The Holiday Shopping Bot Survival Guide

The holiday shopping season is upon us; Black Friday and Cyber Monday have passed, and retailers across the country are in the thick of their busiest season of the year. While people are used to jostling with their fellow customers at the checkout counters of brick-and-mortar stores, this year’s pandemic-related restrictions mean more consumers than ever will be rubbing virtual shoulders with a different kind of competition — online bots. According to the 2020 Identity Fraud Report, released by Javelin Strategy & Research, between 60% and 70% of traffic to checkout pages is made up of malicious bots.

Bots are extremely prevalent in online retail settings. U.S. shoppers spent a record $34.36 billion on retail websites over the five-day period from Thanksgiving to Cyber Monday 2020, up from $28.49 billion for the same period last year. During this same period, safeguarding some of the largest and most reputable websites and mobile applications, PerimeterX detected 8.1 billion bot requests.

What are bots and how do they work?

A bot, short for web robot, is a software application programmed to execute automated tasks over the internet. In a retail environment, some bots are helpful, good bots, such as search engine bots that use machine learning to index content, or customer service bots that help users with questions. Others, however, are sinister bad bots, such as those behind automated attacks on websites and web applications. These attacks include account takeover (ATO), carding and web scraping that can result in data breaches, identity theft, lost customer conversions and other undesirable outcomes for digital businesses and web users.

There are many varieties of malicious bots. For example, those that buy up e-commerce products online are called denial of inventory and scalping bots.

In denial of inventory attacks, bad actors use malicious hoarder bots to add an item thousands of times to a shopping cart over the course of a few days until the item’s inventory is depleted. By hoarding a high-demand product (such as a game console, toy or sneaker), bots keep it out of stock, annoying customers, taxing a retailer’s infrastructure and reducing conversions and revenue.

In scalping attacks, cybercriminals unleash automated scalping bots to buy sought-after products, such as limited editions of sneakers, popular concert tickets, designer clothing or hot toys. They set up fake accounts that browse product pages and execute checkouts to increase their chances of success. Then, after they’ve snapped up a retailer’s best inventory, they sell it at inflated prices on third-party sites or the black market.

Sneaker bots are a “flavor” of denial of inventory and scalping bots. Serious sneakerheads and sneaker resellers use bots to buy out many low-supply, high-demand sneakers for subsequent high-margin resale. Grinch bots are also a flavor of denial of service and scalping bots that target their attacks over the holiday e-commerce season. Sophisticated toy shoppers and resellers use these bots to gain an unfair advantage and buy up limited edition, high-demand items, with popular game consoles being the latest prize.

Bots harm regular online shoppers by preventing them from buying coveted products or jacking up the prices on secondary sites. They also hurt the retail brands that want to ensure fairness and a good online customer experience for their customers, and dislike seeing their offerings going for such high prices on secondary markets. Bots can also impact an e-commerce business’s infrastructure and can crash websites.

How can retailers and consumers fight back?

A variety of tools are effective at battling bots. Most solutions involve the monitoring of basic environmental information of website users, such as IP addresses and service provider information, and the volume of traffic coming from these sources in order to detect sophisticated bots that mimic human behavior.
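An added example, not code from the original article or from any vendor it mentions: a minimal volume check over constructed cart events, showing why add-to-cart traffic is aggregated by service provider as well as by IP address when looking for inventory hoarding. The event fields, provider labels and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample cart events: (ip, provider, action, sku).
# Field layout, provider labels and thresholds are assumptions for this example.
def build_sample_events():
    events = []
    # A hoarder spread over several IPs of one hosting provider: many adds, no checkout.
    for i in range(40):
        events.append((f"203.0.113.{i % 8}", "hosting-provider-a", "add_to_cart", "console-01"))
    # Ordinary shoppers on a residential ISP: one add each, some followed by checkout.
    for i in range(6):
        ip = f"198.51.100.{i}"
        events.append((ip, "residential-isp-b", "add_to_cart", "console-01"))
        if i % 2 == 0:
            events.append((ip, "residential-isp-b", "checkout", "console-01"))
    return events


def score_sources(events, key_index):
    """Aggregate adds and checkouts per (source, sku), where source is the
    IP (key_index=0) or the service provider (key_index=1)."""
    stats = defaultdict(lambda: {"adds": 0, "checkouts": 0})
    for ev in events:
        bucket = stats[(ev[key_index], ev[3])]
        if ev[2] == "add_to_cart":
            bucket["adds"] += 1
        elif ev[2] == "checkout":
            bucket["checkouts"] += 1
    return stats


def flag_hoarding(events, key_index, min_adds=20, max_checkout_ratio=0.05):
    """Return (source, sku, adds, checkouts) for high add volume with almost no checkouts."""
    flagged = []
    for (source, sku), s in score_sources(events, key_index).items():
        ratio = s["checkouts"] / s["adds"] if s["adds"] else 1.0
        if s["adds"] >= min_adds and ratio <= max_checkout_ratio:
            flagged.append((source, sku, s["adds"], s["checkouts"]))
    return sorted(flagged)


if __name__ == "__main__":
    events = build_sample_events()
    print("per IP:      ", flag_hoarding(events, key_index=0))
    print("per provider:", flag_hoarding(events, key_index=1))
```

Each hoarding IP stays under the per-IP threshold, so only the per-provider aggregation surfaces the pattern.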

Solutions that use machine learning to recognize the behavioral patterns of bots based on a vast collection of data points can identify the different ways bots interact with a website. Along with environmental data, traffic volume and device fingerprints, these solutions are able to provide highly effective bot mitigation. If the e-commerce industry embraces these solutions, frustrated shoppers losing out to bots will be a thing of the past, and e-tailers will be able to prioritize real consumers who become living, breathing evangelists for their brands.

For consumers, there are some basic steps they can take to keep bots from disrupting their shopping experience. These include keeping computers and mobile devices up to date with patches, creating complex passwords or using a password manager, selecting multi-factor authentication when it is offered, monitoring credit card statements and, overall, shopping safely, only on the sites of known and trusted brands. Consumers can also continue to influence their retailers to adopt best practices when it comes to protecting their retail sites and deploying state-of-the-art bot management solutions. Be vocal about fraudulent charges. If you complain to merchants, they are more likely to see patterns in their user activity and take better care of your data.

Consumers nevertheless need to accept that bots are, and will likely remain, a constant in online shopping as long as there is a financial motivation for them to remain as ubiquitous as they have become. The real onus needs to be on online retailers to take responsibility for their customer-facing online ecosystems, and to keep their customers safe. Failure to do so will inevitably affect their brand reputation, customer loyalty and ultimately their bottom line.

