The battle between humans and bots is heating up, with Black Friday and Cyber Monday standing as prime targets. Some “Black Friday” holiday shopping events have already begun. Based on Kasada’s 2023 findings, the trends observed last year offer valuable insights and preparation strategies for 2024.
With threat actors more sophisticated than ever, retailers must anticipate bot-driven attacks to ensure a smooth shopping experience for customers, protect their bottom line, and maintain clean data. Without accurate bot-free metrics, it’s difficult to measure true holiday sales performance or make data-driven decisions that drive business growth.
Key Predictions for Holiday 2024
1. Bots Will Start Early Again – Expect High Bot Activity
Just like last year, bots ramp up their activity well before Black Friday. Bad bot traffic has risen 22% in the past 30 days and scraping is up 35% from September to October.
2024 Prediction: Retailers should be ready for a surge in bot traffic. From tracking product availability to performing automated login attempts, these bots lay the groundwork for peak shopping days.
Proactive Strategies:
- Bot Detection: Implement year-round bot detection, especially on high-demand items, to prevent scalpers from securing inventory before general customers.
- Inventory Monitoring: Track automated requests on high-interest product pages to detect early signs of bot-driven scalping.
2. Black Friday Will See Peak Human Traffic; Cyber Monday to be a Bot-Favored Day
In 2023, Black Friday saw 12% more human traffic than Cyber Monday, while bots favored Cyber Monday for automated login and scalping attacks. Last year, bot traffic surged by 110% on Black Friday compared to the previous week, with Cyber Monday seeing a 3x surge in scalping activity.
2024 Prediction: Expect Black Friday to be the most popular shopping day for humans, while Cyber Monday will likely be targeted by bots attempting to hijack accounts, engage in scalping, and exploit limited-time deals.
Proactive Strategies:
- Advanced Bot Protection: Use behavior-based bot detection, as advanced bots now utilize stealth tactics to bypass traditional CAPTCHA.
- Step-Up Authentication on Cyber Monday: Implement step-up multifactor authentication (MFA) for high-value accounts and logins originating from high-risk IPs to block unauthorized access attempts.
3. Wednesday Before Thanksgiving – The Surprise Favorite for Bots
During last season, bots launched a significant volume of requests on the Wednesday before Thanksgiving, with scalping and login fraud peaking on this day. As exclusive early deals and member-only discounts have become popular, bots were found exploiting these offers ahead of time.
2024 Prediction: Wednesday, November 27, may again see peak bot activity as bots attempt to scoop up deals meant for loyalty members or early access shoppers.
Proactive Strategies:
- Layered Security on Member Deals: Restrict member-exclusive deals to verified accounts and implement CAPTCHA or other verification measures on the login page for early access offers.
- Monitor Scalping Patterns: Track bot-driven scalping activity on high-demand product pages to identify early indicators of planned bot attacks.
4. Cyber Monday: Surge in Automated Login Attempts, Account Takeover (ATO) Fraud, and Grinch Bots
Cyber Monday last year saw a 3x increase in automated login attempts as adversaries attempted account takeover (ATO) attacks on customer accounts. These bots aimed to exploit saved payment details and loyalty rewards to make fraudulent purchases.
Grinch Bots, or bots designed to grab limited-stock items and exclusive offers before human customers, will likely be at their peak on Cyber Monday. Last year, scalping requests spiked by 3x, with bots focused on making purchases before human customers could react.
2024 Prediction: Cyber Monday is expected to be the focal point for ATO attacks, with bots targeting accounts to access saved payment methods or loyalty points. Scalping bots will once again be highly active on Cyber Monday, targeting popular sale items and creating a 3x surge in activity similar to last year’s.
Proactive Strategies:
- Fraud Prevention: Use predictive fraud detection, like KasadaIQ, to monitor login patterns and identify high-risk behaviors in real-time.
- Rate Limiting on Checkout: Introduce rate limiting on checkout processes to prevent scalpers from bulk purchasing limited items.
- Scalping Detection: Deploy monitoring tools to identify scalping patterns, such as repeated purchase attempts or cart manipulations.
5. Bots Will Employ Advanced Tools to Bypass Defenses
With 51% of holiday bots in 2023 classified as highly sophisticated, adversaries are employing tools like Puppeteer Stealth, Playwright, and Solver Services to evade detection. Such advanced bots can mimic human behaviors, bypassing CAPTCHA and other bot management defenses.
In the past month, bots of moderate sophistication have surged by 36%, and bot velocity has jumped by 18.2%, signaling an escalation in advanced adversarial activity as the holiday season has started.
2024 Prediction: Expect adversaries to deploy highly sophisticated bots, with scalpers and fraudsters using tailored tools to bypass detection mechanisms, particularly on Black Friday and Cyber Monday.
Proactive Strategies:
- Monitor Traffic: Identify unusual patterns in login attempts, purchase requests, and checkout behaviors.
- Custom Bot Defense Strategies: Tailor bot defense strategies to specific threat types (e.g., scalping, account takeover) by tracking their unique behaviors and leveraging stealth-resistant tools.
Adversaries Are Adapting – Stay a Step Ahead
The sophistication of holiday bots continues to grow. Beyond simple scripts, bots are now equipped with stealth mechanisms, flexible automation, and configurations with capabilities that enable them to blend in as legitimate shoppers.
Proactive Strategies:
- Bot Defense in Layers: Employ a layered defense approach, combining bot detection, CAPTCHA, MFA, and real-time threat intelligence to identify and mitigate bot attacks effectively.
- Cross-Functional Collaboration: Security teams should collaborate with fraud and customer experience on defense strategies to share data insights, adjust defenses, and identify threats across platforms.
Preparing for Bot Traffic This Holiday Season
Security and fraud teams in retail and hospitality need to stay vigilant leading up to Black Friday and Cyber Monday. Bots can disrupt website performance, steal products, skew analytics, and compromise customer trust. Staying ahead with proactive defenses, bot detection, and fraud monitoring is essential to minimizing bot traffic’s financial and reputational impact.
As we approach the holiday season, let’s keep one thing clear: while adversaries adapt, so can we. With the right strategies in place, security teams can ensure a safe and enjoyable shopping experience for customers while keeping bots at bay.
But bots don’t stop after the holiday rush, and neither should your defenses.
Kasada provides year-round bot protection that’s quick to deploy, easy to configure, requires no ongoing management, and evolves to protect even the most sophisticated attacks. For more insights on protecting your business from bot-driven threats, visit Kasada’s blog or explore our security offerings.
