Ecommerce sites around the globe will lose roughly $10 billion to cyberattacks this year, including bot and scraping fraud, according to a new report from New York-based cybersecurity firm Cheq and researchers at the University of Baltimore.
Out of the $585 billion that online retailers in the U.S. will rake in this year, $1.76 billion will be lost to similar forms of fraud, the researchers added. And while these bots are hitting sites all year round, the traffic and revenue spike that hits every holiday season means bots are extra busy this time of year.
“An almost unintuitive portion of the bots that we see day-to-day aren’t related to ad fraud at all,” Cheq CEO Guy Tytunovich said. “They’re bots that are aimed at doing something completely different, yet still malicious.”
These are low-level bots, aptly named “grinchbots,” scrape millions of dollars’ worth of tickets from sites like StubHub or buy out popular holiday gifts, only to resell them at a markup elsewhere.
There are also cases of distributed denial of service (DDoS) attacks, where sites get flooded with traffic by competitors and knocked offline during peak holiday shopping times. In 2016, for example, the digital retail behemoths Etsy and Shopify suffered lengthy and costly downtimes from these sorts of attacks.
According to a 2018 study from cybersecurity company Link11, ecommerce sites get hit with up to 70% more of these attacks on Black Friday relative to the rest of the month. On Cyber Monday, that figure spikes to more than 100%.
To arrive at the $10 billion figure, the Baltimore team looked at the average rate of bot attacks in the past, finding that roughly 6% ($207.18 billion) of the $3.4 trillion that ecommerce retailers will rake in this year would be from sites that are vulnerable to these sorts of attacks. Of that total, up to 5%—or $10 billion—will be directly lost either to missed sales, wasted man hours and customers fleeing the site after it stops working.
There is help on the horizon. Last year, Congress rolled out a bill that deemed shopping bots—grinch-like or otherwise—a criminal offense. Meanwhile, this month saw the U.S. House of Representatives open a massive investigation into ticketing sites worldwide, specifically to crack down on scalpers automating ticketing sales and undercutting consumers in the process.
But outside of wrangling legal action, the best thing ecommerce brands can do to keep themselves safe is just practicing good cybersecurity habits.
Tytunovich said digital merchants “shouldn’t be looking for the best marketing firm that specializes in cybersecurity; they should be looking for cybersecurity firms with marketing experience.”
“That goes for Ticketmaster, sure, but it also goes for mom-and-pop ecommerce setups as well,” he said.