During the Thanksgiving, Black Friday and Cyber Monday holiday shopping period in 2019, U.S. online retail sales hit $28.49 billion, up 17.7% from $24.21 billion the year before, per Adobe Analytics. During November 2019, Israeli startup PerimeterX found that 94% of total login attempts on e-commerce sites were malicious, and blocked them. This, in addition to many other global efforts, enabled companies to realize blockbuster online revenue surpassing $5 billion for the five-day period.

[Figure: ATO chart. In November 2019, 94% of total login attempts on e-commerce sites were malicious. Note: This graph is shown on a logarithmic scale.]

A glimpse of Black Friday and Cyber Monday levels of activity also occurred in March 2020, when spikes in e-commerce web traffic occurred in conjunction with stay-at-home orders across food and grocery, e-learning and hospitality, and fashion and home goods segments. But after the initial spike in traffic, there was a continuous, more gradual increase in traffic across segments. This is generally easier for e-commerce sites to handle because sustainable growth is much easier to prepare for than sudden spikes of double or triple the volume of users. Traditionally, on Black Friday weekend, these spikes occur at the end of Thursday, and then a few spikes happen during the day on Friday and during the day on Cyber Monday. This could change this year, with the potential for evenly elevated traffic throughout the holiday months.

Here are four ways e-commerce website owners should stay prepared:

1. Stop bot-driven fraud

  • Identify and categorize useful bot traffic and malicious bot traffic.
  • Block malicious bots and bot-enabled attacks, such as account takeover (ATO), carding fraud, scalping and web scraping attacks.
  • Protect against scalping bots during flash-sales and limited offers with a high degree of policy flexibility.

2. Keep customer experience fluid

  • Avoid user verification challenges that impact the user experience, and make sure you collect behavioral signals and utilize other "invisible" methods (bot detection and protection) to ensure a seamless experience for legitimate users.
  • Only when users are identified as malicious (or suspicious) should you use more intrusive tests to verify legitimate users.
  • When presenting these challenges, protect against CAPTCHA solvers, and make sure you utilize a solution that is friendly for your users.

3. Keep your customers protected

  • Verify that the security controls for first-party code work with the Continuous Integration/Continuous Deployment (CI/CD) process.
  • Deploy an application security solution, powered by AI and behavioral analysis, that analyzes client-side activity signals at runtime to protect against digital skimming attacks and reduce e-commerce fraud.

4. Protect conversion rates and revenue

  • Detect coupon browser extension pop-ups and injected ads interacting with your site through a shopper’s browser.
  • Block the ads and pop-ups that disrupt a shopper’s experience, hurt conversion rates and eat away at online revenue.

So as not to leave the millions of customers unprepared, here are some tips on how consumers can stay protected:

Tips for consumers

  • Use different usernames and passwords on all your apps. There are websites being compromised on a daily basis. Data from breaches two years ago are still the source of ATO attacks today.
  • Try to use credit cards where you can get a different number for each transaction. Monitor your card activity often, because if you can spot fraudulent charges early, you can minimize the consequences.
  • Be vocal about fraudulent charges. If you complain to merchants, they are more likely to see patterns in their user activity and take better care of your data.

According to The Wall Street Journal, “Retail executives said they are unable to forecast demand heading into the critical holiday shopping season,” due to a number of factors, including the uncertainty surrounding COVID-19. But one thing is certain: attackers will follow the money.

Written by Ido Safruti, Co-founder and CTO of PerimeterX, and Liel Strauch