Sales peaks are no longer tied to seasonal events. Black Friday and the festive season aren't going anywhere soon, but product launches, promotions and limited-time sales now happen around the calendar.
The patterns have changed. Observers such as Deloitte (correctly) signaled that the uptick in sales that started on Black Friday 2020 would herald a month-long sales period for multichannel retailers, desperate to make up for sales lost during the pandemic. And with the movement to online shopping now par for the course, it seems like good news from all over. But it’s something that’s attracting attention not only from keen shoppers, but from bots.
Old problems seek new targets
With customer experience a key differentiator in today’s competitive world of eCommerce, businesses are constantly striving to make the user journey simple, smooth and safe for customers. But simplifying the process can leave a business open to bot fraud.
Anybody who has ever tried to buy tickets or get in on the ground level of an exclusive product drop will be familiar with the situation: before you’ve even had a chance to click the Buy button, the inventory has been cleaned out. This is often due to bots scalping products in high demand, forcing legitimate customers to purchase them at highly marked-up resale prices.
It's immediately clear that the only person winning here is the scalper or bad actor; one person buying up half the available stock to resell it causes customer frustration and negatively impacts the brand.
Until recently, tickets for concerts and events were a major focus for bad actors, as were limited-edition or in-demand product releases, something that anybody trying to get their hands on a PlayStation 5 might have discovered.
Fraudsters change their focus
With one revenue stream for bad actors – live events – all but taken off the table due to the COVID-19 pandemic, it’s the latter that’s become the primary area of activity for fraudsters.
There’s been a massive global shift from bricks-and-mortar stores to online shopping. Many consumers are relatively new to the world of online shopping, but with dwindling in-person options, they're forced to make their purchases online. A lack of experience on the part of shoppers could lead to reduced vigilance, or a reliance on weak authentication.
With sales and promotions in the mix, a lot of these purchases will be big-ticket items. This, coupled with extended periods of elevated shopping activity, is seeing the fraudsters retuning their bots for new targets. Rather than being forced to rely on those exclusive product releases, they’re seeing the opportunity to lucratively broaden their approach.
What are the attack vectors?
This is the problem: bad actors, unfortunately, are nothing if not adaptable. Their modes of attack vary according to the particular outcome that they’re looking to achieve and the strategy that will turn a profit for them. These can be subtly or wildly different; all of them spell bad news for businesses and customers if they aren’t stopped. And all of them bring risks.
Inventory fraud is the most common bot-based attack vector. As outlined earlier, bad actors use multiple identities and sophisticated bots to buy up the entire inventory of limited-edition or scarce items, and sell them on at a markup.
There are variations. If a product isn’t quite scarce enough to elicit a significant markup, they can use their bots to exploit vulnerabilities in e-commerce systems to create an illusion of scarcity by selecting items and leaving them in the basket.
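One way a retailer could surface the basket-hoarding variation described above, as an added example that is not part of the original article or any vendor's code. The basket-line fields, the `client_id` grouping key, the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample basket lines (not real data):
# (client_id, sku, quantity, minutes_in_basket, checked_out)
CART_LINES = [
    ("client-a", "console-x", 1, 3, True),     # normal purchase
    ("client-b", "console-x", 40, 95, False),  # large idle hold
    ("client-b", "console-x", 35, 90, False),  # same client, second basket
    ("client-c", "console-x", 2, 12, False),   # still shopping
    ("client-d", "sneaker-y", 1, 200, False),  # ordinary abandoned basket
]
STOCK = {"console-x": 100, "sneaker-y": 500}   # constructed stock levels


def find_cart_hoarders(lines, stock, idle_minutes=30, share_threshold=0.10):
    """Flag clients whose idle, unpurchased basket lines tie up at least
    share_threshold of a SKU's stock. Returns {sku: [(client, units, share)]}."""
    held = defaultdict(int)
    for client, sku, qty, age, checked_out in lines:
        if not checked_out and age >= idle_minutes:
            held[(sku, client)] += qty
    flagged = defaultdict(list)
    for (sku, client), units in sorted(held.items()):
        total = stock.get(sku, 0)
        if total <= 0:
            continue  # unknown or sold-out SKU: no share to compute
        share = units / total
        if share >= share_threshold:
            flagged[sku].append((client, units, round(share, 2)))
    return dict(flagged)


def releasable_units(lines, idle_minutes=30):
    """Units per SKU that a basket reservation timeout of idle_minutes
    would return to sale, regardless of which client holds them."""
    freed = defaultdict(int)
    for _client, sku, qty, age, checked_out in lines:
        if not checked_out and age >= idle_minutes:
            freed[sku] += qty
    return dict(freed)


if __name__ == "__main__":
    print(find_cart_hoarders(CART_LINES, STOCK))
    print(releasable_units(CART_LINES))
```

Because these bots operate under multiple identities, the per-SKU total from `releasable_units` remains informative even when no single `client_id` crosses the share threshold.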
Another major threat is the heightened risk of Account Takeover (ATO) fraud. 2020 saw an increase in new accounts being registered by first-time customers, and this will only continue to grow. Many of these will follow the path of least resistance, reusing passwords and credentials that they’ve used for other systems and accounts.
If these credentials have been exposed in a previous data breach, it makes these new accounts susceptible to bots using a credential stuffing methodology. And when the higher-than-normal number of new accounts being opened is factored in, the risk of fraud rises steeply.
What are the risks?
The financial impact of these bot attacks is obvious, but it’s not the only area where malicious bot activity can hurt businesses.
Reputational damage is a massive side effect. Customer experience is a primary concern for many businesses, and acceptable levels of fraud are often taken on board as the price of profit.
But that price is just too high. People are often buying with tight deadlines; if you can’t deliver the goods – literally – they’ll go to a competitor. And if their purchase is ruined by fraud, then you can guarantee that, in this day and age of social media proliferation, they’ll have the ear of the whole world.
Then there are the complications that can arise from compliance. Bots using stolen or synthetic accounts that contain real-world contact details can cause a regulatory headache. If a business follows up by communicating with customers who’ve had their ID stolen – and who didn’t opt in to GDPR / CCPA – it can fall foul of compliance regulations. That "acceptable loss of profit" will be dwarfed by some of the fines that businesses could face in this situation.
And further downstream is the potential budget impact. Businesses often spend significant amounts of money following up with customers and sales leads. A flood of fake accounts getting through the system can lead to serious expenditure on trying to stay in touch with potential customers who don’t even exist. Even if an organization routinely scrubs its database of fake contacts, it’s still an activity that carries an operational cost.
Fighting the identity crisis
The common thread in all of these scenarios is authentication – or rather, a lack of it.
We understand that convenience is a primary driver for customers, making it difficult to establish and maintain brand loyalty. Making the user journey as slick and easy as possible is a major differentiating factor for customers. But equally, we know that removing friction at the expense of security isn’t the answer.
The answer is to Start More Certain. A strategy that passively identifies the customer at the very outset of the journey reduces friction, builds trust and, importantly, keeps the bots at bay. Callsign’s technology takes an inherently welcoming and user-friendly approach, as opposed to the heavy-handed anti-fraud stance that users often encounter.
Callsign actively looks for traits and signs of fraudulent activity by bots (and other bad actors); but that all takes place under the hood. From the user’s perspective, the many authentication checks take place passively and unintrusively.
Our Intelligence-Driven Authentication (IDA) locks out even the most sophisticated of bots by analyzing not only the location and ID of a device, but also the behavioral biometrics of the user: how they Swipe and Type, the dynamics and velocity of keypresses or taps.
The (in)human element
Bots are not going to go away; quite the opposite. They have already broken out of the scalper sandbox. Lifestyle brand Supreme, whose marketing model depends heavily on limited-edition releases, has had to deal with the likes of SupBot, an iOS sniper app designed to help users beat other shoppers to the punch; in 2019, it became the number one paid-for app on the App Store.
That does blur the lines between legitimate consumer and scalper somewhat. But for the majority of consumers making purchases via more traditional channels, the ability to purchase the items they want on the first attempt, safely and securely, is the dealbreaker.
As more and more people make the shift to online shopping, the opportunities for turning first-time buyers into loyal customers are massive. By adopting a Start More Certain approach for your user journeys, you’ll be ensuring that the winners in this scenario are you and your customers, rather than the bots.