I was scouring some of the Black Friday ads this week, and the trend seems to be less “Black Friday” than “Black November and probably most of December, too.” Best Buy is touting, “Black Friday all season long.” Target offers weekly “Black Friday Now” deals. Walmart? “Black Friday Deals for Days!”
None of this is surprising. Given the challenges of going out shopping in the midst of a pandemic, moving more deals online and spreading them out over the month is a no-brainer for retailers. It’s also a no-brainer for bot operators, who now have weeks to find the most desirable merchandise and unleash the bots to snatch it up and resell it before eager human customers can place their orders. During the “Hackers vs. Execs” panel at the recent Forrester Security & Risk Forum, our guest hacker demonstrated how bot operators might ship merchandise to abandoned houses (likely those that had been on the market for a while) and then swoop in and receive the merchandise at delivery time. Security and e-commerce leaders must assume that attackers will employ similar techniques this holiday season.
To combat bot attacks during “Black Friday Deals for Days,” security pros must be in lockstep with e-commerce leaders. If the lines of communication aren’t already open, now’s the time: Set up a video call, and ask each other the following questions:
- Are we all aware of likely high-traffic times? Does the security team know when high-demand offers and flash sales are scheduled? If they do, not only can they watch closely for bad bot attacks, they can also throttle the good bots in favor of human traffic. If you have partner resale or aggregation deals that require a partner bot not be throttled (even during high-traffic periods), make sure the security team knows about those, too.
- What deals might be particularly attractive to bots? Yes, we’re asking you to do a risk assessment. What are you offering that’s going to be particularly interesting this year? Gaming consoles are always in vogue, but could outdoor heaters be unusually attractive as we approach a winter with more social distancing? Midway through 2020, bots were buying up toilet paper and hand sanitizer. We’ve (hopefully) gotten past that, but what’s next? E-commerce leaders: Alert the security team to any items that bots would especially target and when they will be on sale.
- Are we only worried about hoarding? What other types of bot-based fraud should you watch for this holiday season? Are competitors or unauthorized aggregators scraping your pricing and product data? Will gift card fraud be a concern in your business? Will adding inventory to shopping carts but not hitting “buy” mess up your supply chain? Could credential stuffing and account takeover frustrate potential customers?
- What are our defense options? Assuming that the security team has employed a bot management solution (right?), you have several options to fend off bad bots: blocking, delaying, providing fake data, sending bots to honeypots, and issuing challenges. Spend some time discussing which defenses are going to be most effective for different scenarios and what your goals are. Remember to account for legitimate user friction: How many customers will abandon shopping carts due to annoying challenges?
As the pandemic forces retailers to rethink their traditional Black Friday strategies, e-commerce and security pros also need to rethink their bot mitigation strategies. Check out Forrester’s bot management research for more information, and please book an inquiry with me if you’d like to speak further.