Website down? Bad bots may have caused it. Online shopping carts abandoned? Bots might be responsible for that, too. Bad bot activity is on the rise in the retail industry, and the impact isn’t just being felt during the holiday season and other high-traffic times.
Motivated adversaries are using bots throughout the year, driving loss of revenue and lower conversion rates — not to mention reputational damage. Imperva Threat Research found that 22.7 percent of all website traffic in the retail sector originates from bad bots — the second highest rate among all targeted industries. Identifying and mitigating bad bot traffic is critical for retailers that want to avoid financial and reputational damage.
Recognizing the Threat
Disruptions caused by automated traffic can cost retailers millions in lost annual revenue stemming from customer churn, higher infrastructure or support costs, degraded or unreliable online services, and other negative consequences. And as retailers use a growing number of APIs, attackers are finding that many API security defenses are unable to stop automated threats, making it easy for them to scrape valuable data. Retail also faces a higher percentage of “advanced” bots than most other industries, with 67 percent of retail bots in the U.S. classified as advanced. These bots use the latest evasion techniques and can closely mimic human behavior to evade detection, making them a particularly dangerous threat.
Bad bots can have a negative impact on the customer experience, too. Ask anyone competing with a bot to buy a gaming console or pair of sneakers. In addition to buying up products before humans can even get to checkout, bad bots are also capable of taking down entire websites through distributed denial-of-service (DDoS) attacks. This doesn’t just have financial repercussions, as the reputational damage it incurs can be difficult to overcome and disillusioned consumers may never return.
Retail is a popular target among attackers, and one particularly vulnerable to attack. Bots are regularly used to perpetrate online fraud, often in the form of account takeover (ATO) attacks, which capitalize on credential stuffing and password cracking activity to take control of online accounts. Those accounts can be used to gather personally identifiable information (PII), credit card details and other valuable data. In short, bad bots can lead to a litany of headaches for retailers — from skewed website analytics to IT infrastructure disruption, financial and reputational damage, and even violation of data privacy regulations.
Taking Corrective Action
The first step for retailers is improving their risk identification capabilities. This starts by understanding when site traffic could be elevated, such as during a marketing campaign or the launch of a high-demand product. During these periods, automated traffic is likely to increase. In advance, implement additional security features in areas bots are likely to target, such as login forms and checkout pages. Vulnerability reduction is also key. Retailers can’t just focus on website traffic; they need to protect exposed APIs and mobile apps as well. It's critical to share blocking information between systems so bots cannot simply switch to another attack vector.
Retailers should also implement solutions capable of detecting bad bot indicators like outdated browsers, proxy services, and automated tools. The ability to monitor and evaluate traffic for these and other warning signs can help retailers detect — and subsequently block — suspicious traffic engaging in potential attack activity. It's also a good idea to invest in specific bot mitigation solutions. As bad bot behavior becomes increasingly sophisticated, retailers can benefit from solutions specifically designed to adapt and respond to the continuously evolving threat landscape.
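As an added illustration (not code from Imperva or from the original article), the sketch below checks requests to login and checkout paths for the three indicators named above and keeps a single blocklist shared by web, API and mobile traffic, so a client blocked on one channel is also blocked on the others. The marker strings, version cutoff, paths, proxy list and sample requests are all assumptions constructed for the example.

```python
import re

# Assumed values for illustration; tune them to your own traffic.
AUTOMATION_MARKERS = ("curl/", "python-requests", "headlesschrome", "selenium", "phantomjs")
MIN_CHROME_MAJOR = 100                     # assumed cutoff for an "outdated browser"
SENSITIVE_PATHS = ("/login", "/checkout", "/api/login", "/api/checkout")
KNOWN_PROXIES = {"203.0.113.7"}            # constructed stand-in for a proxy feed

CHROME = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/{}.0.0.0 Safari/537.36"
# Constructed sample requests: (channel, client_ip, path, user_agent)
EVENTS = [
    ("web", "198.51.100.10", "/login", CHROME.format(120)),
    ("web", "198.51.100.20", "/checkout", "python-requests/2.31.0"),
    ("api", "198.51.100.20", "/api/v1/cart", "okhttp/4.12.0"),
    ("web", "203.0.113.7", "/login", CHROME.format(49)),
    ("mobile", "198.51.100.30", "/products/42", "curl/8.4.0"),
]

def indicators(ip, user_agent):
    """Return the bad-bot indicators present on one request."""
    found = []
    ua = user_agent.lower()
    if any(marker in ua for marker in AUTOMATION_MARKERS):
        found.append("automated_tool")
    match = re.search(r"chrome/(\d+)", ua)
    if match and int(match.group(1)) < MIN_CHROME_MAJOR:
        found.append("outdated_browser")
    if ip in KNOWN_PROXIES:
        found.append("proxy")
    return found

def process(events):
    """Decide each request in order, using one blocklist for every channel."""
    blocked = {}      # client IP -> indicators that caused the block
    decisions = []
    for channel, ip, path, ua in events:
        if ip in blocked:
            # Blocked earlier on any channel: switching vector does not help.
            decisions.append((channel, ip, path, "block:shared"))
            continue
        hits = indicators(ip, ua)
        if hits and path.startswith(SENSITIVE_PATHS):
            blocked[ip] = hits
            decisions.append((channel, ip, path, "block:" + "+".join(hits)))
        else:
            decisions.append((channel, ip, path, "allow"))
    return decisions, blocked

if __name__ == "__main__":
    for decision in process(EVENTS)[0]:
        print(decision)
```

Keying the blocklist on IP address alone is a simplification; advanced bots rotate addresses, so production systems combine it with stronger client signals.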
Awareness is Critical
In 2022, “advanced” bad bots accounted for over 50 percent of all bot traffic — effectively doubling the previous year’s rate. Moving forward, those numbers will likely increase. As bad bot activity continues to grow, retailers must be aware of the potential damage that bot-based attacks can cause. By understanding the threats they face and implementing the necessary security solutions to mitigate them, retailers can avoid becoming easy targets for today’s attackers.
Lynn Marks is senior product manager at Imperva, overseeing the product and innovation roadmap for Imperva Advanced Bot Protection and Imperva Client-Side Protection. With more than 10 years of B2B security product experience, Marks helps customers protect their applications and websites from online fraud and other security threats. Prior to Imperva she was product manager at Model N and Distil Networks (acquired by Imperva). She holds a Bachelor’s Degree in Economics from UC Santa Barbara.