Cequence has unveiled new insights from its CQ Prime threat research team that highlight the cyber threats targeting the global retail sector during the holiday season.

The research reveals that businesses could face average potential losses of £2.02 million ($2.58 million) per hour throughout December due to malicious bot traffic and fraud attempts.

Drawing on billions of real transactions and attack data from Cequence’s Unified API Protection (UAP) platform, the report highlights the expanding attack surface that cyber-criminals exploit during peak shopping periods like Black Friday and Cyber Monday.

Key findings

• E-commerce growth and risks: Total e-commerce transactions doubled year-over-year (YoY) from 5.1 billion in 2023 to 10.4 billion in 2024, with 34.62% flagged as malicious—up 138.57% from the previous year
• Financial impact of cybercrime: Cybercrime during the 11-day period from November 22 (Black Friday) to December 2, 2024 (Cyber Monday) resulted in £533.67 ($681.12 million) in potential losses worldwide, with projections for December 2024 averaging £2.02 million in losses per hour, totaling £1.4 billion ($1.79 billion)
• Sophisticated attack techniques: Sophisticated attack techniques, including credential stuffing, SMS pumping and token farming, experienced a 700% YoY increase
• Real-world mitigation: A major e-commerce company mitigated an SMS pumping attack that cost £2,350 ($3,000) every four hours, successfully blocking fraudulent account creation and preventing further financial losses with Cequence’s advanced bot and API protection
• Real-world mitigation: Cequence managed a 125% traffic surge on Black Friday, blocking 11.5 million malicious attempts while maintaining seamless customer experiences

E-commerce growth

With the growth of legitimate e-commerce transactions, businesses face an unprecedented challenge of defending against increasingly sophisticated and high-volume attacks.

Cequence’s research found a 72.6% increase in mitigated malicious traffic from 2023 to 2024, highlighting the urgent need for proactive security measures.

“Maintain customer trust and stay competitive”

Randolph Barr, CISO, Cequence commented: “Cybercriminals are seizing on the rapid growth of digital commerce, using increasingly sophisticated tactics to target both businesses and consumers.

“This year’s findings are part of a broader trend: As e-commerce continues to evolve, so too does the scale and complexity of cyber threats.

“These findings highlight the critical need for businesses to adopt robust API and bot management solutions to protect revenue, maintain customer trust and stay competitive in an increasingly digital world,” Barr added.

Cequence’s business advice

To navigate heightened cyber threats, Cequence advises businesses to take these steps:

• Enhance incident readiness: Conduct regular security drills to simulate various attack scenarios. Continuously review and refine response plans based on evolving threats, ensuring all stakeholders are prepared
• Map your attack surface: Create and maintain a comprehensive inventory of all public-facing applications and APIs to eliminate blind spots that attackers often exploit
• Align security with business objectives: Ensure security measures support key goals, such as seamless user experiences or faster performance. For instance, implement secure user validation techniques that balance speed and protection
• Deploy multi-layered security: Combine solutions like API protection, web application firewalls and bot mitigation tools to address complex, multi-faceted attacks effectively
• Monitor anomalous behaviour: Continuously analyse user activity for suspicious patterns, such as repeated failed login attempts from diverse IP addresses, which may indicate credential stuffing or account takeover attempts
• Strengthen access controls: Use robust authentication measures like multi-factor authentication (MFA) and dynamic token-based security to guard against unauthorised access
• Invest in real-time threat management: Leverage tools that provide 24/7 monitoring and automated mitigation to quickly detect and neutralise threats without impacting legitimate traffic
• Optimise for high-traffic events: Prepare for spikes in activity during critical periods like Black Friday by stress-testing systems and scaling security measures in advance