection Platform to access that broader context. By combining machine learning with global ecommerce data, Signifyd establishes clearer baselines for both human and AI-driven purchases. This wider view makes it easier to fast-track trusted activity while still identifying subtle misuse that would be difficult to spot in isolation.

Prevent agentic commerce fraud without blocking good agents

Agentic commerce introduces buying flows that won’t always look familiar, even when nothing is wrong. The signal to watch isn’t whether an order looks human, but whether it aligns with the customer’s normal behavior and intent. And that distinction isn’t always easy for ecommerce merchants to make.

Signifyd’s Commerce Protection Platform helps you make those calls with context rather than assumptions. Trusted agent-led activity can move through quickly, while misuse is surfaced when it matters. And if fraud does slip through, our Complete Chargeback Protection helps prevent those losses from landing in your court and provides a financial guarantee. This approach makes it possible to support agent-led shopping as it becomes more common, letting good automation scale while stopping bad actors, without taking on unnecessary risk as the agentic commerce ecosystem evolves.

Photo by Getty Images

Want to learn more? Talk to an expert about agent-led risk to understand how Signifyd separates trusted automation from misuse.