HUMAN Blog

How to Block Bots During the Holiday Shopping Season

Written by Alexa Levine | August 15, 2023

Bots don’t take a summer vacation. They’ve already started prepping for their winter holiday haul. Cybercriminals use bad bots to set up their schemes in the weeks and months leading up to Black Friday/Cyber Monday, so they will be ready when the holiday season rolls around. Then, they can launch large scale attacks during major online traffic periods and sales events.

Their tactics include:

  • Harvesting sensitive data from breaches, leaky databases, phishing campaigns, and dark web lists 
  • Executing automated credential stuffing, carding, and brute force attacks to validate credentials, credit card numbers, and other PII 
  • Submitting fake leads and contaminating web engagement metrics 

Holiday season bot attacks result in chargebacks and revenue losses, wasted marketing spend, and inaccurate data that skews business decisions for months to come. 

Holiday Bot Trends

Knowing exactly what attackers are up to is the first step to stopping them. The 2023 Bad Bot Holiday Report details attack patterns that HUMAN witnesses during the holidays and provides best practices to strengthen your defenses in preparation for the heightened bot activity. Here are the key takeaways:

Cybercriminals start attacking e-commerce sites before the human holiday rush begins

In the months leading up to Cyber Monday, online retailers saw up to 199% more bad bot traffic than the yearly average. Looking specifically at the period from September to November, bot traffic surpassed the three-month average starting October 1 and remained elevated for the remainder of 2022. Human traffic, on the other hand, did not consistently increase until late October and didn’t reach its holiday peak until Cyber Week. 

Bots wreak holiday havoc across the board

Due to increased attacks leading up to and during the holiday season, web applications experienced more bot attacks in the second half of last year as compared to the first. In the last six months of 2022, carding attacks rose 161%, account takeover attacks rose 123%, and scraping rose 112%. Overall, bot traffic accounted for 46.2% of total traffic in 2022, more than half of which was malicious. 

Carding is a top threat to e-commerce retailers during the holiday season

In early November 2022, the percentage of malicious checkout attempts out of total checkout attempts rose 350%. The percentage of carding attacks out of total checkouts increased 900% in the days following Cyber Monday. This was likely due to bots continuing their attacks on e-commerce sites even after human traffic subsided.

Jingle Bots, Jingle Bots, Jingle All the Way

The holiday shopping season will always be a high target for bot attacks. However, other seemingly insignificant days are often prone to automated fraud as well. Here’s why bad bots are attacking in droves leading up to and during the holiday shopping season:

Online and mobile sales growth attracts attackers

Online spending is predicted to reach $1.3 trillion in the U.S. in 2023. Spend has steadily risen for over a decade, even after a global pandemic. As long as the money flows, e-commerce is a ripe target for cybercrime.

More stolen credentials and credit card numbers are at the disposal of cybercriminals

More than 24.6 billion stolen credentials are available on the dark web today. Over 65% of people reuse credentials across multiple sites, which means many accounts are vulnerable to account takeover. Furthermore, more than 6 million stolen payment cards are up for sale on the dark web today, 58% of which are from the U.S. Each of these compromised cards is a potential attack source for your business.

Legacy bot mitigation systems cannot cope with modern bots

Relying on legacy defenses leaves you vulnerable during the holiday shopping season. Today’s advanced bots impersonate real users with distributed IP addresses; they mimic human behavior and piggyback attacks on the valid identities and systems of real users. Fraudsters may have valid user credentials, enabling them to take over and exploit your users’ accounts without ringing alarm bells. Because they have legitimate-seeming accounts, they don’t trigger volumetric or IP reputation alarms and can evade commonly deployed signature-based defenses and web application firewalls (WAFs).

Get Ready for the Holiday Shopping Season

In the months leading up to Cyber Monday, the ebb and flow of bot traffic is better described as just the flow and bigger flow. So, what’s an online retailer to do? Get the Holiday Readiness Guide (no form fill required) for top tips to stop bots in their tracks.