Where Retail and Hospitality Fraud is Actually Happening Now (and What to Do About It)

For years, fraud has been a payments problem. Detect it at checkout. Measure success in chargebacks avoided. Build controls around transactions. That model made sense when fraud itself was transactional – and reactive.
That era is over.
Modern fraud operations are not waiting for a payment event. They are active earlier in the customer journey, interacting with systems in ways that extract value, distort data, inflate costs, and undermine business decisions – often without triggering a single fraud alert. By the time a chargeback lands, the real damage has already occurred upstream.
This is the central challenge security and fraud teams in retail and hospitality are facing in 2026. And it is the subject Kasada will be exploring with industry peers at this year’s RH-ISAC Cybersecurity Summit, April 13–15 in Austin, Texas.
The current threat landscape
Kasada’s 2026 Benchmark Report on Bots, Fraud, and AI documents a year-over-year surge that should reframe how organizations think about their exposure. Bad bot activity increased 219% year over year. Organizations now report average revenue losses of 45% from bot-driven attacks – and nearly two-thirds have already experienced meaningful impact.

These are not anomalies. They reflect a structural shift. Fraudsters are no longer opportunistic actors looking for individual exploits. They operate with the consistency and structure of a business. Campaigns run continuously. Tooling is widely available and constantly iterated. Bot-as-a-service platforms lower the barrier to entry. AI tooling accelerates attack development.
The result is a threat environment that behaves more like an organized market than a collection of individual incidents – one that most enterprise defenses were not designed to handle.

“Fraud now operates at industrial scale. Most defenses were not designed for that environment.”

Bot vs. human is the wrong question
Security strategies in retail and hospitality have long been organized around a single distinction: is this traffic automated or human? If it is a bot, block it. If it is a human, let it through.
That distinction is breaking down – and security teams that have not updated their mental models are finding their controls less effective as a result.
The breakdown is happening on multiple fronts. Human attackers use automation to scale their operations. Bots are engineered to mimic human behavior – real device fingerprints, distributed residential IP addresses, realistic session patterns. And agentic AI systems now combine both: they can analyze stolen credential data, generate attack strategies, and execute end-to-end workflows without meaningful human involvement in each step.

How modern attack infrastructure blends the distinction:
•  Human attackers rely on automation for scale – the distinction is blurring at the operator level
•  Bot traffic is designed to look like real user behavior – device fingerprints, residential IPs, realistic timing
•  Agentic AI systems execute attacks autonomously, adapting in real time without per-step human oversight
•  CAPTCHA-solving services and AI tools make traditional detection signals unreliable

The question organizations need to be asking is not “is this traffic automated?” It is: “is this interaction harmful?” That requires evaluating intent – and most defenses are not built to do that.
Agentic commerce changes the rules
AI agents are already part of the commerce experience. Shopping assistants browse product catalogs, compare options, and in some cases complete actions on behalf of users. This is happening now across retail and hospitality platforms, and it is growing quickly.
Kasada’s research shows that assistant-driven interactions have grown nearly 10x year over year. AI-driven traffic is now a meaningful share of overall activity on most major retail and hospitality properties.

The challenge is that most of this traffic is not beneficial. Nearly 80% of AI-driven traffic comes from crawlers and scrapers – not user-serving systems. That includes price scrapers, inventory monitors, content aggregators, and automated competitive intelligence tools. Some of this activity sits in a gray area. Much of it represents direct competitive harm.
This creates a genuine operational dilemma. The behavioral signals that indicate a legitimate AI shopping agent look almost identical to those that indicate a malicious scraper or inventory bot. Security teams are being asked to allow and restrict the same patterns of behavior at the same time – often without reliable signals to separate them.
The organizations adapting most effectively are those developing more nuanced models of what beneficial AI interaction looks like for their specific environment, and building controls calibrated to that understanding rather than trying to apply blanket allow/deny rules to AI traffic.
Retail and hospitality are feeling it first
Every sector faces these challenges, but retail and hospitality are disproportionately targeted. The reason is straightforward: these industries connect digital activity to immediate revenue in ways that make them high-value targets.
Inventory, pricing, promotions, and loyalty accounts are all areas where even small manipulations can have immediate and measurable business impact. An attacker who understands how a retailer’s promotions engine works can extract significant value before any fraud signal is triggered.
Account takeover illustrates the scale of the problem most vividly. In 2025 alone:

•  13M stolen accounts were sold on criminal marketplaces
•  $151M+ in revenue was generated by those stolen account sales

These are not isolated incidents. They reflect consistent, repeatable criminal infrastructure – organized markets with pricing dynamics, specialization, and persistent operations. The accounts being sold include loyalty balances, stored payment credentials, and purchase histories that can be used for fraud, resale, or social engineering.
Retail-specific attacks compound this. Bot-driven reselling manipulates inventory to corner supply before legitimate customers can access it. Automated price scraping gives competitors real-time visibility into pricing strategies. Credential stuffing targets loyalty programs at scale because the accounts are liquid – points and credits can be converted to value quickly and discreetly.

“The activity is consistent and repeatable. It behaves more like an organized market than isolated fraud.”

For hospitality, the vectors are similar but adapted to the context. Room inventory manipulation, rate scraping, and loyalty account compromise are persistent challenges. The operational consequences extend beyond fraud losses to include distorted demand signals, degraded customer experience, and reputational risk.
Traditional defenses failing
Most of the defenses organizations have in place today were designed for a different threat environment – one where bots were less sophisticated, attack infrastructure was easier to identify, and behavioral signals were more reliable indicators of intent.
That environment no longer exists, and the gap is now visible in practice.

Where traditional defenses are breaking down:
•  CAPTCHAs are routinely bypassed by AI-powered solving services and trained models
•  Attack infrastructure runs on legitimate cloud providers, making IP-based blocking unreliable
•  Malicious traffic uses real device fingerprints and residential IPs to appear like normal users
•  Behavioral signals that once indicated risk now appear in legitimate agentic activity
•  Rate limiting is evaded through distributed execution across large bot networks

The result is a familiar and frustrating pattern: legitimate users encounter friction because controls trigger on signals they happen to share with attackers, while harmful interactions pass through because they have been engineered to look normal.
The real problem: abuse that looks normal
The most difficult challenge in this environment is not detecting obviously malicious traffic. It is detecting harmful activity that has been deliberately designed to blend in.
The most impactful attacks are the ones that operate within normal behavioral envelopes. They follow expected request patterns. They avoid obvious triggers. They spread activity over time to stay below rate limits. They use infrastructure that appears legitimate. And they execute gradually enough that the cumulative impact only becomes visible long after the damage has been done.
This includes interactions that:

•  scrape data gradually across extended time windows, staying below thresholds designed to catch aggressive crawlers
•  manipulate inventory or availability without completing purchases, distorting demand signals and degrading customer experience
•  generate sustained infrastructure cost through coordinated traffic patterns that appear routine in isolation
•  perform credential validation at low rates across large credential lists, building verified account inventories over weeks
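
The low-rate credential validation described in the last item is invisible to per-IP and per-account velocity rules, because each IP and each username is touched only once or twice, but it is visible when the login log is aggregated over a long window. The following is an added example written for this page, not Kasada's code or product logic. The login events are constructed, and the thresholds (100 distinct usernames in 24 hours, 90% of them tried exactly once, success rate at or below 10%) are assumptions chosen for the sample, not recommended values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2026, 3, 1, 0, 0, 0)

# Constructed login events, not real logs. Each event is
# (timestamp, source_ip, username, success).
def legit_events():
    """Three real customers: one typo each, then successful logins."""
    events = []
    for i, user in enumerate(["alice", "bob", "carol"]):
        ip = f"203.0.113.{10 + i}"
        events.append((BASE + timedelta(hours=i), ip, user, False))
        events.append((BASE + timedelta(hours=i, minutes=2), ip, user, True))
        events.append((BASE + timedelta(hours=i + 12), ip, user, True))
    return events

def attacker_events():
    """Low-and-slow credential validation: 200 usernames from a stolen list,
    each tried exactly once, one attempt every 14 minutes, rotated across 50
    residential-looking IPs so no IP sees more than one attempt per ~12 hours.
    About 3% of the credentials happen to be valid (n % 37 == 0)."""
    return [
        (BASE + timedelta(minutes=14 * n), f"198.51.100.{n % 50 + 1}",
         f"user{n:04d}", n % 37 == 0)
        for n in range(200)
    ]

def build_events():
    return sorted(legit_events() + attacker_events())

def per_ip_rate_limit_hits(events, limit=5, window=timedelta(hours=1)):
    """IPs that would trip a typical per-IP rule of `limit` failures per `window`."""
    failures = defaultdict(list)
    for ts, ip, _user, ok in events:
        if not ok:
            failures[ip].append(ts)
    tripped = set()
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > limit:
                tripped.add(ip)
                break
    return tripped

def profile_window(window_events):
    """Aggregate statistics that do not depend on any single IP or account."""
    attempts_by_user = defaultdict(int)
    ips = set()
    successes = 0
    for _ts, ip, user, ok in window_events:
        attempts_by_user[user] += 1
        ips.add(ip)
        successes += int(ok)
    users = len(attempts_by_user)
    single = sum(1 for c in attempts_by_user.values() if c == 1)
    return {
        "attempts": len(window_events),
        "distinct_users": users,
        "distinct_ips": len(ips),
        "single_attempt_share": single / users if users else 0.0,
        "success_rate": successes / len(window_events) if window_events else 0.0,
    }

def detect_low_and_slow(events, window=timedelta(hours=24), min_users=100,
                        min_single_share=0.9, max_success=0.1):
    """Slide a long window over the sorted log and flag windows whose shape is
    that of credential validation: many distinct usernames, almost all tried
    once, low success rate. Thresholds are assumptions for this sample."""
    events = sorted(events)
    findings = []
    for i, (start, _ip, _user, _ok) in enumerate(events):
        j = i
        while j < len(events) and events[j][0] - start < window:
            j += 1
        profile = profile_window(events[i:j])
        if (profile["distinct_users"] >= min_users
                and profile["single_attempt_share"] >= min_single_share
                and profile["success_rate"] <= max_success):
            findings.append((start, profile))
    return findings

if __name__ == "__main__":
    events = build_events()
    print("per-IP rate limit tripped by:", per_ip_rate_limit_hits(events) or "nothing")
    findings = detect_low_and_slow(events)
    print(f"{len(findings)} suspicious 24h windows; first:", findings[0] if findings else None)
```

On the constructed data the per-IP limiter never fires, and a per-account rule would not either, since every stolen username is tried once. The 24-hour profile is what gives it away: over a hundred distinct usernames, almost all tried a single time, from dozens of IPs, with under ten percent success. The same aggregation applied to only the three real customers flags nothing.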

By the time the impact is visible in business metrics – lower conversion rates, inflated infrastructure spend, degraded loyalty program economics – the activity has already spread across systems and compounded over time.
This is what makes the current threat environment genuinely difficult. It is not about missing obvious signals. It is about recognizing patterns of harm that have been carefully engineered to look like normal business activity.
Security is becoming a trust decision
What is emerging from the most adaptive organizations is a reframing of the core security task. It is shifting from “block this traffic” to “make better decisions about which interactions to trust.”
That reframing has practical implications. It means evaluating interactions continuously, developing richer behavioral context across the full session, and combining signals across domains that have historically been treated as separate: fraud signals, identity signals, and bot signals are all expressions of the same underlying question about intent.
The organizations that are ahead are those that have found ways to integrate these signals into a coherent view of what an interaction actually represents – and to act on that view in real time.

“This is less about adding more controls and more about making better decisions with the signals already available.”

This also requires better alignment across teams. Fraud, identity, and security have historically operated in separate organizational and technical silos. The threat environment no longer respects those boundaries. An account takeover that starts with a credential stuffing campaign ends as a fraud event and a customer experience failure – and the signals that could have stopped it were distributed across systems that were not talking to each other.
Building that integration is an organizational and strategic problem. And it is a conversation that the RH-ISAC community is well-positioned to have.
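
The credential-stuffing-to-fraud chain described above can only be recognized when the bot, identity and fraud signals are joined on the account and the session. The following is an added example written for this page, not Kasada's or any vendor's decision logic. The logins, post-login actions and device history are constructed, and the thresholds (five accounts from one IP, a 30-minute login-to-action window, 5,000 points as "high value") are assumptions for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2026, 3, 2, 9, 0, 0)

# Constructed data, not real logs.
# Login events: (timestamp, account, source_ip, device_id)
def sample_logins():
    logins = [
        (BASE, "alice", "203.0.113.10", "dev-alice-phone"),
        (BASE + timedelta(minutes=5), "bob", "203.0.113.11", "dev-bob-laptop"),
        # bob again from a new phone: a legitimate but ambiguous event
        (BASE + timedelta(minutes=35), "bob", "203.0.113.11", "dev-bob-newphone"),
    ]
    # One source IP and one device fingerprint logging in to eight accounts
    # in eight minutes: a bot-side signal the fraud and identity silos never
    # see on their own.
    for k in range(8):
        logins.append((BASE + timedelta(minutes=10 + k), f"victim{k}",
                       "198.51.100.7", "dev-headless-1"))
    return logins

# Post-login actions: (timestamp, account, action, points_involved)
def sample_actions():
    return [
        (BASE + timedelta(minutes=30), "alice", "redeem_points", 500),      # own device, own IP
        (BASE + timedelta(minutes=40), "bob", "redeem_points", 8000),       # new device, own IP
        (BASE + timedelta(minutes=14), "victim2", "redeem_points", 20000),  # 2 min after takeover
        (BASE + timedelta(minutes=19), "victim7", "change_email", 0),       # lock the owner out
    ]

# Per-account device history the identity silo already keeps (constructed).
KNOWN_DEVICES = {"alice": {"dev-alice-phone"}, "bob": {"dev-bob-laptop"}}
KNOWN_DEVICES.update({f"victim{k}": {f"dev-victim{k}"} for k in range(8)})

SENSITIVE_ACTIONS = {"redeem_points", "change_email", "change_address"}

def accounts_per_ip(logins):
    """Bot signal: how many distinct accounts each source IP logged in to."""
    seen = defaultdict(set)
    for _ts, account, ip, _device in logins:
        seen[ip].add(account)
    return {ip: len(accounts) for ip, accounts in seen.items()}

def login_for_action(logins, account, ts, max_age=timedelta(minutes=30)):
    """The most recent login of `account` within `max_age` before `ts`, if any."""
    candidates = [l for l in logins if l[1] == account and ts - max_age <= l[0] <= ts]
    return max(candidates, key=lambda l: l[0]) if candidates else None

def assess(logins, actions, multi_account_threshold=5, high_value=5000):
    """Decide per action by combining bot, identity and fraud signals that each
    live in a different silo. Returns {(account, action): (verdict, signals)}."""
    ip_accounts = accounts_per_ip(logins)
    decisions = {}
    for ts, account, action, points in actions:
        login = login_for_action(logins, account, ts)
        signals = {
            # bot silo: the login's source IP touched many accounts
            "ip_touches_many_accounts": bool(login) and ip_accounts.get(login[2], 0) >= multi_account_threshold,
            # identity silo: device never seen on this account before
            "new_device": bool(login) and login[3] not in KNOWN_DEVICES.get(account, set()),
            # fraud silo: the action converts account value or locks out the owner
            "sensitive_action": action in SENSITIVE_ACTIONS,
            "high_value": points >= high_value,
        }
        if signals["ip_touches_many_accounts"] and signals["new_device"] and signals["sensitive_action"]:
            verdict = "deny"        # the takeover pattern end to end
        elif sum(signals.values()) >= 2:
            verdict = "step_up"     # ambiguous: ask for a second factor
        else:
            verdict = "allow"
        decisions[(account, action)] = (verdict, signals)
    return decisions

if __name__ == "__main__":
    for key, (verdict, signals) in assess(sample_logins(), sample_actions()).items():
        print(key, verdict, sorted(k for k, v in signals.items() if v))
```

Each silo on its own would let the victim transactions through: the identity system sees one more new device, the fraud system sees one more redemption, and the bot system sees an IP touching many accounts without knowing what those sessions went on to do. Joined on the account within the session window, the same events read as a takeover and are denied, while the customer redeeming from a new phone gets a step-up challenge rather than a block.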

JOIN THE CONVERSATION
RH-ISAC Cybersecurity Summit • Austin, Texas • April 13–15, 2026
Fireside Chat: Fraud, Abuse, and the Agentic Commerce Reality Check
Sam Crowther, CEO, Kasada  •  John Byun, CISO, Sephora
Wednesday, April 15 • 1:00–1:45 PM CT

These challenges are already affecting day-to-day operations for security leaders across retail and hospitality. The RH-ISAC Cybersecurity Summit provides a rare opportunity to compare notes on what is working, what is not, and where the industry needs to go.
Kasada will participate at the Summit as title sponsor. Sam Crowther, CEO of Kasada, will join John Byun, CISO of Sephora, for a fireside chat on April 15 from 1:00 to 1:45 PM focused on how these trends are playing out in practice and how organizations are adapting.

The post Where Retail and Hospitality Fraud is Actually Happening Now (and What to Do About It) appeared first on Kasada.

*** This is a Security Bloggers Network syndicated blog from Kasada authored by Kasada. Read the original post at: https://www.kasada.io/where-retail-and-hospitality-fraud-is-actually-happening-now-and-what-to-do-about-it/
