Holiday shopping is officially in full swing, and online holiday sales are expected to grow 12% this year – which would bring the total retail eCommerce holiday sales in the US alone to over $200 billion.
Source: eMarketer Industry Insights – Holiday Preparedness, 2021
As an online provider, you’ve followed the eCommerce holiday readiness tips and been prepared for months. You’ve optimized your digital experience to achieve the best conversion rates across all channels, you’ve configured your CDN for maximum offload, and you may have even locked down your site to decrease the potential for things to go wrong. Now all hands are on deck to manage the spike in holiday traffic.
However, if the pandemic has taught us one thing, it’s that you’re ready, ‘til you’re not.
Ready or Not, Here Come the Bots
The pandemic-driven everything shortage has led to a number of cascading problems that make the online shopping experience much different for consumers and more complex for online providers this year.
In reality, “anything that doesn’t make it onto shelves could be a beacon for the bots,” as Forrester asserts in a recent article.
What this means is more eCommerce providers and retailers than ever before will be subject to scalper bots, or “grinch bots”, even if they aren’t selling the most in-demand electronics or sneakers, and they may learn the hard way what it really takes to be ready for these bad bots.
The Everything Shortage = Arbitrage Opportunities for Bot Operators
It seems like every day there’s a new shortage to add to the list as a result of the current supply chain crisis. In turn, we are experiencing major supply and demand issues in physical and online stores, not just for typical in-demand items, such as the PS5, but for everyday household items as well.
Bot operators thrive on supply and demand challenges. They take advantage of a low or limited supply to profit by reselling merchandise and services on various secondary markets with a high markup.
Fraudsters have been busy gearing up for this holiday season by stealing and testing login credentials, creating and aging user accounts, reverse engineering your defenses, and using your lockdown environment as a playground to see what works and what doesn’t.
At first, you may not know or care if bots scoop up your inventory. However, scalper bots used to scan infrastructure for product availability can increase a given retailer’s traffic by up to 10X, which cuts into margins because processing large volumes of non-human traffic is expensive. Some of our customers claim they actually lost money selling their in-demand products because the cost of processing bot traffic ate away at their operating profit.
In our customer example above, only 19% of the requests are from legitimate users. This major retailer had no idea there were so many bad bots in their traffic. When the bad bots aren’t detected and stopped, you have skewed metrics and pay for it in your monthly hosting platform bill. This illustrates the invisible, yet very real, impact of bad bots.
Ineffective Security Defenses Against Grinch Bots
Online providers’ security defenses and checkout processes don’t work as well as they should against automated threats, as evidenced by grinch bots’ inventory hoarding and denial of inventory attacks that we’ve encountered during previous holiday seasons.
Even organizations that have taken steps to mitigate bots are vulnerable to scalpers due to efficacy issues with their current anti-bot solutions. Our 2021 State of Bot Mitigation report found that 85% of companies say their bot management solution lost its efficacy after just one year, and 76% say they are either playing a game of cat and mouse with attackers or feel like bot mitigation has become an impossible balancing act. This is because sneaker bot builders are some of the most intelligent, motivated, and collaborative in the industry. Years of innovation and learnings used to secure inventory during sneaker hype sales are now applied towards any enterprise application that can help them gain an unfair advantage to profit.
For the most proactive organizations deploying specialized anti-bot systems, our experience tells us that 30-90% of the bad bots that should be stopped simply aren’t. Bot operators have evolved their methods beyond what traditional architectures are able to detect and stop. As a result, all of the work you’ve done to optimize your user experience and CDN controls will be for naught because processing a massive amount of bot traffic results in infrastructure strain and latency. Clearly, this leads to an unacceptable customer experience, and it is exacerbated by false positives, false negatives, and ineffective traditional methods, such as CAPTCHAs. Together, these consequences harm your reputation, brand, and bottom line.
Bots also pose a serious risk to the valuable web metrics you collect and analyze during the holiday season. Heightened bot traffic skews your analytics, making it impossible to gain a true understanding of how your holiday promotions are performing, which can improperly inform future business decisions.
What Can eCommerce Providers and Online Retailers Do Right Now?
Here are four essential steps to help you prevent bot attacks on your website, mobile apps, and APIs this holiday shopping season, along with questions to ask and quick tips.
Step 1. Understand the unique bot threats and risks to your business.
- Questions to ask: What types of goods or services do you sell that might be especially in demand right now? Do you have a login that can be tested or a checkout experience that can be abused?
- Recommendation: Identify and assess the various OWASP automated threats that may impact your applications.
- Quick tip: Find out what bot threats your site can detect with our instant test.
Step 2. Remove bad bots to uncover insights into your web traffic.
- Questions to ask: Do you know how to accurately distinguish bad bots on your web and mobile apps? Would you have opportunities to optimize your online conversion rates if you knew your human traffic vs. bot traffic during spikes?
- Recommendation: Clean up your bot traffic to deeply understand consumer behavior while saving on infrastructure costs.
- Quick tip: At peak times, your bot traffic can be 10X your usual traffic, which skews metrics and results in an unfavorable experience for customers.
Step 3. Prioritize your customer experience, conversion rates, and revenue generation.
- Questions to ask: Would you get more customers if you had the ability for buyers to purchase what they want in a convenient, secure, and timely manner? Would you improve your conversion rates if you were able to eliminate CAPTCHAs?
- Recommendation: Use technology to help ensure your products can be purchased by legitimate customers, not fraudsters looking to make a profit.
- Quick tip: Invest in security solutions that don’t add additional layers of friction for your users.
Step 4. Continue to expect the unexpected.
- Questions to ask: How quickly and easily can you adapt in the face of evolving bot attacks? Do you have a short list of vendors that can rapidly change defenses against adversarial retooling and reverse engineering and launch an emergency deployment in the case of a sophisticated bot attack?
- Recommendation: The standard holiday preparedness practices don’t really matter if bots are exploiting your website, apps, and/or APIs. The real eCommerce holiday readiness is to expect the unexpected and become agile enough to change at a moment’s notice.
- Quick tip: Make your anti-bot vendor list, and check it twice.
Bots Could Ruin More Than Just Christmas
As a retailer or eCommerce provider, it’s more important than ever to protect your profits against automated attacks — especially if you’re experiencing efficacy issues with your current solution or have never had to contend with grinch bots before.
Unfortunately, the everything shortage is not going to magically end after the holidays. Our current supply chain difficulties will likely extend well into 2022 and beyond.
If you’re not effectively addressing bots this holiday shopping season, then you are at a disadvantage against motivated adversaries and competition.
Stop Bot Attacks Others Can’t
It’s not too late to strengthen your defenses against automated threats for the holidays.
If you’re not sure if bad bots are a problem for your company, you can quickly test your site here to see which bot threats you’re unable to detect and stop.
Either way, we’d love to show you what we’re seeing as we protect $20B in eCommerce revenue from some of the most complex bots – the same ones that are hitting your digital channels.
With a modern approach that stops new bots never seen before and without all of the configuration and maintenance headaches that come with solutions that rely on outdated architectures, we help defend against automated threats, providing a more secure and seamless online shopping experience for your customers.
If you need immediate assistance with stopping bot attacks, we’re here to help. We deploy in under 30 minutes, integrate seamlessly with any CDN, provide immediate time-to-value against new bots never seen before, and offer quick POCs and emergency deployments.