This holiday season, U.S. online sales are projected to grow nearly 5 percent over last year’s numbers, which is good news for retailers hoping to close out the year with a strong Q4. Unfortunately, cybercriminals are targeting retailers with growing regularity. During the holiday season, any website downtime or service outage can result in significant lost revenue — not to mention the lingering reputational damage that a breach or outage can incur.
From data skimming and bot-based attacks to account takeover (ATO), distributed denial-of-service (DDoS), and API attacks, retailers face a variety of security threats not only during the holiday season, but throughout the year. While threats are growing in volume and complexity, there are steps retailers can take to mitigate the impact on the customer experience and their bottom line.
How Bad Bots Target Retailers
Last year, 67 percent of all bot traffic on retail sites in the U.S. was associated with advanced bots, which are particularly difficult to detect and stop due to their ability to imitate human behavior. For example, sophisticated “Grinch bots” are notorious for impersonating real shoppers and buying up sought-after inventory before consumers can get their hands on it. The resulting frustration can cause reputational damage to the retailer and prompt consumers to take their business elsewhere.
Account takeover (ATO) attacks, which involve cybercriminals using compromised or stolen credentials to access online accounts, are another example of the danger posed by sophisticated and malicious bots. Thanks to the availability of billions of breached credentials, attackers use bots to autonomously cycle through various username and password combinations to attempt to log in. In fact, 15 percent of all login requests across all websites are associated with ATO attempts, with the number of malicious login attempts spiking 82 percent between October and November this year.
Attackers also leverage bots to target retailers with massive amounts of unwanted, automated traffic. Often, this comes in the form of DDoS attacks that cause a significant strain on network infrastructure and can take websites and services offline. Every minute a website is down is a minute of lost sales, which retailers can ill afford during the holiday shopping season. The ability to recognize and turn away malicious automated traffic is critical for retailers seeking to avoid costly downtime.
How to Stop Automated Retail Threats
Stopping ATO attacks, DDoS incidents, Grinch bots, and other common automated attack tactics requires the right combination of security solutions and preventative planning.
Implementing a waiting room queueing system to manage web traffic more effectively is one of the most important steps retailers can take to address the threat of DDoS attacks. A queueing system keeps traffic from overwhelming the site’s infrastructure and minimizes the risk of revenue loss. These waiting rooms can also include features to identify and verify visitors, helping to ensure that those waiting in line are people and not bots.
Robust DDoS protections can also help mitigate the risks associated with increased levels of malicious traffic by safeguarding the stability and availability of your online platform. Downtime is never good for a retailer — much less during the holiday shopping season — and the ability to detect and deflect automated traffic that may be associated with a DDoS attack can ensure your website stays live. On a similar note, having solutions in place that can identify repeated unsuccessful login attempts, large volumes of login attempts, and other signs of a potential ATO attack can dramatically decrease the odds of data theft and ensure customers retain access to their own accounts and information. Additionally, organizations should have a strict policy on resetting the passwords of users whose credentials have been compromised or leaked as this can prevent future fraud from occurring.
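The login signals named above (repeated unsuccessful attempts on one account, large volumes of attempts from one source) and the password-reset policy can be sketched as a small sliding-window detector. This is an added example, not code from the article or from any Imperva product; the event tuple layout, thresholds, alert names and sample log are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Thresholds are assumed values for illustration; tune them to real traffic.
WINDOW = 300             # seconds of history kept per key
MAX_FAILS_PER_USER = 5   # repeated unsuccessful logins on one account
MAX_USERS_PER_SRC = 10   # distinct accounts tried from one source

def detect(events):
    """events: (ts, src_ip, username, success) tuples sorted by ts.
    Returns (ts, kind, key) alerts, at most one per kind and key."""
    fails_by_user = defaultdict(deque)  # username -> failure timestamps
    tries_by_src = defaultdict(deque)   # src_ip -> (ts, username, success)
    seen, alerts = set(), []

    def fire(ts, kind, key):
        if (kind, key) not in seen:
            seen.add((kind, key))
            alerts.append((ts, kind, key))

    for ts, src, user, ok in events:
        q = tries_by_src[src]
        q.append((ts, user, ok))
        while q[0][0] <= ts - WINDOW:
            q.popleft()
        if len({u for _, u, _ in q}) >= MAX_USERS_PER_SRC:
            fire(ts, "many_accounts_from_source", src)
            # A login that succeeded from a stuffing source means the
            # credential is known to the attacker: queue a password reset.
            for _, u, succeeded in q:
                if succeeded:
                    fire(ts, "password_reset_candidate", u)
        if ok:
            fails_by_user.pop(user, None)  # success ends the failure streak
            continue
        f = fails_by_user[user]
        f.append(ts)
        while f[0] <= ts - WINDOW:
            f.popleft()
        if len(f) >= MAX_FAILS_PER_USER:
            fire(ts, "repeated_failures_on_account", user)
    return alerts

def sample_events():
    """Constructed log: one source sprays 12 accounts (user7 succeeds),
    five sources hammer 'alice', and 'bob' mistypes once, then logs in."""
    ev = [(t, "203.0.113.7", f"user{t}", t == 7) for t in range(12)]
    ev += [(20 + i, f"198.51.100.{i + 1}", "alice", False) for i in range(5)]
    ev += [(30, "192.0.2.10", "bob", False), (31, "192.0.2.10", "bob", True)]
    return ev

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Counting failures per account across all sources catches attempts spread over many IP addresses, which a per-IP rate limit alone would miss.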
Attackers aren’t the only ones who can use automation to their advantage. Having the right automated detection and remediation solutions in place can help keep retailers safe this winter.
Managing Cyber Risk During the Holiday Shopping Season
Stopping today’s increasingly advanced bots should be a priority for retailers, especially during the holiday shopping period, which often accounts for a significant percentage of a retailer’s annual revenue. Preparing for the increase in attacks, identifying the most common attack tactics, and understanding how to protect customers and their data will keep retailers well positioned to enjoy success and avoid disaster this holiday season.
Lynn Marks is senior product manager at Imperva, overseeing the product and innovation road map for Imperva Advanced Bot Protection and Imperva Client-Side Protection.
With more than 10 years of B2B security product experience, Marks helps customers protect their applications and websites from online fraud and other security threats. Prior to Imperva, she was product manager at Model N and Distil Networks (acquired by Imperva). She holds a Bachelor’s Degree in Economics from UC Santa Barbara.