Boxing Day bots: Threats to e-commerce and how to stop them

(Image credit: Shutterstock)

Black Friday may only be just behind us, but already the Boxing Day sales will be front of mind for retailers looking to end 2020 on a high. And it’s critical for retailers to find and take advantage of every opportunity this holiday season, especially online. Last year, Brits spent £100 billion during the holiday shopping season. With coronavirus depressing in-person shopping opportunities and more than 4,200 stores closing in the UK alone during 2020, the retail industry has had to transform as we ditch our cars for our keyboards.

Yes, this does present a fantastic opportunity for retailers in that there are new audiences who will be receptive to online shopping in a way they may not have been before. What’s more, shoppers may find that they’re buying more things online than they have in the past, e.g. groceries and toiletries. Retailers have a chance to win the loyalty of customers who’ve never considered or engaged with products or services like theirs.

But this growth comes at a price - when there are new audiences and new opportunities for success, there also follow new audiences and new opportunities for fraud. A common axiom in the anti-fraud business is that “fraud follows money”. And if more money is coming from shoppers less familiar with basic cybersecurity measures, then the fraudsters will be hot on their heels, trying to snatch a portion of that money.

About the author

Bethann Noble is Head of Product at White Ops

As 2020 comes to an end, there are a number of fraud models that both retailers and e-commerce companies should be aware of, each presenting different threats. These threats siphon thousands of pounds every day from leading retailers. What’s more, they have a dramatic impact on the way retailers are perceived by current and potential customers. When a consumer fails to complete a transaction because of a bot-based fraud scheme, it’s not the fraudster they blame, it’s the retailer.

Fraud models threatening retail and e-commerce

Sophisticated bots—and the fraudsters who deploy them—have a wide variety of attack vectors at their disposal, targeting different budgets or aspects of the e-commerce experience. Some of these models are more common than others, but each poses a distinct threat to a retailer, especially during a busy period like Boxing Day sales and return periods.

The damage that each style of attack is capable of varies widely: some attacks focus almost entirely on an organisation’s budget, seeking in large part simply to make a retailer waste money chasing ghosts. Others can have a more dramatic impact, depleting inventory and wrecking customer sentiment by making it impossible to purchase highly sought-after items.

But even if the bots are hitting a retailer where the public can’t see it, those bots are still making a holiday shopping strategy that much harder to carry out.

Re-targeting fraud
Many retailers have a retargeting tool in place - it’s a fundamental component in retail digital marketing. A cookied visitor is served ads throughout the web pertaining to the brand or items that they’ve looked at in the past. But if the person on the other side of those retargeting ads isn’t a person at all, that conversion rate is zero. And the money spent following that bot all over the web is money lost and performance metrics spoiled.

Today’s bots come from the personal devices we all use every day, and as a result, they carry with them characteristics that make them look human to the tools retailers need to succeed. Browsing histories, purchase histories, realistic patterns of use - all of these make today’s sophisticated bots hard to identify. Even if a contact has all the hallmarks of being a real person, it may still be a sophisticated bot. 

Those bots make their way into the marketing and advertising databases through lead-generation fraud. Bots will spy a form on your website and automatically fill out the information requested to gain access to whatever’s on the other side of the gate.

With email providers deploying new anti-spam and bulk mail measures all the time, the more bouncebacks that each email blast creates, the more damage is done to the email server’s reputation and the more likely that further emails from that retailer will be pulled into spam filters, even for real customers.

In addition, fraudsters will often arm their bots with thousands of real email addresses from a data breach, leading to numerous potential GDPR failures when the owners of these addresses suddenly start receiving communications they didn’t sign up for.

Inventory fraud
Inventory fraud occurs when bots swoop in at the launch date and snatch up high-value items before humans can possibly complete the process. Machines, as a general rule, work faster than humans ever could. And those items inevitably find their way onto third-party resale sites at an enormous mark-up.

And it’s not the fraudsters that are blamed in this situation - it’s the retailers themselves. Sentiment can turn rapidly from positive to extremely negative when a promised item becomes unavailable before a customer has a chance to complete the transaction.

Account takeover
Account takeover is a blanket term used to describe a number of different tactics, but the end result is the same: the owner of an account is no longer the person in control of the account. Rather, a fraudster can use any saved information—including credit card and other payment information—to conduct fraudulent transactions. The fraudster could also simply harvest that information for resale on a black market later.

And it’s often the retailer who’ll be blamed, not the user’s own insufficient cybersecurity tactics. The retailer’s reputation, in this way, relies in part on the customer’s personal data hygiene.

Fake/automated account creation
Imagine the advantage a fraudster can create for themselves on a limited-edition sale when they have a thousand accounts at their disposal instead of just one. Or imagine the lost margins a retailer will experience when a thousand accounts daisy-chain referral bonuses onto one another before purchasing big-ticket items. 

So what's the cost?

Accenture estimates that cybercrime cost UK businesses £8.7 million in 2019 with average annual costs up 31% from 2018.

Recent research indicates that retailers across the globe may be losing more to retargeting and lead-generation fraud than they might expect. A conservative estimate revealed that top retailers with e-commerce capabilities could lose as much as £15,000 every day to marketing fraud, with an additional £15,000 per day lost to costs of using tools that manage fraudulent contacts. That translates to more than £11 million lost to marketing fraud every year for those businesses.

And that number may get worse before it gets better: recent research from analyst firm Gartner revealed that while 53% of respondents expected a decline in their revenue in the next 12 months, 86% planned to increase their digital investment anyway, as businesses look to digital as the primary channel for commerce.

Taking the fight to fraudsters

All is not lost; the fight against sophisticated bots and their numerous attack vectors is still one that’s winnable, and it’s winnable by humans.

What it takes is investment in technology just as clever as the botnets described above which looks beyond the characteristics that make earlier generations of bots easy to uncover. It takes looking at behavioural and contextual signals that these bots and the devices they live on send out. They’re often very, very subtle, but they exist, and they make it possible for a bot-or-not determination to be made.

Bethann Noble is Head of Product at White Ops