June 16, 2022
How bots are stealing your customers, your inventory – and your reputation
By Alex Forss, Commercial Director, Callsign
Bots are one of the main weapons of choice of bad actors, particularly for malicious activities such as account takeover fraud (ATO) and identity theft. Versatile and adaptable, bots can stage a wide range of malicious activities, ranging from credential stuffing attacks using information exposed in data leaks to the creation of multiple online identities.
But bots are also pivotal for another threat vector: inventory fraud. And it’s one where a mounting number of customers are also getting in on the act, with scalper and sniper bots blurring the lines between opportunism and fraud.
Bots widen their net
Bad actors had already made incursions into the retail arena, particularly for limited-edition runs of products with a high resale value, such as sneakers. As purchasing habits changed to primarily online, the fraudsters upped their game.
Nowhere was this more evident than in the marketplace for gaming consoles and GPU cards. With production impacted by a global chip shortage, fraudsters have been staging heavily organized bot attacks, meaning that genuine customers stand little or no chance of buying the items at the real price.
Attacks on multiple fronts
The situation is complicated by the fact that there are a variety of approaches that bad actors employ.
The first – and most prevalent – is AIO (all-in-one) bots. These can scan thousands of websites every second, looking for an item to drop into stock. The instant it does, they’re able to clean out the entire inventory, as they’re pre-loaded with multiple accounts and cards.
A variation on this inventory fraud is bots that exploit failings in e-commerce systems to create an illusion of scarcity by selecting items and leaving them in the basket. They can then hold these items until a bid from a third party triggers the purchase, or the bad actor might simply sell the checkout slot for a fee.
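One way an e-commerce backend can close the basket-hold gap described above is to treat a basket line as a time-limited, session-bound stock reservation: held units return to stock when the hold expires, a per-account cap stops one set of accounts from hoarding a limited run, and checkout is refused from any session other than the one that created the hold, so a held slot cannot be resold. This is an added illustration, not Callsign's or any retailer's code; the hold window and per-account cap are assumed policy values.

```python
import time
from dataclasses import dataclass, field

HOLD_SECONDS = 600          # assumed policy: basket hold expires after 10 minutes
MAX_UNITS_PER_ACCOUNT = 2   # assumed policy: cap per account for a limited-run SKU


@dataclass
class Reservation:
    account: str
    session: str
    units: int
    expires_at: float


@dataclass
class LimitedItem:
    sku: str
    stock: int
    holds: dict = field(default_factory=dict)   # reservation id -> Reservation
    next_id: int = 0

    def _expire(self, now):
        # Release every hold whose window has passed back into sellable stock.
        for rid, r in list(self.holds.items()):
            if r.expires_at <= now:
                self.stock += r.units
                del self.holds[rid]

    def held_by(self, account):
        return sum(r.units for r in self.holds.values() if r.account == account)

    def reserve(self, account, session, units, now=None):
        now = time.time() if now is None else now
        self._expire(now)
        if units < 1 or self.held_by(account) + units > MAX_UNITS_PER_ACCOUNT:
            return None                       # would exceed the per-account cap
        if units > self.stock:
            return None                       # not enough unreserved stock
        self.stock -= units
        self.next_id += 1
        self.holds[self.next_id] = Reservation(account, session, units, now + HOLD_SECONDS)
        return self.next_id

    def checkout(self, rid, session, now=None):
        now = time.time() if now is None else now
        self._expire(now)
        r = self.holds.get(rid)
        if r is None or r.session != session:
            return False                      # expired hold, or a resold checkout slot
        del self.holds[rid]                   # units leave stock permanently
        return True

    def available(self, now=None):
        now = time.time() if now is None else now
        self._expire(now)
        return self.stock
```

The `now` parameter exists so the expiry logic can be exercised deterministically; a real deployment would also persist holds outside a single process.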
And of course, ATO and credential stuffing are still factors, and essential ones for the fraudsters: successful inventory fraud relies on them having huge portfolios of accounts at their disposal. With merchants expecting a flurry of new accounts to be created at the time of a product launch or a peak sales season such as Black Friday or Christmas, it’s easy to see how many of these can slip through undetected.
We spoke to Jordan Harris, Senior Director of Fraud Prevention at iHerb, about the growing bot problem, and he stated: “Bots are a major and rising problem for all organizations. They are creating shell accounts to abuse promo offers, hitting gift card balance checkers to brute force cards, hitting refund requests, and still data scraping. Refund abuse right now is probably costing your company more than any fraud losses are. It’s important to monitor places you might not normally think about. Bot abuse can hit almost any place there is an exploit of any kind, and the fraudsters will find it.”
The huge upswell of scalper and AIO bots has elicited a strong response from customers. Many have felt that the retailers have been complacent – or even complicit – in allowing the bad actors to get away with these frauds. It’s unsurprising, then, that some have decided to get in on the act themselves.
At first glance, the Apple and Android app stores are packed with a huge range of sniper bots available for purchase or hire on a Robot as a Service (RaaS) basis, allowing consumers to take on the organized scalpers at their own game.
But only at first glance. Supply and demand is very much at play here too, and the bots themselves are changing hands for escalating fees, with one bot valued at $350 being brokered for over $6000. The result is still the same; those with access to the money and resources win out, and the average customers are left out in the cold.
Counting the cost of bot fraud
For businesses, that’s perhaps the most serious aspect of the matter. Many customers feel that their complaints fall on deaf ears, and that a retailer is happy as long as it makes a sale. That’s seldom the case (after all, the merchants aren’t the ones benefitting from an item eventually selling at a 1000% mark-up), but the perception is damaging in itself, since it narrows the odds of those customers being willing to do future business with the company.
Consumers have other outlets for their frustrations. Major product launches attract a lot of attention from the press, who will be quick to ask questions about why social media is awash with complaints from dissatisfied customers who have fallen afoul of inventory fraud. The reputational damage from allowing it to happen is potentially massive.
There’s another significant impact to a business’s revenue. The increased traffic from bot activity can put a massive load on a company’s infrastructure, and it’s not uncommon for servers to buckle under the pressure, locking out all other regular transactions. Businesses may find themselves facing the choice between lost transactions or paying for additional servers or microsites to manage the traffic loads. Harris again adds “I think a lot of people don’t realize how much they are paying in things like AWS fees just letting bots get to their site and attempt to log in or go page by page scraping data. Eliminating that traffic ‘noise’ can lower your costs in those areas too.”
How businesses can fight back
There’s an element that’s common to every form of bot fraud, and that’s authentication – or rather, a lack of it. With time being the critical factor, bots have to bypass whatever authentication mechanisms a business has put in place; and if that’s limited to a username and a password, it’s not going to present too much of a challenge.
Harris also shared his thoughts on how companies can help solve the bot problem: “Most engineering solutions are to slap a captcha or some form of interdiction into the process to help separate people from the bots, but that leads to customer frustration and site abandonment - when they have to click 15 squares that 100% were a boat! People need to look at the larger picture of the session - from first touch to check out and look for passive signals. Only then should you introduce friction as needed. It should not be a static experience for all customers.”
Businesses are in a tricky situation. Customer experience is a primary concern but there is also reluctance to introduce any unnecessary friction to the customer journey. In fact, it’s not uncommon for businesses to take on a certain level of fraud as the price of doing business. Harris says “It’s important to understand that each business has a different risk appetite. You don’t want to be putting friction up or blocking fuller percentage points of your customer base in an attempt to maybe save yourself a couple basis points in chargebacks. If your business is in a competitive space a single false positive could have a large ripple effect on repeat customer business.”
But with bots continuing to proliferate in every way, that price might turn out to be just too high; and that’s a risk no business wants to take. Fortunately, you don’t have to. Callsign provides the technologies that keep businesses secure from any form of bot attack – silently and passively.
Our intelligent bot detection checks for threats such as bots and malware, ensuring that the device isn’t compromised, and gives you full confidence that activity is not being initiated by a sniper bot. And because Callsign’s device recognition doesn’t rely on cookies, legitimate customers are welcomed back even if they’re using a different browser.
Going hand in hand with that, our positive identification technology ensures that those purchases are coming from genuine customers – whether that’s from a logged-in user or a customer opting for guest checkout. By combining device and threat intelligence with our Muscle Memory Technology behavioral biometrics, you’re able to recognize your users from their unique patterns of typing, swiping and gestures – patterns that no bot is able to emulate.
That means that it’s your genuine customers who are able to make those critical purchases, with a smooth and seamless checkout experience – and it’s the scalpers and fraudsters who are the ones left empty-handed.
It’s important to remember that fraudsters are opportunists; and opportunists will always follow the path of least resistance. Bot fraud might not be going away any time soon; but Callsign can help you make sure that it at least goes somewhere else.
Learn more about the threats posed by bots – and how Callsign can help you defend against them.
Callsign makes digital life smoother and safer by helping organizations establish and preserve digital trust so people can get on with their digital lives. The first true representation of identity online, Callsign positively identifies users by their unique characteristics, replicating real-life recognition signals with AI models. The only solution to identify people across every journey, channel, and brand, Callsign makes digital identification seamless and secure, helping drive business growth.