With shrinking margins, economic uncertainty, and growing cyber risks from automated threats, retailers face continued challenges in 2023. Becoming proficient at navigating these obstacles is key to protecting retail profits. This article reveals effective strategies to safeguard brands’ customers, reputation and revenue moving forward.
2022 saw the fastest pace for inflation in decades. As consumers faced higher prices at the gas pump, grocery stores and other places, many cut back on their spending, increasing the competition among retailers. This was especially evident on Black Friday, when many merchants offered steep markdowns to compete. As a result of inflation, fierce competition, excess inventory and changes in consumer behavior, retail profit margins shrank.
While ecommerce businesses strategize on how to rebound in 2023, there’s another factor impacting margins completely independent of the economy. Specifically, bot operators continue to siphon retailer profits with increasingly sophisticated automated threats — including account takeover, web and API scraping and more.
According to the 2022 State of Bot Mitigation Report, nearly 70% of companies using anti-bot solutions lost revenue to bot-driven account fraud. Furthermore, 40% of respondents lost more than 10% of their revenue. Even the biggest retailers are losing significant amounts of money due to modern automated threats, which damages their brand and consumer trust.
1. Gift Card Cracking
Bots leverage automation to test millions of digit combinations to identify active physical and virtual gift cards. When valid gift card combinations are identified, they can be abused by quickly purchasing an item, transferring funds to another gift card, or selling the stolen cards at a discount. Oftentimes, the stolen cards are already spent before the gift cards are ever received. The retailer is left having to contend with unhappy customers while incurring the expense of gift card fraud.
2. Credential Stuffing and Account Takeover
Credential stuffing occurs when cybercriminals “stuff” stolen usernames and passwords at scale, taking advantage of the fact that consumers use the same credentials for different accounts. Once fraudsters obtain valid credentials, they automatically perform account takeover (ATO) in order to make unauthorized purchases or steal credit cards and loyalty points. ATO attacks cost retailers millions of dollars each year.
3. Web and API Scraping
Web and API scraping are often used by competitors to undercut retailers’ pricing and promotions. Bad actors also use scraping as the foundation for counterfeit websites — especially for luxury goods. They set up identical online shops on spoofed domains and launch paid search ads to sell discounted counterfeit goods. To make matters worse, these sites often contain malware, causing even more damage.
4. Fake Account Creation
Bots can create fake accounts at scale which are then used to abuse retail promotions. Examples include using fake accounts to receive offers only intended for new customers, or one-time discount codes. By automating the process to create new accounts, fraudsters can use these one-time signup offers over and over again and sell fake accounts to those who wish to get the discount. Fake accounts are often aged so they appear legitimate and circumvent validations during checkout.
5. Inventory Scalping
Threat actors employ scalper bots to quickly scoop up inventory on limited-edition or in-demand items, with the intention to resell on secondary marketplaces for a profit. Even the largest retailers have a difficult time managing scalper bots because of the massive infrastructure scale required to host them. Some retailers even say they lost money on their hype sale due to the cost associated with the bots. Freebie bots work similarly, but the items don’t have to be in-demand. Freebie bots exploit human errors on retail sites, enabling tens of thousands of users to automatically scan and purchase mispriced or misdescribed items.
Cybersecurity is typically viewed as a cost center to the business. When it comes to bots, however, effectively mitigating them instantly improves a retailer’s profit margins. Now retailers are rethinking their cybersecurity defenses for websites, mobile apps and APIs. Some of the key strategies include:
1. Invisible protection for optimal customer experience.
Shoppers expect a frictionless, optimized experience from login to checkout. However, CAPTCHAs continue to interrupt the user experience in an attempt to validate humans. CAPTCHAs have a negative effect on conversions, often by as much as 5%. Most CAPTCHAs and “visual challenges” can be easily bypassed using machine learning (ML) or human CAPTCHA farms. So the fraudsters win, and your customers lose.
New bot detection approaches rely only on invisible challenges that never impact the customer experience while achieving orders of magnitude reduction in false positives.
2. Maximize offload for cost savings and site performance.
It’s realistic for more than 30% of a retailer’s web traffic to be from malicious bots, and it can spike to over 99% during peak moments. Because of this, it’s shockingly expensive to process all of this fake traffic. Cloud computing, authentication, payment processing and chargeback costs all increase as a result of large volumes of synthetic traffic.
The more that can be done to stop fraud upfront, the more the cost of managing it downstream is reduced. New proactive defenses are available to achieve even higher levels of efficacy, reducing false negatives to provide maximum infrastructure offload and cost savings. Large retailers can save millions of dollars by improving the accuracy of their bot detection when compared to the status quo. By offloading unwanted bot traffic, website performance will improve. Even improving site speed by fractions of a second can generate large increases in conversions.
3. Let someone else take the fight to bots for you.
Fighting automated threats isn’t easy and often requires dedicated expertise to manage. It requires ongoing knowledge and time to continuously update defenses in an attempt to stay ahead of bots. Studies show that nearly two-thirds of the total cost spent stopping bot attacks ($500,000 on average) goes to management and remediation, and only one-third to the solution itself. All of this is exacerbated by the current cybersecurity talent shortage. Plus, there’s an unfortunate gray area as to who’s accountable for successful attacks when configurations aren’t updated.
Companies are embracing a “no management” approach to stopping cyberattacks. Such an approach allows retailers to focus on their business rather than defending it from bots. This dramatically reduces the total cost of ownership — increasing retailers’ profits without sacrificing protection or compromising brand integrity.
Retailers have never been more determined to improve margins. A key element will be creating a proactive security strategy to stay one step ahead of automated threats. With the right planning and foresight, retailers that prioritize bot defense will increase their competitiveness while reducing their risk and operating costs.
Neil Cohen is Chief Marketing Officer at Kasada. He is a versatile tech executive with 25 years of combined marketing, product management and engineering experience. Previously he was VP of Global Marketing at Akamai Technologies, where he ran worldwide marketing for a $1.3 billion cybersecurity and web performance business. Cohen also helped the organization double revenue and repeatedly launched new products and helped grow them into businesses exceeding hundreds of millions of dollars. His passion lies in bringing disruptive B2B technology to market and achieving rapid customer adoption. His diverse tech experience spans across many areas, including cybersecurity, cloud/edge computing, big data and blockchain.