Cybersecurity company Human has released its 2023 Enterprise Bot Fraud Benchmark Report: An Inside Look at Bot Attack and Fraud Trends Impacting Enterprise Organizations Online, revealing a continued increase in sophisticated bot attacks and the impact on companies.
Cybercriminals and fraudsters think every day about what they could do if they looked like a million humans, according to Human’s latest report released Monday.
Human wanted to focuses on enterprise bot attacks, including account takeover, brute forcing, carding, credential stuffing, inventory hoarding, scalping, and web scraping. Data was analyzed from 1.5 trillion digital interactions across hundreds of applications organizations in 2022.
The data reflects a subset of the 20 trillion online interactions that HUMAN observes each week.
The data was pulled from the interactions that enterprise marketers see and protect on behalf of their customers. Researchers used an out-of-band process, so there was no impact on the performance of monitored traffic or applications.
Despite legitimate human traffic dropping 28% year-over-year (YoY), bad bot traffic rose 102%. In other words, the percentage of bad bots out of overall traffic has increased even more rapidly.
The reduction in traffic was likely due to the lifting of COVID-19 pandemic restrictions, which made people less internet-dependent, according to Human. Web traffic was at a high in winter 2021, but online interactions dropped as the weather warmed and restrictions eased.
Traffic patterns in 2022 were similar to those in the second half of 2021.
Although bad bot traffic was relatively stable throughout 2022, attacks picked up during the holiday shopping season. Account takeover and carding attacks launched against ecommerce retailers during holiday sales peaked in late October and continued through November. The top attack day -- October 25 -- experienced 199% more malicious traffic than the yearly average.
Thursday was the number one weekday for bot attacks in 2022 -- and for some reason, Thursdays saw 22% more malicious traffic than Sundays, the most bot-free day.
Web applications experienced a YoY increase in three common types of bot attacks. Carding attacks rose 134%, while account takeover attacks rose 108%, and scraping rose 107%.
The Media and Streaming industry had the worst bad bots accounting for 57% of traffic to online businesses. Travel and Hospitality saw 49%, and the Ticketing and Entertainment industry saw 46%.
Some 26% of malicious requests came from mobile, as compared with 61% of legitimate requests.
More than 69% of worldwide malicious traffic came from U.S. proxy servers.
That number dropped to 47% when looking only at traffic to non-U.S. applications, and grows to 75% for traffic to U.S. applications only.