Chris Wraight, director of industry marketing, Akamai.
In early October, eMarketer forecast that the 2018 U.S. online retail holiday sales would be $106 billion, a healthy increase of 16.6% over 2017. Mobile sales were forecast to increase 32.6% from 2017 to 2018.
The Black Friday & Cyber Monday sales results confirmed that optimistic forecast with a combined total of nearly $14b in the U.S., and the final results for the entire Christmas holiday season were actually higher, according to Internet Retailer. The total amount spent online this holiday season was $122b, with Internet Retailer estimating a 17.4% increase over the 2017 holiday season amount of $103.88b.
Global Traffic
We measured global traffic on the Akamai Intelligent Edge Platform against a baseline to see how traffic compared on Christmas Day and Boxing Day.
Baseline (Dec. 18 to Dec. 24)
To establish a baseline, we evaluated online retail traffic from around the world that touched nearly 100 retail websites and mobile retail apps, providing Akamai with more than 5 billion daily data points that we assess in aggregate. We took the average of the seven-day period from Tue Dec. 18 to Mon Dec. 24 for the daily baseline.
The chart above shows the daily total retail global session traffic decreasing as the Christmas holiday approached. This is not surprising, as even with omnichannel purchasing increasing (ordering online and picking up in-store) most shoppers would have ordered by Dec. 20 for one-to-two day shipping (generally free) to ensure delivery by Dec. 24 (especially in the U.S.).
Christmas Day (Dec. 25)
On Christmas Day, global traffic decreased 11% against the baseline daily average; in the U.S., traffic decreased 52% against the baseline daily average. Again, this is a pretty predictable result as most consumers were enjoying Christmas morning opening presents and spending time with family and friends throughout the day. In addition, because most retail stores were closed, shoppers would not have been at the stores with their mobile device either.
The top 10 countries where global traffic originated on Christmas Day are below. The western countries aren’t a surprise, as is the fact that traffic decreased in many, reflecting the overall traffic decrease (here the U.S. decreased 18% against its own 7-day baseline average, compared to the 52% decrease against the overall baseline average) as Christmas Day approached
The U.K. and Canada increase is consistent with those countries ramping up for Boxing Day (Dec. 26), but it is interesting to note Poland’s increase of 28%. Despite its low ranking relative to other countries, perhaps there is a large part of the population that observes Boxing Day; see the next table for more information.
| Country | Christmas Day versus Baseline Difference |
| United States | -18.04% |
| United Kingdom | 15.41% |
| Netherlands | -32.81% |
| Spain | -1.86% |
| Canada | 31.99% |
| France | -2.51% |
| Russia | 10.95% |
| China | 10.35% |
| Germany | -2.76% |
| Poland | 27.69% |
Boxing Day (Dec. 26)
Boxing Day is a holiday that originated in the U.K. with first mentions being in the 1830s, but is recognized as having started much earlier, and its intent is not universally agreed upon. Some define it as a day that started for tradesmen to receive ‘Christmas boxes’ of money or presents the first weekday after Christmas to thank them for their good service throughout the year.
In the U.K., many consider it larger than Black Friday, which has been increasingly celebrated in European countries. This year, Boxing Day drew fewer ‘footfall’ shoppers (i.e. shoppers physically visiting retailers, or ‘foot traffic’ in the U.S.) but online sales increased.
Overall, the U.K. was forecast to see an increase of 16%, close to what eMarketer predicted and Mastercard reported for the U.S.
In the U.S., the day after Christmas marks a new surge in retail promotions and sales to flush out Christmas inventory—who can resist wrapping paper at a 75% discount? As a result, on Boxing Day all global traffic increased 32% against the baseline and 47% compared to Christmas Day. For just the U.S., traffic on Dec. 26 was up 52% vs Dec. 25.
Globally, the top 10 originating countries for traffic on Boxing Day were as follows; with their traffic on Dec. 26 compared to the baseline. Poland continued to show a large increase, along with the U.K. and Canada.
| Country | Boxing Day versus Baseline Difference |
| United States | 24.83% |
| United Kingdom | 106.77% |
| Spain | 33.00% |
| Netherlands | -15.55% |
| Canada | 136.79% |
| France | 23.49% |
| Poland | 95.99% |
| Germany | 34.77% |
| China | 32.18% |
| Russia | 13.73% |
Because Boxing Day is primarily a U.K. holiday, we have highlighted countries that would culturally be expected to observe Boxing Day with sales:
| Country | Country vs Baseline Difference |
| United Kingdom | 106.77% |
| Canada | 136.79% |
| Australia | 70.78% |
| Bermuda | 53.72% |
| Ireland | 97.58% |
| Isle of Man | 98.45% |
| British Virgin Islands | 38.13% |
By drilling down into these countries, we see a dramatic increase in traffic due to Boxing Day observances, especially in Canada and the U.K. due to retail promotions.
Devices
Akamai predicted in September 2018 that mobile shopping would continue its growth this holiday shopping season. That prediction held true through the recent major holidays around the world (Diwali, Singles’ Day 1, Black Friday and Cyber Monday). For Christmas Day and Boxing Day, there has not been any deviation from that trend. It also underscores why online retailers need to increase the mobile CX budget and attention but can’t reduce their focus and investment on optimizing desktop visitors’ experience.
Christmas Day
| Date | Desktop | Mobile |
| Dec. 25 | 30.59% | 61.99% |
| Against
Baseline Average |
-16.91% | 9.71% |
Boxing Day
| Date | Desktop | Mobile |
| Dec. 26 | 34.48% | 57.71% |
| Against
Baseline Average |
-6.33% | 2.14% |
On both days, mobile devices were used the clear majority of time versus desktop (the remainder is tablet use). We see no change to this trend going into 2019, as this article points out.
Mobile OS
Android’s portion of online shopping was a healthy 24% on Christmas Day, while iOS was nearly double at 45%. This continues to surprise us since, globally, Android market share is approximately four times that of iOS. Both operating systems increased their usage on Christmas Day (iOS more than Android), perhaps as consumers used their mobile devices to research sales and compare prices while relaxing after dinner (see conversion rates in next section).
Christmas Day
| Date | Android | iOS |
| Dec. 25 | 24.39% | 44.99% |
| Baseline Average |
22.68% | 40.47% |
| Against
Baseline Average |
7.53% | 11.15% |
Boxing Day
On Boxing Day, the distribution was nearly identical but the increases against the baseline were smaller, significantly for Android at only 0.11%.
| Date | Android | iOS |
| Dec. 26 | 22.70% | 42.78% |
| Baseline Average | 22.68% | 40.47% |
| Against
Baseline Average |
0.11% | 5.69% |
Conversion Rates
Mobile OS
Examining mobile OS first, we see that iOS had a very slim lead in conversion rates over Android on Christmas Day, but both operating systems had higher conversion rates during the baseline as more shopping was being executed before the holidays. Both OS conversion rates were down significantly on Christmas Day, which may be a factor of more research and less actual purchasing being conducted.
Christmas Day
| Date | Android | iOS |
| Dec. 25 | 1.22% | 1.48% |
| Baseline Average |
1.51% | 1.78% |
| Against
Baseline Average |
-19.28% | -16.56% |
Boxing Day
On Boxing Day, the conversion rates were down again compared to the baseline, but a lot less of a decrease than on Christmas Day. The iOS conversion rate was higher than Christmas Day, but still down against the baseline. This may be due to desktop conversion staying flat on Boxing Day vs. the baseline (see next section).
| Date | Android | iOS |
| Dec. 26 | 1.43% | 1.69% |
| Baseline Average |
1.51% | 1.78% |
| Against
Baseline Average |
-5.39% | -5.19% |
Devices
Looking at conversion rate by device type, on Christmas Day, desktop had a significant advantage over mobile. However, desktop was down compared to the baseline average, and mobile was down even more. This is consistent with the other data, showing Christmas Day activity was lower than the baseline.
Christmas Day
| Date | Desktop | Mobile |
| Dec. 25 | 2.24% | 1.10% |
| Baseline Average |
2.65% | 1.45% |
| Against
Baseline Average |
-15.69% | -24.63% |
Boxing Day
On Boxing Day, desktop conversion was flat, while mobile increased by a small amount, perhaps more users were starting to purchase due to deals, etc.
| Date | Desktop | Mobile |
| Dec. 26 | 2.65% | 1.57% |
| Baseline Average |
2.65% | 1.45% |
| Against Baseline Average |
0.08% | 8.31% |
Security
Web Application Attack Detail
Despite the decrease in global traffic leading up to and including the holidays (Christmas Day and Boxing Day), threat actors didn’t take the holidays off, with web application attacks very active. The number of attacks on Christmas Day were comparable to Cyber Monday, with the exception of cross-site scripting, which was five times more than Cyber Monday and two times more than Black Friday. (In a cross-site scripting attack the criminal injects malicious code into a vulnerable web application.)
This is likely due to the fact retailers want to track their Christmas sales more than any other day of the year, and web application developers end up including a lot more third party scripts/content on their sites, and attackers take advantage of that. Also, perhaps someone found a vulnerable version of a particular e-commerce software and was testing that against a lot of domains in an automated fashion.
| Attack Type | Christmas Day Number |
Black Friday | Cyber Monday |
| SQL Injection | 3m | 7m | 3.3m |
| Command Injection | 16k | 59k | 7.6k |
| Cross-site scripting | 103k | 49k | 20k |
| PHP injection | 65k | 154k | 28k |
| Remote file inclusion | 27k | 149k | 6.7k |
Boxing Day
On Boxing Day, the numbers were pretty consistent with Christmas Day, with the exception of cross-site scripting which saw a decrease of nearly 66%. This could possibly be due to the lower numbers of countries actively participating in Boxing Day (sales promotions attracting online shoppers). As with Christmas Day, Boxing Day was more comparable to Cyber Monday in terms of the majority of web application attacks.
| Attack Type | Boxing Day Number |
Black Friday |
Cyber Monday |
| SQL Injection | 4m | 7m | 3.3m |
| Command Injection | 12k | 59k | 7.6k |
| Cross-site scripting | 36k | 49k | 20k |
| PHP injection | 65k | 154k | 28k |
| Remote file inclusion | 35k | 149k | 6.7k |
Bot Attacks
While online shopping activity was down on Christmas Day, as we saw with web application attacks, threat actors were still out in droves as the high number of retail bots attests. Compared to Cyber Monday, the retail bot attacks were significantly higher, a 100% increase. On Dec. 26, credential abuse/stuffing attacks (in which criminals use stolen user names and passwords to access consumer accounts) dropped by approximately 50%. That is curious, due to the increase in traffic, especially for Boxing Day. Again, it may be due to a smaller number of countries participating and promoting Boxing Day sales (online activity).
| Attack Type | Dec. 25 | Dec. 26 | Black Friday | Cyber Monday |
| Retail Bots | 4b | 4b | 3b | 2b |
| Credential Abuse/Stuffing | 41.6m | 17.1m | 38m | 26m |
Consistent with other holidays that we’ve monitored this season, the U.S. was the most targeted country for attacks, along with India and the U.K. The U.S. was also the leading source country for attacks, with India and China rounding out the top three. Keep in mind that the more advanced attackers hide their true country of origin.
| Target Country | Percentage of Attacks |
| United States | 69.3% |
| India | 7.6% |
| United Kingdom | 5% |
| Source Country | Percentage of Attacks |
| United States | 64.6% |
| India | 7.3% |
| China | 6.7% |
Boxing Day
Boxing Day (Dec. 26) was similar to Christmas Day, with small variances in the percentages, which is not surprising to us.
| Target Country | Percentage of Attacks |
| United States | 71.2% |
| India | 6.8% |
| United Kingdom | 4.9% |
| Source Country | Percentage of Attacks |
| United States | 66.3% |
| India | 6.5% |
| China | 6.1% |
Summary
As we have seen throughout the recent global peak traffic holiday period, online retailers need to be prepared to offer optimal customer experiences to mobile visitors (including mobile app and web browser interaction) as their overall usage is greater than desktop users and their use has gone beyond research and includes purchasing.
Until now, significant time and budget have been invested optimizing web applications and content for desktop visitors. This focus should not diminish but, as we saw, the percentage of mobile visitors exceeded desktop visitors during ALL of the major holiday events, with no sign of reversing in 2019. This trend underscores the importance of prioritizing an optimal mobile customer experience, but not at the expense of desktop optimization.
The high volume of retail-specific attack bots and web application attacks clearly demonstrates the need to provide a secure environment for online shoppers for all aspects of the transaction: browsing, research, purchase and storage of personal data at ALL times. Existing and new (e.g. GDPR) regulations have raised the bar in terms of financial penalties for data breaches, along with reputation hits and possible loss of revenue should consumer information be stolen.
Threat actors don’t take holidays. While they know to focus on holiday traffic due to the increased number of online users, they are attacking every day with all the attacks we’ve outlined—as this major online retailer can attest, after being hit with a credential stuffing attack from late September to late November last year.
While this is only a highlight of holiday events, peak traffic spikes can occur at any time, whether it’s due to a highly visible event like a royal wedding or a natural disaster. Take the first step and prepare for peak traffic by testing your website and mobile application performance at any load. In the next article, we’ll explore what these findings will mean for retailers in 2019.
Akamai provides content delivery network services to 354 of the Top 1000 online retailers in North America.
Favorite