A Roadmap to Outsmart Bad Bots and Protect Customer Experiences This Holiday Season

While many holiday shoppers favor online experiences to avoid waiting in endless checkout lines or battling over parking spaces, many now face competition from a new challenger: automated bad bots. 

Bad bots are software applications that run automated tasks with malicious intent. Operating around the clock at incredibly high volumes, bots are becoming more sophisticated and use the latest evasion techniques to mimic human behavior that avoids detection. 

In 2021, an analysis of web traffic data by Imperva Threat Research revealed that four out of every 10 shoppers on a retail site were not human. During a peak holiday shopping period in November 2021, bad bot traffic increased by 73%, negatively impacting customers’ online experiences in the process.

While bad bots cause disruption across all industries, retailers are a prime target because of the valuable personal data they store behind user login portals on their websites and mobile apps. 


However, don’t assume all bots are bad; some automation makes tasks easier. For example, good bots can be programmed by reputable companies to “crawl” the internet to serve up relevant content for users. Good bots enable search engine results, web analytics, third-party aggregation sites and more.  

What Makes a Bot ‘Bad’?

Bad bots are programmed to perform a variety of tasks to conduct fraud online. Price scraping, account takeover and gift card abuse are just some of the ways bad bots impact the retail industry. In some cases, bad bots can hit websites in such large volumes that it overwhelms the site’s infrastructure and takes the website or application down with a distributed denial-of-service (DDoS) attack.

For retailers, inventory hoarding by bad bots has become a critical challenge to manage during the holiday shopping season. Bad bots quickly scoop up limited-edition products before legitimate shoppers have a chance to purchase them. The bot operators then resell the goods at a higher margin to make a profit.

These “Grinchbots” were responsible for the gaming console shortage in 2020 and early 2021. In response to the rise in bad bot traffic across ecommerce sites over the past several years, the United States Congress passed the Stopping Grinch Bots Act of 2021. 

Malicious traffic on a website impairs user experiences for legitimate shoppers. Organizations dealing with bad bots experience lost revenue and tarnished brand reputation. In addition to the financial losses, online retailers’ IT teams are left scrambling to respond to these disruptions, driving up infrastructure and support costs. The time they spend reacting to bad bots is time they could be spending on other critical revenue-generating initiatives. 

While the holiday shopping season should be a brand’s most profitable period of the year — more than one-third of businesses say sales rise in Q4 — bad bots threaten to disrupt these gains. As retailers prepare for the upcoming holiday shopping season, they need a strategy for managing the inevitable bad bot traffic that will land on their site.

A Roadmap to a Bad Bot-Free Holiday Shopping Experience

Luckily, retailers aren’t defenseless from the threat of bad bots. By taking a few proactive steps, brands can deliver a world-class customer experience while managing the impact of malicious automated traffic. The ideal strategy can be broken down into four steps:

1. Audit website framework: Through regular evaluations, security and fraud teams can locate functionality on their website and applications that could be a target of bad bot activity. This can include login credential portals, pricing displays, exposed APIs and more.

2. Evaluate traffic: Web traffic data can be an indicator of potential bad bot activity. High bounce rates, low conversion rates, unexpected traffic spikes to a specific URL and increases in failed gift card requests can all point to bad bot traffic.  

3. Review the calendar: Work cross-functionally to review the upcoming retail calendar and identify any sales events that could draw bad bots, from limited edition releases to Black Friday or Cyber Monday events.

4. Bolster digital defenses: Security solutions like two-factor authentication, web application firewalls and bot prevention software should be implemented to protect websites and applications from bad bots.

Get Ahead of the Bad Bots: Start Planning Now

As bad bot sophistication increases, consumers and retailers alike will bear the burden of the disruption. Expect to see another record-breaking year of bad bot traffic during the holiday shopping season. 

The key to a successful bad bot management strategy is to be proactive, not reactive. Don’t wait until your website or application is targeted. Instead, take time to understand and prepare now by deploying defenses and testing them to ensure they’re ready for Q4.  

With a strategic bot management roadmap guided by data and thoughtful technology deployment, retailers can protect their customer experience, their reputations and their bottom lines this holiday season.

Lynn Marks is Senior Product Manager at Imperva, overseeing the product and innovation roadmap for Imperva Advanced Bot Protection and Imperva Client-Side Protection. With more than 10 years of B2B security product experience, Marks helps customers protect their applications and websites from online fraud and other security threats. Prior to Imperva she was product manager at Model N and Distil Networks (acquired by Imperva). She holds a Bachelor’s Degree in Economics from UC Santa Barbara.

Feature Your Byline

Submit an Executive ViewPoints.


Access The Media Kit


Access Our Editorial Calendar

If you are downloading this on behalf of a client, please provide the company name and website information below: