Finance is a major target for bad bots, suffering 12.7% of attacks overall. More concerningly, financial services are by far the most targeted by account take-over (ATO) attacks (37.8%). According to Imperva’s research, such attacks have soared by 155% year-on-year.

FS is a microcosm for the broader picture. Across the whole internet, bots account for nearly half (47%) of all internet traffic. The proportion of Bad Bots (30.2%) is the highest ever recorded by the report.

“Bots have evolved rapidly since 2013. But with the advent of generative artificial intelligence, the technology will evolve at an even greater, more concerning pace over the next 10 years,” said Karl Triebes, Senior Vice President and GM, Application Security, Imperva.

“Cybercriminals will increase their focus on attacking API endpoints and application business logic with sophisticated automation. As a result, the business disruption and financial impact associated with bad bots will become even more significant in the coming years.”

Key Findings 2023 Imperva Bad Bot Report

  • Bad bots are increasingly sophisticated and harder to detect. In 2022, the proportion of bad bots classified as “advanced” accounted for more than half (51.2%) of all bad bot traffic. In comparison, the level of bad bot sophistication in 2021 was 25.9%. This is a concerning trend for businesses as advanced bad bots use the latest evasion techniques and closely mimic human behavior to evade detection by cycling through random IPs, entering through anonymous proxies, and changing identities.
  • Account takeover (ATO) attacks increased 155% in 2022. Further, 15% of all log-in attempts in the past 12 months, across all industries, were classified as account takeover. Cybercriminals use bad bots to facilitate credential stuffing and brute force attacks, as automation can cycle through credentials quickly until successful. These attacks have the potential to lock customers out of their accounts, provide fraudsters with sensitive information, contribute to business revenue loss, and increase the risk of non-compliance.
  • Bad bots target APIs to abuse business logic and compromise accounts. In 2022, 17% of all attacks on APIs came from bad bots abusing business logic. A business logic attack exploits flaws in the design and implementation of an API or application with the intent of manipulating legitimate functionality to steal sensitive data or illegally gain access to accounts. Further, 35% of account takeover attacks in 2022 specifically targeted an API. When APIs are called programmatically, attackers can easily automate the process of attempting to take over an account without triggering any alarms.

Travel, retail and FS sectors account for almost 60% of attacks

Travel (24.7%), Retail (21%), and Financial Services (12.7%) continue to experience the highest volume of bot attacks.

“Every organisation, regardless of size or industry, should be concerned about the rising volume of bad bots across the internet,” added Triebes.

“Year-over-year, the proportion of bot traffic is growing. The disruptions caused by malicious automation result in tangible business risks – from brand reputation issues to reduced online sales and security risks for web applications, mobile apps, and APIs. Businesses need to act now and invest in bot management and online prevention that can identify and stop sophisticated automation that targets APIs and application business logic.”