Brands and retailers can protect themselves from fraud bots by using machine-learning technology that can detect behavior typical of a bot.

Gayathri Somanath, vice president of product at Signifyd

Businesses aren’t the only ones investing in artificial intelligence (AI). Online fraud rings and retail scalping organizations are increasingly turning to automation and AI for the same reasons businesses do: To gain efficiency and speed.

Deploying smart machines allows businesses to become more accurate, more efficient and more profitable. In the end, bad actors who work to take advantage of online brands and retailers are entrepreneurs. They embrace innovation and new ways of expanding their portfolios—and their success.

That trend helps explain why bot attacks on ecommerce enterprises are on the rise. As much as 70% of traffic to ecommerce checkout pages is generated by malicious bots, according to Javelin Strategy & Research. Signifyd also has seen a substantial increase in bot attacks in the last year on its Commerce Protection Platform.

Bot-powered attacks are particularly difficult to detect because of the speed with which criminals can execute them. By the time a retail risk team discovers that something is amiss, the fraudster or scalper is long gone—and so is the product that each had targeted.

So, how do these operators take advantage of consumers and defraud retailers? To get a better idea of how artificial intelligence is transforming how bad actors come after online retailers, let’s dive into two distinct and popular flavors of modern bot attacks: scalping and rapid-fire fraud.

Bots cornered the PS-5 market 

We’ll start with bot-aided scalpers. Are you among the thousands of parents who had to tell their children there would be no PlayStation 5 for Christmas this year? It probably didn’t ease the kids’ disappointment to blame it on the bots, but you wouldn’t have been lying.


Reports abound of scalping rings in the United States and the United Kingdom scooping up thousands of Sony Sony PlayStation 5 (PS-5) units on the day they were released. The scalpers simultaneously bragged and advertised by posting photos of their caches on social media and marketplace sites, where the consoles were selling for up to 10 times their list price.

While scalping and rapid-fire fraud attacks use similar technology and have a similar intent, there are key differences. Scalping of products is not expressly illegal, whereas rapid-fire fraud, by definition, is a crime.

Rapid-fire fraud targets the entire online payment journey that a legitimate customer would typically make—from account creation to credit card authorization at the beginning of the payment process to final credit card verification at checkout.

Rapid-fire fraud starts on the dark web

The seeds of rapid-fire fraud are planted on the dark web, where fraud rings can buy thousands and thousands of stolen usernames and passwords, among other personal identifiers, for a surprisingly small sum of money. The fraudsters use these credentials to launch a variety of online attacks including:

  • Creating many “fake accounts” or user profiles at once: Fraudsters will carefully program bots to use a mix of the stolen information and their own information when creating accounts on ecommerce sites so that they look like they belong to a real customer.
  • Launching credential stuffing attacks to take over accounts in bulk:  Many consumers use the same user names and passwords on multiple sites. Bots can take the stolen credentials and, in seconds, attempt to sign in at thousands of sites. They then make purchases using the accounts they can successfully take over.
  • Card testing: No longer is testing merely making small, below-the-radar purchases with a stolen card to build up a history. Today fraud rings are also rapidly testing stolen credit card details by adding new credit cards to an account in “good standing.” A merchant will generally verify the card by authorizing a $0 charge to see if the payment processors and banks involved approve the card. If the card goes through, the fraudster knows they can use this card to make an actual purchase of some valuable—and re-sellable—item.
  • Fraud fusillade: With verified fraudulent credit cards in hand, fraud rings will turn to bots to place a flurry of fraudulent orders at scores of ecommerce sites across the web. The dizzying speed of the transactions ensures that fraudsters get away with their theft before risk managers have a chance to detect and understand the extent of what’s happening.

As ingenious as fraud bot attacks are, the percentage of fraud by bots is relatively low. It takes an impressive degree of sophistication to build systems to attack retailers in an automated way. But the number of such attacks is increasing dramatically. Signifyd has tracked a 146% increase in rapid-fire attacks in the past year.

How retailers can fight bots

So, if bot attacks are so devastating and difficult to detect, what’s a retailer to do? Perhaps, not surprisingly, the best way to fight a bot attack is with an automated protection solution. Think of it as AI vs. AI.

Fraudsters know that the early stages of the payment process—account creation, account login and updating accounts with additional payment forms—are more vulnerable than the actual checkout. Retailers don’t want to turn away customers before they’ve even had a chance to be customers, so they avoid friction and erect fewer barriers in the early payment stages.


Brands and retailers can protect these early stages from fraud with machine learning that can detect behavior typical of a bot. Once seen, the merchant can introduce a step-up challenge—say, a simple captcha. That step will weed out bot-behavior without slowing down the purchase by referring the order to a human fraud review team.

Spotting a malicious bot engaging in scalping is a more challenging problem. The practice lives in a gray area. It’s not illegal, but it does violate some retailers’ policies, as it is certainly detrimental to a retailer’s business.

Sure, a sale is a sale. Whether it’s a bot buying or a human, the retailer makes the sale. But think of the bigger picture. Consider those kids with no PS-5s and their parents who are upset with the retailers they turned to. Or maybe the kids got PS-5s after their parents paid twice the price (or much more) to a seller on a marketplace. Now the parents are fuming that the retailer couldn’t control its inventory and helped create a black market for a sought-after Christmas gift.

Scalpers steal a merchant’s control of the customer experience

And you know who else is likely mad about the scalping? Sony. Now its brand has been tarnished because its product is being sold for a ridiculously high price. Not only that, but Sony and the retailer lost control of the customer experience and the chance to build a relationship with that PS-5 buyer.


As for detecting the scalping scheme, traditional fraud detection methods will fail. Identity-based signals on the order—derived from attributes like phone, user account name, email address, etc.— will all indicate that it is the cardholder making the purchase. After all, the bots have set up accounts designed to make it look like the cardholder is making the purchase.

Retailers’ detection tools need to look at a different set of attributes to spot bot activity. Specifically, an anti-scalping solution needs to focus on:

  • Device activity, especially high activity coming from the same device.
  • Behavioral trends or patterns that indicate non-human activity like click speeds, typing speeds and a lack of browsing and navigating behavior.
  • High-velocity purchases across a sample size much larger than a single merchant. Are you seeing several purchases going to the same delivery address or coming from the same IP address across multiple merchants? Do you see several accounts created with the same password? Has the same credit card been tested on multiple sites?

Retailers must detect such anomalies at lightning speed to foil the scalpers. The only way to confidently spot the worrisome patterns is to look across a broad network of merchants. Fraudsters typically launch these scalping attacks across multiple sites simultaneously to snatch as many of the highly coveted products as possible.

All that calls for machine learning and a powerful data platform. Ideally, brands and retailers will want to combine a robust fraud solution that can differentiate legitimate from fraudulent transactions across the buying journey with a flexible tool that can understand and monitor complex business policies.


With the proper flexibility, a retailer can dictate under what circumstances it should take extra steps to confirm that a human is buying. And depending on the situation, the retailer can prescribe what additional steps are required—a captcha or call to customer service, for instance. That sort of technology can ensure that an army of bots is not about to clean out the one product that everybody wants but nobody will get.

The good news is that the technology to help with scalping and rapid-fire fraud is available—and effective. The not as good news is that the scalpers and fraudsters are undoubtedly plotting their next workaround as you read this.

Rest assured, however, that the scalpers and fraudsters are not the only ones hard at work on the next new thing.

Signifyd provides ecommerce security and fraud prevention services.