The 2020 Black Friday scrum will be online—and some of it automated
Andy Still, CTO at Netacea, looks at the issues online retailers may face this Black Friday.
2020’s Black Friday events are, like everything else in 2020, going to be different. Social distancing means that the usual viral media videos of unpleasant scrums as people fight for bargains won’t be available. We’re in for a more genteel start of the holiday season than in recent years.
But the bargain hunters will still be around. In fact, with straitened financial circumstances common, and retailers looking to make up for the rest of the year, we can expect the same scrum happening. Just not instore, but online.
Whether retailers launch their big push on Black Friday, Cyber Monday, or another day entirely, they will need to ensure that they stay online and available to make the most out of those visiting their sites—downtime will be a disaster. But it’s not just the traffic from real people they will need to look out for, but automated bot traffic too.
In 2019, 38.6% of Black Friday traffic to retail sites consisted of bad bots. More than a third of visitors are not only not looking to buy anything, but they are looking to commit fraud and subvert businesses in other ways.
How bots will take advantage of Black Friday
Retailers will likely be familiar with the methods used by automated bots to take over their customers’ accounts and commit fraud using stolen credit card details. But on busy days like Black Friday, there are other attacks that become more profitable than at other times.
Scraping
Scraping of prices by competitors, comparison websites and bad actors is common at any time, but on Black Friday what was a daily occurrence can happen multiple times an hour. What was once an annoyance but acceptable can quickly become a load capable of taking a site offline.
Inventory hoarding
When someone clicks on an item it ends up in their basket, ready for checkout and unavailable to anyone else. This is sensible as it means that no one can buy the same item twice. Unfortunately, it also means that any items in baskets can’t be bought. If this is done en masse by an army of bots, either by competitors looking to steal sales or just by mischief makers, then this can kill sales.
Brute force attacks
What better day to hide your attack on a site than on the busiest day of the year? Just like pickpockets and other criminals who will use the crowd to hide their activities, many bot users will wait until sites are extremely busy to launch their account takeover or similar method of brute force attack.
If sites are going to be busier this year than any previous year, then we can guarantee bot creators and users will be just as busy, looking to take advantage of the best time to hide their activities.
The need for speed
Black Friday has been notorious in the past for online retailers suffering issues. H&M was a victim of its own success last year, and NatWest had problems completing transactions, leaving both retailers and consumers frustrated. But it’s not all about uptime—speed is important too, and too many bots can mean a sluggish experience that can kill sales. Costco experienced this last year with so many advance orders leading to problems, and a banner had to be added on its website homepage informing customers that the website was “experiencing slow response times.”
Retailers may test their infrastructure for capacity and buy in extra capacity to deal with the problem, but many will only reckon with the real customers they expect, and not the bots that descend upon them. Bots can be more unpredictable, as only a few attackers can create a lot of traffic. If a site is inundated with bots, it can mean real customers end up with slow loading sites, errors, and an overall frustrating experience. And they won’t just look elsewhere on Black Friday. They’ll look elsewhere whenever they shop online.
The annual retail scrum that accompanies Black Friday may not happen this year, but a far less welcome influx will happen on websites unless retailers take steps to make sure bad bots don’t wreak havoc.
