The 6 most dangerous bot threats in online retail and what can be done to prevent them

According to cyber security firm Netacea, botnets earned $5 million per day in 2019, which equates to $1,825,000,000 annually.

A bot is a software application that runs automated scripts over the internet, often used to perform simple tasks faster than a human could do, such as bagging the new pair of AirJordans…or stealing your card information.

Netacea data shows that bots account for up to 40 per cent of ecommerce traffic, with fraudsters commonly using malicious bots to carry out a range of illicit activities including denial of inventory, scalping, scraping and credential stuffing.

While not all bot activity is illicit, malicious bot attacks can affect a retailer’s website performance, compromise its customer base’s privacy and cause loss of revenue.

With ecommerce adoption breaking records during the pandemic, the level of online fraud has increased with it. According to HMRC, there was a 74 per cent increase in phishing scams between January and June last year. Separate data from LexisNexis found that the cost of bot attacks to UK merchants is 2.66 times the amount lost in the transaction.

“The conditions of the pandemic have created a veritable petri dish for the growth of fraud,” security firm Ravelin’s co-founder and chief information officer Martin O’Riada said.

So what are some of the biggest bot threats to online retail and what can retailers do to prevent them?

6. Fake account creation

Fake account creation is the automated creation of a large number of user accounts that are not associated with a real person. It is a common way for fraudsters and bots to mask card cracking, loyalty point abuse or credential stuffing activity.

Fake account creation often utilises real people’s details without them giving their consent or knowing about it in the first place.

Fake accounts are often used to perform malicious and criminal activities including financial fraud, abuse of special offers and discounts, spam and the spreading of fake news.

How can retailers prevent it?

Detecting fake account creation is tough and requires specialist bot management tools that are offered by cyber security companies.

5. Scalping

Malicious scalping bots are very common within the fashion industry and enable their operators to purchase limited stock items and then sell them at a much higher price on platforms such as StockX or eBay.

Scalper bots are able to bag an item and check out using details pre-entered before the release, far faster than is humanly possible.

Any legitimate consumer attempting to buy the item will encounter an ‘Out of stock’ message and then have little choice but to pay the extortionately high mark-up price from the resellers.

Scalper bots are difficult to beat and can frustrate a customer base, leading to loss of business. Popular streetwear brands such as Supreme are often susceptible to scalper bot software, as the highly coveted items are usually sold in low quantities to drive interest in the products and brand and generate “hype”.

How can retailers prevent it?

While scalper bots are hard to detect and prevent, specialised bot protection solutions are able to detect them and block them.

This means that once a scalper bot has been blocked, further requests from its IP address are refused, preventing the same bad actor from simply trying again.

Retailers are able to map malicious attempts with specialised software that enables real-time monitoring.

4. Gift card cracking

Gift card cracking is a very popular tool used by fraudsters to attack ecommerce sites. Just about any merchant that sells gift cards is susceptible to gift card cracking. There are a number of ways in which organised criminals are able to exploit gift cards.

These range from simple fraud schemes that leave merchants stuck with the chargebacks to hacking the databases that host the gift cards and stealing details that are then used to purchase goods.

Gift cards are anonymous and essentially untraceable, which makes them easy to steal digitally. Each gift card is like digital cash, with no one permanently linked to it, as most gift cards are purchased in-store with cash.

This makes it incredibly easy for criminals to use bots to crack gift card codes, which are then sold on digital marketplaces such as the dark web.

Criminals are able to purchase merchandise with the intent to resell for tangible currency or trade the card value for cryptocurrency.

How can retailers prevent it?

  • Track gift card data. Retailers can track each card from purchase to redemption, which means businesses are able to flag unusual behaviour, such as instant activation and use.
  • Strengthen internal controls. Strict reconciliation processes are helpful in identifying suspicious behaviour that could indicate employee fraud. It’s also worth cross-checking confirmed gift card fraud against employee activity.
  • Postpone card activation. Instead of instantly activating gift cards, retailers are recommended to activate cards at the end of the transaction, to avoid fraudsters activating cards before completing the transaction.
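The tracking and deferred-activation controls above, as an added illustration that is not part of the original article (the ledger class, card codes and timings are all constructed for the example):

```python
from datetime import datetime, timedelta

# Constructed sample data (not real cards). A redemption this soon after
# activation is accepted but flagged for review.
INSTANT_USE = timedelta(minutes=5)

class GiftCardLedger:
    """Tracks each card from purchase to redemption: deferred activation,
    rejection of unknown codes, and flagging of instant activation-and-use."""

    def __init__(self):
        self.cards = {}   # code -> balance, purchased_at, activated_at, redemptions
        self.flags = []   # (code, reason) pairs for manual review

    def purchase(self, code, amount, at):
        # The record exists, but the card is NOT active until the sale settles.
        self.cards[code] = {"balance": amount, "purchased_at": at,
                            "activated_at": None, "redemptions": []}

    def settle(self, code, at):
        # Deferred activation: only once the purchase transaction completes.
        self.cards[code]["activated_at"] = at

    def redeem(self, code, amount, at):
        """Return True if the redemption is accepted; record flags on the way."""
        card = self.cards.get(code)
        if card is None:
            self.flags.append((code, "unknown_code"))   # code never sold: guessing
            return False
        if card["activated_at"] is None:
            self.flags.append((code, "redeem_before_activation"))
            return False
        if not card["redemptions"] and at - card["activated_at"] < INSTANT_USE:
            self.flags.append((code, "instant_use"))    # accepted, but reviewed
        if amount > card["balance"]:
            return False
        card["balance"] -= amount
        card["redemptions"].append((at, amount))
        return True

def demo():
    ledger = GiftCardLedger()
    t0 = datetime(2021, 3, 1, 9, 0)
    ledger.purchase("GC-0001", 50.0, t0)
    early = ledger.redeem("GC-0001", 20.0, t0 + timedelta(seconds=30))  # sale open
    ledger.settle("GC-0001", t0 + timedelta(minutes=1))
    quick = ledger.redeem("GC-0001", 20.0, t0 + timedelta(minutes=2))   # flagged
    guessed = ledger.redeem("GC-9999", 20.0, t0 + timedelta(minutes=3)) # never sold
    return early, quick, guessed, ledger.flags, ledger.cards["GC-0001"]["balance"]
```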

3. Card cracking

Card cracking can be very dangerous for consumers and relies on bots to obtain card details, including names and private account numbers, before using bots to “guess” the CV2 codes on the back of cards.

Fraudsters use their bot software to test three-digit combinations until they find the correct numbers, then validate the card for criminal use or resale on platforms like the dark web, which is littered with stolen card details readily available to purchase.

These types of attacks can be incredibly costly for retailers and ecommerce sites, as they must perform checks with their payment providers.

How can retailers prevent it?

Fraudsters will sometimes put random items in their carts to deceptively appear like a real customer. Specialist machine learning offered by cyber security companies is capable of analysing millions of requests to identify bot attacks in real time.

2. Abuse of loyalty points

According to CyberSource, loyalty programs are very popular amongst the younger generations, with 40 per cent of millennials and 44 per cent of Generation X making purchases that earn rewards or benefits several times a week.

While they are very popular amongst consumers, they are also favoured by criminals as a way of defrauding businesses of their money.

Fraudsters are often quite willing to take their time with an attack if it pays off in the long run. When it comes to loyalty point abuse, fraudsters will sometimes successfully access somebody’s account using bot software and monitor their loyalty point balance for months, until the value of the points is deemed worthwhile to steal for themselves or sell on the dark web.

Loyalty point fraud costs ecommerce and retailers directly through loss of merchandise and, potentially more dangerously, damages customer bases that then lose trust in the brand, resulting in loss of business from some of the organisation’s most loyal customers.

How can retailers prevent it?

  • Re-think your rewards. Analyse the costs of your products and their margins and make sure you’re offering reasonable incentives that are not too valuable. If it’s effortless to get the rewards or they’re too valuable, you could be open to fraudulent activity. Alternatively, if it’s too difficult to get rewards or the value is low, then no one will take notice of the loyalty program.
  • Create customer segments. Customer segments are groups of customers that can be categorised by a purchasing profile or characteristics such as location, newsletter subscribers, new customers etc. By making sure loyalty schemes are only available to customers from certain groups, you minimise the risk of fraud, as loyal customers are unlikely to defraud a company they have shopped with for a long period of time.

1. Credential stuffing

One of the most dangerous and common bot threats to ecommerce and retail sites is credential stuffing. This is the process by which fraudsters take billions of breached customer usernames and passwords, bought and sold on the dark web, and try them against other sites’ login pages.

If the fraudster manages to access the account, then the customer’s account information including loyalty points and card details are stripped and listed for resale online for someone to purchase and use to make fraudulent purchases.

Credential stuffing is so commonly used because, according to SecureAuth, 81 per cent of customers use the same password across two or more sites, while a quarter use the same password across all their accounts.

According to Google’s former fraud czar Shuman Ghosemajumder, a typical credential stuffing attack has up to a two per cent success rate on major websites.

This means that with a set of 1 million stolen passwords from one website, attackers are able to take over up to 20,000 accounts on another website.

How can retailers prevent it?

AI and machine learning tools are able to detect buying patterns and assess what signifies “normal” consumer behaviour over time, by path taken through the site or by location.

This valuable intelligence can help you determine which customers are attempting to defraud your business and which aren’t.
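Before any machine learning is applied, the two attacks described above (credential stuffing and card cracking) leave a simple velocity signature in login and payment logs. The detector below is an added example that is not part of the original article; the log format, IP addresses, user names and card tokens are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real traffic): one login or payment event per line.
SAMPLE_LOG = """\
2021-03-01T10:00:00Z login_fail ip=203.0.113.7 user=alice
2021-03-01T10:00:01Z login_fail ip=203.0.113.7 user=bob
2021-03-01T10:00:01Z login_fail ip=203.0.113.7 user=carol
2021-03-01T10:00:02Z login_ok ip=203.0.113.7 user=dave
2021-03-01T10:00:03Z login_fail ip=203.0.113.7 user=erin
2021-03-01T10:00:04Z login_fail ip=198.51.100.2 user=frank
2021-03-01T10:00:09Z login_fail ip=198.51.100.2 user=frank
2021-03-01T10:00:10Z cvv_fail ip=203.0.113.9 card=tok_41ab
2021-03-01T10:00:11Z cvv_fail ip=203.0.113.9 card=tok_41ab
2021-03-01T10:00:11Z cvv_fail ip=203.0.113.9 card=tok_41ab
2021-03-01T10:00:12Z cvv_fail ip=203.0.113.9 card=tok_41ab
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ip=(\S+) (?:user|card)=(\S+)$")

def detect(log_text, window_s=60, max_accounts_per_ip=3, max_cvv_fails_per_card=3):
    """Sliding-window velocity rules. Credential stuffing: one IP failing logins
    against too many DISTINCT accounts (one real user retrying is not flagged).
    Card cracking: one card accumulating too many CVV failures. Returns sorted
    (rule, key) alerts, each emitted once."""
    ip_fails = defaultdict(deque)    # ip -> deque of (ts, user)
    card_fails = defaultdict(deque)  # card token -> deque of ts
    alerts = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # unrelated or malformed line
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        event, ip, subject = m.group(2), m.group(3), m.group(4)
        if event == "login_fail":
            q = ip_fails[ip]
            q.append((ts, subject))
            while (ts - q[0][0]).total_seconds() > window_s:  # expire old events
                q.popleft()
            if len({u for _, u in q}) > max_accounts_per_ip:
                alerts.add(("credential_stuffing", ip))
        elif event == "cvv_fail":
            q = card_fails[subject]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) > max_cvv_fails_per_card:
                alerts.add(("card_cracking", subject))
    return sorted(alerts)
```

The thresholds are deliberately low so the tiny sample trips them; on real traffic they would be tuned per site and combined with other signals rather than used alone.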
