This blog post is part of Forrester’s Holiday 2019 retail series.

Automated traffic is now almost 40% of internet traffic, and bad bots account for over half of automated traffic.[i] Our digital business retail researcher Madeline Cyr recently interviewed me to help retailers understand the threat that bot traffic poses during the holiday season.

Q. What is the difference between good bots and bad bots?

A bot is a piece of automated software that runs a task on your website. An example of a good bot is a Google crawler that scans your website to make it searchable. You want to allow good bots like these because they help users find your site.

Bad bots automate nefarious activities on your website. A common example is a bot pretending to be a legitimate visitor to your site by clicking through on advertisements; this results in wasteful advertising spend with zero return. Bad bots are readily available to cybercriminals and are customizable, continually changing based on motivations or to avoid discovery.

Q. What are some ways that bad bots could ruin a retailer’s Black Friday?

There are several ways bad bots might try to take advantage of retailers on Black Friday and throughout the holiday season:

  • Inventory hoarding and checkout abuse bots take advantage of retailers running offers with limited availability. They take advantage of Black Friday specials such as limited release of specialty products or deals such as free gifts for the first 10,000 orders. These bots buy the entire supply and then resell at a higher price or hold the supply in their carts so no one else can access it. There has even been legislation to stop “grinch bots” that are notorious for hoarding and reselling the season’s most popular toys.[ii]
  • DDoS (distributed denial of service) attacks pose a huge risk to retailer websites on high traffic days like Cyber Monday and Black Friday. Bots will orchestrate targeted DDoS attacks, which flood websites with traffic and cause performance degradation or website crashes.
  • Gift card fraud is another attack avenue that bots use against retailers during the holidays. Bots will attempt rolling combinations of gift card numbers and stolen PINs to steal legitimate gift card balances and purchase products.
  • Credential stuffing attacks occur throughout the year but are also a risk during the holiday season. Criminals will purchase stolen username/password credentials and use bots to attempt to access other sites with those same credentials. Since many consumers use the same password for multiple sites, this is a successful attack that allows attackers to take over customer accounts.

Q. How do bad bots ruin legitimate customer experiences?

For each of the examples above, there is a bad customer experience attached:

  • Hoarding and checkout abuse bots decrease brand reputation and experience when customers are disappointed about missing the deal or are forced to go to sketchy third-party websites to buy this season’s hot toy or limited release item.
  • When you have heavy bot traffic on your website, you either need to pay higher-than-normal infrastructure fees or make your customers face poor performance. If performance is poor or a DDoS attack causes a site to crash, consumers become so frustrated that they forgo a purchase.
  • A customer who has fallen victim to gift card scam or a credential stuffing attack will likely lose all trust in a retailer if it’s not resolved in a fast and systematic way.

Q. What can you do to secure your site from bad bots?

Bot management tools are the best way to protect yourself from bad bots. Web application firewalls (WAFs) are not enough to protect you from bots; they offer limited protection against credential stuffing and cannot address hoarding, checkout abuse, fraud, or high traffic volumes. Bot management tools will also help you differentiate good bot traffic from bad and even temporarily throttle good bot traffic if it’s degrading performance (that’s important on days like Black Friday, when you want to prioritize traffic from the hordes of eager, legitimate customers). To learn more, please see our report “Stop Bad Bots From Killing Customer Experience.”

By limiting bots, you not only mitigate the risk of inventory hoarding, gift card fraud, and DDoS but also get cleaner data on your marketing campaigns to help you understand what humans are really doing on your website.

[i] Source: “[Infographic] The Ugly Truth About Bots in 2019,” Distil Networks (

[ii] Source: “H.R.7160 – Stopping Grinch Bots Act of 2018”, (