Online bots are more of a nuisance than ever before, but as Amir Nooriala shows, they can be stopped.

Changes are afoot. Online shopping is still on the rise, and the loosening of social distancing measures is bringing opportunities such as live events back onto the table. That’s good news for consumers and businesses alike, but less welcome is the equal rise in bot fraud and online scams.

Over the last year we’ve seen huge increases in online scams affecting a multitude of industries. Our recent survey delving into this rise in online scams has shown that no one is safe, with 45% of consumers suggesting that simply receiving a scam message claiming to be from your company is enough for them to lose trust in your business (regardless of any real association with the message).

It’s an evergreen problem, and one that’s evolving rapidly. We’re all acutely aware of the issues bots pose in credential stuffing and data mining in the hope of accessing accounts for nefarious gain. To a point, authentication techniques such as OTPs have gone some way in preventing credential stuffing attacks. However, this is just the beginning of the problem bots pose to online retail, and organizations need to ensure their authentication is evolving at a quicker rate.


Right place, right time – every time

The evolution of the bot has been significant over the last few years. Now readily available on the app stores, bots are beginning to wreak havoc for brands, particularly those that specialize in large sales and limited-edition runs. After a quick download from the app store, your customers can become owners of limited-edition stock or even top the eBay bidding without being at their desks, all thanks to these bots using data injections to input checkout details including billing and shipping data. Whilst many of these bot users are likely to be genuine customers simply trying their hand and getting a slight advantage, it’s a different game when it comes to criminals operating at scale.

Scalpers have long been adept at using bots to buy event tickets in bulk to be resold for a greater price on reseller platforms. However, with opportunities diminished over the last year or so, and fueled by the increases in limited edition runs and new seasonal sales such as Black Friday, we’re seeing bots being used to clean out inventories of high-demand items for resale at a huge markup, as well as artificially creating an illusion of scarcity by selecting items and abandoning the transactions. While device fingerprinting is going some way in preventing such attacks, it’s not a failsafe solution and bots are evolving at a faster rate.

These issues aren’t leading to scarcity demand or hype around your product; they’re leading to customer frustration and loss of trust, which, if you read the start of this article, you’ll know is easier to lose than you’d think. And it doesn’t end there.

Old dog, new tricks

We’re all aware of how bots are also being used for Account Takeover (ATO) fraud, from social engineering through to loyalty point fraud. For many, second-factor authentication has been seen as a robust solution to manage the bot headache – until now.

The trouble is, bots evolve, and at the moment they’re outpacing authentication solutions such as one-time passwords (OTPs). The latest evolution of bots is designed to socially engineer victims into passing over their personal information: scripted programs are being used to call unsuspecting victims and convince them to hand over OTPs. With such advances already underway, it’s not just bots directly crawling your site that you need to be aware of; they’re bypassing you and heading straight for your customers.

We’re now at a stage where bots have bypassed current authentication solutions and we need to consider a more robust defense, one that combines layered intelligence.


So what can you do?

The common thread in all these scenarios is authentication. Often the challenge for retail businesses is balancing user experience with necessary security. With advances in digital technologies (just as there have been in bots), this needn’t be the case.

By adopting an approach that recognizes the customer from the first interaction, organizations can Start More Certain. A strategy that passively identifies the customer at the very outset of the journey reduces friction, builds trust and, importantly, keeps the bots at bay.

Technologies that use layered intelligence (such as Callsign) combining traits such as device fingerprinting (that isn’t reliant on cookies) with behavioral biometrics such as keystroke dynamics will help to ensure that not only are bots detected, but they are also blocked from being able to access systems.

This same protection can be applied to guest checkout experiences, such as being able to detect (from input methods) whether a user is genuine or fake. Even aspects such as location can play a role in detecting customer fraud.

Bots aren’t going away; in fact, we’ll need to learn to live with them. The challenge is balancing fraud with customer satisfaction. It’s not something that will be solved overnight but, with the right digital technologies, it’s certainly going to be a lot easier.


This article was also published in The Retailer, our quarterly online magazine providing thought-leading insights from BRC experts and Associate Members.