From Bots to Boardroom: How Bad Bots Negatively Impact Your Balance Sheet

Automated bot attacks can also contribute directly to financial losses and lost economic opportunities by:

• Losing customer trust after account takeover. Customers are justifiably unhappy if an organization’s inadequate bot defenses result in account takeover (ATO) and costly fraudulent activity, leading to declines in customer satisfaction, damaged reputation, and termination of relationships. Over a quarter of U.S. consumers surveyed say they would switch banks if they were dissatisfied with how the bank responds to their fraud case. 
   
• Increasing losses due to fraud and chargebacks. Bot-driven ATO attacks and fraudulent account creation impact the bottom line when criminals use stolen credentials to make purchases or set up fake accounts. Chargebacks harm the merchant’s reputation with credit card processors and lead to chargeback penalties.
   
• Increasing labor costs. Bot attacks like credential stuffing, which lead to ATO, require investigation by fraud analysts, taking time away from their more critical, in-depth investigations. Even when credential stuffing bots fail to take over an account, they often lock out accounts by trying many passwords in quick succession, forcing customers to call support, adding to support costs with each call.
   
• Distorting investor valuations. When a publicly traded company’s valuation is dependent on the number of followers, users, or engagements, the presence of non-human bot accounts can dramatically skew accurate assessments. For example, recent attempts to reach an accurate valuation for Twitter, based on the number of accounts operated by humans versus bots, dominated the news in 2022. 
   
• Mistaking bots for humans, and vice versa, with unreliable bot mitigation solutions.  Poor bot mitigation efforts will produce these errors, but they must be limited and prevented. False positives (when a bot management tool accuses a real human of being a bot) and false negatives (when the tool marks a bot as human) both impact both top and bottom lines. One will cause you to lose customers and the other will cause you economic losses due to fraud. In fact, a false positive that prevents a strategic customer from making a money transfer may be more damaging to a bank than a false negative that results in fraud or chargebacks. Both situations will also require the time and labor of a fraud analyst to investigate.
   
• Failing to protect consumer data. Legislation and standards such as the General Data Protection Regulation (GDPR) in the EU, the California Consumer Protection Act (CCPA), and the Payment Card Industry Data Security Standard (PCI-DSS) are designed to ensure consumer data privacy and impose large monetary penalties in the event of data breaches. These include ATO and content scraping attacks that expose private data to bots. Data breaches that result from failure to comply with these regulations can be very costly: under the GDPR, the EU's data protection authorities can impose fines of up to up to €20 million or 4% of worldwide turnover for the preceding financial year. 

Bot attacks don’t just impact revenue. They also make businesses more expensive to operate by:

• Impeding application performance and uptime, with potential for increased infrastructure costs. Bot scraping attacks, because of their volume, can compromise app and platform performance and, if left unchecked, can require over-investment in infrastructure capacity and incur extra cloud usage charges to maintain required performance levels.
   
• Reducing app availability and business resiliency. Web applications that are overwhelmed with bot activity aren’t available for real-time customer inquiries and e-commerce activity, causing loss of revenue, reputational damage, customer churn, and disrupted user experiences.
   
• Damaging relationships with third-party ecosystem partners. Platforms and apps that are overburdened with unwanted bot traffic can lead partners within the API economy to miss SLAs, breaching contract commitments.
   
• Skewing business decisions. Bot activity can distort otherwise valuable website statistics, log data, and customer interaction metrics that businesses rely on to guide business decisions, such as pricing and paid and organic SEO optimization.
   
• Manipulating inventory management. Automated bots can purchase online goods or services in bulk the moment they go on sale, enabling criminals to gain mass control of valuable inventory, which is usually resold on secondary markets at a significant mark-up, leading to artificial scarcity, denial of inventory, and consumer frustration.
   
• Increasing customer support cost. Automated bots can increase pressure on customer support teams when attacks succeed, generating more calls and communications to deal with account takeovers, gift card or loyalty point fraud, and other customer complaints about compromised accounts. Using CAPTCHA tools and multi-factor authentication (MFA) to protect against fraud can also have the unintended consequence of increasing user friction and customer support calls, as these processes can be challenging to complete correctly and can lead to account lockout for legitimate customers. This may increase operational costs in customer support centers, lost customers, and damage to brand reputation through Net Promoter Scores (NPS) and bad reviews and ratings on social media platforms.
   
• Rising cost of person-hours spent mitigating bot attacks. Confronting malicious bot attacks through web application firewalls (WAFs) and manually blocking IP addresses is time-intensive and requires an escalating number of trained staff to execute. Basic WAFs don’t learn in real-time; they rely on pre-set rules to detect bad bots, and to keep WAFs up to date typically requires incrementally patching and rule-setting. The only way to scale defenses using these manual processes is to increase the number of dedicated IT and security staff.

Qualitative impacts may be more difficult to measure than quantitative metrics, but this does not mean they are less important to organizations. Automated bot attacks can also contribute directly to these subjective value drivers through:

• Impacting the employee experience. Infosec expertise is in short supply, and many organizations are grappling with cybersecurity workforce shortages even as automated bot attacks are growing in number and sophistication. Despite their best efforts, many SOC and fraud teams are unable to keep up with the ability of cybercriminals to immediately pivot and retool bot attacks multiple times a week. Without smarter and more technically refined bot defense solutions, it’s challenging to keep talented security professionals on staff, especially when they feel burned out and overwhelmed. 

Explaining how bot attacks can impact operations and metrics as they relate to specific roles and functions in an organization is an important way of presenting the value of successful bot management.

The CISO cares about information security, cost control, and ensuring that IT enables the business mission; bots impact each of these concerns.

Bots compromise each aspect of the information security triad of confidentiality, integrity, and availability. A credential stuffing bot that takes over an account exposes data that should be kept confidential. Likewise, these bots enable attackers to alter data and perform transactions, violating integrity. Scraping bots skew data as do fake account creation bots, all violating the integrity of key business metrics. Finally, scraping and scalping bots can put such an increased load on a site’s infrastructure as to make it unavailable.

Bots impact costs in many ways:

• Credential stuffing bots raise support costs due to account lockouts and raise financial liability as criminals empty account balances.
   
• Carding bots raise chargeback fees and may trigger fines.
   
• Scraping and scalping bots increase traffic load and infrastructure costs.
   
• Fighting bots with ineffective tools like a WAF incur high SecOps costs.

Bots also concern CISOs in that they stand in the way of IT enabling the business. Ineffective bot management, such as CAPTCHA and excessive reliance on multi-factor authentication, create friction that harms the customer experience and reduces revenue. Bots skew business metrics to such an extent that it becomes difficult to evaluate the business strategy. How do you implement a business strategy when you do not even know whom you are interacting with?

The SecOps team is charged with efficiently managing cybersecurity risks to the business, and bots stand in the way of that mission. Like the CISO, SecOps will be concerned with confidentiality, integrity, and availability, which are all impacted by bots. In addition to these shared concerns, when it comes to efficiently addressing security risks, bots pose the challenge of creating a lot of noise that drowns out the signal, hiding threats in a sea of malicious traffic.

When bots account for most of the traffic to a site, it is more difficult to analyze logs for signs of vulnerability scanning and injection attacks. And security tools such as SIEMs and intrusion detection and prevention systems will be overwhelmed, increasing costs and causing far too many false positives to investigate. When too little is normal, tracking down the anomalies becomes impractical.

Successful bot management removes the noise and enables SecOps to focus effectively on remaining threats.

Like SecOps, bots impact fraud operations teams by dramatically increasing the noise. With so many bots taking over accounts, locking out accounts, creating fake accounts, and triggering anomaly alerts, the workload becomes impractical.

When fraud and security teams work together to manage bots, each team wins. Security teams can focus on a much smaller set of security incidents, and the level of fraud is reduced so fraud teams can focus on more complex fraud cases that require their expert judgment to resolve, reducing the caseload and improving success metrics. From the fraud perspective, bots are a prelude, a means by which fraudsters gain access, and stopping bots upstream reduces downstream workload.

NetOps teams are responsible for running the infrastructure that serves the business, maintaining uptime and performance while controlling costs.

In some cases, scraping bots on e-commerce apps account for over 90% of traffic, meaning that most of the infrastructure is serving bots, wasting the bulk of the budget for infrastructure, a metric that can be made very clear in a cloud services bill.

These bots have no concern for a site’s performance or uptime and can ramp up traffic at any time without warning, causing unpredictability and higher costs to ensure the necessary scalability.

In a DevOps culture, DevSecOps takes responsibility for incorporating security into the continuous integration/continuous development (CI/CD) pipeline, ensuring rapid feedback to developers on security bugs, and continuously improving the integration of security into the technology value stream.

DevSecOps moves security to the left, making sure any gaps are planned for earlier in the workstream. Bots are relevant here because new features need to be evaluated for how bots might exploit the feature, what harm could be caused, and what measures should be taken upon deployment to prevent the harm.

DevSecOps teams are particularly concerned with telemetry. According to the DevOps Handbook¹, telemetry is essential for predicting, diagnosing, and resolving problems in complex systems. For DevOps to succeed, telemetry should cover multiple layers including business metrics, feature usage, network performance, and infrastructure load so that a problem in one layer can be traced across the stack for the rapid identification of root causes.

Bots distort telemetry in a big way. Many customers of F5 Distributed Cloud Bot Defense discovered that most of their user accounts were fake and that bots accounted for over 95% of login traffic. In some cases, the bulk of an organization's infrastructure did nothing more than serve scraping bots. DevSecOps needs to remove this distortion from the telemetry if they are to serve their security mission.

It all comes down to who owns the numbers. Is the VP of e-commerce responsible for the cost of fraud, infrastructure, and chargebacks? Are those charges cutting deep into the profits of the online business? Are conversion rates and revenue impacted by security friction such as CAPTCHA? If yes, then, this VP will care very much about how bot management can improve both top-line revenue and bottom-line profits.

The same applies to the leaders of any product or service lines sold online through web or mobile apps. Seeking to maximize profit necessarily involves addressing the largest source of traffic to your apps.

Marketers have their own set of reasons for caring about bots. Bots that slow the site, take down the site, and take over customer accounts all tarnish the brand. Bots skew website analytics that marketers depend upon for decision making. And click fraud, driven by bots, drains advertising budgets without producing any revenue.