With the first major eCommerce holiday of the year rapidly approaching, Valentine’s Day is projected to surpass last year’s sales of $21 billion USD, nearly a third of which was generated through eCommerce. Online retailers like 1-800-Flowers and Edible Arrangements are preparing for the influx of customers looking to secure their gifts for the upcoming holiday.

While online retailers are looking to maximize their sales, cybercriminals are on the lookout for ways to exploit the holiday and turn a profit, using bots as their weapon of choice. Bot attacks threaten not only a company’s sales but also its customers’ experience and brand reputation. Malicious bot attacks can result in degraded website performance, competitive information being scraped, compromised accounts, payment fraud, and exposure of sensitive customer data.

Web and Price Scraping Threaten Online Sales

Web scraping affects many eCommerce websites year-round, but following the 2021 holiday season retailers should be extra wary of fake websites used to sell counterfeit goods or by competitors to gain an upper hand.

As consumers look to purchase the perfect gift for their loved ones, they may not realize they’re browsing fake websites designed to look like the real deal. Most common in the luxury space, bad actors scrape retailers’ websites, set up identical online shops on spoofed domains, and use paid search ads to be easily found, all to sell discounted counterfeit goods, which results in lost revenue for the retailer. To make matters worse, these sites often contain spear phishing attacks that attempt to skim credentials or download malware to a consumer’s device, causing even more damage. These attacks harm the victim company’s brand and reputation as consumers think they are interacting with the real company, not a counterfeit.

Figure 1: Fake Websites – How Fraudsters Use Web Scraping to Profit

In addition, competing brands and websites may also use scraping bots to gain insight into pricing and offer items at slightly lower prices, steal catalog images and other intellectual property, or perform competitive analysis.

Physical and Online Gift Card Fraud

Another attack vector we see cybercriminals exploiting this holiday is gift card cracking to steal money off of physical and virtual gift cards. Bot operators will steal the gift card codes and offer them for sale on secondary markets.

How is this done? Bots leverage the scale gained from automation to test millions of digit combinations to identify active gift cards that hold various amounts. When valid gift cards are identified, there are three ways they can be used: by quickly purchasing an item, transferring funds to another gift card, or selling the stolen cards to users at a discount. Oftentimes, the stolen cards are already spent before the physical cards are ever given as a gift.

Kasada threat researchers observed a 4x increase in automated gift card balance lookups during the Christmas season. As we enter early February, we continue to observe automated gift card lookups, indicating that cracking attempts continue to pose a threat for retailers.

Kasada automated gift card lookup January 2022

Figure 1: Digital gift card fraud represents a $950 million loss to the industry annually. Both retailers and gift card companies should protect themselves against automated gift card attempts. As evidenced above, fraudsters apply automated cracking attempts throughout every day of the year to exploit recently purchased gift cards.

Coupon and Promotion Abuse

Considering sign-up coupons or discount codes for promoting sales this Valentine’s Day? While these promotions are fruitful to businesses, cybercriminals can use bots to exploit and abuse these coupons. By automating the process of creating new accounts, fraudsters can use those one-time sign-up offers over and over again, and sell fake accounts to those who wish to get the discount.

Similar to gift card cracking, bots can automate guessing coupon codes to share with others or to discover codes that might have been meant to be internal only, for select customers, or that had expired but remain active in systems.
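The gift card cracking and coupon guessing described above leave the same trace in request logs: one client trying many distinct codes with almost all of them invalid. The following detection sketch is an added example, not Kasada's code; the log format, endpoint paths, client ids and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed log lines: ISO time, client id, endpoint, code, result."""
    t0 = datetime(2022, 2, 1, 10, 0, 0)
    at = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [
        # Shoppers checking their own card or coupon, one with a typo.
        f"{at(0)} shopper-a /giftcard/balance 6006490000001234 valid",
        f"{at(5)} shopper-b /coupon/apply LOVE10 invalid",
        f"{at(9)} shopper-b /coupon/apply LOVE20 valid",
    ]
    # One automated client walking a code range, one lookup per second.
    for i in range(40):
        result = "valid" if i == 17 else "invalid"
        lines.append(f"{at(i)} bot-x /giftcard/balance 60064900000{i:05d} {result}")
    return lines

def parse(line):
    ts, client, endpoint, code, result = line.split()
    return datetime.fromisoformat(ts), client, endpoint, code, result == "valid"

def flag_enumeration(lines, window_s=60, max_codes=5, min_miss_ratio=0.8):
    """Return (client, endpoint) pairs that tried many distinct codes, mostly
    misses, inside one fixed window. Thresholds are illustrative assumptions."""
    buckets = defaultdict(list)  # (client, endpoint, window index) -> [(code, hit)]
    for line in lines:
        ts, client, endpoint, code, hit = parse(line)
        window = int((ts - datetime(1970, 1, 1)).total_seconds()) // window_s
        buckets[(client, endpoint, window)].append((code, hit))
    flagged = set()
    for (client, endpoint, _), attempts in buckets.items():
        codes = {code for code, _ in attempts}
        misses = sum(1 for _, hit in attempts if not hit)
        if len(codes) > max_codes and misses / len(attempts) >= min_miss_ratio:
            flagged.add((client, endpoint))
    return flagged

def endpoint_miss_ratio(lines):
    """Share of invalid codes per endpoint; it rises even when guessing is
    spread across many client ids, which defeats the per-client check."""
    totals = defaultdict(lambda: [0, 0])  # endpoint -> [attempts, misses]
    for line in lines:
        _, _, endpoint, _, hit = parse(line)
        totals[endpoint][0] += 1
        totals[endpoint][1] += 0 if hit else 1
    return {ep: misses / n for ep, (n, misses) in totals.items()}
```

The per-client rule catches a single noisy source; the per-endpoint miss ratio is the signal to alert on when the guessing is distributed, and it should be compared against the endpoint's own baseline rather than a fixed number.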

Valentine’s Day Hype Sales

Limited edition Valentine’s Day-themed apparel and sneakers, such as the sold-out Converse Embroidered Hearts shoe, are staples of the season and make for a great gift. Hype sales are one of the most common targets for scalper bots and frustrate many consumers looking to get their hands on the most in-demand products. Bad bots buy up the product stock and resell it on sites like eBay with a significant markup, achieving a quick profit given the abundance of demand relative to supply.

With bots flooding a retailer’s website to buy up limited edition goods, traffic to the site increases by as much as 100x in minutes, as do the costs associated with processing that traffic. By eliminating bad bots from web traffic, we’ve seen retailers ensure their profit margins don’t erode due to the exorbitant cost of processing such bot traffic.

Lost Online Conversions

Cart abandonment for retail during Valentine’s Day is historically high at 76%. As such, retailers must make sure they provide an optimal user experience to convert as many website visitors as possible into buyers.

Preventative measures, such as CAPTCHAs or customized challenges, create friction in a customer’s buying experience and result in abandonment and lost conversions. These measures are easily worked around by bot operators; the only ones paying the price are the retailer and the frustrated consumer verifying they are human.

Website performance also directly impacts conversion rates, which is why retailers need to keep bad bot traffic at a minimum. This will improve operating costs and ensure humans receive optimal site performance and availability.

Finally, optimizing conversion rates requires clean analytics data that is free of bad bot traffic. Optimizing the effectiveness of promotions or performing A/B testing requires clean data. An organization should have data from its anti-bot provider that provides insight not only into what’s been blocked, but also into what gets through, and be able to tie that in with other analytics reporting via API systems.

What Online Retailers Can do to Protect Themselves

To safeguard earnings this Valentine’s Day from malicious bots and ensure consumers are having great experiences, online retailers should take the following actions:

  1. Determine and analyze where bots are getting in or potential doors they could exploit, including websites, mobile apps, and APIs.
  2. Remove bots from your traffic by employing a zero-tolerance policy across web and mobile platforms.
  3. Optimize your solution by replacing obstacles that may negatively impact sales and conversions such as CAPTCHAs with invisible challenges that don’t impact the user experience.
  4. Educate your customers on buying from fraudulent websites and continuously scan the web for acts of counterfeiting and phishing.
  5. Adapt and respond quickly to new attacks using a bot mitigation solution that’s able to detect and stop automated threats that have never been seen before without any updates to your configuration.

Kasada currently protects more than $20 billion in eCommerce traffic annually, $10 billion in gift cards, and hundreds of millions of account logins. 85% of our customers had tried another anti-bot solution prior to contacting us.

See how well protected your website is against modern bot attacks with a free, instant test accompanied by a customized threat report specific to your website.
