If you’ve tried to buy collectibles or new technology from an Internet retailer in the last year, you’ve seen the bots in action. Run by scalpers, they can scoop up a store’s entire inventory of new tech or collectibles in seconds. Bots have been an issue in any field with short supply but high demand for years, according to Peter Klimek, director of technology at the cyber-security company Imperva. “The most prominent examples are the sneaker bots, which were going after exclusive Nike sneakers,” Klimek said in a Zoom interview with Lifewire. “With the pandemic, early on, the bots went after workout equipment, PPE supplies, and hand sanitizer.” Since then, scalpers have moved on to video cards, game consoles, new tablets, and anything affected by recent supply-chain restrictions. If it’s rare or collectible, like Microsoft’s Xbox-themed mini-fridge, it’s likely to be targeted by shopping bots.

Whys and Wherefores

It’s helpful to distinguish, as Imperva does, between ‘good bots’ and ‘bad bots.’ Good bots are a big part of the modern internet, such as the web crawlers that search engines use to index data. A bad bot, conversely, is used to automate actions that violate a site’s security. For example, a scalper’s bot can skip straight past a store’s checkout process, change minute bits of information, and do so hundreds of times in a row to get around 1-per-customer restrictions. Shockingly, this is technically legal. It’s easy to find websites that openly sell any of a hundred ‘Grinch bots’ (used to grab hot toys during the holidays, thus stealing Christmas), complete with blogs and customer testimonials. “There have been attempts to pass legislation specifically about targeting automated activity,” Klimek said. “There were efforts to try to pass legislation to limit this activity [i.e., the Stopping Grinch Bots Act of 2018], but that’s basically not a priority right now. This continues to be a gray area in the market.”

Working Around It

At first glance, bots seem like a sweet deal for retailers who are still moving inventory. However, it’s often a catch-22. Bot traffic can stress or overwhelm retailers’ servers, resulting in high bandwidth costs and even actual damage. Customers frustrated by bots are also prone to filing complaints, service requests, and the occasional ‘review bomb.’ With some goods, being bought up in bulk by bots can be financially detrimental. This includes items like video game consoles and media players that are sold using a ‘razor and blades’ model, where each unit is sold with a low or negative profit margin. The assumption is that the retailer and manufacturer will make up the difference on attached subscriptions or software. On this sales model, a unit that’s been grabbed strictly for resale, without any attached goods, is effectively a short-term loss and a potentially lengthy delay to the unit’s profit cycle. Sony may like how fast the PlayStation 5 is selling, but how many of those units are sitting unopened on resellers’ shelves? This may sound like it’s mostly the retailers’ problem, but consumers also need to watch out. The high volume of bad bots surrounding online shopping in 2021 has led to an increased rate of actual attacks, as unscrupulous scalpers look for opportunities to take over users’ store accounts and steal data. For this holiday season, both retailers and customers should look to step up their security. For stores, it’s possible to implement anti-botting measures and adopt in-person sales practices. For consumers, it’s worth being careful where you shop online and using two-factor authentication when you do. “We’ve seen certain companies change their approach to make sure they’re getting goods into the hands of consumers, and not just bot authors,” Klimek said. “This includes Best Buy’s subscription service, which includes first-priority access to some hot-ticket items, and how Valve sold the Steam Deck system, by making it only available to previous customers on Steam.” As long as the bots stay legal and the servers stay flooded, consumers and retailers alike will have to find more workarounds like these. For right now, it doesn’t look like the bots are going anywhere.