Agentic commerce promises frictionless purchasing. It also creates a new class of fraud victim: the AI shopping agent itself.
In August 2025, security researchers at Guardio gave Perplexity’s AI browser a simple task: buy an Apple Watch. The agent navigated to what appeared to be a Walmart storefront, parsed the product listings, and completed checkout, pulling saved credit card and shipping details from autofill without hesitation.
The site wasn’t Walmart. The researchers had built it specifically to test whether AI shopping agents could be deceived by the same techniques that fool humans. The agent completed the purchase anyway. “There were plenty of clues this site wasn’t actually Walmart,” the researchers noted, “but they weren’t part of the assigned task, and apparently the model disregarded them entirely.”
The experiment revealed something security teams haven’t fully internalized: phishing defenses built for human judgment become irrelevant when the buyer has no judgment to speak of. AI shopping agents have task completion, not threat assessment. And agentic commerce isn’t a distant prospect. OpenAI’s Instant Checkout has been live since September 2025, serving 900 million weekly users with direct purchasing inside ChatGPT. Google, Amazon, and Shopify are building competing systems, and McKinsey projects the channel will redirect $3 to $5 trillion in global retail spending by 2030. The infrastructure is arriving faster than the security model that should accompany it.
How AI shopping agents become fraud targets
Traditional phishing targets human psychology. Urgency cues, authority signals, and social proof manipulate victims into overriding their better judgment, and the defenses that emerged over two decades assume a human in the loop, someone who might pause, scrutinize, or feel uncertain. AI shopping agents eliminate that loop entirely.
Visa’s Payment Fraud Disruption unit reported a 450% increase in dark web discussions of “AI Agent” exploitation over the six months preceding November 2025. Attackers were building what Visa termed “agentic honeytraps”: counterfeit merchant storefronts engineered to pass automated verification while harvesting payment credentials from agents operating on users’ behalf.
Where traditional brand impersonation exploits human trust in familiar logos and domains, agentic fraud exploits algorithmic trust in structured data. An AI agent evaluating a product listing checks whether the listing contains expected fields, whether the checkout flow responds correctly, whether the price falls within parameters. A well-constructed fake storefront can satisfy all these criteria while being entirely fraudulent.
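An added example (not from the original article or from any vendor's agent): the field-and-price check described above passes a constructed lookalike storefront, while a second check that binds the claimed seller to an exact verified host blocks release of saved payment details. The registry `VERIFIED_MERCHANT_HOSTS`, the listing fields, and all function names are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical registry of hosts the agent's operator has verified per seller.
VERIFIED_MERCHANT_HOSTS = {"walmart": {"walmart.com", "www.walmart.com"}}
REQUIRED_FIELDS = {"title", "price", "currency", "checkout_url", "seller"}

# Constructed sample listings (not captured traffic); .example is a reserved TLD.
FAKE = {"title": "Apple Watch", "price": 329.0, "currency": "USD",
        "seller": "Walmart",
        "checkout_url": "https://walmart.checkout-deals.example/pay"}
FAKE_URL = "https://walmart.checkout-deals.example/item/1"
REAL = dict(FAKE, checkout_url="https://www.walmart.com/checkout")
REAL_URL = "https://www.walmart.com/ip/1"


def structural_check(listing, max_price):
    """Task-completion check: expected fields present, price within parameters."""
    return REQUIRED_FIELDS.issubset(listing) and 0 < listing["price"] <= max_price


def merchant_identity_check(listing, page_url):
    """Bind the seller the listing claims to the hosts that actually serve it."""
    page = urlsplit(page_url)
    checkout = urlsplit(listing["checkout_url"])
    reasons = []
    if page.scheme != "https" or checkout.scheme != "https":
        reasons.append("non-https origin")
    allowed = VERIFIED_MERCHANT_HOSTS.get(listing["seller"].strip().lower())
    if allowed is None:
        reasons.append("seller not in verified registry")
        return reasons
    for label, parts in (("page", page), ("checkout", checkout)):
        # .hostname drops userinfo and port, so "brand.com@other.host" resolves
        # to other.host; exact match avoids "brand.com.other.host" suffix tricks.
        host = (parts.hostname or "").rstrip(".")
        if host not in allowed:
            reasons.append(f"{label} host {host!r} not verified for seller")
    return reasons


def may_release_payment(listing, page_url, max_price):
    """Release saved payment details only when both checks pass."""
    if not structural_check(listing, max_price):
        return False, ["listing failed structural check"]
    reasons = merchant_identity_check(listing, page_url)
    return (not reasons), reasons
```

The lookalike listing passes `structural_check` unchanged; only the identity binding, evaluated before autofill data leaves the agent, distinguishes it from the genuine one.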
What attackers are building
The threat isn’t speculative. Visa documented a network of scam websites deploying conversational AI agents as fake customer support, engaging victims over days or weeks and discouraging them from contacting their banks. By delaying fraud reports, scammers extended operational windows before detection and takedown. Traditional phishing pages are static; they present a credential harvesting form and wait. AI-enhanced fraud infrastructure can adapt, respond, and maintain engagement.
The pattern extends to agent-to-agent attacks. Researchers at Straiker documented an active campaign embedding malicious capabilities in legitimate-seeming agent “skills,” enabling compromised agents to execute unauthorized transactions. “Traditional supply chain poisoning combined with social engineering campaigns that target algorithms, not humans,” they noted.
The commerce protocols emerging to enable these transactions offer no defense. OpenAI’s Agentic Commerce Protocol and Google’s Agent Payments Protocol focus on payments integrity, not merchant legitimacy. An agent can complete a technically valid transaction with a fraudulent merchant, and nothing in the protocol layer flags the discrepancy.
Brand protection at machine speed
The emergence of agentic commerce changes the math on brand protection. When impersonation targeted only humans, the attack surface was bounded by human attention. The defenses that emerged, including takedowns, blocklists, and consumer education, operated on roughly the same timescale as the attacks.
Algorithmic buyers operate at machine speed. The ten-hour window within which most human victims fall for phishing compresses further when the “victim” doesn’t need time to read, consider, or hesitate. Takedowns operating on timescales of hours to days become nearly irrelevant. External monitoring designed to detect brand impersonation in real time becomes the primary defense.
Agentic commerce is arriving simultaneously with AI-generated content that eliminates linguistic tells, trusted-platform abuse that neutralizes reputation signals, and adversary-in-the-middle toolkits that bypass authentication controls. Each trend compounds the others. For security teams, agentic commerce doesn’t obsolete existing brand protection investments; it elevates their importance while compressing the timelines on which those capabilities must operate. For merchant fraud teams, the implications run deeper: the fraud detection models that protect e-commerce platforms were built on behavioral signals that AI buyers don’t generate.
The Bottom Line
Agentic commerce represents a fundamental shift in how consumers interact with digital storefronts, and in how attackers can exploit that interaction. When the buyer is an algorithm, impersonation attacks no longer need to convince anyone. They need only satisfy the criteria an agent uses to evaluate legitimacy.
The protocols enabling agentic transactions optimize for payments integrity, not brand verification. Organizations that depend on brand trust have a narrow window to adapt. The infrastructure for agentic commerce is deploying now. The security model that protects it remains incomplete.
Key Takeaways
When algorithms handle purchasing decisions, traditional phishing defenses built for human judgment become irrelevant. Agents complete tasks without hesitation, scrutiny, or uncertainty, making them vulnerable to fake storefronts that satisfy programmatic criteria while being entirely fraudulent.
Agentic honeytraps are counterfeit merchant storefronts engineered to pass automated verification while harvesting payment credentials from AI agents. Visa documented a 450% increase in dark web discussions of these techniques in the six months preceding November 2025.
Detection speed becomes critical. The ten-hour window in which most human victims fall for phishing compresses when buyers operate at machine speed. Preemptive detection before agents route credentials to fraudulent infrastructure becomes the primary defense.



