HUMAN Security Holiday Report Explains How Grinch Bots Steal the Holidays

HUMAN Security released its 2023 Bad Bot Holiday Report, which details what cybercriminals were up to last holiday season.

The bot operators started early, planned carefully, and then unleashed a torrent of bad bots to bilk retailers and consumers alike. HUMAN’s report shows websites and online retailers how those ploys worked so that security teams can keep their sites and their customers safe in the upcoming holiday season.

Below are the things to watch out for, according to HUMAN.

Cybercriminals Start Early

Cybercriminals begin planning their crimes in the months leading up to Cyber Monday. From last September through November, HUMAN measured 99% more bad bot traffic to retail sites than the yearly average.

Human traffic, on the other hand, stayed relatively flat, reaching its peak during Cyber Week.

What Was All That Bot Traffic Up To?

While most consumers spent last summer and fall barbecuing and getting their kids ready for school, the cybercriminals were laying the groundwork for their crimes. According to HUMAN, they were busy: 

  • Harvesting sensitive data from breaches, leaky databases, phishing campaigns, and dark web lists
  • Executing automated credential stuffing, carding, and brute force attacks to validate credentials, credit card numbers, and other PII
  • Submitting fake leads and contaminating web engagement metrics

“Cybercriminals use bad bots to prepare in the summer and fall, so they will be ready when the holiday season rolls around,” HUMAN warns. “These bad bots then launch large-scale attacks during major online traffic periods and sales events.”

Types of Attacks

HUMAN noted that three types of attacks dominated the holiday season:

Account Takeovers

In these attacks, criminals use stolen or guessed credentials to gain unauthorized access to a user’s account, then make purchases, drain linked bank accounts, and cause a host of other ills. Account takeover attacks were up 123% in the second half of last year. In fact, 48.2% of all log-in attempts were malicious.

Carding Attacks

Carding, or using bots to test stolen credit card, bank card, and gift card numbers, is the biggest threat to e-commerce retailers during the holiday season. Once the fraudsters have validated the numbers, they buy all sorts of goods to resell online.

In early November 2022, the percentage of malicious checkout attempts out of total checkout attempts rose 350%. The percentage of carding attacks out of total checkouts increased 900% in the days following Cyber Monday. This was likely due to bots continuing their attacks on e-commerce sites even after human traffic subsided.

For e-commerce alone, HUMAN measured a significant peak in the summer months, when almost 30% of checkout attempts were malicious. This was followed by another, smaller peak in October and a jump during the holiday season.
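The account takeover and carding attacks described above share one tell: a single source cycles through many different accounts or many different card numbers and mostly fails, whereas a real shopper retries one account or one card. The script below is an added example written for this article, not code from HUMAN or from the report. It runs a simple per-source velocity check over constructed log lines to flag credential-stuffing and card-testing bursts, computes the share of checkout attempts that came from flagged sources (the kind of ratio the report quotes), and lists the cards a bot got approved, which are the “validated” numbers a fraudster goes on to spend. The log format, IP addresses, thresholds, and function names are all assumptions made for the example.

```python
# Added example (not HUMAN's code): velocity checks for credential stuffing
# and carding over constructed sample logs. Format, IPs and thresholds are
# assumptions made for this illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not real traffic). One event per line:
#   <ISO timestamp> <source IP> <event> <subject> <outcome>
# For "login" the subject is the account; for "checkout" it is a card token
# (BIN plus last four, never a full PAN). Documentation-range addresses
# 203.0.113.7 and 198.51.100.9 play the bots; 192.0.2.x are real shoppers.
SAMPLE_LOG = """\
2022-11-28T09:00:01 203.0.113.7 login alice@example.com fail
2022-11-28T09:00:02 203.0.113.7 login bob@example.com fail
2022-11-28T09:00:03 203.0.113.7 login carol@example.com fail
2022-11-28T09:00:04 203.0.113.7 login dave@example.com ok
2022-11-28T09:00:05 203.0.113.7 login erin@example.com fail
2022-11-28T09:00:20 192.0.2.10 login alice@example.com fail
2022-11-28T09:00:25 192.0.2.10 login alice@example.com ok
2022-11-28T09:01:00 198.51.100.9 checkout 411111-1111 declined
2022-11-28T09:01:01 198.51.100.9 checkout 411111-2222 declined
2022-11-28T09:01:02 198.51.100.9 checkout 411111-3333 declined
2022-11-28T09:01:03 198.51.100.9 checkout 555555-4444 approved
2022-11-28T09:01:04 198.51.100.9 checkout 555555-5555 declined
2022-11-28T09:02:00 192.0.2.11 checkout 424242-4242 approved
2022-11-28T09:02:30 192.0.2.12 checkout 424242-9999 declined
2022-11-28T09:02:40 192.0.2.12 checkout 424242-9999 approved
"""
WINDOW_SECONDS = 300  # fixed 5-minute buckets; production code would use a sliding window


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    kind: str      # "login" or "checkout"
    subject: str   # account name or card token
    ok: bool       # login succeeded / card approved


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, kind, subject, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, kind, subject,
                            outcome in ("ok", "approved")))
    return events


def find_bursts(events, kind, min_distinct, max_success_rate):
    """Flag sources that, within one time bucket, try many *distinct* subjects
    (accounts or cards) and mostly fail. A shopper retries one account or one
    card; a bot validating a stolen list cycles through many."""
    groups = defaultdict(list)
    for e in events:
        if e.kind == kind:
            groups[(e.ip, int(e.ts.timestamp()) // WINDOW_SECONDS)].append(e)
    flagged = {}  # one entry per IP; the last flagged bucket wins
    for (ip, _), evs in groups.items():
        distinct = {e.subject for e in evs}
        success_rate = sum(e.ok for e in evs) / len(evs)
        if len(distinct) >= min_distinct and success_rate <= max_success_rate:
            flagged[ip] = {"attempts": len(evs), "distinct": len(distinct),
                           "success_rate": round(success_rate, 2)}
    return flagged


def credential_stuffing_sources(events):
    return find_bursts(events, "login", min_distinct=5, max_success_rate=0.2)


def carding_sources(events):
    return find_bursts(events, "checkout", min_distinct=5, max_success_rate=0.3)


def malicious_checkout_share(events):
    """Fraction of all checkout attempts that came from flagged card-testing
    sources: the 'malicious checkouts out of total checkouts' ratio."""
    bad = carding_sources(events)
    checkouts = [e for e in events if e.kind == "checkout"]
    if not checkouts:
        return 0.0
    return sum(e.ip in bad for e in checkouts) / len(checkouts)


def cards_validated_by_bots(events):
    """Cards a flagged source got approved: the 'validated' numbers the
    fraudster will spend, so they belong on a block list and in the issuer report."""
    bad = carding_sources(events)
    return sorted({e.subject for e in events
                   if e.kind == "checkout" and e.ok and e.ip in bad})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing sources:", credential_stuffing_sources(evs))
    print("carding sources:", carding_sources(evs))
    print("malicious checkout share: %.0f%%" % (100 * malicious_checkout_share(evs)))
    print("cards validated by bots:", cards_validated_by_bots(evs))
```

The thresholds are deliberately crude. The point is the signal itself: distinct subjects per source per window combined with a low success rate separates a shopper who mistypes a password twice from a bot walking a breach list, and the same grouping works whether the “subject” is an account or a card token. The one approved card in the sample is the real loss: it is now a validated number, so a detection that only blocks the source and ignores what it validated misses the part the fraudster actually wanted.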


Scraping

Scraping is the use of bots to copy a website’s data in order to capture competitive intel. Scraping also takes a toll on a website’s SEO ranking (most sites invest in SEO during the holiday season, so this is especially frustrating).

“Brands and marketers are profiting from online advertising during the holiday season with holiday sales growing last year from 2021 by more than 5.3% to $936.3 billion according to the National Retail Federation and consumers are spending nearly $1,500 on gifts, travel, and entertainment according to PWC research,” said Liel Strauch, HUMAN’s Senior Director of Enterprise Research. “It’s no wonder cybercriminals and fraudsters are already planning and embarking on their schemes. Our research demonstrates why bots are one of the most prolific tools for cybercrime because their increased sophistication gives fraudsters an uncanny ability to mimic human behavior online. They’re utilizing carding attacks, account takeovers, and scraping attacks to target both consumers and e-commerce sites, which can impact a consumer’s bank account and an e-commerce site’s profits.”

Learn More

The report goes into more detail, which you can read here.