Breaking Bad Bots: A Lesson to Online Retailers on How to Beat a Bot Attack

Retailers offering online services should be aware of a cybersecurity threat that can impact operations, customer satisfaction, and revenue: automated bots. Leading the charge in an unprecedented surge of malicious bot activity in the retail industry are scalping bots, programs built to buy high-demand products in bulk the moment they go on sale.
The retail industry is particularly exposed. Research from Imperva found that retail experienced the highest volume of bot attacks of any industry, with 569,884 artificial intelligence-driven attacks per day. Under these conditions, online retailers need a proactive security strategy.
Tread Lightly: Scalping Bots Cause Major Disruption
Scalping bots aren't selective: they target any retailer where demand outstrips supply or where high-value products are sold, exploiting flash sales, limited-edition product drops, and major retail events to secure inventory quietly before legitimate customers get a chance. In severe cases, a retailer can face a monthslong campaign against its inventory system, with attackers exploiting weaknesses in it and causing serious financial loss.
Organizations cannot afford to ignore bots. Imperva’s Threat Research found that automated bots and insecure application programming interfaces (APIs) cost businesses up to $186 billion annually. And the consequences of unchecked bot activity go beyond lost sales. Retailers can experience inventory manipulation, inflated costs due to artificial demand, website interruptions, and reputational damage as consumers lose trust in the fairness and convenience of online purchasing. Yet retailers struggle to identify and mitigate bot attacks, allowing bad actors to exploit security gaps.
During a prolonged attack, an online retail platform may at first mistake the rise in server load for an ordinary traffic spike. Careful investigation is needed to work out when bots have exploited a weakness to swipe inventory, which is often done through a publicly exposed API.
No Half Measures: Identifying Early Signs of a Bot Attack
When bots get at a system through a route such as an exposed API, there are two major impacts: (1) high server and API gateway costs, since bots send a continuous stream of requests and each request carries its own charge, and (2) hoarded inventory: products are swept into virtual shopping carts held by bots, which blocks purchases by human shoppers.
Detecting bot activity early is crucial to preventing large-scale damage. Although bots are designed to mimic human behavior, the first sign of an attack is typically an unusual rise in server load. Retailers can identify suspicious activity by using tools that monitor and analyze traffic patterns, so that malicious activity is detected quickly.
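The two impacts above (a request flood that drives up gateway cost, and carts filled but never checked out) both leave traces in ordinary access logs. The script below is an added example, not code from the article or from Imperva, showing what such traffic-pattern analysis looks like on a small constructed sample: it parses combined-format log lines, computes each client's peak request rate in a sliding window, counts add-to-cart calls that never lead to a checkout, and notes User-Agent rotation from a single address. The log format, the `/api/cart/` and `/api/checkout` paths, the thresholds, and the sample lines are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format line: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Thresholds are assumptions chosen for this example, not figures from the article;
# tune them against your own baseline traffic.
WINDOW = timedelta(seconds=60)
MAX_REQ_PER_WINDOW = 30
MAX_CART_ADDS_WITHOUT_CHECKOUT = 10


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def peak_rate(timestamps, window):
    """Largest number of requests falling inside any sliding window of the given length."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines):
    """Return {client_ip: [reasons]} for clients whose traffic looks automated."""
    clients = defaultdict(lambda: {"ts": [], "cart_adds": 0, "checkouts": 0, "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        c = clients[rec["ip"]]
        c["ts"].append(rec["ts"])
        c["uas"].add(rec["ua"])
        if rec["method"] == "POST" and rec["path"].startswith("/api/cart/"):
            c["cart_adds"] += 1
        elif rec["method"] == "POST" and rec["path"].startswith("/api/checkout"):
            c["checkouts"] += 1

    findings = {}
    for ip, c in clients.items():
        reasons = []
        rate = peak_rate(c["ts"], WINDOW)
        if rate > MAX_REQ_PER_WINDOW:
            reasons.append(f"{rate} requests within {int(WINDOW.total_seconds())}s")
        if c["cart_adds"] > MAX_CART_ADDS_WITHOUT_CHECKOUT and c["checkouts"] == 0:
            reasons.append(f"{c['cart_adds']} cart adds and no checkout (inventory hoarding)")
        if len(c["uas"]) > 1:
            reasons.append(f"{len(c['uas'])} different User-Agent strings from one address")
        if reasons:
            findings[ip] = reasons
    return findings


def constructed_sample_log():
    """Constructed sample traffic for a product drop (not real data): one human
    shopper and one scalping bot that hammers add-to-cart without ever checking out."""
    base = datetime(2024, 11, 29, 9, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'

    def line(ip, offset, method, path, ua):
        ts = (base + offset).strftime("%d/%b/%Y:%H:%M:%S %z")
        return fmt.format(ip=ip, ts=ts, method=method, path=path, ua=ua)

    human_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/130.0"
    human = [("GET", "/product/console-x"), ("POST", "/api/cart/add"),
             ("GET", "/cart"), ("POST", "/api/checkout")]
    lines = [line("203.0.113.7", timedelta(seconds=90 * i), m, p, human_ua)
             for i, (m, p) in enumerate(human)]

    # The bot fires two add-to-cart calls per second for 20 seconds and rotates its User-Agent.
    bot_uas = ["Mozilla/5.0 (X11; Linux x86_64) Chrome/128.0", "python-requests/2.32"]
    lines += [line("198.51.100.23", timedelta(seconds=i // 2), "POST", "/api/cart/add", bot_uas[i % 2])
              for i in range(40)]
    return lines


if __name__ == "__main__":
    for ip, reasons in analyze(constructed_sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

On the constructed sample only the bot address is flagged, for all three reasons; the human shopper's four requests spread over several minutes trip none of them. In production the same signals would be computed per session or per device fingerprint rather than per IP, since scalpers spread requests across proxy pools.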
Stay Out of Bot Territory: Secure the API and Protect Inventory
Retailers must implement a multilayered security approach to safeguard their platforms and prevent potential incidents. A robust defense strategy includes:
- API Protection: APIs are an attractive target for bots because they give direct access to product data and the checkout flow. Retailers should protect their APIs with an advanced bot protection (ABP) token that forces bots to reveal themselves, which yields better threat detection and lets defenses be tuned.
- Bot Fingerprinting: An effective ABP will also fingerprint bots, uniquely identifying and tracking them so that specific risks can be targeted precisely. Bad bots adapt constantly, and many cannot be caught by basic rule-based filtering.
- Proactive Monitoring: Deploy solutions that continuously monitor for unusual traffic, producing real-time threat intelligence so that potential bot activity is quickly neutralized.
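To make the first two items concrete, here is an added example (not Imperva's ABP token or its fingerprinting method, and not code from the article) of the general pattern they describe: the server mints a short-lived HMAC-signed token bound to a fingerprint of the headers a real browser sends, the cart API refuses requests that lack a valid token or present one minted for a different fingerprint, and every rejection is counted per fingerprint so the monitoring layer can see which clients keep hitting the API without earning a token. The `x-bot-token` header name, the header set used for the fingerprint, the key, and the five-minute lifetime are all assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from collections import defaultdict

# Assumptions for this example: a server-side key (rotate it; never ship it to the client)
# and a five-minute token lifetime. Neither value comes from the article.
SERVER_KEY = b"example-key-rotate-me"
TOKEN_TTL = 300  # seconds


def fingerprint(headers):
    """Hash the client attributes a real browser sends consistently. A bot that rotates
    its User-Agent or omits headers a browser always sends gets a different value."""
    parts = [headers.get(name, "") for name in
             ("user-agent", "accept-language", "accept-encoding", "sec-ch-ua")]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def issue_token(fp, now=None):
    """Mint a short-lived HMAC-signed token bound to one fingerprint. The page's own
    script would request this after passing the challenge and attach it to API calls."""
    now = int(time.time() if now is None else now)
    payload = json.dumps({"fp": fp, "iat": now}, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, fp, now=None):
    """Return (ok, reason). The signature is checked before any claim is trusted."""
    now = int(time.time() if now is None else now)
    try:
        p_b64, s_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(p_b64)
        sig = base64.urlsafe_b64decode(s_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad-signature"
    claims = json.loads(payload)
    if now - claims["iat"] > TOKEN_TTL:
        return False, "expired"
    if claims["fp"] != fp:
        return False, "fingerprint-mismatch"
    return True, "ok"


class CartApi:
    """Minimal stand-in for an add-to-cart endpoint behind the token check.
    Rejections are counted per fingerprint so monitoring can see which clients
    keep hitting the API without a valid token."""

    def __init__(self):
        self.rejections = defaultdict(int)

    def add_to_cart(self, headers, now=None):
        fp = fingerprint(headers)
        token = headers.get("x-bot-token")  # header name is an assumption for this example
        if token is None:
            self.rejections[fp] += 1
            return 403, "missing-token"
        ok, reason = verify_token(token, fp, now)
        if not ok:
            self.rejections[fp] += 1
            return 403, reason
        return 200, "added"


if __name__ == "__main__":
    browser = {"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/130.0",
               "accept-language": "en-US,en;q=0.5", "accept-encoding": "gzip, deflate, br",
               "sec-ch-ua": ""}
    api = CartApi()
    tok = issue_token(fingerprint(browser), now=1_700_000_000)
    print(api.add_to_cart({**browser, "x-bot-token": tok}, now=1_700_000_060))
    print(api.add_to_cart({"user-agent": "python-requests/2.32"}, now=1_700_000_060))
    print(api.add_to_cart({"user-agent": "python-requests/2.32", "x-bot-token": tok},
                          now=1_700_000_060))
    print(api.add_to_cart({**browser, "x-bot-token": tok}, now=1_700_000_000 + TOKEN_TTL + 1))
    print(dict(api.rejections))
```

The browser's request succeeds; a bare script gets `missing-token`, a script replaying a token lifted from a real browser session gets `fingerprint-mismatch` because its headers hash differently, and a held token expires after the TTL. The point of the token is less that it is unbreakable than that a bot must either run the page's script to obtain one or present itself repeatedly without one, and either way it surfaces in the rejection counters.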
Taking a Proactive Stance Against Bots
Scalping bots will keep evolving, and retailers’ defenses must keep pace. It’s not a matter of if a bot attack will occur but when, and once it happens, retailers may be stuck playing catch-up while mitigation stalls. Proactivity is the best strategy: it secures every critical endpoint, reduces fraud and bot attacks, and clears the path for customers to complete their purchases. By investing in advanced bot protection, retailers can avoid falling victim to these attacks and protect both their revenue and their reputation.
Lynn Marks is senior product manager at Imperva, a Thales company, where she oversees the product and innovation road map for Imperva Advanced Bot Protection and Imperva Client-Side Protection. With more than 10 years of B2B security product experience, Marks helps customers protect their applications and websites from online fraud and other security threats. Prior to Imperva she was product manager at Model N and Distil Networks (acquired by Imperva). She holds a Bachelor’s Degree in Economics from UC Santa Barbara.