The AI Fraud War Reshaping Retail

A new and deeply unsettling threat has taken root in retail. Generative artificial intelligence, the same technology that enables personalised shopping recommendations and conversational customer service, is being systematically weaponised against the brands and retailers that are racing to adopt it. The scale and sophistication of the resulting fraud crisis have caught much of the industry off guard, creating an asymmetry in which attackers move faster than the institutions charged with stopping them. As the Association of Certified Fraud Examiners and SAS concluded in their landmark 2026 report, fraud is evolving faster than most organisations can defend against it, and AI-powered threats are not on the horizon. They are already here and they are accelerating quickly.

Record Losses and the AI Multiplier

The financial toll is staggering and accelerating along a trajectory that has alarmed regulators and corporate boards alike. According to the Federal Trade Commission, consumers lost more than $12.5 billion to fraud in 2024, a figure that climbed sharply to $15.9 billion in 2025, representing a nearly 27% increase in a single year. The Commission received 3 million fraud reports in 2025, up from 2.6 million the prior year. Nearly 60% of companies reported an increase in fraud losses from 2024 to 2025, according to Experian data, and financial losses ballooned by 25% even as fraud report volumes held relatively steady, a clear signal that individual schemes are becoming dramatically more effective at extracting money from consumers and companies alike.

Within this broader picture, AI-powered fraud has become the frontline threat. Deepfake detection specialists estimate that three in ten retail fraud attempts are now AI-generated, and some large chains report receiving more than 1,000 AI-generated bot calls per day. Over 50% of modern fraud now involves generative AI tools used to create convincing phishing emails and deepfake videos capable of bypassing verification checks. Juniper Research projects that global e-commerce fraud losses will climb from €56 billion in 2025 to €131 billion by 2030, while the Merchant Risk Council reports that 2% of total e-commerce revenue is currently lost to payment fraud. Independent analysis values the total cost to retailers far higher: every euro lost to fraud costs retailers approximately two euros in total when shipping, chargeback fees and lost inventory are included.

The numbers from digital identity fraud are equally sobering. US consumers lost $47 billion to identity fraud and scams in 2024 alone, with 18 million individuals falling victim to traditional identity theft, according to the Javelin Strategy & Research Identity Fraud Study. Global losses from identity fraud exceeded $50 billion in 2025, and early indicators suggest 2026 will surpass that figure. Fraud losses facilitated by generative AI are predicted to reach $40 billion in the United States by 2027. The Federal Trade Commission recorded more than 1.1 million identity theft reports in 2024, with total losses surpassing $12.7 billion, a 23% year-on-year increase. Experian’s UK Fraud and Financial Crime Report for 2025 revealed a sharp rise in AI-related fraud, climbing from 23% of cases in 2024 to 35% in early 2025.

The crisis is not merely financial. A 2025 study by the MIT Technology Review found that 68% of consumers felt betrayed by a brand after interacting with a deepfake advertisement or an AI-generated counterfeit listing, illustrating that the damage extends well beyond immediate financial loss to long-term brand equity. Social media has become the primary vector: the FTC reported that consumers lost $2.1 billion to scams originating on social media platforms in 2025, an eightfold increase since 2020, and nearly 30% of people who reported losing money to a scam said that it started on social media. Facebook emerged as the single largest source of these scams, with investment scams accounting for more than half of total social media fraud losses at $1.1 billion.

Perhaps the most alarming data point comes from the 2026 Anti-Fraud Technology Benchmarking Report, jointly published by the Association of Certified Fraud Examiners and SAS. The study, which surveyed 713 anti-fraud professionals across eight global regions and more than ten industries, found that 77% of fraud fighters report deepfake attacks are on the rise, and 55% expect such attacks to increase significantly within 24 months. Yet only 7% of organisations feel more than moderately prepared to detect or prevent AI-fueled fraud. The report documented that every AI-powered fraud modality examined has risen over the past two years: deepfake social engineering saw the sharpest surge, followed closely by consumer fraud and scams at 75%, generative AI document fraud and forgery at 75%, and deepfake digital injection at 72%. This is no longer a future threat scenario. It is the operational reality of 2026.

The Industrialisation of Deception

What makes the current threat landscape qualitatively different from earlier waves of retail fraud is the industrialisation of deception. In 2026, automation and artificial intelligence are no longer merely driving productivity for legitimate businesses; they have industrialised fraud at a velocity the retail sector has never encountered before. Criminals use generative AI to create synthetic identities that blend real and fabricated data, bypassing standard verification procedures and creating a structurally new level of risk.

The 2026 cybercrime report from LexisNexis Risk Solutions, which analysed over 116 billion online transactions globally in 2025, documented the staggering scale of this shift. Automated agentic traffic, AI systems that execute logins, payments, and orders fully automatically while mimicking natural human behaviours such as cursor movements, grew by 450% between January and December 2025. The volume of malicious bot attacks grew by 59% globally last year. Attacks on the login phase surged by 216% as account takeover became one of the most common entry points. The e-commerce fraud attack rate grew by 64% overall. These are not marginal increases; they represent a fundamental restructuring of the threat landscape around automated, AI-driven attacks that operate at machine speed and machine scale.

Synthetic identity fraud, which the LexisNexis report identifies as the fastest-growing fraud type worldwide, has undergone an eight-fold global increase year-over-year. More than one in ten frauds now involve a synthetic identity, where fraudsters stitch together new, fictitious profiles from various stolen identity attributes to commit financial crimes. Because there is no immediate victim to raise the alarm, this tactic offers high potential returns and is notoriously difficult to detect. Eleven percent of all fraud cases now involve synthetic identities created by AI. Estimated US economic losses from synthetic identity fraud could reach $30 to $35 billion annually, and 8.3% of digital account creations were suspected to be fraudulent in the first half of 2025. Deepfake usage in biometric fraud attempts surged 58% year-over-year, while injection attacks rose 40%. Fraudsters now use AI to convincingly replicate real individuals at scale, defeating traditional identity verification tools that rely on static signals.

Compounding the external threat is a rapidly escalating internal one. Sixty-four percent of retailers report a steady increase in first-party abuse, also known as friendly fraud, where customers dispute valid transactions with their bank to receive refunds while retaining the goods. Friendly fraud now accounts for 45% of all chargebacks and remains the leading source of fraud globally for the second consecutive year, accounting for 38.3% of all reported incidents. In the EMEA region, this figure jumped to over half of all incidents. The methods employed have grown increasingly sophisticated. In rock-in-a-box fraud, a worthless object of similar weight is returned in place of the purchased item. In address manipulation schemes, return labels are altered so that a parcel is recorded as returned even though it never reaches the retailer’s warehouse. A newer and particularly troubling variant involves shoppers submitting AI-generated images of damaged or incorrect products to claim refunds on merchandise they received in good condition. E-commerce returns are expected to cost brands $379 billion in 2026, and AI-generated damage claims are spreading fast enough to prompt a wide response from merchants and their logistics partners.

The economics driving this crisis are brutally simple. Automation has driven attacker costs close to zero. Generative AI has made it cheap and fast to create convincing scam infrastructure: websites, product listings, and marketing content can be replicated in seconds. Scale is essentially free, and legitimacy can be fabricated instantly. Modern scammers operate like businesses that track return on investment, and the objective of modern brand protection is therefore not to stop every single attack, mathematically impossible when attacks can be generated at near-zero marginal cost, but to make abuse economically unattractive, ensuring that bad actors move to softer targets.

From Counterfeit Goods to Weaponised Identity

The threat has moved decisively beyond product counterfeiting to full-scale identity theft and brand impersonation. AI-generated text, voice, and video have weaponised identity in ways that directly erode consumer trust. It is now common to see executives or employees impersonated on professional platforms via deepfakes, with attacks exploiting the authority of leadership to lend credibility to fraudulent communications. When consumers and partners cannot distinguish between an authentic executive message and AI-generated content, trust, the fundamental currency of retail, erodes.

The numbers from the brand protection front are stark. According to a 2026 survey of 96 US-based B2C companies with more than $10 million in annual revenue across fashion, electronics, health, beauty, and consumer goods, nearly nine in ten brands now face AI-accelerated threats. Sixty percent of brands have encountered AI-generated fake product listings, and 48% have encountered AI-generated fake websites. Seventy-eight percent of brands estimate they are losing at least 5% of annual revenue to counterfeits and impersonations, and almost half put losses at 10% or more. These attacks are not random; they follow marketing campaigns with industrial precision. Some 57% of brands spot fakes within a week of a viral moment, and nearly a quarter see counterfeits appear within 24 to 48 hours. The result is what industry analysts have termed an AI tax on marketing spend: every dollar invested in brand building and customer acquisition now generates an immediate, parasitic shadow economy that diverts demand to fraudulent channels.

The scale of the counterfeit economy is breathtaking. One AI-powered brand protection platform monitoring over 1,500 e-commerce and social media platforms globally identified approximately 21 million counterfeit products in 2025 alone, a more than 200% increase from the 6.4 million cases detected in 2024. Cybersecurity researchers identified 100,000 AI-generated websites impersonating almost 200 different brands in 2025. The OECD has estimated that counterfeit goods account for $467 billion in global trade. The perpetrators are no longer confined to back-alley operations; they are sophisticated, AI-enabled enterprises that replicate brand assets, product images, shopping interfaces, domain names, and marketing content, with a fidelity that consumers cannot reliably distinguish from the genuine article.

The impersonation threat extends beyond products to people and institutions. Visa has documented that cybercriminals are using generative AI to create synthetic identities, deepfake videos, and forged digital documents that bypass traditional verification methods. Scores of companies now use AI to portray themselves as struggling small businesses, generating fake images and videos of craftspeople who do not exist. Fake influencer partnerships have become a major vector: attackers use AI deepfake technology to generate fake video endorsements from celebrities and micro-influencers, hijacking the trust that influencer marketing has built over the past decade.

The US consumer has been left exposed. Some 79% of Americans report being rather or extremely concerned about deepfakes, yet 90% of consumers are unable to correctly identify AI-generated voice clips. A small but high-risk cohort, roughly 7% of users, performs poorly at detecting deepfakes yet remains confident in their ability and rarely verifies what they see. This confidence-vulnerability gap is precisely what sophisticated fraud operations exploit. The impersonation scams that resulted from this dynamic became the most reported fraud category in the United States, with consumers losing $3.5 billion to imposter scams in 2025 alone, a 40% increase in government imposter scam reports, and romance scams costing consumers $1.48 billion, up 22%.

AI Fighting AI and the Regulatory Response

The defensive response to this crisis is coalescing around a simple principle: AI must fight AI. Manual enforcement cannot keep pace with automated deception. The most effective strategy combines automated AI detection with API-based enforcement, allowing brands to monitor millions of listings around the clock and execute takedowns instantly, rather than relying on slow manual reporting forms. Machine learning models are language-agnostic, capable of identifying brand assets across scripts and languages without requiring separate configurations for each market.

The industry is also grappling with a more fundamental challenge: how to distinguish between good and bad AI agents in an e-commerce ecosystem where both are proliferating. Experian’s 2026 Future of Fraud Forecast identified machine-to-machine mayhem as the number one threat to companies, a scenario in which cybercriminals blend good bots doing legitimate shopping with bad bots tasked with fraud, making it increasingly difficult for retailers to distinguish between the two. As Kathleen Peters, chief innovation officer for fraud and identity at Experian North America, put it: “It’s not enough anymore to say that it’s a bot, so we need to stop this traffic. Now, we need to say, ‘Is it a good bot or is it a malicious bot?'” The company predicts that 2026 will be a tipping point for AI-enabled fraud that forces urgent conversations about liability and regulation around agentic AI in e-commerce.

Major retailers are responding with concrete measures. Amazon, for example, generally blocks bots from independent third parties from accessing its marketplace, a defensive posture that reflects the growing recognition that unfiltered AI agent traffic poses an existential threat to transaction integrity. Walmart and Target have deployed AI-driven fraud prevention systems that reduce fraud losses by 30% to 50%, helping to keep margins stable despite inflationary pressure on other cost lines. The broader retail industry is investing heavily: more than 70% of businesses responded to increased fraud losses by boosting their fraud prevention budgets, according to Experian.

The US regulatory environment is also evolving rapidly in response to the crisis. Since March 20, 2026, new Nacha rules for fraud monitoring have applied to payment service providers in the United States, imposing stricter requirements on transaction monitoring and fraud detection. The rules, which rolled out in two phases with Phase 2 following in June 2026, require all nonconsumer originators, third-party service providers, and third-party senders to establish and implement risk-based procedures to identify potential fraudulent transactions. The rules expand the scope of mandatory fraud monitoring to cover both unauthorised transactions and those made under false pretences, a direct response to the surge in authorised push payment fraud and scam-induced transactions that legacy rules did not adequately address. The ACH network, which processed more than 33 billion payments in 2024, has effectively been transformed from a system that relied primarily on the honour system to one with mandatory, proactive fraud monitoring requirements.

Yet the regulatory response, while necessary, is widely acknowledged to be insufficient on its own. Only one-quarter of organisations currently use AI and machine learning in their anti-fraud programs, according to the ACFE and SAS study, up from 18% in 2024, but far below where the threat landscape demands. Governance lags dangerously behind technology adoption: while 86% of organisations rate accuracy of results as important in adopting generative AI for fraud detection, less than one in five test their AI models for bias or fairness. Some 82% say explainability is important, but just 6% feel completely confident explaining how their AI models make anti-fraud decisions. This governance gap is not merely an academic concern. For banks, insurers, and retailers whose anti-fraud decisions directly affect consumers, the inability to explain how a model reached a decision creates legal, regulatory, and reputational risk that compounds the direct financial damage of the fraud itself.

The Strategic Imperative

What emerges from these developments is a picture of an industry caught in an escalating arms race. The same generative AI capabilities that enable personalised shopping experiences and conversational commerce also enable synthetic identities, deepfake executive impersonations, and automated fraud at a scale that manual defences cannot match. The convergence of these trends, record fraud losses, the weaponisation of agentic AI, the explosion of synthetic identities, the industrialisation of brand impersonation, and the regulatory response defines the threat landscape of 2026 with unusual clarity.

The strategic picture is not without precedent. The cybersecurity industry spent two decades learning that perimeter defence is necessary but insufficient, that breaches are inevitable, and that resilience, detection speed, containment capability, and recovery readiness matter as much as prevention. Retail fraud prevention is undergoing the same maturation under fire. The objective is no longer to build an impenetrable wall; it is to make the cost of attack exceed the expected return, to shrink the window between breach and detection, and to ensure that when, not if, an AI-generated fraud attempt succeeds, the blast radius is contained.

For retailers and brands, the implications are increasingly clear. Investment in AI-native defence capabilities, automated detection, behavioural biometrics, device intelligence, and real-time risk scoring is no longer a discretionary line item. It is a prerequisite for preserving the trust upon which all commerce depends. The 93% of organisations that, by their own admission, are not firmly prepared to detect or prevent AI-fueled fraud face a stark choice: close the readiness gap now, or become the soft targets that sophisticated fraud operations actively seek out. In an era where deception scales at machine speed, trust is no longer merely a brand value. It is a defensible asset that must be actively protected, continuously verified, and never assumed.

Sources: