Holiday Shopping Frenzy Turns Into a Goldmine for Cybercriminals

Retailers rang up more than sales this Labor Day weekend—they also attracted a tidal wave of malicious digital traffic. New data from Cequence shows that attack attempts against retailers spiked by 96% year over year, underscoring how cybercriminals now treat seasonal promotions as opportunities for industrial-scale exploitation.

The findings, drawn from billions of real customer transactions analyzed by Cequence’s CQ Prime threat research unit, highlight just how much fraud and automation have escalated against major brands. Fortune 500 and Global 2000 retailers in particular bore the brunt of the activity.

Bots as Holiday Shoppers

According to Cequence, automated threats evolved aggressively this season. Blocked bot activity rose by nearly 80% over last year, with one major retailer enduring a jaw-dropping 2,724% surge in malicious traffic during a summer sales event. Even with defenses in place, that same retailer reported a 435% increase in blocked bot traffic compared to its normal baseline.

Behind the numbers lies a lucrative target: customer accounts. Cequence said it successfully stopped more than 26 million attempted account takeovers (ATOs) during Labor Day promotions, a testament to just how much of today’s retail fraud is automated and API-driven.

“During holiday seasons, retailers often face a perfect storm of increased vulnerability,” said William Glazier, Director of Threat Research at Cequence. “Reduced staffing levels, coupled with the surge in online activity driven by sales and promotions, create a prime opportunity for cybercriminals to exploit. Retailers risk significant financial losses due to fraudulent activities without robust bot and API protection.”

The API Blind Spot

The report also emphasized how APIs are now the backbone of consumer engagement—and a primary attack surface. Since the release of Apple’s iPhone 16 earlier this month, Cequence has handled 6.7 billion API calls for eight top telecom providers, with more than a third of that traffic flagged as malicious. It’s a stark reminder that attackers don’t just chase retailers during shopping holidays—they follow consumer demand spikes wherever they happen online.

Cost of Doing Nothing

Cequence’s researchers estimate retailers could lose $60,000 every hour if they fail to protect their digital storefronts during peak traffic events. That’s not just payment fraud, but also inventory manipulation, credential stuffing, and downstream reputational damage when consumers’ trust erodes.

A Playbook for Defense

The company outlined a practical response roadmap:

• Run live drills to stress-test defenses from multiple perspectives—enterprise, customer, and attacker.

• Map every API and public-facing endpoint, including the ones teams may have forgotten.

• Balance performance and trust, ensuring user validation is fast but secure through methods like canary headers and trusted IPs.

• Double down on MFA and monitoring, particularly during predictable shopping surges.

• Watch for anomalies, such as dozens of logins from far-flung IPs within an hour, which often signals bot-driven ATO attempts.

Bigger Picture

The data paints a clear picture: cybercriminals no longer wait for Black Friday. Every sales event—Labor Day, back-to-school, product launches—creates a window where retailers are juggling thin staffing and spiking traffic. Attackers are ready and automated, and without equally adaptive defenses, retailers stand to lose more than just holiday profits.