    Someone is creating new fake affiliate accounts 1700+

    We just discovered someone is creating fake Affiliate accounts on our website, over 1,700!

    It seems to have started on 11/04/2019, averaging 3 accounts a day for months. Then it slowly increased to an average of 6 accounts a day for a couple more months, and then 9, etc. It's now averaging 40 accounts a day, consuming bandwidth ($).

    No unusual Authorization Failures found during this period.

    Why are they doing this, what do they gain?
    Is there a way to determine IP address for those accounts?

    We have already taken the following measures for now:
    1. Disable affiliate program option in Admin.
    2. Disabled affiliate log-in page from ReadyTheme navigation set.
    3. Disabled affiliate AFCL page. However, the page is still being displayed. How would I stop that page from being displayed?
    Any other suggestions?
    Thank you, Bill Davis

    #2
    Now we are experiencing a spike in "Password Reset Request".
    Last edited by William Davis; 07-31-20, 07:29 AM.
    Thank you, Bill Davis



      #3
      It's typically a 'dumb' person / bot that has misinterpreted your affiliate sign-up form for a sign-in form, and they're attempting a credential stuffing attack. This is where an entity is trying a database of stolen user/pass combos against your site to see if it can find any that work, with the hope it then leads them to some way to benefit financially, or so they can use the validated credentials as part of a later phishing attack. The latter is where you first obtain some stolen credentials, find sites where they work, and then you send the intended victim an email that looks like "Your password XYZ on Bill Davis' website has been locked out as part of a security upgrade. Please click 'here' to set a new password." People see a password they recognize and are tricked into thinking the email is legit; they click, provide a new password, and then the attacker tries it at every other place of interest where that person may have re-used the password.

      I'd recommend a web app firewall in front of your store, with particular attention to pages that accept credentials. Cloudflare's $20/mo plan is the most feature-rich for the price point, and you can set up a transparent JavaScript challenge that tends to get rid of most bots. From a legit shopper's perspective, it would mean when transitioning to a login screen, they'd see a "Testing your browser" screen for a few seconds, no need to click or anything else. The same plan can also be used to throw up a reCAPTCHA challenge to countries or internet providers you're unlikely to see legit traffic from, but still provide a way for legit users to get in. China's national ISP, for example, is a massive source of malicious traffic and little to no legit; similar with certain web service providers. Our staff can help set everything up.
      David Hubbard
      CIO
      Miva
      [email protected]
      http://www.miva.com
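The first post asks how to find the IP addresses behind the fake accounts, and the reply above describes the scripted sign-up/credential-stuffing traffic and the password-reset spike that goes with it. The script below is an added example, not code from this thread, from Miva, or from David Hubbard: it reads the web server's access log, counts form submissions to the sign-up and reset pages per day, flags days that jump well above the earlier baseline (the "3 a day, then 6, then 9, then 40" ramp), ranks the source IPs, and picks out IPs that submit the form several times within a minute. It assumes Apache "combined" log format; the paths /affiliate/signup and /affiliate/reset are hypothetical stand-ins for the store's real pages, and the log lines are constructed for the example.

```python
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of Apache "combined" access-log lines (not from the thread).
# /affiliate/signup, /affiliate/reset and /affiliate/login are hypothetical paths.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Jul/2020:10:15:01 -0400] "POST /affiliate/signup HTTP/1.1" 302 0 "https://shop.example/affiliate" "Mozilla/5.0 (Windows NT 10.0) Firefox/78.0"
198.51.100.22 - - [28/Jul/2020:14:02:11 -0400] "POST /affiliate/signup HTTP/1.1" 302 0 "https://shop.example/affiliate" "Mozilla/5.0 (Macintosh) Safari/605.1"
203.0.113.10 - - [29/Jul/2020:03:00:01 -0400] "POST /affiliate/signup HTTP/1.1" 302 0 "-" "python-requests/2.24.0"
203.0.113.10 - - [29/Jul/2020:03:00:02 -0400] "POST /affiliate/signup HTTP/1.1" 302 0 "-" "python-requests/2.24.0"
203.0.113.10 - - [30/Jul/2020:03:00:01 -0400] "POST /affiliate/signup HTTP/1.1" 302 0 "-" "python-requests/2.24.0"
203.0.113.10 - - [30/Jul/2020:03:00:02 -0400] "POST /affiliate/signup HTTP/1.1" 302 0 "-" "python-requests/2.24.0"
203.0.113.10 - - [30/Jul/2020:03:00:03 -0400] "POST /affiliate/signup HTTP/1.1" 302 0 "-" "python-requests/2.24.0"
203.0.113.55 - - [30/Jul/2020:03:00:04 -0400] "POST /affiliate/signup HTTP/1.1" 302 0 "-" "python-requests/2.24.0"
203.0.113.55 - - [30/Jul/2020:03:00:05 -0400] "POST /affiliate/signup HTTP/1.1" 302 0 "-" "python-requests/2.24.0"
203.0.113.55 - - [30/Jul/2020:03:01:00 -0400] "POST /affiliate/reset HTTP/1.1" 200 812 "-" "python-requests/2.24.0"
203.0.113.55 - - [30/Jul/2020:03:01:01 -0400] "POST /affiliate/reset HTTP/1.1" 200 812 "-" "python-requests/2.24.0"
198.51.100.7 - - [30/Jul/2020:09:30:00 -0400] "GET /affiliate/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/78.0"
"""

# Apache combined format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Parse combined-format lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],  # drop any query string
            "status": int(m["status"]),
            "ua": m["ua"],
        })
    return events

def form_posts(events, path):
    """Only form submissions (POST) to the page of interest."""
    return [e for e in events if e["method"] == "POST" and e["path"] == path]

def daily_counts(events, path):
    """Submissions per calendar day, keyed by date."""
    return Counter(e["ts"].date() for e in form_posts(events, path))

def spike_days(counts, factor=3.0, min_baseline_days=2):
    """Flag days whose count exceeds `factor` x the median of all earlier days.
    Days with no submissions count as zero so gaps do not hide a ramp-up."""
    if not counts:
        return []
    first, last = min(counts), max(counts)
    series, day = [], first
    while day <= last:
        series.append((day, counts.get(day, 0)))
        day += timedelta(days=1)
    flagged = []
    for i, (day, n) in enumerate(series):
        prior = [c for _, c in series[:i]]
        if len(prior) < min_baseline_days:
            continue
        baseline = statistics.median(prior)
        if n > factor * max(baseline, 1):
            flagged.append((day, n, baseline))
    return flagged

def top_sources(events, path, limit=5):
    """Source IPs ranked by number of submissions to the page."""
    return Counter(e["ip"] for e in form_posts(events, path)).most_common(limit)

def burst_ips(events, path, window_seconds=60, threshold=3):
    """IPs that submitted the form `threshold` or more times within one window,
    a pace a person filling in a sign-up form does not reach."""
    by_ip = {}
    for e in form_posts(events, path):
        by_ip.setdefault(e["ip"], []).append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for page in ("/affiliate/signup", "/affiliate/reset"):
        counts = daily_counts(ev, page)
        print(page, dict(counts), spike_days(counts), top_sources(ev, page), burst_ips(ev, page))
```

Run it against the real access log (or the affiliate table's creation timestamps joined to the log by time) rather than the sample: the flagged IPs and the User-Agent column are what you would feed into the firewall rules or challenge policy the reply describes, and the per-day series lets you date the start of the campaign the way the first post did by hand.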
