• Home
  • Resources
  • Blog
  • If Every Day is Cyber Monday, Will There Be a Holiday Shopping Season At All?

Cyber Security Strategy

If Every Day is Cyber Monday, Will There Be a Holiday Shopping Season At All?


Use 2019 as an indicator, but bear 2020 patterns of activity in mind

2020 has been an unpredictable year for a number of reasons, including the effects of the COVID-19 pandemic. As we approach the 2020 holiday shopping season, we can expect the unexpected to continue. Although we can anticipate that families will indeed shop more online around the holiday season this year and that retailers will have promotions, the patterns we observed in e-commerce this year have shown that what lies before us is more uncharted territory. Rather than attempting to predict the exact future of consumer behavior and e-commerce, let’s look at the trends and indicators of the past year to determine where businesses ought to focus their strategies for the holidays.

Putting Last Year’s Holiday Shopping Season Into Perspective

During the Thanksgiving, Black Friday and Cyber Monday holiday shopping period in 2019, U.S. online retail sales hit $28.49 billion, up 17.7% from $24.21 the year before, per Adobe Analytics. During November 2019, PerimeterX found that 94% of total login attempts on e-commerce sites were malicious and blocked them, dramatically reducing the load and risk to our customers’ infrastructure. This enabled our customers to realize blockbuster online revenue surpassing $5 billion for the five-day period. With visits from smartphones growing 19% year-over-year and accounting for 54% of traffic to retail websites, it was critical for our customers to have a superior bot mitigation solution protecting both web and mobile applications.

ATO Chart

In November 2019, PerimeterX found that 94% of total login attempts on e-commerce sites were malicious and blocked them. Note: This graph is shown on a logarithmic scale.

Fraud-related direct-losses stemming from account takeover (ATO) and carding range in the billions of dollars. However, the total financial impact from the threat of these attacks is not easy to estimate. One impact of automated attacks on e-commerce websites that site owners routinely miscalculate is site downtime resulting from such attacks. Lost online sales during the five-day period are impossible to recuperate. Even if just 1% of the total revenue protected by PerimeterX during the last holiday season were to be lost due to degraded site performance, it would exceed $50 million in lost revenue!

Traditionally, scraping and carding attacks have spiked before the holiday season and remained steady during the busiest buying weekend. Scraping hundreds of thousands, if not millions of deals from various competitors and dynamically updating online deals is a herculean task for website owners. The scraping attacks during the 2019 Black Friday weekend accounted for 20% of the total traffic on the product pages. Stolen cards had to be verified prior to this weekend and the attack data reflects that trend, with no significant change in the volume or the sophistication of carding attacks. During the holiday weekend, attackers typically reap the fruit of their efforts, using the stolen cards they have collected leading up to the holiday.

Limited stock items were some of the most sought-after products during the holiday season last year. The PerimeterX research team has consistently observed bot attacks directed at items such as limited Funko POP! figures, exclusive Barbie dolls, PlayStation consoles and Xbox consoles. Bot attacks aimed at these items used similar tactics that sneakerheads use when attempting to snag limited edition shoes. During the holiday season, retailers regularly release limited availability products that drive a high amount of scalping bot (aka grinch bot) checkout activity. We’ve seen increased activity of these bots in the month of November leading to Black Friday, where on some days 67% of requests in the checkout flow were malicious. Between Thanksgiving, Black Friday and Cyber Monday of last year, up to 96% of all requests on checkout around specific sales events were detected as malicious and blocked. Timely detection and prevention of these attacks helped protect revenue and brand loyalty.

This pattern indicates that consumers ought to start shopping earlier and faster this year—not only to beat out the bad bots and secure limited stock, but also since increased pressure on e-commerce businesses will inevitably delay shipping times.

We’ve also seen some other patterns emerging in recent years, such as stores beginning Black Friday sales a number of days in advance of Thanksgiving. This trend predates COVID. As a result, we should expect to see gradual increases in traffic as consumers continue to beat the rush. There is a difference between knowing that one needs to prepare spare capacity for triple the traffic and being able to gradually adapt and add capacity with automation. This will differ across merchants and depend on promotions, limited items and a variety of other factors.

What’s Happened Since Last Year

The initial spike in traffic in March 2020 during the period of COVID-19 stay at home orders rivaled levels of Black Friday and Cyber Monday for some e-commerce retailers. And we saw spikes in web traffic and attacks cascading across food and grocery, e-learning and hospitality, fashion and home goods, freelance, media and marijuana segments. But after the initial spike in web traffic during COVID-19, there was a continuous, more gradual increase in traffic across segments. In many cases for e-commerce sites, this is much easier to handle because rather than anticipating spikes of double or triple the volume of users, sustainable growth is much easier to prepare capacity for. Traditionally, on Black Friday weekend, these spikes occur at the end of Thursday, and then a few spikes happen during the day on Friday and during the day on cyber monday. This could change this year, with the potential for evenly elevated traffic throughout the holiday months.

How to Stay Prepared

A winning holiday strategy for any company with an online presence will be largely defined by its ability to defend its websites and mobile apps from bot-driven fraud, client-side attacks like Magecart and revenue-impacting browser extensions. However, before a company runs to invest in new bot management and application security tools, it is also important to note that many security solutions can stifle the shopper experience, increase cart abandonment and drive away customers with high-friction security measures.

That said, nothing will drive customers away or tarnish brand reputation faster than a massive data breach or carding attack. Striking the balance between application security and a friction-free digital shopping experience on Cyber Monday is the goal for every e-commerce business. Of course, this is easier said than done. When it comes to holiday readiness, here are a few guidelines that every digital business should consider.

Learn more about how to stay protected in the holiday shopping preparation guide from Internet Retailer.

Stop Bot-Driven Fraud

Keep Customer Experience Fluid

  • Avoid visible challenges that impact the user experience altogether, and make sure you collect behavioral signals and utilize other "invisible" methods (bot detection and protection) to ensure seamless experience for legitimate users.
  • Only when users are identified as malicious (or suspicious) should you use more intrusive tests to ensure legitimate humans can "clear themselves" and proceed with their shopping experience.
  • When presenting these challenges—this is when you should verify that you are accounting for CAPTCHA solvers, and making sure you utilize a solution that is friendly for your users.

Keep your customers protected

  • Verify that the security controls for first-party code work with the Continuous Integration/Continuous Deployment (CI/CD) process.
  • Consider implementing a solution for client-side attacks that provides full visibility and control of first-, second-, third-, fourth-, and fifth-party code running in production.
  • Deploy an application security solution powered by AI and behavioral analysis, that analyzes client-side activity signals at runtime to protect against digital skimming attacks and reduce e-commerce fraud.

Protect conversion rates and revenue

  • Detect coupon browser extension pop ups and injected ads interacting with your site through a shopper’s browser
  • Analyze the impact to your site and to your digital KPIs
  • Block the ads and pop ups that disrupt a shopper’s experience, hurt conversion rates and eat away at online revenue

Concluding remarks

According to The Wall Street Journal, “Retail executives said they are unable to forecast demand heading into the critical holiday shopping season,” due to a number of factors, including the uncertainty surrounding COVID-19. But one thing is certain: attackers will follow the money.

Want to learn more about holiday season preparedness? Read more here.

Forrester Report

PerimeterX Named a Leader in the Forrester Wave™: Bot Management, Q2 2022

Download Report
© PerimeterX, Inc. All rights reserved.