The proliferation of artificial intelligence agents in e-commerce platforms is driving a dramatic increase in security and privacy risks. Visa's Payment Ecosystem Risk Center (PERC) identified a more than 450% increase in dark web community posts in underground channels mentioning "AI Agent" over the past six months compared to the prior six-month period. Global e-commerce fraud losses are projected to more than double from $40 billion in 2024 to over $100 billion by 2029. In analysis published May 2026, information security and privacy expert Rebecca Herold underscores that AI agents are creating new attack surfaces across five critical system categories, from payment systems to financial management and fraud detection tools.
When AI agents are allowed to act persistently on a customer's behalf, the risk shifts from credential theft to intent drift, and agent-to-agent commerce introduces excessive data exposure risk, especially if negotiation, personalization, or dynamic pricing models require sharing behavioral signals. An international e-commerce company saw its rate of attempted carding attacks triple from July to August of 2025, then triple again early in 2026. Payment sector leaders see synthetic identity fraud (61%), impersonation scams (60%) and cross-border fraud (54%) as the fastest-growing threats over the next year; synthetic identity fraud, which involves combining stolen personal information with fabricated details to create a fake identity, is escalating as fraudsters use AI to sift through massive datasets and build more convincing profiles.
Chatbots are likely to become a common product discovery tool across online marketplaces, and unlike traditional search, conversational interfaces encourage users to share more detailed, natural-language requests, revealing preferences, constraints, and contextual information; this shift expands the privacy attack surface as platforms accumulate richer user profiles through chat interactions, and as a result, chatbot logs may become as sensitive as transactional data, increasing the risks of over-collection, misuse, or exposure of personal information. Image-based product search is expected to make photo uploads a routine part of the shopping experience across major retail platforms; while this feature improves product discovery, it also increases the risk of unintended exposure of personal data, as user-submitted images may contain faces, home environments, or sensitive details such as names, phone numbers, or addresses visible on shipping labels or packaging.
AI agent systems are capable of taking autonomous actions that impact real-world systems or environments, and may be susceptible to hijacking, backdoor attacks, and other exploits. Agentic AI systems may introduce novel attack surfaces; for example, malicious actors may attempt to distort an agent's goals, manipulate its reasoning, compromise supply chains, or poison data in the agent's memory. Leading payment companies are responding to these threats: Visa is developing the Trusted Agent Protocol—a standards-based framework enabling merchants to verify agent identity and intent in real time, preventing impersonation without degrading user experience; this protocol enforces identity verification fields, applies time-based transaction challenges to block credential harvesting, and integrates continuous telemetry into Visa's fraud and risk models to strengthen detection dynamically.
Experts recommend layered controls to mitigate risks from AI agents, including the principle of least privilege, tightly scoped and time-bound permissions, comprehensive traceability, and human review at high-risk decision points. The SEC's 2026 examination priorities reveal a significant shift: concerns about cybersecurity and AI have displaced cryptocurrency. For e-commerce businesses, the challenge lies in balancing the efficiency gains promised by AI with the stringent security frameworks needed to protect customer data and platform integrity.
Note: This summary draws on SupplyChainBrain's publicly visible headline + subhead + opening paragraph and on sector background on AI agents and e-commerce security.
Key Takeaways:
1. Dark web AI agent discussions surged 450%+ in past 6 months as cybercriminals actively weaponize autonomous systems
2. E-commerce fraud losses projected to leap from $40B in 2024 to over $100B by 2029
3. One e-commerce firm saw carding attack attempts triple July–August 2025, then triple again in early 2026
4. Chatbot logs becoming as sensitive as transaction data; image search raises face and home-environment exposure
5. Visa's Trusted Agent Protocol aims to verify agent identity in real time, preventing impersonation attacks
