APIs are becoming a worrying security target - here's what your business can do to stay safe

That being said, attacks targeting the business logic of APIs constituted 27% of all attacks last year, which is also up by 10% compared to 2022. Account Takeover (ATO) attacks targeting APIs also rose, from 35% in 2022, to 46% in 2023. 

Lucrative attacks

Elsewhere, the report claimed the average number of API calls to enterprise sites is 1.5 billion. The high volumes of non-human, automated traffic, are “undeniably” linked to the rise in automated attacks on APIs, the researchers added. 

As a result, businesses need robust security measures to defend against things like Distributed Denial of Service (DDoS) attacks, or ATOs. In fact, 46% of all ATO attacks targeted API endpoints, they said. Finally, attackers are honing their strategies, and 28% of all DDoS attacks on APIs are going after financial services organizations. 

Traditional security tools, like Web Application Firewalls (WAF), will not suffice, Imperva concludes. API attacks will adeptly masquerade as regular traffic, rendering these defense mechanisms useless. 

Many IT professionals seem to agree with Imperva, as a recent Barracuda report found 55% stating attacks on APIs to be the most lucrative ones for criminals. Barracuda claims that "attackers will often target old vulnerabilities that security teams have forgotten about," and that "multiple layers" of security are needed to secure web apps and APIs.

More from TechRadar Pro

• Web apps and APIs were attacked more than ever last year
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now