
Exclusive: Here’s how to avoid letting bots ruin your business

Identifying the customer at the very outset of the journey reduces friction, builds trust, and importantly, keeps the bots at bay

Authenticating online has become an arduous process with unnecessary friction that turns customers away.

Inventory fraud is the most common bot-based attack.

Online organizations need to avoid asking users to verify their identity repeatedly.

With customer experience being a key differentiator in today’s competitive world of e-commerce, businesses are constantly striving to make the user journey simple, smooth and safe for customers. But simplifying the process can leave a business open to bot fraud.


In an exclusive interview with Rob Campbell, Product and Industry Marketing, Callsign, we elaborate on this topic.  

1- How have customer experience patterns changed in UAE e-commerce?

In today’s competitive world of e-commerce, customer experience is a key differentiator, and businesses are constantly striving to make the online user journey simple, smooth, and critically – safe.

There’s been a massive shift from brick-and-mortar stores to online shopping. In the UAE alone, e-commerce transactions have doubled compared to 2019, and by February 2021, e-commerce spending had increased by 30% year on year too. For retailers, e-commerce presents opportunities to reach more customers, increase sales, and boost revenues. 

And because it’s much harder to prove a consumer’s identity online and easier for fraudsters to pretend they are someone they’re not, fraud has grown as a consequence.

In 2020, research shows that 83% of UAE businesses had seen a change in cybercrime, with 50% saying phishing scams had increased, and 38% saying general online scams had increased.

Many businesses also had to quickly pivot online and so have only digitized analog processes, rather than re-thinking their customers’ experience in digital terms. Take the password as an example. It was invented 60 years ago and not designed for ubiquitous use online. It is an inherently weak form of authentication. 

Customer experience is therefore poor, and authenticating online has become an arduous process with unnecessary friction that turns customers away. It’s a Catch-22 for businesses: increase security and risk customer churn and growth, as evidenced by research from Decibel, which found that 70% of customers abandon purchases because of a bad user experience.


2- What are the different types of fraud caused by bots in the UAE?

There are many types of bot fraud, and we see the UAE impacted by the same global attacks.

Inventory fraud is the most common bot-based attack. Bad actors use multiple identities and sophisticated bots to buy up the entire inventory of limited-edition or scarce items and sell them at a markup.

However, there are more variations. Suppose, for example, a product isn’t quite scarce enough to elicit a significant markup. In that case, the fraudster can use their bots to exploit vulnerabilities in e-commerce systems to create an illusion of scarcity by selecting items and leaving them in the basket.

Another major threat is the heightened risk of Account Takeover (ATO). 2020 saw an increase in new accounts registered by first-time customers, which will only continue to grow. 

The frequency and severity of data breaches have given bad actors ample opportunity to undertake ATO attacks. 

Fraudsters will often harvest corporate data breaches and, where possible, store username and password combinations on ‘pay to access’ databases in the Dark Web. A bad actor can buy, then use a bot to ‘stuff’ these credentials into every login screen they can find. 

Given that most users will reuse usernames and passwords on multiple sites, this is a cheap and efficient way for bad actors to hack an account.  

3- How can bots ruin your business and what to do to combat them?

The financial impact of bot attacks is obvious, but it’s not the only area where malicious bot activity can hurt businesses.

Reputational damage is a massive side effect. Customer experience is often a primary concern for many businesses, and it’s expected that acceptable levels of fraud are often taken on board as the profit price.

But that price is just too high. People are often buying with tight deadlines; if you can’t deliver the goods, literally, they’ll go to a competitor. And if their purchase is ruined by fraud then you can guarantee that an angry customer will complain on social media where they will have the ear of the whole world.

Further downstream, there is a potential financial impact. Businesses often spend significant amounts of money following up with customers and sales leads. A flood of fake accounts getting through the system can lead to serious expenditure on staying in touch with potential customers who don’t even exist. So even if an organization routinely scrubs its database of fake contacts, it’s still an activity that carries an operation cost.

4- How to fight the identity crisis?

We need to stop digitizing old processes and start designing for the digital world we live in. We can fix digital identity and deliver great user experiences by using technologies such as passive behavioral biometrics which collects multiple data signals with minimal friction while ensuring bad actors are prevented from stealing customers’ identities.

Maintaining optimal user experience through the passive collection of information means thinking about digital identity in purely digital, not digitalized, terms. It requires the portability of identity across both devices and channels, including web, mobile, and open banking, because that’s how consumers behave online.

Using machine learning models and artificial intelligence, organizations can use real-time data to confirm the user’s identity. If a customer is using their own device, interacting with that device in their usual way, and is in a location that makes sense (such as their home or place of work) we can be pretty certain that they are who they claim to be and access can be granted with minimal risk. If, however, something unusual is detected such as a login attempt from another country or an unusual program running in the background of the user’s device, security can be added to prevent a breach. 

Online transactions can be secured using these passive data signals. They don’t damage the customer experience and they are far more performant than legacy security processes like authentication via password and SMS OTP. 

Online organizations need to avoid asking users to verify their identity repeatedly and relying on physical authentication checks, and move to a passive approach that puts identity at the heart of every transaction, facilitating a more holistic and intelligent view of the customer.
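The passive checks described in this answer (own device, usual interaction, sensible location, no unusual program) can be sketched as a comparison of each session against a per-user baseline. This is an added example, not code from the interview or from Callsign; the field names, the z-score threshold and all baseline and session values are constructed assumptions, and the typing check is a deliberately simple stand-in for behavioral biometrics.

```python
from statistics import mean, stdev

# Constructed per-user baseline (all values are assumptions).
BASELINE = {
    "devices": {"dev-a1", "dev-b2"},
    "countries": {"AE"},
    "key_intervals_ms": [182, 175, 190, 168, 185, 179, 188, 172],
}
Z_THRESHOLD = 3.0  # assumed cut-off for "not typing like this user"

# Constructed sessions.
USUAL = {"device_id": "dev-a1", "country": "AE",
         "key_intervals_ms": [180, 177, 186, 174]}
TRAVEL = {"device_id": "dev-a1", "country": "GB",
          "key_intervals_ms": [181, 176, 184, 178]}
BOT = {"device_id": "dev-zz", "country": "GB",
       "key_intervals_ms": [12, 11, 12, 11], "remote_access_tool": True}

def typing_z(baseline, observed):
    """Distance of the session's mean key interval from the user's baseline,
    in baseline standard deviations. No keystrokes at all counts as a mismatch."""
    if not observed:
        return float("inf")
    return abs(mean(observed) - mean(baseline)) / stdev(baseline)

def assess(session, baseline=BASELINE):
    """Return (decision, reasons): 'allow' when every passive signal matches
    the baseline, otherwise 'step_up' so extra security is added."""
    reasons = []
    if session["device_id"] not in baseline["devices"]:
        reasons.append("unknown_device")
    if session["country"] not in baseline["countries"]:
        reasons.append("unusual_location")
    z = typing_z(baseline["key_intervals_ms"], session["key_intervals_ms"])
    if z > Z_THRESHOLD:
        reasons.append("typing_mismatch")
    if session.get("remote_access_tool"):
        reasons.append("unusual_program")
    return ("allow" if not reasons else "step_up"), reasons
```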