As fraudsters and malicious groups target this year’s numerous upcoming e-commerce holidays, security leaders will need updated strategies to stay ahead.

Across the Asia Pacific region (APAC), from Tokyo to Sydney and Mumbai to Seoul, online retail continues to surge — and so does the criminal innovation that follows it.

The convergence of seasonal festivals such as new year celebrations, Valentine’s day, major public holidays and e-commerce sales campaigns throughout the year is just prime hunting ground for cybercriminals.

From the Philippines to India and Singapore to Australia, threat intelligence firms and law enforcement agencies are warning that 2025 marked a turning point: attackers are no longer opportunistic, but industrialized, automated, and regionally coordinated.

According to Jess Ng, Fortinet’s country head for Singapore and Brunei, post-2025 cyberattacks and scams “are increasingly powered AI. Cybercriminals now use AI-generated phishing messages, automated credential stuffing tools, and website cloning services to create scams that appear highly convincing and personalized. Combined with the exploitation of known vulnerabilities in popular e-commerce platforms, these techniques allow attackers to move quickly and at scale, sometimes even before victims realize something is wrong.”

How attackers are scaling across APAC

In the weeks leading up to peak shopping periods, threat actors register thousands of domains that mimic legitimate retailers, payment services, and logistics providers. These are then used for phishing, fake stores, and gift‑card fraud, often supported by underground marketplaces that sell stolen credentials and compromised accounts at “Black Friday–style” discounts.

According to Kaspersky’s regional managing director Adrian Hia, “the holiday season creates a high‑risk environment for online scams. In the Philippines include phishing emails and text messages… fake online stores and promo pages offering unrealistically low prices… and fraudulent payment requests sent through messaging apps… and account takeover attempts.”

In Japan, authorities and cybersecurity firms are flagging the holiday period as a high‑risk window for ransomware and disruption of critical infrastructure, including logistics and manufacturing.

A Japan Times report had reported that “55% of ransomware attacks in APAC occurred on a weekend or holiday, while 60% followed a significant business event such as a merger,” underscoring how attackers time their operations to coincide with staffing gaps and heightened distraction.

In Singapore, police have repeatedly warned that parcel‑delivery‑themed phishing scams spike during the festive shopping season. In an advisory published by Channel NewsAsia, the Singapore Police Force said at least 360 people had fallen victim to such scams in the first 11 months of the year, with losses exceeding S$560,000.

In a recent comment, analysts from Veriff, had noted: “From account takeovers and refund abuse to increasingly sophisticated authorized fraud powered by AI and deepfakes, online merchants and marketplaces are facing threats that traditional controls can no longer stop. To protect revenue, customers, and brand trust, leading ecommerce organizations are shifting toward a layered, identity‑first approach, combining AI‑driven identity verification, biometrics, and ongoing authentication throughout the user journey.”

Tackling the AI-powered cyber scam surge

For C‑level executives across the region, the message is clear: holiday‑season cyber risk is no longer a “consumer problem” but a strategic resilience issue.

Fortinet and other analysts are stressing that organizations must assume attackers are planning months in advance and are ready to exploit staffing gaps, known vulnerabilities, and peak‑traffic periods. According to Ng: “For businesses, complacency is no longer an option. Proactive security measures such as keeping e-commerce platforms and plugins fully updated, securing administrative access, monitoring for lookalike domains, and deploying fraud and bot-detection tools are essential during high-traffic periods. Equally important is consumer education. Businesses that actively inform customers about common scams and safe shopping practices help strengthen trust and reduce downstream fraud.”

Other industry recommendations for keeping e-commerce a smooth, safe experience in 2026 include:

  • Strengthening visibility into accounttakeover and credentialstuffing activity
    • Deploy AI driven bot management and credential phishing detection that flag suspicious login patterns, brute force attempts, and anomalous transaction behaviour in real time
    • Layer device fingerprinting and behavioral analytics to detect repeat offender devices, mismatched locations, and sudden changes in spending or session patterns
  • Monitoring for lookalike domains and fraudulent ads
    • Use threat intelligence driven domain monitoring and DNS /web filtering to block fake shopping domains, phishing pages, and brand impersonation campaigns before they reach customers
    • Integrate brand protection and ad fraud monitoring tools that scan for counterfeit landing pages, spoofed social media ads, and fake marketplaces mimicking brands
  • Ensuring 24/7 monitoring and incidentresponse coverage during shutdown periods
    • Maintain continuous SOC-style coverage across peak season and holiday windows, including automated alerting and playbooks for account takeover spikes, payment fraud surges, and ransomware driven disruption
    • Implement automated fraud detection and takedown workflows so suspicious transactions, fake listings, and fraudulent accounts can be quarantined or blocked without waiting for manual review
  • Embedding cyber‑awareness into customer‑communication channels (e.g., in‑app warnings, SMS‑based scam alerts)
    • Require multi-factor authentication for admin, merchant, and high privilege accounts, and enforce strong password policies and role based access to e commerce platforms and payment systems
    • Apply risk based authentication so that step-up verification (e.g., biometrics, OTP) is triggered for high value transactions, new devices, or unusual geolocation patterns
  • Hardening e‑commerce platforms and third‑party integrations
    • Keep all platforms, plugins, and third‑party widgets up to date, and remove unused components that can be exploited via known vulnerabilities
    • Enforce HTTPS‑only, secure cookies, and strict‑CSP policies on checkout and admin flows to reduce the impact of injection and session‑hijacking attacks
  • Adopting a layered, identity‑first fraud‑prevention stack
    • Combine identity verification, device intelligence, transaction‑risk scoring, and behavioral analytics into a single, continuously learning system that adapts as fraud tactics evolve
    • Use adaptive rules and human‑in‑the‑loop review to balance fraud‑detection precision with low false‑positive rates that protect conversion and CX
  • Building resilience around payment and refund‑fraud vectors
    • Monitor for authorized‑fraud patterns (e.g., multiple declined transactions followed by one large approval, high‑risk shipping‑address changes, mismatched billing/shipping regions)
    • Implement refund‑abuse controls, including stricter review for high‑value or repeat‑refund requests and tighter linkage between identity, device, and transaction history.
  • Conducting rapid risk assessments and pilot controls
    • Run quick, targeted risk‑assessments of checkout flows, seller‑onboarding, and dispute‑resolution processes to identify where most losses and false positives occur
    • Pilot new controls (e.g., identity‑verification layers, bot‑management rules) on a subset of traffic before rolling out globally, measuring impact on fraud, chargebacks, and conversion.
  • Designing for “prevention over remediation” and trust‑at‑scale
    • Treat fraud‑prevention as a revenue‑protection and trust‑building lever, not just a compliance or security cost, by stopping fraud before fulfillment and protecting customer data
    • Align brand‑protection, fraud‑prevention, and security teams so they share threat‑intelligence feeds, domain‑monitoring alerts, and scam‑takedown playbooks across regions
  • With region-wide concerted efforts by all stakeholders, festive e-shopping seasons this year will not be treated just as commercial peaks, but as critical periods for cybersecurity vigilance.