Palo Alto Networks’ Unit 42 has published new research examining how the rise of “agentic commerce” – AI agents that autonomously browse, shop, and transact on behalf of users – could be exploited by cybercriminals to conduct retail fraud at unprecedented scale. Read the full research from Unit 42.
The Coming Wave of Agentic Commerce
According to research cited by Unit 42, agentic AI is expected to handle 15-25% of all e-commerce volume by 2030, potentially generating $3-5 trillion in global retail revenue. However, the World Economic Forum estimates that by 2028, one in four data breaches could result from AI agent exploitation.
The research focuses on Google’s Universal Commerce Protocol (UCP), an open-source standard unveiled at NRF Big Show 2026 that enables AI agents to securely conduct commerce. While UCP implements tokenized payments and verifiable credentials, Unit 42 researchers identified concerning attack vectors through prompt injection.
Attack Scenario 1: Gift Card Theft via Payload Poisoning
Unit 42 demonstrated how attackers could create malicious “deals aggregator” sites that UCP agents crawl to find coupons. Hidden within these sites would be prompt injection payloads designed to reprogram the agent’s behavior:
- The shopping agent visits the attacker’s site looking for discounts
- Indirect prompt injection reprograms the agent’s memory
- When constructing the checkout payload, the agent adds an unauthorized gift card to the order
- If the UI only shows “Total Price,” users approve without noticing the hidden line item
The researchers note: “The real danger isn’t just the $100 stolen; it’s the invisible death of customer loyalty.”
Attack Scenario 2: Returns Fraud via Logic Hijacking
A second attack scenario involves manipulating UCP’s state machine to issue refunds without proper verification. Attackers could embed hidden instructions in marketplace listings that trick agents into bypassing return verification steps:
- A bot purchases an item with malicious metadata
- When initiating a return, the agent reads the product page for instructions
- Hidden prompt injection triggers instant refund without shipping verification
- Organized crime groups could automate 10,000 fraudulent returns per hour
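Both scenarios above turn on the merchant trusting what the agent assembled or read. As an added example (not Unit 42's code, and the payload shapes are constructed rather than UCP's real schema), the following guardrail re-derives the checkout summary from the line items instead of showing a lone total, and gates refunds on warehouse evidence rather than on instructions the agent read from a listing:

```python
"""Defender-side checks for agent-constructed commerce actions.

Constructed example: LineItem/Checkout are illustrative shapes, not UCP's
actual message format. The principle is that the approval UI and the
merchant backend never trust the agent's own summary of what it did.
"""
from dataclasses import dataclass


@dataclass
class LineItem:
    sku: str
    kind: str          # "product" or "gift_card"
    price_cents: int


@dataclass
class Checkout:
    items: list                 # what the agent put in the payload
    user_approved_skus: set     # what the user actually asked the agent to buy


def review_checkout(checkout):
    """Return (ok, findings) so the UI can itemize instead of showing only a total.

    Any SKU the user never approved is flagged, and gift cards are always
    surfaced for explicit confirmation because they are the easiest item
    for an injected instruction to slip past a "Total Price" screen.
    """
    findings = []
    for item in checkout.items:
        if item.sku not in checkout.user_approved_skus:
            findings.append(f"unapproved line item {item.sku} ({item.price_cents} cents)")
        if item.kind == "gift_card":
            findings.append(f"gift card {item.sku} requires explicit user confirmation")
    return (not findings, findings)


# Return flow: "refunded" is only reachable from "received", so an agent that
# asks for an instant refund straight from "requested" is refused server-side.
RETURN_TRANSITIONS = {
    "requested": {"label_issued"},
    "label_issued": {"in_transit"},
    "in_transit": {"received"},
    "received": {"refunded"},
}


def advance_return(state, requested_next, evidence):
    """Apply a transition only if the state machine allows it; a refund
    additionally needs a warehouse scan id, not text from a product page."""
    if requested_next not in RETURN_TRANSITIONS.get(state, set()):
        raise ValueError(f"illegal transition {state} -> {requested_next}")
    if requested_next == "refunded" and not evidence.get("warehouse_scan_id"):
        raise ValueError("refund requires warehouse receipt evidence")
    return requested_next
```

The same checks belong in the merchant backend, not only in the agent, since the agent is exactly the component an injected payload has already reprogrammed.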
The Scale of the Threat
Organized Retail Crime (ORC) already costs retailers approximately $700,000 per $1 billion in sales, with 57% of retailers reporting increased ORC activity. The researchers warn that agentic commerce could “supercharge” existing fraud patterns by enabling automated exploitation at scale.
Defensive Recommendations
Unit 42 recommends that organizations implementing agentic commerce adopt:
- Know Your Agent (KYA) frameworks for identity validation
- Agent reputation scoring to validate behavior patterns
- Implementation of Agent Payments Protocol (AP2) security principles
- Unit 42 AI Security Assessments to identify AI-related risks
The research emphasizes that while protocols like AP2 address authorization and authenticity, additional guardrails will be necessary as agentic commerce evolves. Organizations should also engage with the NRF Center for Digital Risk & Innovation for collaborative fraud prevention efforts.
Why This Matters
As AI agents become trusted intermediaries in consumer transactions, the attack surface for prompt injection expands significantly. The “invisible” nature of these attacks – where customers may not notice unauthorized charges until reviewing bank statements – poses both financial and reputational risks for retailers.
Organizations deploying AI agents for commerce should prioritize security assessments and implement robust verification mechanisms before threat actors begin exploiting these new attack vectors at scale.
