The COVID-19 pandemic saw cybersecurity attacks on online retailers increase exponentially. As bricks and mortar shopping became near-impossible with lockdown restrictions, e-commerce became the primary sales channel with four in five Australian households shopping online.

Globally, retail is the fourth most targeted industry for cyberattacks, and as Australians increasingly scrolled the internet for the perfect pair of sneakers, cybercriminals continued to grow their presence finding new ways to target brands and their customers.

Data from Imperva’s latest Bad Bots Report showed malicious, “bad” bots were the primary culprits of cyberattacks. Last year, bad bots accounted for almost a quarter of global online retailing – with a jaw-dropping 788% increase in just one month triggered by the launch of next-gen gaming consoles and pre-Christmas sales. Using bots to buy at volume and then reselling these highly-sought-after gaming consoles at a hiked up price saw US$82 million in profits for these nefarious bot operators.

Now more sophisticated than ever, bots are learning to mimic human behaviour in ways that make them harder to detect and prevent. This allows bot operators, attackers, unsavoury competitors, and fraudsters to perform a wide array of malicious activities from web scraping and competitive data mining through to transaction fraud.

Five types of bad bots

Bots are software applications widely used on the internet to run automated tasks, such as online help chats and Googlebot, which crawl the internet to index it for search. “Bad” bots use this function for dishonest purposes and interact with applications in the same way a legitimate user would, making them hard to detect and prevent. They scrape data from sites without permission to reuse it and gain a competitive edge, enabling high-speed abuse, misuse, and attacks on websites, mobile apps, and application programming interfaces (APIs).

While illegal bots are a serious business threat, many businesses use legitimate bot applications to help grow their business. For example, to ensure their products and services can be found by current and prospective customers, helping people match their digital search queries with the most relevant websites.

So, what types of “bad bots” should retailers be on the lookout for?

  1. Price scraping: Bots that scrape competitor prices to undercut brands within the marketplace, resulting in lost business and a decline in the lifetime value of customers. Things to look out for on your site include declining conversation rates, a sharp decrease in SEO rankings or unexplained website slowdowns and downtime.
  2. Gift card balance checking: Bots that mimic human behaviour, accessing gift cards which contain a balance and stealing money. To monitor for this type of issue, keep an eye out for a spike in requests to the gift card balance page of your site or an increase in customer service calls about missing balances.
  3. Credit card fraud: Criminals use these bots to iterate and test a number of credit cards to identify missing data, for example the expiry date or CVV. Monitor for multiple larger than normal failed credit card transactions at the checkout phase of purchases. Other key triggers to look out for include an increase in customer support calls claiming credit card fraud and an increase in chargebacks processed.
  4. Denial of service and inventory: These bots hack your website, slow its performance, hold items in shopping carts, and as a result, prevent goods from being sold to valid paying customers. To catch them in the act, monitor for abnormal and unexplained spikes in traffic and an unexplained increase in customer service calls about a lack of availability of product.
  5. Scalping: Grinchbots and Sneakerbots target rare items, like the latest PS5, Xbox Series X, or Nike sneakers, and make it their mission to obtain and resell to the highest bidder. Similar to denial of service and inventory, retailers should keep an eye out for website slowdowns, decrease in conversion rates and an increase in customer service calls about these precious items running out.

Battling the bots

Automated threats consistently top the list of concerns for many retailers, and with nefarious bots thriving throughout the global pandemic, no retailer is exempt from being targeted. However, there are a number of things retailers can do to remain cautious of the threat and protect themselves and their customers.

From planning ahead when it comes to website updates, investigating traffic spikes rather than just acknowledging them, and considering an end-to-end cybersecurity solution – there are several simple recommended actions retailers can consider in order to combat the ongoing threat of nefarious bots and other criminal cyber activity. 

Most importantly however, with the level of bot sophistication only increasing, it’s almost impossible to keep up with all the threats as an individual – considering an effective bot defence solution will not only reassure customers that their data is safe but give businesses peace of mind.

Reinhart Hansen is director of technology for Imperva CTO Office.