Fraudology

E-commerce fraud trends reveal new account takeover attacks

Let’s break this down.

In this solo episode, I’m recording from a hotel room in San Diego during the Merchant Advisory Group conference. And before the full conference chaos kicks in, I wanted to share a few things fraud teams are starting to see that deserve attention.

Because here’s what’s actually happening.

Some of the fraud patterns hitting ecommerce merchants right now are not following the old playbooks. Investigators are seeing attacks that combine account takeover, payment fraud, and device trust in ways that make traditional detection models struggle.

At first glance, the activity looks like normal customer behavior. But when you look closer, the transaction history, payment sources, and session activity tell a very different story.

The first pattern I break down is what I’m calling the Two-Victim account takeover.

In this version of account takeover fraud, criminals compromise an existing customer account that already has a long purchase history and strong reputation signals. Instead of simply using the cards already stored in the account, the attacker adds a completely different person’s stolen credit card.

And this is where the real risk comes in.

Because the account already looks legitimate. It has purchase history. It has a trusted device profile. It may even have years of customer behavior behind it. Fraud systems often treat the transaction as low risk because the account itself appears clean.

But the payment instrument is stolen.

That combination allows fraudsters to bypass many traditional controls.

The second trend involves malware-driven session hijacking. In these cases, fraudsters piggyback on a legitimate customer session that is already active on a trusted device.

Instead of logging in themselves, attackers replay or continue the legitimate session. From a fraud detection standpoint, it looks like the same user, same device, same session.

Here’s why fraud teams care about this.

If the fraudster can operate inside a trusted session, many of the signals we rely on for fraud detection simply do not trigger.

Later in the episode, I also talk about something that’s starting to show up in retail testing environments: agentic AI shopping behavior.

Autonomous AI agents are beginning to perform ecommerce transactions that look indistinguishable from human shoppers. And that creates a new problem the industry hasn’t fully solved yet.

The key thing to understand is that our current device identification and bot detection systems were designed to detect automation, not autonomous purchasing agents that behave like real users.

Which raises a new challenge.

How do merchants verify the identity and intent of a non-human shopper?

What you’ll hear in this episode:

  • How the Two-Victim account takeover fraud pattern works
  • Why trusted ecommerce accounts are being targeted by attackers
  • How malware enables session hijacking inside legitimate user sessions
  • Why gift card retailers are seeing increased session replay fraud
  • The emerging risk of AI shopping agents and Know Your Agent challenges

You should listen to this episode if:

  • You lead fraud or payments risk at an ecommerce company
  • You investigate account takeover and payment fraud cases
  • You oversee fraud detection systems or transaction risk controls

If you liked this episode, be sure to subscribe & review the podcast on iTunes, Spotify, YouTube, or wherever you listen to podcasts.

Episode notes & key takeaways

Two-victim account takeover is reshaping payment fraud patterns

At first glance, account takeover fraud follows a familiar pattern. Attackers gain access to a customer account and use the payment instruments already stored inside the account.

But the operational reality is shifting.

Fraud investigators are increasingly seeing attacks where the compromised account and the payment instrument belong to two completely different victims.

Here’s what’s actually happening.

Attackers take over a legitimate ecommerce account that has strong history signals. The account might have years of purchase activity, multiple successful transactions, and behavioral patterns that look trustworthy.

Instead of using the payment cards already stored on the account, the attacker adds a newly stolen credit card belonging to a separate victim.

Operational indicators may include:

  • a new payment method added to a long-tenured account shortly before a purchase, especially when card addition and checkout happen in the same session
  • a cardholder name, billing address or issuing bank that does not match the account holder or the account’s payment history
  • risk signals on the newly added card (no history with the merchant, issuer flags, prior fraud reports) that are scored on their own rather than offset by the account’s clean history
  • a purchase pattern that blends account takeover with payment fraud: the account is real, the instrument is stolen
  • sudden high-value gift card purchases on an account whose history shows ordinary merchandise
  • links between the compromised account and credential-abuse infrastructure (shared IPs, proxies or devices seen across other takeovers)

And this is where the real risk comes in.

Fraud models often rely heavily on account history. When the account appears legitimate, many transactions pass through risk filters.

The implication for leadership is that transaction-level risk analysis has to score the payment instrument on its own merits, independently of account reputation, so that a clean account history cannot wash a newly added stolen card.
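To make the two-victim point concrete, here is an added example of a transaction scorer that computes the payment-instrument risk without consulting account reputation and compares it with a history-weighted decision. This is illustrative code written for these notes, not code from the episode or its host; the account, card and order fields, the weights, the thresholds and the sample orders are constructed assumptions.

```python
"""Two-victim account takeover: score the payment instrument on its own.

Added example; not code from the episode or its host. The account, card and
order fields, the weights and the thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass
class Account:
    account_id: str
    created: datetime
    order_count: int
    avg_order_value: float
    holder_name: str
    stored_cards: List[str]       # fingerprints of cards that have paid on this account before


@dataclass
class Card:
    fingerprint: str
    name_on_card: str
    prior_successful_orders: int  # successes of this card on this account


@dataclass
class Order:
    account: Account
    card: Card
    amount: float
    categories: List[str]
    card_added_this_session: bool


def _norm(name: str) -> str:
    return " ".join(name.lower().split())


def account_trust(acct: Account, now: datetime) -> float:
    """Reputation in 0..1 from tenure and order history: what a history-heavy model leans on."""
    tenure = min((now - acct.created).days / 365, 2.0) / 2.0
    volume = min(acct.order_count, 20) / 20
    return 0.5 * tenure + 0.5 * volume


def instrument_risk(order: Order) -> float:
    """Risk of the payment instrument, computed without consulting account reputation."""
    acct, card = order.account, order.card
    risk = 0.0
    if card.fingerprint not in acct.stored_cards:
        risk += 0.30  # this card has never paid on this account
    if order.card_added_this_session:
        risk += 0.25  # add a card and check out in one session
    if card.prior_successful_orders == 0:
        risk += 0.10
    if _norm(card.name_on_card) != _norm(acct.holder_name):
        risk += 0.25  # cardholder is not the account holder: the second victim
    if "gift_card" in order.categories:
        risk += 0.15  # easily resold, the typical cash-out
    if acct.avg_order_value and order.amount > 3 * acct.avg_order_value:
        risk += 0.15
    return min(risk, 1.0)


def legacy_decision(order: Order, now: datetime) -> str:
    """Account trust offsets instrument risk, so a clean account can wash a stolen card."""
    return "approve" if instrument_risk(order) - account_trust(order.account, now) < 0.3 else "review"


def two_victim_decision(order: Order, now: datetime) -> str:
    """Instrument risk is gated first; account trust only helps once the card is not itself suspect."""
    risk = instrument_risk(order)
    if risk >= 0.6:
        return "step_up"  # verify the cardholder (issuer check / 3-D Secure), not the account
    return "approve" if risk - account_trust(order.account, now) < 0.3 else "review"


# Constructed sample data (hypothetical names and fingerprints).
NOW = datetime(2026, 3, 10, 12, 0)
TRUSTED_ACCOUNT = Account("acct-1", datetime(2019, 5, 1), 57, 64.0, "Maria Lopez", ["fp_visa_1"])
STOLEN_CARD_ORDER = Order(TRUSTED_ACCOUNT, Card("fp_mc_9", "David Chen", 0), 480.0, ["gift_card"], True)
OWN_CARD_ORDER = Order(TRUSTED_ACCOUNT, Card("fp_visa_1", "Maria Lopez", 57), 60.0, ["apparel"], False)

if __name__ == "__main__":
    for label, order in [("stolen card on trusted account", STOLEN_CARD_ORDER), ("own card", OWN_CARD_ORDER)]:
        print(f"{label}: trust={account_trust(order.account, NOW):.2f} "
              f"risk={instrument_risk(order):.2f} legacy={legacy_decision(order, NOW)} "
              f"two_victim={two_victim_decision(order, NOW)}")
```

The divergence is the point: for the stolen-card order the account scores as fully trusted, so the legacy rule approves it, while the instrument-first rule sends it to cardholder step-up. The customer’s own card on the same account is approved by both, so the change adds friction only where the instrument, not the account, is the unknown.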

Session hijacking attacks exploit trusted device signals

Session hijacking fraud introduces a different operational challenge.

Instead of logging into an account using stolen credentials, attackers inject themselves into a legitimate session already authenticated by the real customer.

The key thing to understand is that the fraudster does not need to authenticate.

The authentication event already happened.

Attackers use malware or session replay tools to piggyback on that legitimate session and continue the shopping flow. To fraud systems, the activity looks like the same customer operating on the same device.

Operational indicators may include:

  • risk re-scoring when a session continues into a sensitive step (a new payment method, a checkout) well after the authentication event
  • malware indicators on the customer’s device, or traffic arriving through VPN or proxy infrastructure while the session cookie stays the same
  • a device fingerprint that remains stable while navigation, request timing or purchase mix changes mid-session
  • sudden changes in purchasing velocity within a single session
  • the same attacker infrastructure appearing across many otherwise unrelated customer sessions
  • overlap with gift card fraud and credential abuse, since a hijacked session is most valuable for a fast cash-out

Because the session originates from a trusted environment, many fraud models classify the activity as low risk.

The implication for leadership is that behavioral monitoring and session risk analysis have to run in real time after login, re-evaluating the session as it unfolds rather than trusting a one-time authentication decision.
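As an added example of what post-login session risk analysis can look like, the following monitor re-scores a session on every request against the session’s own early behavior. It flags a session cookie that continues from a different network while the device fingerprint is unchanged (continuation from attacker infrastructure), request cadence collapsing far below the session’s own baseline (automation inside a human-started session), and several sensitive payment actions in a short window. This is illustrative code written for these notes, not code from the episode or any vendor; the log format, paths, thresholds and sample sessions are constructed, and the IPs and ASNs come from documentation ranges.

```python
"""Post-login session risk analysis for the hijacking pattern in the episode.

Added example, not the podcast's or any vendor's code. The log format, field
names, IPs/ASNs (documentation ranges) and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple

# Constructed log: session_id,seconds_since_login,client_ip,asn,device_fp,path
SAMPLE_LOG = """\
s1,0,203.0.113.10,64500,d1,/
s1,12,203.0.113.10,64500,d1,/search?q=headphones
s1,41,203.0.113.10,64500,d1,/product/123
s1,77,203.0.113.10,64500,d1,/product/456
s1,130,203.0.113.10,64500,d1,/cart
s1,190,203.0.113.10,64500,d1,/checkout
s1,190.3,198.51.100.7,64510,d1,/account/payment-methods/add
s1,190.6,198.51.100.7,64510,d1,/checkout/gift-card
s2,0,203.0.113.20,64500,d2,/
s2,20,203.0.113.20,64500,d2,/product/789
s2,55,203.0.113.20,64500,d2,/cart
s2,90,203.0.113.20,64500,d2,/checkout
"""

SENSITIVE_PATHS = {"/account/payment-methods/add", "/checkout/gift-card"}  # hypothetical routes


@dataclass
class Event:
    session_id: str
    t: float
    ip: str
    asn: int
    device_fp: str
    path: str


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        sid, t, ip, asn, fp, path = line.split(",", 5)
        events.append(Event(sid, float(t), ip, int(asn), fp, path))
    return events


class SessionMonitor:
    """Re-scores a session on every request, using its own early behaviour as baseline."""

    def __init__(self, baseline_n: int = 5, min_gap: float = 2.0, velocity_window: float = 60.0):
        self.baseline_n = baseline_n
        self.min_gap = min_gap
        self.velocity_window = velocity_window
        self.history: Dict[str, List[Event]] = defaultdict(list)

    def observe(self, ev: Event) -> List[str]:
        hist = self.history[ev.session_id]
        alerts: List[str] = []
        if hist:
            base = hist[0]
            # Same cookie and same device fingerprint, different network: the session
            # is being continued from somewhere other than where it was authenticated.
            if ev.asn != base.asn and ev.device_fp == base.device_fp:
                alerts.append("network_shift")
            # Inter-request gap far below this session's own median: automation
            # operating inside a session a human started.
            if len(hist) >= self.baseline_n:
                gaps = [b.t - a.t for a, b in zip(hist, hist[1:])]
                gap = ev.t - hist[-1].t
                if gap < self.min_gap and gap < median(gaps) / 10:
                    alerts.append("cadence_collapse")
            # Several sensitive actions (add card, buy gift card) in a short window.
            recent = [h for h in hist
                      if h.path in SENSITIVE_PATHS and ev.t - h.t <= self.velocity_window]
            if ev.path in SENSITIVE_PATHS and len(recent) + 1 >= 2:
                alerts.append("payment_velocity")
        hist.append(ev)
        return alerts


def evaluate_log(text: str) -> List[Tuple[str, float, str, List[str]]]:
    """Return (session_id, t, path, alerts) for every request that raised an alert."""
    mon = SessionMonitor()
    flagged = []
    for ev in parse_log(text):
        alerts = mon.observe(ev)
        if alerts:
            flagged.append((ev.session_id, ev.t, ev.path, alerts))
    return flagged


if __name__ == "__main__":
    for sid, t, path, alerts in evaluate_log(SAMPLE_LOG):
        print(f"{sid} t={t:>6} {path}: {', '.join(alerts)}")
```

In the constructed log, session s1 is authenticated and browsed normally for three minutes, then the same cookie and device fingerprint reappear from a different ASN, adding a card and buying a gift card 300 ms apart; every one of those checks fires while the benign session s2 stays quiet. None of this needs the attacker to fail authentication, which is exactly why a login-time decision alone cannot see it.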

Agentic AI introduces a new fraud detection challenge

The final pattern discussed in this episode focuses on something that is just beginning to appear in testing environments.

Agentic AI shopping behavior.

Retailers experimenting with autonomous AI agents are discovering that these agents can complete ecommerce transactions in ways that look nearly identical to human shoppers.

The operational challenge is detection.

Traditional bot detection relies on identifying automation signals, unusual browser activity, or non-human interaction patterns.

But agentic AI systems are being trained to mimic human browsing behavior.

Operational considerations may include:

  • governance over which AI agents may transact on a merchant’s storefront, and on whose behalf
  • escalation paths for transactions initiated by non-human entities rather than a blanket block or a blanket allow
  • whether behavioral signals such as biometrics and navigation patterns can still separate an agent acting for a real customer from one acting for a fraudster
  • enriching alerts with behavioral monitoring signals, since device and automation signals alone no longer settle the question
  • distinguishing legitimate automation (a customer’s own shopping agent) from hostile bot activity, when both are non-human

The key thing to understand is that the industry currently lacks a standardized framework for verifying AI agents.

For leadership, the emerging need is identity verification that extends to non-human actors: a Know Your Agent counterpart to customer verification that can establish which agent is transacting, for whom, and whether that purchase intent is legitimate.

Host
Karisse Hendrick
Ecommerce Fraud Prevention Consultant