Bots Don’t Take a Summer Vacation: Avoiding Malicious Attacks
Sleigh bells ring, are you listening? In July? While carols and snow might seem far away, spending peaks are no longer relegated to the holiday season. In fact, summer can generate significant and unexpected retail revenue.
Consider this: Online shopping grew nearly 20 percent in the last 12 months. July marked the highest year-over-year increase in recorded history, and in August there were reports of record levels of non-store sales. This year the market continues to see a surge in online purchases even as storefronts reopen. Among the drivers of this consumer activity is the slew of summer sales, when major retailers with a significant online presence — think Target and Old Navy — tend to extend Fourth of July sales, while Amazon Prime Day has many of us glued to our screens stocking up on back-to-school essentials.
Despite their anticipation of summer sales, retailers need to remember that the expected online surges come with the threat of bot attacks. In fact, up to 40 percent of traffic on an e-commerce site consists of automated bot traffic. According to Forrester, 71 percent of companies have experienced successful bot attacks, with e-commerce being the largest target. A flurry of online traffic appeals to attackers who make it their mission to hide in plain sight to carry out their malice. Unfortunately, most retailers lack the tools to identify bad vs. good traffic.
Why are bot attacks a threat to retailers? Bad bots mostly aim to steal customer information, including usernames, passwords, loyalty points, and credit card data. But they also put inventory at risk. Across individual e-commerce sites, we’ve seen as many as 1 million attempts per week. These attacks can take several forms, including:
- Credential stuffing: Attackers take stolen usernames and passwords that are available for sale on the dark web and use bots to speed up the process of accessing other accounts belonging to an individual. Once in, the attackers steal anything of value — personal information, credit card numbers, loyalty points — and make fraudulent purchases or resell the information.
- Card cracking: Bots perform the continual, automated injection of stolen credit card details, in particular three-digit security codes (CV2), until the correct combination is found. The card is then used by the attacker to carry out fraudulent activity or resold.
- Loyalty points and gift card fraud: Bots are used to decipher passwords so that either the points or cards are used to fraudulently obtain items, or the cards are sold online for a fraction of their value.
- Product scalping and inventory abuse: When retailers offer limited-edition items or items in high demand, bots quickly purchase the entire stock or hold it in a cart to make it unavailable. If bought, criminals resell the items for a higher price elsewhere.
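As an added example (not from the article or from Netacea), the sketch below shows how the first two patterns can surface in a retailer's own login and payment logs: one source trying many usernames with mostly failures, and one card collecting repeated security-code declines. The event fields, thresholds, and sample data are constructed assumptions; only the gateway's decline reason is recorded, never the security code itself.

```python
from collections import defaultdict

def sample_events():
    """Constructed events for illustration only; field names are assumptions."""
    ev = []
    # One source walks through 30 different usernames; a single guess succeeds.
    for i in range(30):
        ev.append({"kind": "login", "ip": "198.51.100.7", "user": f"user{i}", "ok": i == 17})
    # An ordinary customer mistypes a password twice, then pays with one CVV typo.
    for ok in (False, False, True):
        ev.append({"kind": "login", "ip": "203.0.113.5", "user": "carol", "ok": ok})
    ev.append({"kind": "payment", "ip": "203.0.113.5", "card": "tok_B", "decline": "cvv_mismatch"})
    ev.append({"kind": "payment", "ip": "203.0.113.5", "card": "tok_B", "decline": None})
    # One card token collects 12 security-code declines from rotating sources.
    for i in range(12):
        ev.append({"kind": "payment", "ip": f"192.0.2.{i}", "card": "tok_A", "decline": "cvv_mismatch"})
    return ev

def credential_stuffing_sources(events, min_users=10, min_fail_ratio=0.8):
    """Sources that try many distinct usernames and fail most of the time."""
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        if e["kind"] == "login":
            users[e["ip"]].add(e["user"])
            total[e["ip"]] += 1
            fails[e["ip"]] += not e["ok"]
    return sorted(ip for ip in total
                  if len(users[ip]) >= min_users and fails[ip] / total[ip] >= min_fail_ratio)

def accounts_to_review(events, flagged_ips):
    """Accounts a flagged source logged in to successfully: candidates for a forced reset."""
    return sorted({e["user"] for e in events
                   if e["kind"] == "login" and e["ok"] and e["ip"] in flagged_ips})

def card_cracking_tokens(events, min_mismatches=5):
    """Card tokens with repeated security-code declines, counted per card rather
    than per source because the guesses may arrive from many addresses."""
    mismatches = defaultdict(int)
    for e in events:
        if e["kind"] == "payment" and e["decline"] == "cvv_mismatch":
            mismatches[e["card"]] += 1
    return sorted(card for card, n in mismatches.items() if n >= min_mismatches)

if __name__ == "__main__":
    events = sample_events()
    flagged = credential_stuffing_sources(events)
    print("stuffing sources:", flagged)
    print("accounts to review:", accounts_to_review(events, flagged))
    print("cracked-card candidates:", card_cracking_tokens(events))
```

In production these counts would be computed over a sliding time window, and the thresholds tuned against the site's normal rate of mistyped passwords and declined cards.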
All of these tactics put sites at risk and leave customers frustrated. To help consumers protect themselves, retailers can encourage them to take the following five actions:
- Use a credit card or payment service instead of a debit card. Credit cards offer more consumer protections. Payment services, like PayPal, also protect consumers since scammers can’t directly access bank details.
- Use strong and unique passwords. A secure password is created using a combination of upper and lower case letters, numbers and special characters, and it is not shared across multiple accounts.
- Ensure a website is secure. Consumers should look to see if a web address begins with “https” instead of “http” before entering any information online. They also should know that a padlock in the address bar means a security certificate is in place.
- Avoid public Wi-Fi. Public connections are often unsecured and readily accessed by fraudsters. Any information entered online in this environment, including payment details, is at risk of being stolen.
- Update software and virus protection. Encourage consumers to keep software and browsers up-to-date to safeguard against malware and threats.
Of course, the onus isn’t just on the consumer. Retailers need to be more diligent and aware of threats as well. Attacks can put sales and loyalty at risk, delay payments, and even shut down real transactions when large volumes of transactions are suspected as fraudulent. Bots also distort the integrity of a site by manipulating traffic and twisting analytics to create a false narrative about performance.
So What Can a Retailer Do?
One step is to recognize threats. If you're orchestrating a big holiday sale or have stock of a popular product, expect bot traffic. One red flag is high traffic patterns but a lack of sales during a promotion. And if an item sells out within minutes even though you have precautions to control inventory, you’ve probably been targeted.
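The first red flag above, high traffic without matching sales during a promotion, can be checked against hourly site metrics. The following is an added example, not code from the article or from Netacea; the hourly figures are constructed and the two thresholds are assumptions to tune per site.

```python
from statistics import median

# Constructed hourly metrics: (hour, sessions, orders, promotion_running)
HOURLY = [
    ("09:00", 1000, 30, False),
    ("10:00", 1100, 33, False),
    ("11:00",  900, 27, False),
    ("12:00", 1200, 36, False),
    ("13:00", 2400, 96, True),   # promotion starts: traffic and sales rise together
    ("14:00", 6000, 40, True),   # traffic surges, sales do not follow
    ("15:00", 5500, 33, True),
    ("16:00", 2000, 70, True),
]

def suspicious_promo_hours(rows, traffic_mult=2.0, conv_frac=0.5):
    """Flag promotion hours where sessions are at least `traffic_mult` times the
    pre-promotion median while conversion is at most `conv_frac` of the
    pre-promotion conversion rate. Returns (hour, conversion, excess_sessions)."""
    base = [(s, o) for _, s, o, promo in rows if not promo]
    base_sessions = median(s for s, _ in base)
    base_conv = sum(o for _, o in base) / sum(s for s, _ in base)
    flagged = []
    for hour, sessions, orders, promo in rows:
        if not promo or sessions == 0:
            continue
        conv = orders / sessions
        if sessions >= traffic_mult * base_sessions and conv <= conv_frac * base_conv:
            # Sessions beyond what the observed orders would explain at the
            # baseline conversion rate: a rough size for the automated share.
            excess = sessions - round(orders / base_conv)
            flagged.append((hour, round(conv, 4), excess))
    return flagged

if __name__ == "__main__":
    for hour, conv, excess in suspicious_promo_hours(HOURLY):
        print(f"{hour}: conversion {conv:.2%}, about {excess} unexplained sessions")
```

The 13:00 hour is not flagged even though traffic more than doubles, because orders rise with it; only the hours where traffic and sales diverge are reported.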
Another critical step is to devise a formal bot management strategy. Most e-commerce organizations don’t have clear ownership of bot management despite evidence that a coordinated effort to manage good bots and combat bad ones will help you rapidly mitigate threats without impacting customer privacy or the customer journey.
Now that the summer online shopping season is in full swing, retailers must prioritize bot management. With proper defenses in place, you can thwart threats, protect customers and your brand reputation, improve decision making with accurate website metrics, and increase profitability by focusing on what you do best: selling.
Online retail doesn’t have to be dangerous. Without bot awareness, however, you risk a cruel summer shopping experience — for your customers and for your own business.
Thomas Platt is the head of e-commerce at Netacea. Platt works with leading retailers to identify, understand and manage sophisticated and targeted bot attacks. His team drives industry research, thought leadership, and knowledge sharing alongside the product and threat research teams to keep customers and the wider community ahead of emerging bot threats.