Some anti-virus/security software includes a feature that pre-scans links in every Web page the user visits, looking for potential threats before they can click on anything -- this feature is sometimes called a "link scanner" or "active browsing protection" or similar marketing-speak -- and some of these may have changed their methods recently in such a way that they can now pre-scan our download links when they couldn't before.
Every single "hit" on a download link counts as an Attempt, regardless of whether the user clicks the link themselves or some function on their computer accesses the link automatically. We've configured the way our download links work to try and minimize these automated hits, so excessive Attempts aren't used up before the buyer even gets to try their link personally, but it seems probable that some security software vendors have figured out a way to scan the download method we use, so that's been boosting logged Attempts and may be expiring links prematurely.
At this point, we can only recommend modifying your expiration settings to allow more Attempts. Maybe allow one more Attempt and see how that goes, then one more if necessary, until your Attempts setting is sufficiently high to avoid excessive customer service issues.