873% Surge in API Attacks Puts Healthcare, Retail, and BFSI in the Crosshairs

Organisations are adopting APIs faster than they're securing them, creating massive security gaps. Despite the identification of over 26,000 critical vulnerabilities in 2024, a third remained unpatched for over six months, leaving businesses dangerously exposed.

By BIZ Experiences Staff

You're reading BIZ Experiences India, an international franchise of BIZ Experiences Media.

As we move toward a direct, contactless market where almost everything is purchased online, APIs (Application Programming Interfaces) have become the lifeline of digital services—quietly powering everything from mobile banking and ride-hailing to insurance claims and retail checkouts. While they enable seamless data exchange and real-time communication, the same open data pathways are being exploited by malicious actors, fueling a surge in cybersecurity threats worldwide.

In 2024 alone, India witnessed a 20 per cent rise in cyberattacks from Q1 to Q4, with Indusface blocking over 7.15 billion malicious attempts on customer sites through its AppTrana platform. On average, each site experienced 6.9 million attacks during the year, according to the latest Annual State of Application Security Report by Indusface.

Distributed Denial of Service (DDoS) attacks remained a global menace, with 2.46 billion incidents. APIs emerged as a key point of vulnerability—facing 30 per cent more attacks per host than websites. India recorded 166 per cent more API-related DDoS incidents compared to web-based ones, with bot-driven attacks increasing by 48 per cent. The holiday season alone saw a 132 per cent surge in bot activity, as attackers exploited high-traffic periods to breach systems.

One of the most alarming findings was the 873 per cent increase in attacks targeting API vulnerabilities, vastly outpacing the 94 per cent rise in website-related exploits. The widespread availability of AI tools like ChatGPT has made it easier for novice hackers to generate and deploy malicious scripts, accelerating the pace of attacks.

Three sectors among the hardest hit

The report found significant variation in attack patterns based on industry. The retail and e-commerce sector experienced over 1 million attacks per website, with a 10x increase in DDoS incidents as fraud bots deployed credential stuffing and carding techniques to exploit payment systems. The manufacturing sector, too, saw 1.37 million attacks per site, with DDoS threats rising sixfold and targeting supply chains, ERP, and production operations. In the BFSI space, insurance firms faced 2.5x more bot threats and an eightfold increase in vulnerability attacks. This indicates a growing need for sector-specific, proactive cybersecurity strategies.

Healthcare and SMEs face unique challenges

Every monitored healthcare website encountered bot-driven attacks in 2024, highlighting the sector's ongoing vulnerability. These automated threats posed serious risks to patient data and hospital infrastructure.

Meanwhile, SMEs (small and medium-sized enterprises) were disproportionately affected—experiencing 236 per cent more DDoS attacks than large enterprises. Their limited access to dedicated security teams and resources makes them attractive targets, often exploited for financial gain or operational disruption.

This surge reflects a broader challenge—organisations are adopting APIs faster than they're securing them, creating massive security gaps. Despite the identification of over 26,000 critical vulnerabilities in 2024, a third remained unpatched for over six months, leaving businesses dangerously exposed.

"Cybercriminals are constantly evolving their tactics, leveraging different attack vectors based on industry, application type, and company size. APIs, for example, face 2x the attacks per host compared to web apps. Similarly, the insurance industry faces 2.5x more bot attacks per app than other industries," says Ashish Tandon, Founder and CEO of Indusface.

"Security teams can stay ahead by investing in all-in-one, AI-powered AppSec platforms that adapt quickly to these evolving threats. However, even with AI, manual oversight is essential to prevent AI hallucinations and ensure uninterrupted business operations," Tandon added.
