Newsletter

Newsletter

Agent Spoofing: 80% of retail sites are unprotected

Malicious bots are impersonating AI agents and crawlers to slip past retail-site defences, and the traditional ways of telling friend from foe no longer hold up.

What is agent spoofing?

Agent spoofing is a malicious bot that impersonates an AI agent, a search engine crawler, a price-comparison tool, or any other trusted client in order to bypass the security of an online retail site.

By gaining unrestricted access, the bot can scrape information, manipulate SEO data, and more. With the proliferation of AI agents, this kind of identity spoofing has become the most difficult attack vector to detect.

Key figures

A joint study by DataDome, Botify, AWS, and Retail Economics, surveying 6,000 consumers across the UK, US, and France, published in late February 2026, paints a stark picture:

  • 80% of retail sites are not protected against agent spoofing.
  • 80% of AI agents do not correctly identify themselves to the sites they visit.
  • AI bot activity on retail sites increased fivefold in 2025.
  • 38% of consumers use an AI assistant during their online shopping journey.

The cost to retailers

Agent spoofing leads directly to distorted analytics, inflated AI referencing signals, biased commercial decisions, and greater exposure to fraud.

The technical reality

The two traditional methods for distinguishing a legitimate agent from an impersonator are no longer sufficient to identify the nature of a connecting user:

  • The User-Agent header, a text string indicating the client's name and version, is simply a self-declaration. Any malicious bot can present itself as a known AI agent with a single line of code.
  • The IP range, the network address of origin, is just as unreliable. AI agents are deployed on shared cloud infrastructures such as AWS, Azure, and Google Cloud, where thousands of legitimate and malicious services share the same address blocks, which change constantly through dynamic allocation.

The emerging response: cryptographic signatures

The industry's answer borrows a principle from digital signatures: HTTP Message Signatures (RFC 9421).

The agent cryptographically signs each outgoing request with a public key exposed at a canonical URL. The origin validates the signature server-side, ensuring the identity of the sender.

For the 80% of retailers currently exposed, now is the time to audit their Bot Management and WAF solutions, identify signed agents, and apply precise security rules based on each agent's true nature.

For merchants engaged in a Universal Commerce Protocol (UCP) approach, these signatures are rapidly becoming the standard of trust.

Audit your defences against agent spoofing

Talk to our team about Bot Management, WAF configuration, and verifying signed agents across your retail estate.

Get Started