
Mother’s Day Online Shoppers Were Active, and So Were Threat Actors


Mother’s Day is a major online shopping event that attracts both shoppers and threat actors. Earlier in the year, we reported on the United Kingdom’s version, called Mothering Sunday.

An eMarketer spending forecast predicted that in the United States, retail gift spending would increase, after a dip in 2018. The average spending per person would increase to about $196, versus 2018’s $180. In addition to more consumers doing their shopping online, this increased spending activity means that threat actors would also be on the prowl.


As we did during peak holiday traffic events last year, we tabulated and analyzed aggregate statistics from global online retail traffic that touched nearly 100 retail websites and mobile retail apps, providing Akamai with more than 5 billion daily data points. We also extracted data for Canada, the United Kingdom and major regions, along with the United States for comparison.

GLOBAL TRAFFIC

Comparing 2019 baseline (April 1 to April 30) session traffic for the United States, Canada, United Kingdom and major regions against the same period for Mother’s Day 2018, traffic was up overall, except for Canada.


On the actual Sunday holiday, 2019 traffic was up with the exception of Canada and APJ (reasonable for APJ considering the time zone/date line difference). This was surprising, for in the U.K., traffic was down on Mothering Sunday, meaning that, like the Canadians, U.K. shoppers were far more diligent about going offline and visiting their moms than U.S. shoppers!


Session traffic during the week leading up to and including Mother’s Day 2019 shows a fairly consistent trend of traffic declining steadily during that period. It’s interesting to note that the Canadian drop is not quite as severe; it would seem that overall, Canadian traffic is down from last year as evidenced by the baseline comparison.


DEVICES

Unsurprisingly, the use of mobile devices continued its mega trend of generating more traffic than desktop and tablets; tablet use remained consistently low throughout the period. However, as we’ll see shortly, while mobile usage dwarfs tablets, tablets still play a key role when it comes time to purchase.


From Mother’s Day 2018 to Mother’s Day 2019, desktop as a percentage of the total dropped 10.94%, while mobile increased by 12.68%. Tablet usage decreased by 23.89%, which continues to reinforce how much shoppers are using their smartphones as the preferred way to shop online, especially while out and about, away from home.


What’s driving the mobile usage? According to an eMarketer survey, shoppers prefer to consult their phones while they’re in the store, versus speaking to a store employee. A substantial 69% said they would rather review a product on their phone than speak with an in-store associate. And 53% preferred to look for discounts and offers on their phone, again, instead of speaking to an employee.


The top two survey responses underscore the importance of delivering properly formatted content (images and videos) to a user’s mobile phone. Delivering a favorable customer experience (CX) by providing optimized content is paramount. Frequently, customer reviews contain pictures and videos supplied by the customer that are uploaded without any optimization; a single picture from a recent smartphone, for example, could be more than 12MB. And while ‘professional’ product reviews might contain optimized content, other performance roadblocks might be present, such as how the reviews and other content are integrated, e.g. via APIs.

MOBILE OS

Android users increased their portion of online shoppers by 22% from Mother’s Day 2018 to 2019, reflective of the larger number of Android users, globally. However, while the number of iOS users remained essentially flat year-over-year, they still outnumbered Android users nearly 2:1.


CONVERSION RATES

Mobile OS conversion rates remained consistent with what we saw last shopping season, with iOS users continuing to show a higher propensity to purchase than Android users. However, both sets of OS users increased their conversion rates, Android more than iOS, perhaps due to their greater number of users, an increased focus on mobile user experience (UX) and better incentives for mobile users via retailers’ branded apps.


However, while the mobile conversion rates increased, it is important to compare them to desktop and especially tablet conversion rates.


Here we see that, in addition to desktop conversion rates being, on average, double mobile conversion rates, tablets are on par with desktops. According to OuterBox, “Almost 40% of all eCommerce purchases during the 2018 holiday season were made on a smartphone.” Taken the other way, this means that the majority of purchases, 60%, were not made on a smartphone; these were likely made on desktops and tablets.

Desktops and tablets, with their larger screens, are more conducive to shoppers researching and searching for the merchandise they wish to purchase. According to research by Contentsquare, “Users are increasingly using mobile as their preferred channel for online shopping; however, they have a poor user experience because sites aren’t optimized for mobile, which stops them spending more.” This lack of mobile optimization can be a cause for the higher desktop and tablet conversion rates; shoppers use these platforms after doing their research on mobile devices.

As mentioned earlier, image optimization is a key area that retailers need to continue to focus on, as they strive to provide a superb UX for shoppers in order to gain a competitive advantage and increase sales. The strong usage of desktops and tablets, especially for purchase, means that these devices must be included in the optimization effort and not cast aside in favor of mobile priorities. High-quality mobile experiences are increasingly important as shoppers are showing a greater propensity to purchase online and visit a store to pick up their merchandise, an approach referred to as Buy Online, Pick Up in Store (BOPIS), listed as the #1 2019 trend for retailers.

Examining conversion rates (all devices) for key countries in addition to the United States, we see the U.S. conversion rate pick up at the end of the week, perhaps for some last-minute shopping. For Canada, the conversion rate drops off approaching Mother’s Day as shoppers began to decrease their online sessions.


SECURITY

According to the Akamai ‘2019 State of the Internet / Security: Retail Attacks and API Traffic’ (SOTI) report, between May 1 and Dec 31, 2018, there were 10 billion credential stuffing attempts in the retail industry detected on the Akamai edge network. Overall, Akamai detected 28 billion credential abuse attempts in all of our customers’ industries over the same period; retail was the top industry targeted (see the chart below). Clearly, retail is the most attractive target to threat actors on the hunt for customer data, credit cards, etc.

md3.png

Web Application Attack Detail

With the lull after President’s Day shopping, Mother’s Day is the next major U.S. holiday of the year, but compared to Mothering Sunday in the U.K., the number of attacks is lower in most of the categories, with the exception of Command Injection and Cross-Site Scripting. Perhaps the focus of the threat actors shifted to bot attacks.


Bot Attacks

The Akamai report ‘State of the Internet / Security: DDoS and Application Attacks‘ highlights bot-generated automated credential stuffing attempts that we track. According to our research, bots can represent up to 60% of overall web traffic, but less than half of them are actually declared as bots – making tracking and blocking difficult. Compounding this is the fact that not all bots are malicious, which the SOTI report elaborates on.

Total bot attacks were steady, but credential abuse/stuffing attacks more than doubled, perhaps reflective of it being one of the more popular attack vectors at present.


As with all the peak holiday traffic events we monitored and reported on in 2018, in 2019, the U.S. was the top country targeted for attacks; this is logical due to the high number of online users.

For this holiday, the U.S. was the highest source country, also consistent with Mothering Sunday. However, as always, it’s very easy for threat actors to obfuscate their true origin so it’s challenging to ensure 100% accuracy.


SUMMARY

The Performance and Security peak holiday traffic trends that we analyzed and reported on in 2018 have continued into 2019, demonstrating that retailers cannot and should not relax either their security vigilance or efforts to provide an optimal user experience (UX).

Users have clearly demonstrated that while they are increasing their use of mobile smartphones for their online shopping, they are not abandoning their desktop or tablet for the all-important purchase phase of the sales cycle. As a result, retailers should not prioritize one device over another when funding their content optimization projects; this is supported by a recent eMarketer survey of U.S. shoppers regarding the average number of images and videos they expect to see when shopping online.


Threat actors are stepping up their use of bots for credential stuffing/abuse attacks. The increase of activity around this attack vector is tied to the large number of data breaches making user credentials available on the dark web. Retailers should be looking for ways to obtain a holistic view into security protections for their apps across any cloud deployment, including multi-cloud infrastructures.

Online retailers must focus on providing a secure online environment for their customers along every stage of the transaction, including research, purchase, capture and storage of identity information, to help comply with regulations and address data privacy concerns. Bots in particular pose a significant challenge: distinguishing between ‘good’ and malicious intent. Retailers should seek a partner such as Akamai to provide security solutions and expertise.

Performance matters too; retailers need to be prepared for ANY peak traffic event that could potentially stress their site and negatively impact its responsiveness for customers. And, regardless of peak traffic, customers are expecting, and demanding, a superior UX.



*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Chris Wraight. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/nfGhs6Sk5CQ/mothers-day-online-shoppers-were-active-and-so-were-threat-actors.html
