
Study: Automated fraud poses substantial risk to online retailers

Ecommerce fraud is an ongoing threat.

A wide range of sophisticated cybersecurity threats pose a persistent challenge for the e-commerce industry.

According to “The State of Security Within E-commerce 2022,” a 12-month analysis by digital security provider Imperva, automated fraud techniques, including account takeover, credit card fraud, web scraping, API abuse, bots, and distributed denial of service (DDoS) attacks, threaten online sales and customer satisfaction.

During the past 12 months, Imperva research indicates nearly 40% of traffic on retailers’ websites came from bots, software applications controlled by operators that run automated tasks, including those with malicious intent. Of all the traffic analyzed on retailers’ websites by Imperva, nearly one-quarter (23.7%) was attributed specifically to bad bots designed to commit online fraud.

In addition, the study shows that the proportion of advanced bots — scripts that use the latest evasion techniques to mimic human behavior and avoid detection — on retail sites grew to 31.1% in 2021 from 23.4% in 2020. During 2021, bot-related attacks on retail sites rose 10% in October and another 34% in November, which Imperva says suggests that fraudulent bot operators increase their efforts around peak holiday shopping periods.

Account takeover (ATO) is another form of online fraud analyzed by Imperva, in which cybercriminals attempt to compromise online accounts by using stolen passwords and usernames. In 2021, 64.1% of ATO attacks used an advanced bad bot.

Of all login attempts on retail websites included in the study, 22.6% were malicious, nearly twice the volume recorded on sites across other industries. Attackers used leaked credentials 94.7% of the time in credential stuffing attacks targeting retailers, compared to 69.6% of the time in other industries.
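Credential stuffing leaves a recognizable shape in login logs: one source cycling through many different usernames in a short window with a high failure rate. The following detector is an added example written for this article, not Imperva's code or anything from the report; the log format, the thresholds (5 distinct users and a 60% failure rate within 60 seconds) and the sample lines are all constructed assumptions.

```python
"""Flag credential-stuffing patterns in login logs (added example, constructed data)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client IP, username, outcome.
# 203.0.113.7 tries eight different accounts in a few seconds and fails on seven;
# the other two sources look like ordinary users (one retries their own password).
SAMPLE_LOG = """\
2022-11-21T10:00:01Z 203.0.113.7 alice FAIL
2022-11-21T10:00:02Z 203.0.113.7 bob FAIL
2022-11-21T10:00:02Z 203.0.113.7 carol FAIL
2022-11-21T10:00:03Z 203.0.113.7 dave OK
2022-11-21T10:00:04Z 203.0.113.7 erin FAIL
2022-11-21T10:00:05Z 203.0.113.7 frank FAIL
2022-11-21T10:00:06Z 203.0.113.7 grace FAIL
2022-11-21T10:00:07Z 203.0.113.7 heidi FAIL
2022-11-21T10:00:09Z 198.51.100.4 alice FAIL
2022-11-21T10:00:30Z 198.51.100.4 alice OK
2022-11-21T10:05:00Z 192.0.2.9 bob OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed whitespace-separated format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 ip, user, outcome == "OK"))
    return events


def detect_credential_stuffing(events: list[LoginEvent],
                               window: timedelta = timedelta(seconds=60),
                               min_users: int = 5,
                               min_fail_ratio: float = 0.6) -> dict[str, dict]:
    """Return, per source IP, the first sliding window that looks like stuffing.

    A window is suspicious when it contains at least `min_users` distinct
    usernames and at least `min_fail_ratio` of its attempts failed. Thresholds
    are assumptions for the example; tune them against real baseline traffic.
    """
    by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            window_evs = [e for e in evs[i:] if e.ts - start.ts <= window]
            users = {e.user for e in window_evs}
            fails = sum(not e.ok for e in window_evs)
            if len(users) >= min_users and fails / len(window_evs) >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "failures": fails,
                    "attempts": len(window_evs),
                    "window_start": start.ts.isoformat(),
                }
                break  # first triggering window is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info}")
```

Note that the single successful login from the flagged source (`dave OK`) is exactly the outcome a defender cares about: a stuffing run that scores one hit is an account takeover, so the alert should trigger a forced re-authentication or password reset for that account, not just a block on the IP.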

APIs, or application programming interfaces, enable applications to share data and invoke digital services. Analysis by Imperva finds that traffic from an API accounts for 41.6% of all traffic to online retailers’ sites and applications.

Of that, 12% of traffic is directed to endpoints, such as a database-backed service, where personal data is stored (e.g. credentials, identification numbers, etc.). More concerning, Imperva research reveals that 3-5% of API traffic is directed to undocumented or “shadow” APIs, endpoints that security teams don’t know exist or no longer protect.
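A first step toward finding shadow APIs is to reconcile what the access logs show being called against the routes the team has actually documented, and to measure how much traffic reaches endpoints known to return personal data. The script below is an added example, not Imperva's tooling or anything from the report; the documented route list (modeled on the paths section of an OpenAPI spec), the `sensitive` flags and the access-log excerpt are constructed assumptions.

```python
"""Reconcile observed API calls against the documented route inventory (added example)."""
from __future__ import annotations

import re
from collections import Counter

# Constructed inventory: "METHOD /path" -> whether the route returns personal data.
# Bracketed segments are path parameters, as in an OpenAPI spec.
DOCUMENTED_ROUTES: dict[str, bool] = {
    "GET /api/v1/products": False,
    "GET /api/v1/products/{id}": False,
    "GET /api/v1/users/{id}": True,
    "POST /api/v1/login": True,
}

# Constructed access-log excerpt: method, path, HTTP status.
# The last three lines hit routes nobody documented.
SAMPLE_ACCESS_LOG = """\
GET /api/v1/products 200
GET /api/v1/products/1234 200
GET /api/v1/users/42 200
POST /api/v1/login 401
GET /api/v1/users/42/export 200
GET /api/v2/users/42 200
GET /api/internal/debug 200
"""


def route_to_regex(route: str) -> re.Pattern[str]:
    """Turn 'GET /api/v1/users/{id}' into an anchored regex matching one request line."""
    method, path = route.split(" ", 1)
    parts = []
    for seg in path.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")          # one path parameter, exactly one segment
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + re.escape(method) + " " + "/".join(parts) + "$")


def classify_observed(access_log: str, documented: dict[str, bool]) -> dict:
    """Count hits per documented route, per sensitive route, and per undocumented call."""
    compiled = [(route, route_to_regex(route), sensitive)
                for route, sensitive in documented.items()]
    documented_hits: Counter[str] = Counter()
    sensitive_hits: Counter[str] = Counter()
    shadow: Counter[str] = Counter()
    total = 0

    for line in access_log.splitlines():
        if not line.strip():
            continue
        method, path, _status = line.split()
        key = f"{method} {path}"
        total += 1
        for route, rx, sensitive in compiled:
            if rx.match(key):
                documented_hits[route] += 1
                if sensitive:
                    sensitive_hits[route] += 1
                break
        else:  # no documented route matched: a candidate shadow endpoint
            shadow[key] += 1

    return {
        "documented": dict(documented_hits),
        "sensitive": dict(sensitive_hits),
        "shadow": dict(shadow),
        "shadow_share": (sum(shadow.values()) / total) if total else 0.0,
    }


if __name__ == "__main__":
    report = classify_observed(SAMPLE_ACCESS_LOG, DOCUMENTED_ROUTES)
    print(f"shadow share of API traffic: {report['shadow_share']:.1%}")
    for call, n in report["shadow"].items():
        print(f"undocumented: {call} ({n} hits)")
```

Every entry in `shadow` is a question for the owning team: either the route belongs in the inventory (and under the same authentication and rate-limit policy as its documented neighbours) or it should not be reachable at all. Running this against a day of logs gives you your own version of the report's 3-5% figure.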

Attackers can use an API as a pathway for exfiltrating customer data and payment information. In 2021, API attacks increased by 35% between September and October, and then spiked another 22% in November on top of the previous months’ elevated attack levels as holiday shopping volumes increased.

A distributed denial of service (DDoS) attack is an automated threat that attempts to disrupt critical business operations by flooding the network or application infrastructure with malicious traffic. The attacks are often launched by a botnet, a group of compromised connected devices that are distributed across the Internet and operated by a single party. Imperva analysis found that 55% of websites hit by an application layer DDoS and 80% hit by a network layer DDoS were attacked multiple times. 


“The holiday shopping season is a critical period for the retail industry, and security threats could undermine retailers’ bottom line again in 2022,” said Lynn Marks, senior product manager, Imperva. “This industry faces a variety of security risks, the majority of which are automated and operate around the clock. Retailers need a unified approach to stop these persistent attacks, one that focuses on the protection of data and is equipped to mitigate attacks quickly without disrupting shoppers.” 

For more information, download The State of Security Within E-commerce 2022 report.
