Retailers Brace for a Merry (and Scary) Mobile Shopping Season
With the holiday shopping season upon us, it’s looking to be a watershed year for mobile e-commerce transactions. Whether shopping online or in stores, retail consumers around the world are increasingly turning to mobile applications as their preferred payment method.
Retailers have been tracking this trend for a while now. Many retail apps now include their own built-in financial functions – but without being rigorously secured in the same ways as dedicated mobile wallets or mature banking apps. This is important to note because mobile apps present some unique security challenges. They run in untrusted environments, and retailers have zero visibility into how their apps may be manipulated, cloned, or abused. Users are frequently tricked into sideloading tampered versions of legitimate retail apps from modded app ecosystems. The malicious end goal in most cases is some form of fraud.
And with a huge rise in mobile holiday purchases already being observed, there will be corresponding spikes in the volume and variety of inventive retail fraud attacks.
‘Tis the season for mobile payment domination
According to new data from Adobe, Black Friday 2025 was a record breaker in a couple of notable ways. Consumers spent a record $11.8 billion online on Black Friday, up 9.1% year-over-year (YoY). More than half of online sales (55.2%) came through a mobile device (vs. desktop), representing $6.5 billion (up 10.2% YoY). If the current trajectory holds through December, this will be the first full year in which more than 50% of online spending happens via mobile devices.
But online sales aren’t the only relevant trend. According to a recent report from PYMNTS, mobile wallet use in stores has surged to 31% (up from only 14% in 2024). Ease of use is the leading motivator across all consumers. Gen Z shoppers favor mobile payment methods because of checkout speed, while older users cite “security” as their main reason for migration.
Another notable trend is that more individual retail apps are incorporating their own embedded services for payments, credit, and rewards. They serve as financial infrastructure, but they very often aren’t secured as financial infrastructure – lacking essential mobile app security capabilities like runtime checks and API protection. Because bad actors typically choose the path of least resistance, this exposure makes retail apps sitting targets for high-value, high-velocity fraud attacks.
Buy now, pay never: BNPL issues
Buy Now, Pay Later (BNPL) credit purchases are also on track to increase this holiday season. Adobe predicts that $20.2B will be spent through BNPL between November 1 and December 31, 2025 (11% growth over 2024). PYMNTS researchers recently shared that among those living paycheck to paycheck with difficulty paying monthly bills, 58% used credit installment features for their Black Friday purchases, up from 49% last year.
BNPL has exploded in the US over the last 12 months to reach 91.5 million users. The services aren’t just being tapped for discretionary purchases; an estimated 25% of current BNPL users are financing their groceries with it. Borrowers aren’t paying it all back, either. According to Lending Tree, default rates are on the rise with 42% of BNPL users having made at least one late payment in 2025 (up from 39% in 2024). It should come as no surprise that BNPL is attracting attention from government officials with an eye on regulatory oversight.
BNPL fraud incidents are also on the rise. Accordingly, the BNPL fraud prevention market is expected to jump from $4.95 billion to $11.82 billion by 2029 (24.3% CAGR).
Subtracting risks from rewards points
Retail apps with built-in rewards systems have become important competitive tools for retailers; 84% of consumers claim they’re more likely to stick with a brand that offers some kind of loyalty program. These points and perks programs are more than just an afterthought; they have real-world financial implications.
Across income segments, customers are actively using rewards as a subsidy. Consumers build program incentives into their spending strategies to offset inflation, tariffs, and higher prices for everyday goods. More than one-third of struggling consumers have used some kind of rewards or loyalty points to cover holiday spending.
The widespread popularity and tangible value of these programs have made retail apps an even more attractive target for bad actors. With an estimated $48 trillion in unspent reward points globally, cybercriminals have established a robust market for selling points stolen from compromised user accounts (resulting from things like improperly stored credentials or cloned app attacks).
Some recent examples of mobile app rewards fraud attacks include:
- In Germany, cybercriminals have been stealing and reselling customer points from the Rewe supermarket chain’s bonus app.
- Earlier this year in the UK, Sainsbury’s supermarket customers lost an estimated 12.5 million Nectar app points (worth more than £63,000) to fraudsters accessing their accounts.
Some customers even intentionally download modified retail app clones to unlock premium loyalty program features or directly exploit app vulnerabilities to tamper with their reward points. It’s also common for customers to abuse coupon codes (e.g., signing up for new user discounts under multiple identities) and referral bonus programs (e.g., referring fake users for cash or points-based rewards).
Loyalty and rewards programs now account for 31% of all fraud attempts against online merchants, and 72% of customer loyalty programs have reported some kind of theft or fraud. Rewards fraud can be very costly to retailers in terms of reputational damage and direct financial damages. Annual loss estimates range from $1 billion to $3 billion.
Holiday fraud spikes: What retailers can expect
To paraphrase legendary hip-hop artist The Notorious B.I.G. – more money, more problems. As retail customers increasingly go “mobile first” and choose in-app payment features for their transactions, attackers will look for every possible opportunity to play The Grinch – including client-side tampering, malicious app modifications, mobile app cloning, runtime hooking, and API abuse from automated bots.
Last holiday season, fraudulent transactions rose approximately five times higher on Black Friday and four times higher on Cyber Monday compared to October baselines. Bot-driven attacks surged by more than 400% during Black Friday Week and continued strong through Christmas. This year, Visa blocked 280% more suspected fraud attempts on Black Friday in the UK and 140% more across Europe versus 2024.
Looking at broader year-over-year trends, advanced fraud attacks have surged by 180% in 2025, with phishing continuing to be the primary driver of consumer fraud (used in 45% of cases). The US Federal Bureau of Investigation recently reported that account takeover (ATO) fraud schemes have resulted in losses exceeding $262M since January 2025.
Another new report shows that unauthorized-party schemes (driven by credential theft and ATO) now account for 71% of all fraud incidents and dollar losses. Report findings show that large portions of these incidents damaged customer loyalty (50%) and caused reputational harm (44%), which demonstrates a threat to long-term growth beyond financial losses.
Guidance for retailers: Automated testing and multi-layered protections
Mobile retail is no longer “just retail”; it’s financial infrastructure. Software developers must now secure their mobile e-commerce apps as they would a mobile wallet or banking app. Unfortunately, many mobile retail apps today have weak or missing protections, such as runtime intelligence or server-side API defenses.
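To make the "server-side API defenses" point concrete, here is an added illustration (not code from the original post and not Guardsquare's product) of the shape such a defense takes: a checkout endpoint that refuses to run business logic unless the request carries a valid app-attestation token. The token format, the `AttestationGate` class, the HMAC key and the nonce bookkeeping are all constructed assumptions for this example; a real deployment would obtain tokens from a platform or vendor attestation service rather than minting them with a shared secret. The example shows why the server, not the client, must enforce the check: a cloned or hooked app can skip or fake client-side logic, but it cannot forge a signature it does not hold, reuse a nonce the server already consumed, or revive an expired token.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; in practice the attestation verifier's key lives
# only on the server side (or is a public key from the attestation service).
ATTEST_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL_SECONDS = 300


def mint_token(device_nonce, issued_at, key=ATTEST_KEY):
    """Stand-in for what an attestation service returns after verifying a
    genuine, untampered app instance. The payload binds a server-issued nonce
    and an issue time, and the signature covers both."""
    payload = json.dumps({"nonce": device_nonce, "iat": issued_at},
                         sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(sig).decode())


class AttestationGate:
    """Server-side verifier: signature, freshness and single-use nonce."""

    def __init__(self, key=ATTEST_KEY, ttl=TOKEN_TTL_SECONDS):
        self.key = key
        self.ttl = ttl
        self.issued_nonces = set()  # handed out, not yet consumed
        self.used_nonces = set()    # consumed; any reuse is a replay

    def issue_nonce(self, value):
        """The server issues the nonce so a bot cannot pre-compute tokens."""
        self.issued_nonces.add(value)
        return value

    def verify(self, token, now):
        """Return (ok, reason). Checks run cheapest-first and fail closed."""
        try:
            payload_b64, sig_b64 = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except (ValueError, TypeError):
            return False, "malformed"
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):   # constant-time compare
            return False, "bad-signature"
        claims = json.loads(payload)
        if now - claims["iat"] > self.ttl:
            return False, "expired"
        nonce = claims["nonce"]
        if nonce in self.used_nonces:
            return False, "replay"
        if nonce not in self.issued_nonces:
            return False, "unknown-nonce"
        self.issued_nonces.discard(nonce)
        self.used_nonces.add(nonce)
        return True, "ok"


def handle_checkout(gate, request, now):
    """Minimal API handler: attestation is enforced before any business logic,
    so a modified client gains nothing by skipping its own checks."""
    token = request.get("attestation")
    if token is None:
        return {"status": 403, "reason": "missing-attestation"}
    ok, reason = gate.verify(token, now)
    if not ok:
        return {"status": 403, "reason": reason}
    return {"status": 200, "order_total": request["amount"]}


if __name__ == "__main__":
    gate = AttestationGate()
    nonce = gate.issue_nonce("n-constructed-1")
    token = mint_token(nonce, issued_at=1000)
    print(handle_checkout(gate, {"attestation": token, "amount": 49.99}, now=1100))
    # Second use of the same token is refused as a replay.
    print(handle_checkout(gate, {"attestation": token, "amount": 49.99}, now=1110))
```

The design point is that every decision in `verify` rests on state the server controls (its key, its nonce ledger, its clock), which is exactly the property a client-side check cannot have once the app is running in an untrusted environment.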
To maintain consumer trust in a rapidly changing competitive landscape, today’s mobile retail apps need comprehensive security that covers all phases of the software development lifecycle – from planning and design through ongoing maintenance. This requires purpose-built tools for both automated testing and multi-layered protections.
Guardsquare covers the mobile security needs of modern retail apps. Our portfolio includes AppSweep mobile application security testing (MAST), DexGuard (Android) and iXGuard (iOS) mobile app protection, as well as ThreatCast threat monitoring and app attestation API protection.
Connect with an expert to learn more about how Guardsquare secures retail and e-commerce mobile apps without compromise.