Kasada’s 2023 Holiday Bot Report offered a clear view of how bots disrupted eCommerce and online sales last season. Looking ahead to Holiday 2024, businesses can expect even more sophisticated bot tactics, likely impacting everything from customer accounts to sales performance. Here’s what retailers, travel platforms, and eCommerce businesses should anticipate—and may already be noticing—as bot activity has ramped up this holiday season.
1. Early Bot Activity Before Sales Events
Last year, global bot traffic surged by an astounding 444% from September to October as attackers geared up for early holiday sales. This trend is already taking shape in the U.S., with bad bot traffic rising 22% in just the past 30 days and scraping up 35% from September to October. We can expect this wave of automated traffic to intensify in the lead-up to Black Friday, as adversaries ramp up credential stuffing, fake account creation, and price scraping to age accounts, test stolen credentials, and track inventory changes.
Suggestion: Start monitoring unusual account activity and login attempts now to catch signs of fraud early in the season, before it impacts your peak sales.
2. Account Takeover (ATO) and Login Abuse
The holiday period last year saw a 250% spike in automated login attempts during the Cyber Five weekend, putting a large volume of user accounts—and customer loyalty—at risk. Already this season, these attacks are escalating, with account takeover (ATO) attempts surging by as much as 15x. External threat intelligence also indicates a 31% increase in the number of retail companies targeted by credential stuffing attacks from October to November, emphasizing the need for strong defenses as the holiday shopping season intensifies.
Suggestion: Strengthen login security by implementing measures that detect automated login attempts, monitor for unusual login behaviors, and require multi-factor authentication (MFA) when possible. While MFA is highly effective at preventing account takeovers (ATO), it can introduce friction in the purchasing journey if overused and can be difficult to adopt uniformly for B2C. To balance security with a smooth customer experience, consider applying MFA selectively based on risk, such as on unusual account activity or high-value transactions. This approach allows you to protect customer accounts from fraud without interrupting the shopping flow for most buyers.
3. Scalping Attacks During Peak Sales
In 2023, scalper bots or “Grinch Bots” accounted for over 63% of all bot traffic during peak sales days like Black Friday, Cyber Monday, Travel Tuesday, and even the day before Black Friday. These bots buy in-demand items before real shoppers get a chance, leading to stockouts and disappointing customers. On Cyber Monday, in particular, scalping requests spiked by 3x, with bots focused on making purchases before human customers could react. So far this year, one U.S. retailer saw a 202% jump in automated checkout attempts during a November sales event.
Suggestion: Deploy advanced bot detection measures that focus on high-speed activity and repetitive purchase patterns to curb scalpers.
4. Surge in Gift Card Fraud in November
Gift card fraud has seen a significant spike, with a 3.7x increase in fraud attempts observed in November 2023 compared to October. This trend is already repeating, as gift card fraud attempts have surged by 146% in the last month alone. Bots target gift cards by rapidly testing various code combinations and then selling valid codes on secondary markets, exploiting their high resale value. Attackers use bots to automate the testing of gift card balances and account for the rapid increase in fraud as holiday sales ramp up.
Suggestion: Secure your gift card systems and validate every attempt to check card balances. Abnormal usage patterns can signal attempts at gift card fraud.
5. Increasing Bot Sophistication & Velocity
Basic bot attacks—such as fake Google crawlers — currently make up a large portion of bad bot traffic, but attackers are increasingly shifting to more sophisticated tactics. In the past month, bots of moderate sophistication have surged by 36% and bot velocity has jumped by 18.2%, signaling an escalation in activity as the holiday season has started. These moderate bots employ advanced evasion techniques and would likely have gone undetected without Kasada’s randomized defenses.
Last year, during peak sales events, 51% of holiday bots employed advanced tools like Puppeteer and Playwright to bypass defenses, and we anticipate similar levels of sophistication this year. Adversaries are likely to deploy even more evasive tools, like Puppeteer Stealth and Solver Services, which require adaptive, behavior-based defenses to detect and block.
Suggestion: Layered bot defense strategies are essential for addressing threats across all levels. Adaptive security can identify and mitigate even the stealthiest bots that imitate human behavior.
What This Means for 2024
Bot attacks show no sign of slowing down. Retailers, travel platforms, and eCommerce sites should consider Kasada’s current trends and 2023 findings as a blueprint for preparing their defenses this season. Here are some strategic actions to take:
- Regularly Test and Update Defenses: Keep your anti-bot systems dynamic and responsive to the latest threats.
- Cross-Team Collaboration: Security, fraud, eCommerce, and marketing teams must work closely to ensure bots aren’t skewing metrics, impacting user experiences, or causing fraud and chargebacks. Pooling data points from various teams can help you understand and better address underlying issues.
- Continuous Monitoring: Stay vigilant and keep an eye on traffic patterns and account activity, especially during high-stakes sales events.
Stay Ahead of Automated Threats This Holiday Season
As bots become more pervasive and harder to detect, proactive, robust bot management solutions are essential. With Kasada, eCommerce and retail businesses gain an edge in bot defense, ensuring a safer and more seamless holiday shopping experience for everyone.
Clean analytics are critical in this process; without accurate data to monitor sales performance and checkout metrics, it’s nearly impossible to gain a true view of your business’s success or make informed decisions. Kasada’s bot mitigation not only protects your sales but also ensures you get clear, actionable insights to drive your business forward.
But bots don’t stop after the holiday rush, and neither should your defenses.
Kasada provides year-round bot protection that’s quick to deploy, easy to configure, requires no ongoing management, and evolves to protect even the most sophisticated attacks. See how Kasada stops automated threats before they impact your business.