“Bots” (short for robots) aren’t new, but they have become mainstream in recent years, accounting for more than 40% of all website traffic in 2017. Unfortunately, more than 50% of that traffic came from “bad” bots — threats that are part virus, part bot — that can be used to launch fraud attacks against e-commerce merchants.
When it comes to performing repetitive tasks, bots are perfect for the job. Bots enable Google and Bing to constantly crawl the web and index new pages at lightning speed; they’re also the helpful tools behind those pop-up messaging apps that answer questions and help customers place orders on e-commerce websites.
But bots can also cause great damage. Some bot attacks are fraud attacks designed for theft, while others are launched simply by hackers trying to sabotage a website. It’s important, therefore, for online retailers to recognize the signs of a fraud bot attack, so they can take steps to protect themselves.
Fraudsters can use bots to execute multiple types of attacks, including:
In a denial of service (DoS) attack, a hacker attempts to flood a website with phony requests, which brings the website to a near standstill and prevents legitimate users from accessing the website. Signs of a DoS attack include unusually slow network performance or the inability to access a website or specific web pages.
Hackers can use bots to hold valuable inventory in carts, which prevents legitimate customers from purchasing the inventory. This is a particular risk for merchants who deal in scarce or sensitive items, like tickets or collectibles.
E-commerce merchants might notice an increase in “customers” either checking gift card balances online or reporting lost gift cards. These requests might really be bots stealing funds from gift cards, leaving behind disgruntled customers.
Websites that require users to create password-protected accounts are vulnerable to bots that test stolen credentials to gain access. These bots can then lock out legitimate customers and commit fraud. Most e-commerce retailers routinely face account takeover attacks as often as two or three times monthly. But after a large data breach, this can triple, as bot operators know customers frequently use the same passwords across multiple sites.
Fraudsters can use bots to take advantage of merchants that offer promotions for customers who set up new accounts. These bad bots will rapidly create new accounts to exploit these promotion credits. The first sign of a problem for merchants is often decreased conversion ratios between new accounts and paying customers.
Merchants using payment processors are especially vulnerable to bad bots, which fraudsters can use to quickly test large batches of illegally obtained credit card numbers. For example, if the credit card information is incomplete, the bot can automatically fill in any missing data (like expiration dates or CVVs) with all possible combinations, rapidly submitting phony order after phony order until it hits the right information, which it then exploits to rapidly make a series of big-ticket fraudulent purchases.
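The card-testing pattern described above leaves two recognizable traces in checkout logs: one card drawing many CVV or expiry declines in a short time, and one source cycling through many different cards. The sketch below is an added example, not code from this article or from ClearSale; the record layout, the reason codes (`cvv_mismatch`, `invalid_expiry`) and the thresholds are assumptions to adapt to your processor's responses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; calibrate against your own normal traffic.
WINDOW = timedelta(minutes=10)
MAX_GUESS_DECLINES = 5      # CVV/expiry declines on one card inside WINDOW
MAX_CARDS_PER_SOURCE = 4    # distinct cards from one source inside WINDOW
GUESS_REASONS = {"cvv_mismatch", "invalid_expiry"}  # hypothetical reason codes

# Constructed sample log: (ISO time, source id, card token, processor result).
# Card tokens stand in for card numbers; raw PANs and CVVs are never logged.
ATTEMPTS = (
    [("2024-01-01T12:00:00", "s-legit", "tok_A", "cvv_mismatch"),
     ("2024-01-01T12:01:00", "s-legit", "tok_A", "approved")]
    + [(f"2024-01-01T12:05:{i * 10:02d}", "s-bot1", "tok_B", "cvv_mismatch")
       for i in range(6)]
    + [(f"2024-01-01T12:20:{i * 10:02d}", "s-bot2", f"tok_C{i}", "declined")
       for i in range(5)]
)

def detect_card_testing(attempts):
    """Return a set of (signal, subject) alerts from checkout attempts."""
    guesses_by_card = defaultdict(deque)   # card -> times of guess-type declines
    cards_by_source = defaultdict(deque)   # source -> (time, card) attempts
    alerts = set()
    for ts, source, card, result in sorted(attempts):
        t = datetime.fromisoformat(ts)
        # Signal 1: missing data being enumerated for a single card.
        # Keyed by card, so guesses spread over many sources still add up.
        if result in GUESS_REASONS:
            q = guesses_by_card[card]
            q.append(t)
            while t - q[0] > WINDOW:
                q.popleft()
            if len(q) >= MAX_GUESS_DECLINES:
                alerts.add(("enumeration", card))
        # Signal 2: one source working through a batch of different cards.
        s = cards_by_source[source]
        s.append((t, card))
        while t - s[0][0] > WINDOW:
            s.popleft()
        if len({c for _, c in s}) >= MAX_CARDS_PER_SOURCE:
            alerts.add(("batch_testing", source))
    return alerts

if __name__ == "__main__":
    for signal, subject in sorted(detect_card_testing(ATTEMPTS)):
        print(signal, subject)
```

A customer who mistypes a CVV once and then succeeds, like `s-legit` in the sample, stays below both thresholds.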
Sadly, fraud bots are becoming increasingly sophisticated, making them incredibly difficult to stop. So what can e-commerce merchants do to prevent the losses these fraudsters create?
When customers come to a brick-and-mortar location to pick up an order they placed online, confirm they are who they say they are by requiring the customer to present the email confirmation for the order, the credit card used for the purchase and a government-issued ID.
Ticketmaster implemented a Verified Fan system, which has resulted in a 90% success rate for tackling ticket-buying bots. Customers create an account by proving they’re a real person — submitting email addresses, phone numbers and shows they’re interested in attending. Ticketmaster uses artificial intelligence to review the applications and provide approved customers with a unique code that lets them purchase tickets for the requested shows. This has cut bots out of the loop, preventing them from purchasing tickets before legitimate fans have the chance to.
Many e-commerce retailers have built captchas — challenges that require customers to click on specific squares or retype distorted words and numbers — into their checkout pages to defeat bots. Unfortunately, bots have become advanced enough that captchas are no longer the deterrent they once were. So Nike tried something new with their recent release of a limited-edition pair of shoes: They required customers to scan (either in-person or online) and submit the menu of a specific New York City restaurant. It turned out to be a challenge that bots were unable to complete.
Even if e-commerce merchants aren’t the direct victim of a data breach, bots may try to use the stolen credentials on their sites, hoping the fraud victim used the same user name and password across multiple accounts.
Hackers are incentivized to maximize their financial returns after launching bots, and they’re constantly tweaking their strategies to circumvent any fraud protection strategies an e-commerce merchant might have in place. As a result, e-commerce merchants are finding it tough to keep up with attacks on their own.
To help defend your business against fraud bots, put a fraud protection solution in place that can help identify fraud before it affects your business. ClearSale’s all-in-one solution delivers a complete and effective fraud prevention strategy that maximizes approvals and minimizes fraud and chargebacks. Contact us today to learn why more than 2,000 companies worldwide trust their fraud protection to ClearSale.