E-Commerce Security 2026: AI Fraud, Deepfakes and New Regulations Challenge Retailers
Abstract. AI-powered attacks, synthetic identities and so-called friendly fraud are fundamentally reshaping the threat landscape for German and global online retail. By 2030, Juniper Research projects annual fraud losses of €131 billion. At the same time, new Nacha regulations came into force in the United States in March 2026. The E-Commerce Institute Cologne provides an academic assessment of these developments and identifies the protection strategies that work in 2026.
Important Facts
- +450% growth in automated “agentic traffic” in 2025 – AI systems execute logins, payments and orders fully automatically (LexisNexis Risk Solutions).
- 11% of all fraud cases involve synthetic identities created by AI from real and fabricated data.
- +216% more attacks on the login phase – account takeover is one of the most common entry points.
- 64% of retailers report rising friendly fraud: customers dispute valid transactions to keep goods while receiving refunds.
- 2% of total e-commerce revenue is lost to payment fraud (MRC 2026).
- Fraud losses rise from €56 billion (2025) to a projected €131 billion by 2030 (Juniper Research).
- Since 20 March 2026, new Nacha rules for fraud monitoring apply to payment service providers in the United States.
- Every euro lost to fraud costs retailers approximately two euros in total – including shipping, chargeback fees and lost inventory.

Threat Landscape at a Glance
| Threat type | Growth / Share | Source |
| --- | --- | --- |
| Automated “Agentic Traffic” | +450% (Jan–Dec 2025) | LexisNexis Risk Solutions |
| Attacks on login phase | +216% | LexisNexis Risk Solutions |
| Synthetic identities (AI-generated) | 11% of all fraud cases | LexisNexis Risk Solutions |
| First-party abuse (“friendly fraud”) | 64% of retailers affected | Merchant Risk Council (MRC) |
| Payment fraud loss rate | 3.2% of e-commerce revenue | MRC 2026 |
| Fraud losses 2025 → 2030 | €56bn → €131bn | Juniper Research |
Table: LexisNexis Risk Solutions, MRC, Juniper Research 2026 – own analysis E-Commerce Institute Cologne
AI as a Weapon: Deepfakes, Synthetic Identities and Automated Attacks
The most significant technological shift in e-commerce fraud is the industrialisation of deception. Criminals use generative AI to create synthetic identities that blend real and fabricated data, bypassing standard verification procedures. This development creates a structurally new level of risk.
Particularly alarming is the rise of so-called agentic traffic – automated AI systems that execute complex tasks such as payments and logins – which surged 450 per cent in 2025. At the same time, “all-green fraud” is increasing: legitimate users are manipulated into authorising fraudulent transactions themselves.
Agentic traffic – automated systems that execute complex tasks such as credit card payments or logins – grew by 450 per cent between January and December 2025.
— LexisNexis Risk Solutions, Fraud Report 2026
Friendly Fraud: When Your Own Customer Becomes the Threat
Alongside external attacks, the “inside threat” is becoming the greatest danger to retailer profitability. Sixty-four per cent of retailers report a steady increase in first-party abuse: customers dispute valid transactions with their bank to receive refunds while retaining the goods.
The methods are growing ever more sophisticated. In so-called “rock-in-a-box” fraud, a worthless object of similar weight is returned. In address manipulation, return labels are altered so that a parcel is recorded as returned – even though it never reaches the retailer’s warehouse.
New Regulation: Nacha Rules from March 2026
Regulators are responding with stricter requirements. In the United States, the first phase of new Nacha rules came into force on 20 March 2026: the previous standard of “commercial reasonableness” has been replaced by a requirement for documented, risk-based processes. The aim is to detect fraud “upstream” – intervening before a fraudulent transaction is completed. The second phase follows in June 2026, covering all remaining originators.
For the European market, the Digital Services Act (DSA) is increasing pressure on platforms to address fraud prevention and data protection simultaneously – a balancing act that demands technological agility.
Effective Protection Strategies in 2026
- Behavioural biometrics: analysis of typing speed, mouse movements and navigation patterns to distinguish between humans, bots and malware.
- Liveness detection: anti-spoofing solutions during account creation prevent deepfakes and synthetic identities.
- Consortium data: sharing known fraud patterns between banks and retailers is becoming the standard.
- Agentic AI defence: proprietary AI models continuously learn from new fraud patterns and trigger alerts within seconds.
- Risk-based authentication: high-security measures (e.g. biometrics) are only triggered when a transaction deviates from a customer’s normal behavioural profile.
Academic Context
Research by Julian Thiers and the team led by Prof. Dr. Richard C. Geibel at the E-Commerce Institute Cologne interprets the current fraud wave as a structural escalation rather than a cyclical phenomenon. The AI arms race between attackers and defence systems will permanently reshape the sector: as global e-commerce revenues grow to around €7.38 trillion by the end of 2026, fraud prevention is consuming an ever-larger share of retailer margins.
The decisive competitive advantage will belong to retailers who integrate invisible, behaviour-based verification seamlessly into their customer journey – without creating additional friction in the checkout process. Compliance is thus shifting from a back-office issue to a central strategic success factor.
Frequently Asked Questions (FAQ)
Question: What is friendly fraud in e-commerce?
Answer: Friendly fraud, or first-party abuse, refers to fraud committed by legitimate customers: they dispute valid transactions with their bank to receive refunds while keeping the goods they ordered. In 2026, 64% of retailers report an increase in this form of fraud (MRC).
Question: What are synthetic identities?
Answer: Synthetic identities are created by criminal AI systems by combining real and fabricated personal data. They bypass standard verification procedures and already account for 11% of all fraud cases (LexisNexis 2026).
Question: What are the Nacha rules and who do they affect?
Answer: The new Nacha rules (Phase 1: 20 March 2026, Phase 2: June 2026) require US companies and payment service providers processing ACH transactions to implement documented, risk-based fraud monitoring systems. They replace the previous standard of “commercial reasonableness”.
Question: How large are e-commerce fraud losses projected to be by 2030?
Answer: According to Juniper Research, fraud losses will rise from €56 billion (2025) to €131 billion by 2030. Fraud involving physical goods alone is projected to reach €10 billion per year.
Question: What is risk-based authentication?
Answer: With risk-based authentication, demanding security measures (e.g. biometric checks) are only triggered when a transaction deviates from a customer’s normal behavioural profile. This maximises security without slowing down routine purchase processes.
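Risk-based authentication as described in the strategy list and in the FAQ answer above, shown as an added example (not code from the E-Commerce Institute Cologne or any vendor named here). The features (order amount, device, shipping country), the weights and the step-up threshold are assumptions chosen for illustration, and the order history is constructed sample data.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    amount: float       # order value in EUR
    device_id: str      # stable device fingerprint (assumed to exist upstream)
    ship_country: str   # ISO country code of the shipping address


STEP_UP_THRESHOLD = 0.5  # assumed cut-off; tune against real chargeback data


def risk_score(history, txn):
    """Score how far txn deviates from the customer's own profile (0 = typical)."""
    if len(history) < 3:
        return 1.0  # no usable profile yet: treat as fully anomalous
    amounts = [h.amount for h in history]
    mu = mean(amounts)
    # Floor sigma so a very uniform history does not flag tiny differences.
    sigma = max(pstdev(amounts), 0.05 * mu, 1.0)
    # Only unusually HIGH amounts add risk; the term saturates at 4 sigma.
    z = max(0.0, (txn.amount - mu) / sigma)
    score = 0.5 * min(z / 4.0, 1.0)
    if txn.device_id not in {h.device_id for h in history}:
        score += 0.3  # device never seen on this account
    if txn.ship_country not in {h.ship_country for h in history}:
        score += 0.2  # first shipment to this country
    return round(score, 2)


def decide(history, txn):
    """Return 'step_up' (e.g. biometric check) only when the order is atypical."""
    return "step_up" if risk_score(history, txn) >= STEP_UP_THRESHOLD else "allow"


# Constructed sample history for one customer.
HISTORY = [
    Txn(40.0, "dev-a", "DE"),
    Txn(55.0, "dev-a", "DE"),
    Txn(48.0, "dev-a", "DE"),
    Txn(60.0, "dev-b", "DE"),
]

if __name__ == "__main__":
    for t in (Txn(52.0, "dev-a", "DE"), Txn(52.0, "dev-x", "DE"),
              Txn(52.0, "dev-x", "PL"), Txn(900.0, "dev-a", "DE")):
        print(t, risk_score(HISTORY, t), decide(HISTORY, t))
```

A single weak signal (a new device on a normal-sized order) stays below the threshold, so routine purchases are not interrupted; combined signals or a large amount outlier trigger the step-up.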