Top 10 Bot Threats for ECOM

Smart Bot Verification

Top 10 Threatening Bots Every Ecommerce Site Needs to Know

“Ecom businesses make rich targets for bot attacks. Anywhere that goods and money exchange, is a good chance for cybercriminals to make money. Although a lot of the bot activity used to be targeted at major ecom sites, cyber criminals are now targeting smaller sites who don't have the luxury of a full time Chief Information Security Office (CISO) and dedicated security monitoring tools."
Bot Threats for E-Commerce platorms:

How to spot the major bot threats to ecom sites in 2023

In a post-lockdown society online shopping has seen an unprecedented surge in popularity, making the dangers posed by bots more prevalent than ever. In the dynamic world of e-Commerce, bots account for up to 50% of all website traffic. Although some bots are benign, others can wreak havoc on your online business. These malicious bots are operated by a variety of users, ranging from individual hackers, to formidable international criminal organizations. Therefore, it is more crucial than ever to effectively identify and mitigate the threats posed by bots as safely and efficiently as possible. 

This article will shed light on the top ten most menacing bots that every e-Commerce site must guard itself against.

E-commerce sites present a rich target for bad bots.

Attacks fall into two types: generalized bots that are just looking for vulnerabilities they can exploit, and custom programmed bots that specifically target your website with custom code. These generalized bots are usually easy to spot. They target the same sites over and over again, and have a digital signature that helps identify them as known bad actors. This generalized bot activity is by far the most prevalent on E-commerce sites. Once a bot has successfully breached the initial defences, the site is much more likely to become a candidate for a custom bot. The website has proven to have a poor initial security layer, which means it can be compromised.

Custom bots represent a small portion of the overall bot traffic, - but they do cause the most damage as they target your site’s particular business model for commercial gain. Since they are custom written or adapted for your site, they don't have a unique signature, and often elude basic WAF or IP reputation / fingerprinting anti-bot services. They can also pass CAPTCHA either programmatically, or using a human CAPTCHA farm. Even if you some basic bot protection, these bots will bypass it.

Early warnings of Bot activity


Cybercriminals use automated bot armies that crawl the internet looking for ecom sites with poor perimeter security. The bot armies probe and find vulnerabilities on your ecom platform. E-commerce sites are rich in potential opportunity - payment gateways, personal data, inventory, pricing, content, and customer accounts that may have gift cards, points, credits or be tied to a store credit card or other forms of credit.

These initial probing attacks are completely automated. The attackers are just loading in the domain names, and hitting the button, just as a car thief may walk down the street looking for an open car window, or a door that isn’t locked. If your website passes basic security tests, the bots will move onto the next target that offers easier pickings. This is where the importance of Zero Trust at the Network Edge comes in place.

Cybercriminals often aren’t even targeting your site specifically. For example, they may have lists of millions of credit card details, and just want to hi-jack a payment gateway to check if the cards are valid. If you allow automated bots to access your payment gateway page, further damage is much more likely to happen.

How do the Cybercriminal bots work?

The initial bots will perform a scan across your website and infrastructure looking for vulnerabilities. These crawler bots don’t seem to be harmful as they work in a very similar way to Googlebot and simply crawl each page looking for content. However, for the cybercriminals, this early reconnaissance work is far from innocent, as it can lead to a much more sustained and targeted attack, as shown below. Stop this reconnaissance activity, and you go along way to stopping a much more malicious targeted attack. Remember, we're not looking for a perfect cybersecurity defence - we just need to be a little better than some of our competitors!

The top ten bot threats.


1. Credential Stuffing

Credential stuffing is when bot attackers use lists of user credentials (i.e. logins and passwords) to hack into a system. The hackers, armed with a whole bank of compromised usernames and passwords from the Dark Web, relentlessly attempt to infiltrate customer accounts. Once the attackers infiltrate your account, they exploit personally identifiable information (PII), loyalty points, and other valuable assets for illicit resale on the Dark Web.

2. Loyalty Points Abuse

If you’ve ever noticed a sudden depletion in your hard-earned loyalty points with a brand online, you might have been a victim of this bot. Bot attackers can infiltrate your account through a credential stuffing attack (as described above), and then they can siphon off your accumulated rewards. This type of attack is a threat to both the e-Commerce platform and its users, and incurs costs for the business, as well as shattering the trust of loyal returning customers. The actual loyalty reimbursement cost is likely to be tiny, but the costs of managing what could easily be a PR disaster is often major.

3. Card Cracking.

Card cracking attacks involve automated injection of CV2 codes (the three-digit security code on the back of a bank card). Attackers are able to breach your credit card using extensive lists of stolen card details, which are readily available on the Dark Web. The bots are programmed with specifically designed software to test three-digit combinations until they guess their target’s CV2 code, and then are able to use the card for fraudulent purposes, or resale. These card cracking attacks are particularly costly and time-consuming for online retailers, as they must then scrutinize all transactions during the threats and attacks. 

4. Gift Card Cracking

Bots not only attempt to crack bank cards, but gift cards as well. They attempt to crack gift card codes for e-Commerce sites, to sell on at a fraction of their value in the online marketplace, or to use for fraudulent purposes. This again poses serious threat to an e-Commerce business, as it incurs costs and drives away loyal customers. 

5. Fake Account Creation

E-Commerce platforms oftne fall victim to fake account creation attacks. How many times do we see a sudden surge in fake account creation? How many times do we do something about them? Often they go un-noticed or are underestimated as risks. These accounts, however, are often used to mask more malicious activities which posed serious dangers to the ecom platform. The ensuing attacks included account take-over which is actual breach of the user login along with all the associated privacy and legal problems from a breached security incident.

6. Product Scalping

Product scalping is when automated bots purchase entire releases of an online business’s limited stock, causing availability issues and frustrating genuine customers, who then have to find and purchase the same products at inflated prices. For e-Commerce sites which offer limited edition items, product scalping attacks pose a particularly serious threat. Scalping is particularly rife in ticketing.

7. Inventory Abuse

Inventory abuse happens when relentless bots hoard large quantities of stock, rendering items on an e-Commerce site unavailable for genuine customers. E-Commerce sites which offer real-time stock availability are particularly attractive targets for this type of attack. This abuse significantly disrupts the operation of a business, and it is time consuming and costly for the business to repair the damage.

8. Price Scraping

Price scraping bots constantly crawl e-Commerce sites and are operated by internal teams, third-party providers, and even competitors. These bots can crawl into your e-Commerce site, and extract sensitive pricing data, leading to heightened competition and market challenges. These attacks also create traffic spikes that threaten site availability to customers and distort a site’s analytics. 

9. Skewed Analytics

Since scraping bots constitute a significant portion of e-Commerce website traffic, it’s crucial to maintain clean analytics reports, free from pesky bot traffic. Without clean analytics reports, skewed analytics, influenced by the scraping bots, can mislead vital business decisions. 

10. Application DDoS

Distributed Denial of Service (DDoS) attacks harness vast botnets to overwhelm servers, leading to severe slowdowns or site downtime. Application DDoS attacks target areas of application functionality that struggle under heavy loads, such as those requiring high processor usage, third-party integration, or complex database operations.  Application DDoS attacks can lead to a significant loss of potential customers and revenue - even a brief three second delay can cause 57% of visitors to abandon their shopping carts. 


VerifiedVisitors is a unique AI platform that provides hybrid-cloud bot protection to give you the peace of mind of Zero Trust at the Edge of Network. Our AI platform constantly checks for malicious bot activity and has automated dynamic rules that stop the bad bot actors however they try and change their stripes.

Managing the Surge of Menacing Bots

To effectively reduce the impact of malicious bots, e-Commerce businesses must adopt comprehensive bot management strategies. This approach is essential for safeguarding both businesses and valued customers from the perils of menacing bots in the digital landscape.

VerifiedVisitors Command & Control

Once VerifiedVisitors is active, our dashboard allows you to easily see all the legitimate activity of the bot visitors. After activating your VerifiedWatchList we can go ahead and block any unwanted and fake bots with confidence. We then do all the heavy lifting to ensure your bot visitors are constantly verified and your firewall is up-to-date.