The holidays ring in good cheer for e-commerce retailers, with Black Friday and Cyber Monday often delivering the pot of gold at the end of a lean year. Yet the concentration of e-commerce revenue during the holiday season can create a significant risk: If something goes wrong to inhibit revenue during these weeks, there is little time to recover. As businesses perform risk management for the holiday season, there is one potential threat that can be well understood, quantified, and mitigated: the risk of bots.
Bots are software programs or scripts that perform automated, repetitive tasks. Bots are omnipresent on the web; it is estimated that up to 50% of internet traffic is from non-human visitors. While some bots are helpful to businesses, such as search crawlers, malicious bots cause significant financial pain to e-commerce businesses by slowing web and app performance, snapping up goods, hoarding inventory, and carrying out account takeovers via credential stuffing, which leads to fraud and identity theft.
According to the 2022 Holiday Season Cyber Threat Trends report released by the Retail and Hospitality Information Sharing and Analysis Center (ISAC), “the holiday season is the most intense time of year for consumers and cybersecurity professionals facing persistent threats. From the beginning of October through the end of December, cyber threats to organizations expand in both scale and intensity to match the rise in consumer traffic.”
That’s because criminals who utilize bots follow the money, and during the holiday season, that unfortunately may include targeting your e-commerce site. (Read the article “How Bot and Fraud Mitigation Can Work Together to Reduce Risk” by Joshua Goldfarb to learn about a three-pronged approach to more effectively monitor online applications for security and fraud issues.)
Bot attacks can take on multiple forms and damage your sales, operations, and customer relationships in different ways. Anticipating how bots can compromise your apps with sophisticated automated attacks—and understanding how you can mitigate these exploits—can help your business achieve its holiday revenue projections. The following bot attack types in particular are primed to ruin the shopping season.
Content scraping involves the use of automated bots to collect large amounts of content from target apps to analyze, reuse, or sell elsewhere. While content harvesting has legitimate uses (for instance, online travel aggregators scrape airline websites to gather airfare information), scraping can also be used for illegal purposes, including price manipulation by competitors and the theft of copyrighted content. In addition, high volumes of scraping can impact site performance and cause outages, preventing legitimate users from accessing a site.
The impact of scraping can be particularly damaging during periods of high shopping activity, when your e-commerce site is already busy with prospective customers. Competitors may be extra motivated to gather up-to-date pricing data from your site to make their own rapid price adjustments, and the extra traffic can bring down or slow your site, making it unresponsive to your shoppers. In online shopping, performance counts, because competitors are just a click away.
Holiday inventory is hard to manage at the best of times, but retailers will face particularly difficult trials during today’s supply chain crisis. Inventory hoarding bots can add to the logistical challenge by placing large numbers of products on hold, thereby removing them from your inventory and preventing actual customers from making a purchase. Sustained inventory hoarding, and other forms of bot manipulation, can frustrate shoppers and threaten customer loyalty and brand reputation, to say nothing of impacting revenue, as consumers can easily make their purchase elsewhere.
Retailers who run limited-time offers face the risk of reseller bots, which can complete the online buying and checkout process instantaneously to purchase goods in bulk the moment they go on sale. These items are then resold on secondary markets at a significant mark-up.
Both hoarding and purchasing bots allow criminals to control valuable inventory and price levels, leading to artificial scarcity, denial of inventory, and consumer frustration.
Credential stuffing is another bot-driven exploit that can interfere with holiday shopping and revenue. Exploiting the fact that many users reuse passwords across apps, attackers test large numbers of compromised credentials against login pages to take over accounts and commit fraud. The holidays present an excellent opportunity for criminals to stage these exploits: Attackers take advantage of heavy cybersecurity team workloads, knowing it will take longer for organizations to detect the fraud. (To learn more about credential attacks, read the blog “How Online Accounts Get Taken Over by Cybercriminals” by Frank Kyei-Manu.)
Even when bots fail to take over accounts, they frequently cause account lockouts by trying incorrect passwords multiple times, which forces customers to go through a forgotten password process or call customer service. When a shopper has their cart full of holiday gifts, it’s a bad moment to tell them that their account is locked out.
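As an added example (not part of the original article), the sketch below works through the two paragraphs above from the defender's side: it flags a login source that fails against many different accounts, shows which customers a plain per-account failure counter would lock out, and lists accounts that need review because the flagged source logged in successfully. The thresholds, the log layout and the sample events are constructed assumptions, and keying on source IP is a simplification of what a production bot defense would use.

```python
from collections import defaultdict

LOCKOUT_FAILS = 3      # assumed per-account lockout policy (failed attempts)
MIN_ACCOUNTS = 4       # assumed: distinct accounts failed from one source
MIN_FAIL_RATIO = 0.8   # assumed: share of that source's attempts that fail

def build_events():
    """Constructed sample login log: (source_ip, username, success)."""
    bot = "203.0.113.7"  # documentation-range address standing in for the bot
    ev = [(bot, u, False) for u in ("alice", "bob", "dave") for _ in range(3)]
    ev += [(bot, "carol", False), (bot, "carol", False), (bot, "carol", True)]
    ev += [(bot, "erin", False)]
    # Real shoppers: a typo or two, then a successful login.
    ev += [("198.51.100.20", "alice", False), ("198.51.100.20", "alice", True)]
    ev += [("198.51.100.21", "frank", False), ("198.51.100.21", "frank", False),
           ("198.51.100.21", "frank", True)]
    return ev

def stuffing_sources(events):
    """Sources that fail against many distinct accounts at a high failure ratio."""
    failed_users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for src, user, ok in events:
        total[src] += 1
        if not ok:
            fails[src] += 1
            failed_users[src].add(user)
    return {s for s in total
            if len(failed_users[s]) >= MIN_ACCOUNTS
            and fails[s] / total[s] >= MIN_FAIL_RATIO}

def locked_accounts(events, ignore_sources=frozenset()):
    """Accounts a per-account failure counter locks (no reset on success, for brevity)."""
    fails = defaultdict(int)
    for src, user, ok in events:
        if not ok and src not in ignore_sources:
            fails[user] += 1
    return {u for u, n in fails.items() if n >= LOCKOUT_FAILS}

def suspected_takeovers(events, sources):
    """Accounts where a flagged source eventually logged in successfully."""
    return {user for src, user, ok in events if ok and src in sources}

if __name__ == "__main__":
    events = build_events()
    bad = stuffing_sources(events)
    print("flagged sources:", bad)
    print("locked by per-account counter:", locked_accounts(events))
    print("locked if flagged sources are throttled instead:", locked_accounts(events, bad))
    print("accounts to review:", suspected_takeovers(events, bad))
```

In the sample, the per-account counter locks three customers who did nothing wrong, while discounting failures from the flagged source locks none and still surfaces the one account that needs a forced password reset.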
While it’s critical to mitigate bots to achieve your holiday revenue objectives, there are right and wrong ways of fighting bots. Some conventional anti-bot defenses, which add friction and annoying challenges to the purchasing process, can be just as disruptive to shoppers as the exploits they seek to prevent. When shoppers are ready to buy, do you really want to torment them with irritating CAPTCHA puzzles or force them to sign up for multi-factor authentication? With competitors just a click away, any obstacle can impact conversion rates. To learn more about CAPTCHA Defeat and how F5 Distributed Cloud Bot Defense helps protect your applications without puzzle solving, read the article “OWASP Automated Threats – CAPTCHA (OAT-009)” by Kyle Roberts.
As you think about bots and the holidays, keep in mind that malicious bots take a toll on already busy security and customer support teams. Customer support teams deal with irate customers who have been locked out of their accounts. InfoSec teams work long hours throughout the season trying to block bots before they can harm your revenue and damage your customers' experience. Successful bot mitigation can bring a measure of relief to employees on the frontlines, allowing them to enjoy the holidays with their families.
To learn more about how bots can impact your business, use F5’s free bot business impact assessment calculator to show the tangible effects of bots.