Sep 15, 2022

Spot the Bot: 3 Signs You Have a Bot Problem

Your business may be experiencing a bot threat without your knowing it. Here are three ways to tell whether you have a problem.

If you own a business with an online presence, chances are that a significant portion of your website traffic is actually bots, not humans. In some cases, bots serve a valuable purpose, like Google crawler bots, which discover new websites. 

Unfortunately, malicious actors use this technology to automate cybersecurity attacks at an increasing rate. Historically, automated scripts — aka bots — were used to snag reservations at high-end restaurants, hoard concert tickets, or bid on eBay watchlists. Over time, technology has made it easier to create sophisticated bots that can exploit vulnerabilities while simultaneously reducing the operating cost. As a result, no industry is left untouched by the slow takeover of automated and often malicious traffic.

In 2021, a colossal 27.7 percent of all web traffic across the globe resulted from bad bot activity. But how can you tell if you have a bot problem? After all, you can’t fix a problem if you aren’t aware of it. And you absolutely want to fix a bot problem, as bots can ultimately cause decreased revenues and irreparable damage to your brand image.

The Invisible Bot War 

Malicious bots are used to scale cyber attacks to levels difficult for human effort to match, often robbing real customers of access and slowing down your site and/or apps. For example, bots can carry out the following attacks:

  • Credential stuffing: A method where the attacker configures a bot with fake IP addresses and attempts to log into multiple websites using stolen credentials. Successful logins are tracked, and bots scavenge for private information from any compromised websites.
  • Card cracking: A similar type of attack where bots conduct brute-force attacks to guess missing information on credit cards, such as the expiration date or three-digit card security code. 
  • Scalping: A process where bots compete with genuine users by securing access to products in high demand and creating inventory shortages.

If you feel like traditional approaches block today’s bots, you may be surprised to learn how closely they mimic human behavior, the lengths they go to avoid discovery by the most sophisticated detection software, and how much they affect your bottom line. Bots are as diverse in their assignments as they are in their approach, and it is worth the effort to familiarize yourself with the enemy. 

Because of how advanced some automated bad actors are, it may be hard to spot when you have been breached. The best approach is to prevent a breach from happening in the first place, but there are ways to tell if you have been the victim of a bot by working your way back from its aftermath.


Unexplained spikes in authentication errors 

Attacks such as credential stuffing and card cracking can result in numerous authentication errors. In the case of credential stuffing, bots rapidly run through password patterns, dictionaries, or common phrases until they gain access to an account, leaving a string of login failures in their wake. A higher-than-usual failure rate is a big red flag, as are multiple login attempts on different accounts within a short timeframe.

In card cracking, the bot often uses a stolen user account it already has access to and works through its list of stolen credit cards. In this case, a large number of payment processing failures can occur within a short amount of time. While humans sometimes make mistakes when entering credentials or payment information, a bot automates the task. Its brute-force technique may find valid combinations, but it will also produce many failures along the way.
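The two failure patterns described in this section can be checked with a sliding window over authentication and payment events. The following is an added example, not code from the article or from DataDome; the event fields, the 60-second window and the thresholds are assumptions chosen for illustration, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2022, 9, 15, 12, 0, 0)

def ev(sec, ip, account, kind, ok):
    return {"ts": T0 + timedelta(seconds=sec), "ip": ip,
            "account": account, "kind": kind, "ok": ok}

# Constructed sample events (documentation IP ranges, made-up accounts).
EVENTS = (
    # One source failing logins on 8 different accounts within 16 seconds.
    [ev(2 * i, "203.0.113.7", f"user{i}", "login", False) for i in range(8)]
    # A person mistyping a password twice, then succeeding.
    + [ev(5, "198.51.100.4", "alice", "login", False),
       ev(20, "198.51.100.4", "alice", "login", False),
       ev(35, "198.51.100.4", "alice", "login", True)]
    # One account trying card after card: 6 payment failures in 30 seconds.
    + [ev(100 + 5 * i, "192.0.2.9", "bob", "payment", False) for i in range(6)]
)

def failure_bursts(events, kind, group_by, window_s=60, min_failures=5, min_distinct=1):
    """Return {group: (failures, distinct accounts)} for the largest window in
    which failures of `kind` reach both thresholds (illustrative values)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # group -> (timestamp, account) still in window
    flagged = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != kind or e["ok"]:
            continue
        q = recent[e[group_by]]
        q.append((e["ts"], e["account"]))
        while e["ts"] - q[0][0] > window:
            q.popleft()
        seen = (len(q), len({a for _, a in q}))
        if seen[0] >= min_failures and seen[1] >= min_distinct:
            flagged[e[group_by]] = max(flagged.get(e[group_by], (0, 0)), seen)
    return flagged

def detect(events):
    return {
        # many failed logins from one source, spread over many accounts
        "credential_stuffing": failure_bursts(events, "login", "ip", min_distinct=5),
        # many failed payments on a single account
        "card_cracking": failure_bursts(events, "payment", "account"),
    }

if __name__ == "__main__":
    print(detect(EVENTS))
```

Because the bots described earlier spread their requests over many source addresses, a per-IP count can undercount an attack; the overall failure rate is the complementary signal.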

Rapid inventory reduction

Every business owner wants to see great sales numbers, but they need to make sure they’re selling to legitimate human customers. One warning sign of a scalper bot attack is online inventory being scooped up at a rate faster than any human shoppers could achieve. Comparing the conversion rate with the number of distinct concurrent users gives you a metric for identifying this case. This type of bot attack is particularly relevant when limited edition releases are made available for sale, such as sneakers or some game consoles.

This exact situation happened with the Sony PlayStation 5. During the heart of the pandemic, sites that listed the PS5 quickly sold out. In the process, they also experienced bandwidth problems and site crashes due to the pace of bot traffic. These scalping attacks left human shoppers unable to find a PS5 available for direct sale.

Sudden drops in conversion rates

A rapid decrease in conversions is also a warning sign of a bot attack. Bots masquerading as real human customers on e-commerce sites fill up their carts, hoard stock, and eventually abandon the cart to prevent actual customers from making a purchase. Once again, the metric to watch is the conversion rate in relation to web traffic. An abnormal surge in web traffic followed by a low conversion rate is a tell-tale sign of a bot problem. The idea is to create a climate of pseudo-scarcity, causing customers to switch to competitors. If left unchecked, a bot can do serious damage by running cycles of inventory shortages, which will earn you a reputation for never having enough inventory.
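Both inventory signals, conversions far above normal for the number of users and a traffic surge with almost no conversions, can be tracked against a rolling baseline. The following is an added example, not code from the article or from DataDome; the hourly figures are constructed, and the baseline length and thresholds are assumptions.

```python
from statistics import median

# Constructed hourly figures: (hour, distinct sessions, completed orders)
HOURLY = [
    ("09:00", 1000, 30), ("10:00", 1100, 33), ("11:00", 950, 28),
    ("12:00", 1050, 32),
    ("13:00", 4200, 29),   # traffic surge, almost nobody buys
    ("14:00", 5000, 31),
    ("15:00", 1000, 31),
    ("16:00", 1200, 300),  # limited release: orders far above the usual rate
]

def conversion_anomalies(intervals, baseline_n=4, surge=3.0, drop=0.5, spike=4.0):
    """Compare each interval with the median of the last `baseline_n` normal ones.
    All thresholds are illustrative assumptions, not values from the article."""
    normal, flagged = [], []
    for label, sessions, orders in intervals:
        rate = orders / sessions if sessions else 0.0
        verdict = None
        if len(normal) >= baseline_n:
            base_sessions = median(s for s, _ in normal[-baseline_n:])
            base_rate = median(r for _, r in normal[-baseline_n:])
            if sessions >= surge * base_sessions and rate <= drop * base_rate:
                verdict = "traffic surge, low conversion"
            elif rate >= spike * base_rate:
                verdict = "conversion spike"
        if verdict:
            flagged.append((label, verdict))
        else:
            normal.append((sessions, rate))  # only clean intervals feed the baseline
    return flagged

if __name__ == "__main__":
    for hour, verdict in conversion_anomalies(HOURLY):
        print(hour, verdict)
```

A flagged interval is a prompt to look at who was buying or browsing in that hour, since a genuine promotion can produce the same numbers.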

Bot attacks have become easier to deploy and therefore occur much more frequently. They can compromise the integrity of your website and deter customers from conducting business with you. Malicious actors with these automated attacks in their toolbox can cause security failures and lost revenue, all at the push of a button. They can relax and gain a financial advantage while you are left dealing with the devastating effects of bot attacks. Websites, mobile apps, or APIs without a comprehensive bot management solution are vulnerable. Before your organization suffers a loss of revenue and a scarred reputation, take a proactive approach to identify bots and protect your online business.

Benjamin Fabre
Executive Author

Co-founder and Chief Executive Officer, DataDome
