Record level of malicious bot traffic contributing to rise in online fraud


Bad bots, software applications that perform automated tasks with malicious intent, accounted for a record 27.7% of all global website traffic in 2021, up from 25.6% in 2020, a report from Imperva reveals. The three most common bot attacks were account takeover (ATO), content or price scraping, and scalping of limited-availability items.

Bad bots are often the first indicator of online fraud and pose a risk to digital businesses, as well as their customers. In 2021, evasive bad bots — a group of moderate and advanced bad bots that evade standard security defenses — accounted for 65.6% of all bad bot traffic. This breed of bots uses the latest evasion techniques, including browsing random IP addresses, entering through anonymous proxies, changing identities, and mimicking human behavior to evade detection.

Bad bots enable high-velocity abuse and attacks on websites, mobile apps, and APIs. Successful attacks can result in the theft of personal information, credit card data, and loyalty points. For organizations, automated abuse and online fraud contribute to non-compliance with data privacy and transaction regulations. Bad bot traffic is increasing at a time when organizations are investing in improving the online customer experience. This has resulted in more digital services, new online features, and the development of expansive API ecosystems. Unfortunately, this array of new endpoints is a ripe target for automated attacks by bad bot operators.

“Enterprises cannot ignore the impact of malicious bot activity, as it contributes to more account compromises, higher infrastructure and support costs, customer churn, and degraded online services,” said Ryan Windham, vice president, Application Security, Imperva. “With automated fraud growing in intensity and complexity, advanced bot protection is essential to prevent the growing threat to digital businesses and consumers from bad bots.”

Main findings

  • Account takeover increased by 148% in 2021: In 2021, 64.1% of ATO attacks used an advanced bad bot. Financial services was the most targeted industry (34.6%), followed by travel (23.2%). The United States was the top source country for ATO attacks (54%) in 2021. The implications of account takeover are significant; successful attacks lock customers out of their accounts, while fraudsters gain access to sensitive information that can be stolen and misused. For businesses, ATO contributes to lost revenue, the risk of non-compliance with data privacy regulations, and a tarnished reputation.
  • Travel, retail and financial services targeted by malicious bots: The volume of attacks from sophisticated malicious bots was most notable in travel (34.2%), retail (33.8%) and financial services (8.8%) in 2021. These industries remain a prime target due to the valuable personal data they store behind user login portals on their websites and mobile apps.
  • The proportion of malicious bot traffic varies by country: In 2021, Germany (39.6%), Singapore (39.1%) and Canada (30.2%) experienced the highest volumes of bad bot traffic, while the United States (29.1%) and the UK (29.7%) were also above the global average (27.7%) for malicious bot traffic.
  • 35.6% of bad bots hide as mobile web browsers: Mobile user agents were a popular disguise for bad bot traffic in 2021, accounting for more than a third of all bad bot traffic, up from 28.1% in 2020. Mobile Safari was a popular agent in 2021 because bots exploited the browser's improved user privacy settings to mask their behavior, making them harder to detect.
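The evasion patterns the report describes (rotating IP addresses and identities, mobile-browser disguises, high-velocity account takeover attempts) leave traces in authentication logs that a defender can look for. The following is an added example, not code from the report or from Imperva: it runs two simple ATO heuristics over a constructed login-log sample, flagging a source that fails against many accounts in a short window and an account that is hit from many distinct IP/user-agent pairs. The log format, the thresholds and the sample lines are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login log (not from the report): "timestamp ip ua_family user result"
SAMPLE_LOG = """\
2021-06-01T10:00:00 203.0.113.5 MobileSafari alice FAIL
2021-06-01T10:00:01 203.0.113.5 MobileSafari bob FAIL
2021-06-01T10:00:02 203.0.113.5 MobileSafari carol FAIL
2021-06-01T10:00:03 203.0.113.5 MobileSafari dave FAIL
2021-06-01T10:00:04 203.0.113.5 MobileSafari erin FAIL
2021-06-01T10:00:05 203.0.113.5 MobileSafari frank OK
2021-06-01T10:05:00 198.51.100.7 Chrome victim FAIL
2021-06-01T10:05:20 198.51.100.8 Firefox victim FAIL
2021-06-01T10:05:40 198.51.100.9 MobileSafari victim FAIL
2021-06-01T10:06:00 198.51.100.10 Edge victim OK
2021-06-01T10:30:00 192.0.2.44 Chrome grace FAIL
2021-06-01T10:31:00 192.0.2.44 Chrome grace OK
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, ip, ua, user, result = line.split()
        rows.append((datetime.fromisoformat(ts), ip, ua, user, result))
    return rows

def find_ato_signals(log, window_s=60, max_fails=5, max_users=5, max_sources=3):
    """Return {ip_or_user: reason} for sources and accounts exceeding the (assumed) thresholds."""
    rows = parse(log)
    by_ip = defaultdict(list)    # ip -> [(ts, user)] for failed logins only
    by_user = defaultdict(set)   # user -> {(ip, ua)} over all attempts
    for ts, ip, ua, user, result in rows:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
        by_user[user].add((ip, ua))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        # credential stuffing: many failures or many distinct accounts from one source in one window
        for i, (start, _) in enumerate(events):
            in_window = [u for t, u in events[i:] if (t - start).total_seconds() <= window_s]
            if len(in_window) >= max_fails or len(set(in_window)) >= max_users:
                flagged[ip] = f"{len(in_window)} failures across {len(set(in_window))} accounts in {window_s}s"
                break
    for user, sources in by_user.items():
        # rotating proxies / changing identities: one account reached from many ip+user-agent pairs
        if len(sources) >= max_sources:
            flagged[user] = f"seen from {len(sources)} distinct ip/user-agent pairs"
    return flagged
```

The rate heuristic only counts failures, so a single successful login after a burst (as with `frank`) still leaves the source flagged; the second heuristic counts successes too, because the legitimate owner rarely logs in from four different browsers within a minute.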

The research concludes that no industry was immune to bad bot activity in 2021. While examples of bots hoarding popular game consoles or clogging vaccine appointment scheduling sites made headlines in 2021, any level of bot traffic on a website can cause significant downtime, degrade performance, and reduce service reliability.
