The Top 5 Industries Grappling with Bad Bots

2018 was the year bots went mainstream, as we learn more and more each day about Russia’s influence over the 2016 U.S. presidential election and watch as two of the most popular social media brands undergo existential crises. But while political leaders and tech giants grapple with the impact of bad bots on democracy, much of their wider impact on the economy is grossly misunderstood and underestimated.

Bots Everywhere

The reality is that every industry has a bot problem, though some are targeted more than others because of the content they produce or the data they store. According to research conducted by Distil Networks for the “2018 Bad Bot Report,” which is based on an analysis of hundreds of billions of bad bot requests at the application layer, these are the top five industries that are most impacted:


Gambling

The online gambling industry has a higher proportion of bad bot traffic than any other industry, accounting for 51 percent of all traffic. Gambling websites frequently offer new account promotions (e.g., 50 free spins upon sign-up) to grow their user base, and cybercriminals use bots to automatically register thousands of new accounts per hour, play the free spins and transfer the winnings to their own account or sell the login credentials on the dark web. Aggregators also use bots to relentlessly scrape online gambling companies for the ever-changing betting lines they offer, causing denial of service and customer retention problems.


Airlines

Malicious actors target airline websites with bots to conduct nefarious activities such as:

  • Fraudulently reserving blocks of seats on flights, causing the price of the remaining unsold seats to increase dramatically, throwing off sales.
  • Card cracking (testing stolen credit card numbers from previous breaches) to fraudulently book flights.
  • Credential stuffing (testing stolen login credentials from previous breaches) to break into customer accounts and steal their miles or loyalty reward points.

Bad bots accounted for 44 percent of all traffic on airline websites in 2017, making the airline industry the second-most impacted, after gambling.


Ecommerce

Ecommerce companies grapple with price scraping, content scraping, account takeovers, credit card fraud and gift card abuse on a daily basis. And with competitors, hackers and fraudsters using bots to conduct these nefarious activities on a massive scale, it can be nearly impossible to keep them at bay.

Not only does 21 percent of all traffic on ecommerce sites consist of bad bots, but the ecommerce industry also has the highest proportion of “sophisticated” bots (23 percent), which mimic human behavior to evade detection.

Health Care

Cybercriminals looking to steal and profit from patients’ account credentials, personally identifiable information (PII) and financial records stored online use bots to automate the process of web scraping, credential cracking, account takeover and online fraud. Their impact on healthcare websites is one of the worst across all industries, in both volume and sophistication:

  • The healthcare industry has one of the highest proportions of bad bots (24 percent) compared to real humans and good bots (such as search engine crawlers).
  • Health care also has one of the highest proportions of sophisticated bad bots (22 percent) compared to simple and moderate bots (much easier to detect and block).


Ticketing

Scalper bots are notoriously responsible for scooping up tickets for popular concerts and sporting events and reselling them at grossly inflated prices. This epidemic has prompted anti-scalping legislation such as the U.S. Better Online Ticket Sales Act, the U.K. Digital Economy Act and the Canadian Ticket Sales Act.

Ticket resellers have also recently started deploying spinner bot attacks, in which they will hold a ticket in the checkout cart, then quickly post the ticket for sale on their own site. Only if they make the sale do they actually make the purchase, earning revenue with no risk to themselves. Once the cart timeout expires, they simply repeat the process until they make a sale.

The ticketing industry has one of the highest proportions (21 percent) of sophisticated bots of any industry.


Looking at traffic from various industries, a deeper insight into the problem is evident. Bad bots can take many different shapes and forms depending on the nature of the targeted business, its website content and the goal of the adversary. Businesses of all kinds must be acutely aware of how bots are interacting with their websites to protect their brand, customers and revenue from harm.

Reid Tatoris

Security Boulevard

Reid Tatoris is VP product outreach and marketing at Distil Networks, a cybersecurity company specializing in bot mitigation. Reid was previously the co-founder of Are You A Human, a Detroit-based company that analyzes how real humans interact with the Internet, which was acquired by Distil. Prior to starting Are You a Human, Reid was a technology consultant working in strategic roles and leading development teams. Reid holds both an Engineering Degree and an MBA from the University of Michigan and is a mentor for Techstars Mobility.
