CYBERSECURITY
Agent-spoofing
Agent spoofing is the use of a malicious bot that impersonates an AI agent, a search-engine crawler, a price-comparison tool or a similar legitimate client in order to bypass the security controls of an online retail site.
Once it has gained unrestricted access, the bot can, for example, scrape information or manipulate SEO data. With the proliferation of AI agents, this identity spoofing has become the most difficult attack vector to detect.
Joint study by DataDome / Botify / AWS / Retail Economics (6,000 consumers in the UK, US, and France), published in late February 2026:
Direct consequences for retailers: distorted analytics, inflated AI referencing signals, biased commercial decisions, and greater exposure to fraud.
The technical reality
The two traditional methods for distinguishing a legitimate agent from an impersonator, the User-Agent header (a text string announcing the client's name and version) and the IP range (the network address of origin), are no longer sufficient to establish the nature of the connecting client: both are declared by the client and can be copied by anyone.
The emerging industry response is based on a principle borrowed from digital signatures: HTTP Message Signatures (RFC 9421).
The agent cryptographically signs each outgoing request with its private key; the corresponding public key is published at a canonical URL. The origin validates the signature server-side against that public key, which binds the request to the identity of the sender.
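The following is an added example (not code from the article or from any of the vendors it mentions) showing both halves of an RFC 9421 exchange: the agent builds the signature base over the covered components and emits Signature-Input and Signature headers, and the origin rebuilds the same base from the request it received and verifies it before trusting the client's claimed identity. To stay on the Python standard library it uses the RFC's hmac-sha256 algorithm with a constructed shared secret; a real agent would use an asymmetric algorithm such as ed25519, and the KEY_DIRECTORY dictionary stands in for the public key fetched from the agent's canonical URL by keyid. The signature base, header layout and verification checks are the same in both cases. All request values, key names and the body are constructed for the demo.

```python
"""RFC 9421 HTTP Message Signatures: agent-side signing, origin-side verification.

Added example. Uses hmac-sha256 (a registered RFC 9421 algorithm) so it runs
offline on the standard library; with ed25519 only the sign/verify primitive
changes, the signature base and headers are identical.
"""
import base64
import hashlib
import hmac
import time

# Constructed stand-in for key discovery. With an asymmetric algorithm the origin
# would fetch the agent's public key for this keyid from its canonical URL.
KEY_DIRECTORY = {"shopping-agent-2026": b"constructed-shared-secret-for-demo"}

# Components the origin insists on: method, host, path and a digest of the body.
COVERED = ("@method", "@authority", "@path", "content-digest")


def _component_value(comp, method, authority, path, headers):
    """Resolve one covered component (derived '@...' components or a header)."""
    if comp == "@method":
        return method.upper()
    if comp == "@authority":
        return authority.lower()
    if comp == "@path":
        return path
    # Ordinary header field: lower-case name, value trimmed of surrounding whitespace.
    return headers[comp].strip()


def signature_base(method, authority, path, headers, covered, params):
    """One '"name": value' line per covered component, then the
    '"@signature-params": ...' line, joined by LF with no trailing newline."""
    lines = [f'"{c}": {_component_value(c, method, authority, path, headers)}' for c in covered]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)


def _content_digest(body):
    return f"sha-256=:{base64.b64encode(hashlib.sha256(body).digest()).decode()}:"


def sign_request(method, authority, path, body, keyid, created=None):
    """Agent side: return the Content-Digest, Signature-Input and Signature headers."""
    created = int(time.time()) if created is None else created
    headers = {"content-digest": _content_digest(body)}
    inner_list = " ".join(f'"{c}"' for c in COVERED)
    params = f'({inner_list});created={created};keyid="{keyid}";alg="hmac-sha256"'
    base = signature_base(method, authority, path, headers, COVERED, params)
    mac = hmac.new(KEY_DIRECTORY[keyid], base.encode(), hashlib.sha256).digest()
    headers["signature-input"] = f"sig1={params}"
    headers["signature"] = f"sig1=:{base64.b64encode(mac).decode()}:"
    return headers


def verify_request(method, authority, path, body, headers, max_age=300, now=None):
    """Origin side: (ok, reason). Header names are expected lower-cased.
    Rejects malformed headers, uncovered required components, unknown keys,
    stale signatures, body/digest mismatches and tampered components."""
    try:
        label, params = headers["signature-input"].split("=", 1)
        sig_label, sig_val = headers["signature"].split("=", 1)
        covered_part, _, param_part = params.partition(")")
        covered = tuple(c.strip('"') for c in covered_part.lstrip("(").split())
        kv = dict(p.split("=", 1) for p in param_part.strip(";").split(";"))
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"
    if label != sig_label or not (sig_val.startswith(":") and sig_val.endswith(":")):
        return False, "label mismatch or malformed signature value"
    if not set(COVERED) <= set(covered):
        return False, "required components not covered"
    keyid = kv.get("keyid", "").strip('"')
    key = KEY_DIRECTORY.get(keyid)
    if key is None:
        return False, f"unknown keyid {keyid!r}"
    if kv.get("alg", "").strip('"') != "hmac-sha256":
        return False, "unsupported alg"
    now = int(time.time()) if now is None else now
    created = int(kv.get("created", "0"))
    if not (now - max_age <= created <= now + 60):  # small allowance for clock skew
        return False, "signature outside freshness window"
    # The digest is only meaningful once recomputed from the body actually received.
    if headers.get("content-digest") != _content_digest(body):
        return False, "content-digest does not match body"
    try:
        base = signature_base(method, authority, path, headers, covered, params)
    except KeyError as missing:
        return False, f"covered component {missing} absent from request"
    expected = hmac.new(key, base.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig_val[1:-1])):
        return False, "signature mismatch"
    return True, "verified"


def demo():
    """Sign a constructed request, verify it, then replay its headers on another path."""
    body = b'{"sku": "ABC-123"}'  # constructed body
    h = sign_request("POST", "shop.example", "/api/price", body, "shopping-agent-2026", created=1_700_000_000)
    ok, _ = verify_request("POST", "shop.example", "/api/price", body, h, now=1_700_000_010)
    # Because @path is covered, the same headers do not authorize a different endpoint.
    replayed, reason = verify_request("POST", "shop.example", "/admin/export", body, h, now=1_700_000_010)
    return ok, replayed, reason


if __name__ == "__main__":
    print(demo())
```

Two design points matter for the origin. First, the verifier decides which components must be covered (here method, authority, path and Content-Digest) and refuses signatures that omit them; otherwise an attacker could present a valid signature over a trivial subset and change everything else. Second, the created timestamp and a short freshness window limit replay, and the key is looked up by keyid rather than taken from the request, so the identity comes from the published key material and not from anything the client asserts.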
For 80% of retailers, now is the time to audit their Bot Management and WAF solutions, identify signed agents, and apply precise security rules based on their nature.
For merchants engaged in a UCP (Universal Commerce Protocol) approach, these signatures are rapidly becoming the standard of trust.