Bot Attacks Are Costing Businesses As Much As Traditional Cyberattacks

Security professionals would be considered foolish if they didn’t have a plan to mitigate a ransomware attack, especially for businesses generating hundreds of millions, if not billions, in turnover.

And yet, a threat type that isn’t given nearly the same level of concern by the top brass – malicious automation carried out by bad bots – is costing these companies just as much, if not more, every year.

This is according to “Death By a Billion Bots: The Accumulating Business Cost of Malicious Automation”, the result of an in-depth survey commissioned by Netacea.

In this blog post, we’ll summarize the stats you need to know if you’re going to start fighting back against automated threats – after all, the first step is understanding (and getting the bosses to understand, too).

Quantifying bot attacks by lost revenues

For the third year in a row, Netacea commissioned Coleman Parkes to interview professionals from 440 enterprise businesses, spanning both the US and UK. These businesses covered retail, telecommunications, online entertainment, travel and financial services, and averaged $1.9 billion in turnover.

Why? Simply put, we wanted to know how much bots are really costing businesses. Some bot attacks clearly target the revenues of businesses directly, such as price scraping that aims to undercut and outsell competitors. Others seek to leech money and data from the users and customers of businesses, such as credential stuffing and account takeover.

But there are always additional impacts to weigh up, like wasted server infrastructure, customer satisfaction and the cost of mitigating the attacks – with nuanced differences in how bots strike a business depending on its size, specialisms and technologies.

For example, in previous years we noted a much higher prevalence of API-based bot attacks in the financial services sector, owing to the enforcement of the Open Banking standard. This year, almost all sectors are seeing increased levels of bot attacks on APIs, as more business types have matured their use of APIs to interconnect with third-party services – creating a huge new attack surface for automated threats.

Key findings – Report, webinar and infographic

You can read the complete findings in the Netacea report “Death By a Billion Bots: The Accumulating Business Cost of Malicious Automation”.

Gain industry and academic perspectives on the data in a webinar with Netacea, BT & Cranfield University – Watch on demand here.

Glance over the summary findings in this infographic – Each statistic is discussed in more detail below (click to skip down).

Bots from Russia and China dominate in attack volume

53% of bot attacks came from Russia or China. This may be influenced by our survey’s focus on US & UK based businesses, which are the most likely targets for attackers within China or Russia given their governments’ agendas and the low likelihood of extradition for cybercriminals.

It’s also possible that attacker groups from other geographies are using infrastructure based in one of these countries, as is likely the case for an outlier location, Vietnam. The Vietnamese government has actively tried to cut down on malicious actions from botnets that have taken hold of infrastructure within the country, but unprotected devices make it a stronghold for bad actors.

Bots cost businesses as much as 50 ransomware attacks each year

The average cost of bots per business averages at $85.6m per year, or 4.3% of online revenue. 81% of businesses surveyed are aware of this impact, which is an increase on the 47% of the previous survey, but still not enough.

This is brought into sharp focus when the investments made to defend against ransomware, data breaches and GDPR fines are considered. $85.6m is the same as the eighth largest GDPR fine in history, 19 times greater than the average cost of a data breach, and 57 times more costly than the average ransomware attack.

Bot attacks go undetected for an average of four months

There is a clear link between the inflating cost of bot attacks to businesses and the amount of time it takes for such incidents to be discovered and mitigated. An average of four months passed before bot attacks are detected, with scraping taking the longest to be noticed – perhaps due to the fact scrapers are savvy about circumventing rate limiting defense measures and cycling through proxy networks, which allows them to fly under the radar for long periods of time.

Research by IBM also indicates that the quicker an attack is discovered, the less of a financial hit the target business takes, so reducing bot detection time is a clear path to protecting revenues.

Attacks on mobile apps have overtaken website attacks

For the first time since we began surveying businesses at this scale, bot attacks on mobile applications have overtaken attacks on websites as the most likely attack vector. Bots are designed to emulate all kinds of devices to achieve their goals, and mobile endpoints are often less well protected than traditional web interfaces. Businesses must achieve parity between protection for websites and mobile apps, or bots will take advantage of this gap.

The percentage of businesses seeing bot attacks on their APIs has nearly doubled in two years, to the point where 40% of those surveyed had spotted bots targeting API endpoints. Many bot management solutions are unequipped to detect and stop API attacks, particularly those reliant on client-side signals and fingerprint analysis, as APIs expect machine-to-machine requests natively. Server-side bot management like Netacea protects APIs as well as websites and mobile apps equally.

Bot attack volumes continue to increase

99% of businesses surveyed that saw bot attacks this year noted an increase in attacks over last year. Telecommunication and online entertainment businesses reported the heaviest increases, with 66% describing the increase as “significant or moderate”.

Programming and customizing bots to attack specific targets has become easier with the spike in popularity of generative AI tools like ChatGPT – Criminals also “follow the money” and are set to increase their attack automation to maximize profits and ROI on their exploits.

Scalping attacks drain customer satisfaction

As well as directly impacting revenues, bots have an even more insidious side, draining customer satisfaction and the reputation of the businesses they target. No Taylor Swift fan will forgive or forget the role of scalper bots in trying to buy tickets to the singer’s Eras tour, and much of the blame has fallen on ticketing platforms unable to filter out the bad bots.

It follows, then, that scalping is the bot attack type most often cited as a drain on customer satisfaction, with 93% agreeing with this sentiment. Credential stuffing is a close second, responsible for users losing access to accounts or having their personal information, payment details or loyalty points stolen as a result.

Is your business losing revenue due to bot attacks?

With bots having such a notable impact on major enterprises, it’s likely that your business is also suffering losses. Four months is too long to wait to respond to bot attacks – you need a more reactive approach to malicious automation.

Netacea analyses incoming requests across web, mobile and API to detect suspicious behavior automatically. Our Intent Analytics® AI engine uses machine learning algorithms to instantly react when a bad bot is detected and shut down the whole attack with extremely high accuracy and speed.

We saved a telecommunications provider over £1 million in support calls by putting a stop to credential stuffing attacks perpetrated by bots. With Netacea Bot Management in place, hundreds of thousands of malicious login attempts were blocked per hour at peak times.