WHITE PAPER

From Bots to Boardroom: How Bad Bots Negatively Impact Your Balance Sheet

Bad Bots Are More Than a Security Issue

Malicious bots inflict material financial costs on enterprises: Bots take over customer accounts through credential stuffing and slow web and app performance through scraping. Bots also frustrate loyal customers and prevent purchases through scalping and inventory hoarding, steal gift card and loyalty points through enumeration, and rack up chargebacks and fines by validating stolen credit card data. Ineffective bot mitigation strategies, such as CAPTCHA and excessive reliance on multi-factor authentication, create security friction. This leads to revenue loss through lower conversion rates and abandoned shopping carts.

The costs that criminals impose through bots are so varied that it can be challenging for security professionals to explain the broad economic and operational impact of malicious bot traffic to an organization’s business leaders. This white paper presents an overview of the quantitative and qualitative impacts of automated bot attacks as well as the business benefits of successful bot management. We intend this document to serve as a launching point for conversations among infosec and fraud teams and the C-Suite about the top-line and bottom-line impacts of malicious bot attacks and the significant financial advantages of effective bot defense technologies.

"Malicious bot attacks are more than a threat to security infrastructure—they represent a business challenge that must be addressed to preserve your organization’s business operations and fiscal health."

Articulating the Economic Threat of Bot Attacks to the C-Suite

A series of new research reports has captured the financial and business consequences that result from automated attacks by bots, making it easier for security professionals to point to the fiscal impact of cybercrime and discuss the return on investment (ROI) of dedicated anti-bot solutions with business leaders. This information can help security teams elevate critical discussions regarding the economic effect of bot attacks on an organization’s financial strength.

Bots are responsible for up to 40% of global online traffic and are a leading cause of cyberattacks, according to a report from Aite-Novarica Group. According to research cited by the Global Privacy Assembly, an association of over 130 data protection and privacy regulators and enforcers, 193 billion credential stuffing attacks driven by bots occurred globally during 2020, which equates to over 16 billion attacks per month and over 500 million attacks per day. These attacks can have serious economic consequences: Global online fraud losses are projected to exceed $48 billion a year by 2023, according to a report by Juniper Research.

Business Economics of Bot Management

Successful bot management strategies lead to improved cost management, enhanced operational efficiency, reduced business and financial risks, and controlled IT spending, all helping to deliver a direct positive impact on your organization’s financial success. In addition, accurate bot detection that doesn’t rely on controls that insert user friction provides improved revenue and customer retention.

Economic impact of bot attacks

Malicious bots are responsible for a wide range of automated attacks that have direct, negative economic impact on organizations, both on topline revenue and the cost of doing business. These attacks include:

Common bot attacks and costs by industry

Quantitative and qualitative cost impacts due to bots

Bot management has become a boardroom conversation; following are both quantitative and qualitative metrics to help you demonstrate that the right bot strategy is now a bottom-line economic issue.

Financial, operational, and reputational costs represent the primary impacts of automated bot attacks.  

Quantitative financial revenue and reputation costs

Automated bot attacks can also contribute directly to financial losses and lost economic opportunities by:

  • Losing customer trust after account takeover. Customers are justifiably unhappy if an organization’s inadequate bot defenses result in account takeover (ATO) and costly fraudulent activity, leading to declines in customer satisfaction, damaged reputation, and termination of relationships. Over a quarter of U.S. consumers surveyed say they would switch banks if they were dissatisfied with how the bank responds to their fraud case. 
     
  • Increasing losses due to fraud and chargebacks. Bot-driven ATO attacks and fraudulent account creation impact the bottom line when criminals use stolen credentials to make purchases or set up fake accounts. Chargebacks harm the merchant’s reputation with credit card processors and lead to chargeback penalties.
     
  • Increasing labor costs. Bot attacks like credential stuffing, which lead to ATO, require investigation by fraud analysts, taking time away from their more critical, in-depth investigations. Even when credential stuffing bots fail to take over an account, they often lock out accounts by trying many passwords in quick succession, forcing customers to call support, adding to support costs with each call.
     
  • Distorting investor valuations. When a publicly traded company’s valuation is dependent on the number of followers, users, or engagements, the presence of non-human bot accounts can dramatically skew accurate assessments. For example, recent attempts to reach an accurate valuation for Twitter, based on the number of accounts operated by humans versus bots, dominated the news in 2022. 
     
  • Mistaking bots for humans, and vice versa, with unreliable bot mitigation solutions. Poor bot mitigation efforts will produce these errors, but they must be limited and prevented. False positives (when a bot management tool accuses a real human of being a bot) and false negatives (when the tool marks a bot as human) both impact the top and bottom lines. One will cause you to lose customers and the other will cause you economic losses due to fraud. In fact, a false positive that prevents a strategic customer from making a money transfer may be more damaging to a bank than a false negative that results in fraud or chargebacks. Both situations will also require the time and labor of a fraud analyst to investigate.
     
  • Failing to protect consumer data. Legislation and standards such as the General Data Protection Regulation (GDPR) in the EU, the California Consumer Protection Act (CCPA), and the Payment Card Industry Data Security Standard (PCI-DSS) are designed to ensure consumer data privacy and impose large monetary penalties in the event of data breaches. These include ATO and content scraping attacks that expose private data to bots. Data breaches that result from failure to comply with these regulations can be very costly: under the GDPR, the EU's data protection authorities can impose fines of up to €20 million or 4% of worldwide turnover for the preceding financial year.

Quantitative operational expenses

Bot attacks don’t just impact revenue. They also make businesses more expensive to operate by:

  • Impeding application performance and uptime, with potential for increased infrastructure costs. Bot scraping attacks, because of their volume, can compromise app and platform performance and, if left unchecked, can require over-investment in infrastructure capacity and incur extra cloud usage charges to maintain required performance levels.
     
  • Reducing app availability and business resiliency. Web applications that are overwhelmed with bot activity aren’t available for real-time customer inquiries and e-commerce activity, causing loss of revenue, reputational damage, customer churn, and disrupted user experiences.
     
  • Damaging relationships with third-party ecosystem partners. Platforms and apps that are overburdened with unwanted bot traffic can lead partners within the API economy to miss SLAs, breaching contract commitments.
     
  • Skewing business decisions. Bot activity can distort otherwise valuable website statistics, log data, and customer interaction metrics that businesses rely on to guide business decisions, such as pricing and paid and organic SEO optimization.
     
  • Manipulating inventory management. Automated bots can purchase online goods or services in bulk the moment they go on sale, enabling criminals to gain mass control of valuable inventory, which is usually resold on secondary markets at a significant mark-up, leading to artificial scarcity, denial of inventory, and consumer frustration.
     
  • Increasing customer support cost. Automated bots can increase pressure on customer support teams when attacks succeed, generating more calls and communications to deal with account takeovers, gift card or loyalty point fraud, and other customer complaints about compromised accounts. Using CAPTCHA tools and multi-factor authentication (MFA) to protect against fraud can also have the unintended consequence of increasing user friction and customer support calls, as these processes can be challenging to complete correctly and can lead to account lockout for legitimate customers. This may increase operational costs in customer support centers, lost customers, and damage to brand reputation through Net Promoter Scores (NPS) and bad reviews and ratings on social media platforms.
     
  • Rising cost of person-hours spent mitigating bot attacks. Confronting malicious bot attacks through web application firewalls (WAFs) and manually blocking IP addresses is time-intensive and requires an escalating number of trained staff to execute. Basic WAFs don’t learn in real time; they rely on pre-set rules to detect bad bots, and keeping WAFs up to date typically requires incremental patching and rule-setting. The only way to scale defenses using these manual processes is to increase the number of dedicated IT and security staff.

Qualitative impacts

Qualitative impacts may be more difficult to measure than quantitative metrics, but this does not mean they are less important to organizations. Automated bot attacks can also contribute directly to these subjective value drivers through:

  • Impacting the employee experience. Infosec expertise is in short supply, and many organizations are grappling with cybersecurity workforce shortages even as automated bot attacks are growing in number and sophistication. Despite their best efforts, many SOC and fraud teams are unable to keep up with the ability of cybercriminals to immediately pivot and retool bot attacks multiple times a week. Without smarter and more technically refined bot defense solutions, it’s challenging to keep talented security professionals on staff, especially when they feel burned out and overwhelmed. 

Bot management case study

The primary takeaway is that bot management is an important business topic. Protecting your apps and infrastructure from bot attacks provides tangible financial benefits resulting from:

  • Cost savings due to decreased infrastructure and labor costs.
     
  • Revenue loss prevention from improved site availability and fewer lost customers.
     
  • Revenue uplift from frictionless user experiences and improved conversion rates.
     
  • Improved employee satisfaction and cross-organizational collaboration.

To illustrate the financial value and impact of successful bot management, consider the following case study. A major online retailer with 31 million user accounts and an average monthly revenue per user account of $54 was attacked by malicious bots. These attacks resulted in an estimated cost of $1 million per year from resolutions of credential stuffing and ATO incidents; expenses from settlements and call center support; as well as from lost revenue during site outages from bot scraping incidents and bot traffic exploiting web infrastructure and hosting resources.

F5 and the online retailer worked together to quantify the impact of deploying F5 Distributed Cloud Bot Defense as a bot management solution using business case metrics such as cost savings, revenue uplift, and revenue loss prevention. Using an interactive business case modeling tool, F5 and the online retailer determined that deploying F5 Distributed Cloud Bot Defense would lead to savings of around $930,000 in year one, with a cumulative cost savings of nearly $4.9 million over five years.

In addition, the modeling tool projected nearly $50,000 in revenue loss prevention per year from fewer site outages due to bot traffic, with between $200,000 and $1 million in revenue loss prevented yearly from lost user accounts and customer churn attributable to poor user experience. Improved conversion rates, resulting from frictionless user experiences and customers staying on the site longer, were projected to provide an additional $1.6 million revenue uplift.

The total economic benefit derived by the online retailer from Distributed Cloud Bot Defense totaled nearly $3.6 million after the first year, with a cumulative total economic benefit after five years of almost $19.5 million.

These projections align with the financial benefits discussed in a commissioned study conducted by Forrester Consulting on behalf of F5 (discussed in greater detail below). The Total Economic Impact™ of F5 Distributed Cloud Bot Defense study found that a composite organization representative of the five decision-makers that Forrester interviewed would experience total benefits of $9.72 million over three years, with an ROI of 195%, with the implementation of Distributed Cloud Bot Defense.

How to have the business conversation with key stakeholders

Explaining how bot attacks can impact operations and metrics as they relate to specific roles and functions in an organization is an important way of presenting the value of successful bot management.

CISO

The CISO cares about information security, cost control, and ensuring that IT enables the business mission; bots impact each of these concerns.

Bots compromise each aspect of the information security triad of confidentiality, integrity, and availability. A credential stuffing bot that takes over an account exposes data that should be kept confidential. Likewise, these bots enable attackers to alter data and perform transactions, violating integrity. Scraping bots skew data as do fake account creation bots, all violating the integrity of key business metrics. Finally, scraping and scalping bots can put such an increased load on a site’s infrastructure as to make it unavailable.

Bots impact costs in many ways:

  • Credential stuffing bots raise support costs due to account lockouts and raise financial liability as criminals empty account balances.
     
  • Carding bots raise chargeback fees and may trigger fines.
     
  • Scraping and scalping bots increase traffic load and infrastructure costs.
     
  • Fighting bots with ineffective tools like a WAF incurs high SecOps costs.

Bots also concern CISOs in that they stand in the way of IT enabling the business. Ineffective bot management, such as CAPTCHA and excessive reliance on multi-factor authentication, creates friction that harms the customer experience and reduces revenue. Bots skew business metrics to such an extent that it becomes difficult to evaluate the business strategy. How do you implement a business strategy when you do not even know whom you are interacting with?

Security Operations (SecOps)

The SecOps team is charged with efficiently managing cybersecurity risks to the business, and bots stand in the way of that mission. Like the CISO, SecOps will be concerned with confidentiality, integrity, and availability, which are all impacted by bots. In addition to these shared concerns, when it comes to efficiently addressing security risks, bots pose the challenge of creating a lot of noise that drowns out the signal, hiding threats in a sea of malicious traffic.

When bots account for most of the traffic to a site, it is more difficult to analyze logs for signs of vulnerability scanning and injection attacks. And security tools such as SIEMs and intrusion detection and prevention systems will be overwhelmed, increasing costs and causing far too many false positives to investigate. When too little is normal, tracking down the anomalies becomes impractical.

Successful bot management removes the noise and enables SecOps to focus effectively on remaining threats.

Fraud Operations

As with SecOps, bots impact fraud operations teams by dramatically increasing the noise. With so many bots taking over accounts, locking out accounts, creating fake accounts, and triggering anomaly alerts, the workload becomes impractical.

When fraud and security teams work together to manage bots, each team wins. Security teams can focus on a much smaller set of security incidents, and the level of fraud is reduced so fraud teams can focus on more complex fraud cases that require their expert judgment to resolve, reducing the caseload and improving success metrics. From the fraud perspective, bots are a prelude, a means by which fraudsters gain access, and stopping bots upstream reduces downstream workload.

Network Operations (NetOps)

NetOps teams are responsible for running the infrastructure that serves the business, maintaining uptime and performance while controlling costs.

In some cases, scraping bots on e-commerce apps account for over 90% of traffic, meaning that most of the infrastructure is serving bots, wasting the bulk of the budget for infrastructure, a metric that can be made very clear in a cloud services bill.

These bots have no concern for a site’s performance or uptime and can ramp up traffic at any time without warning, causing unpredictability and higher costs to ensure the necessary scalability.

DevSecOps

In a DevOps culture, DevSecOps takes responsibility for incorporating security into the continuous integration/continuous development (CI/CD) pipeline, ensuring rapid feedback to developers on security bugs, and continuously improving the integration of security into the technology value stream.

DevSecOps moves security to the left, making sure any gaps are planned for earlier in the workstream. Bots are relevant here because new features need to be evaluated for how bots might exploit the feature, what harm could be caused, and what measures should be taken upon deployment to prevent the harm.

DevSecOps teams are particularly concerned with telemetry. According to the DevOps Handbook [1], telemetry is essential for predicting, diagnosing, and resolving problems in complex systems. For DevOps to succeed, telemetry should cover multiple layers including business metrics, feature usage, network performance, and infrastructure load so that a problem in one layer can be traced across the stack for the rapid identification of root causes.

Bots distort telemetry in a big way. Many customers of F5 Distributed Cloud Bot Defense discovered that most of their user accounts were fake and that bots accounted for over 95% of login traffic. In some cases, the bulk of an organization's infrastructure did nothing more than serve scraping bots. DevSecOps needs to remove this distortion from the telemetry if they are to serve their security mission.

Line of Business Owners

It all comes down to who owns the numbers. Is the VP of e-commerce responsible for the cost of fraud, infrastructure, and chargebacks? Are those charges cutting deep into the profits of the online business? Are conversion rates and revenue impacted by security friction such as CAPTCHA? If yes, then this VP will care very much about how bot management can improve both top-line revenue and bottom-line profits.

The same applies to the leaders of any product or service lines sold online through web or mobile apps. Seeking to maximize profit necessarily involves addressing the largest source of traffic to your apps.

Marketing

Marketers have their own set of reasons for caring about bots. Bots that slow the site, take down the site, and take over customer accounts all tarnish the brand. Bots skew website analytics that marketers depend upon for decision making. And click fraud, driven by bots, drains advertising budgets without producing any revenue. 

Taking it to the Board and Executive Leadership

All of these business conversations need to be packaged up so the C-suite and board understand how malicious bots impact all aspects of the business. The cumulative total of cost and lost revenue may very well amount to a material impact on the bottom line that is worthy of their attention.

"If we sustain cyberattacks or other privacy or data security incidents resulting in security breaches disrupting our operations or resulting in the unintended dissemination of protected personal information or proprietary or confidential information, we could suffer a loss of revenue and increased costs, exposure to significant liability, reputational harm and other serious negative consequences."

Business benefits of successful bot mitigation

Bot attacks can have direct revenue impacts, waste the time and resources of security teams tasked with blocking malicious automation, and compromise the customer experience. To mitigate these consequences, F5 Distributed Cloud Bot Defense provides real-time monitoring and intelligence to protect organizations from bot attacks, without introducing user friction.

A commissioned study conducted by Forrester Consulting on behalf of F5 examined the potential ROI enterprises may gain by deploying Distributed Cloud Bot Defense. Key findings and benefits quantified in the Forrester study include:

Reduced costs of fraud from bot attacks by 30%. By moving anti-fraud processes from downstream fraud professionals to the front end, where automated bot attacks were occurring, the composite organization was able to reduce its costs of bot-related fraud by 30%. The interviewees reported reducing fraudulent account creation by 92%, improving bot blocking by 80% when no prior solution was present, and improving bot blocking by 30% when a prior bot-protection tool was in place.

Reduced costs from credential-stuffing attacks by 96%. Distributed Cloud Bot Defense saved on additional non-fraud-related costs associated with credential stuffing as well. By reducing attacks by 96% from more than 50 annually to around two annually, the composite saves more than $1.2 million each year. Interviewees noted that per-attack costs for credential stuffing could be as high as $500,000, which would equate to approximately $25 million annually.

Reduced account lockouts and their cost to support by 88%. By preventing account lockouts, the interviewees were able to improve their customer experience, reducing the time and effort customers needed to create new accounts, reset their passwords, or contact customer support. By reducing calls to customer support, the organizations were able to save on costs such as customer support labor and technology costs.

Eliminated manual bot-protection processes and reduced rule-setting work by 40%. By implementing automation from the F5 product into their bot-protection practices, security teams at the interviewees’ firms were able to save 10,000 hours annually, which were previously spent blocking IP addresses and investigating security incidents—the equivalent of five full-time employees. Additionally, these security teams saved 40% of their time previously spent on rule setting.

Unquantified benefits from the study include:

Improved collaboration of security and fraud teams. Customers noted but could not quantify a positive impact on the level of collaboration between their security and fraud teams after deploying the product.

Reduced costs from decommissioned third-party bot-protection tools. Interviewees whose organizations had a prior bot-protection tool were able to decommission it after investing in F5 Distributed Cloud Bot Defense, saving those costs.

Resilience in times of increased online activity. Interviewees noted that the protection that F5 provides against automated attacks allowed their online presences to scale up with more resiliency during the massive increase in online activity during the COVID-19 pandemic.

Flexibility to expand to new use cases and markets. Interviewees also shared that they planned to expand the use of Distributed Cloud Bot Defense to new use cases, such as protection against screen-scraping, and to new geographic markets in the future.

“Now that we know what we know about the adversary, I don’t know that any level of staffing is going to be effective without tooling that resembles [Distributed Cloud Bot Defense].”

“With F5 Distributed Cloud Bot Defense, we’re blocking 97% of all malicious inbound traffic before it even gets to the application layer, which greatly reduces our customers’ risks.”

Conclusion

Bot management now means cost management. If done right, you can enhance operational efficiency, reduce business and financial risks, control IT spend, free up time for security teams and fraud analysts, and strategically manage partner bots with accurate detection and deflection, all while providing an improved customer experience.

Automated attacks represent an economic challenge that businesses and organizations must address for the sake of their bottom line and the safety of their business operations. To achieve their revenue goals, companies must protect their customers and clients from fraud and account takeover and relieve their security teams of manual and ineffective anti-bot workflows.

 

F5 Distributed Cloud Bot Defense prevents the fraud and abuse that can bypass existing bot control solutions and provides real-time monitoring and intelligence to protect organizations from automated attacks, without causing user friction or disrupting the customer experience. These protections help reduce costs due to fraud and economic impacts from malicious bot traffic while lowering customer support expenditures.

To learn more about the business impact of bot traffic to your organization, use our bot impact calculator to find out how much malicious bots are costing you in fraud, inventory manipulation, infrastructure expenses, employee burnout, and lost customers. 

Sources:

1. Gene Kim, Patrick Debois, John Willis, Jez Humble, and John Allspaw. The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations. Portland, OR, IT Revolution Press, LLC, 2021.

Published November 17, 2022