As a product chief information security officer (CISO), I am often plotting with our digital marketing leaders against a common enemy: bot traffic.
Not long ago, bots were something that only the security team worried about. But the growth of e-commerce and digital experiences has resulted in bots' stealing revenue and scrambling the data analytics that marketers rely on. Today, we're fighting the same fight.
Marketers shouldn't have to be bot experts. But bots' impact on customer acquisition, retention, loyalty, and revenue means marketers can't sit on the sidelines either.
Bots aren't just a consumer app problem. As a software-as-a-service (SaaS) company ourselves, we've experienced firsthand how bots can affect free trials and form fills.
I'd like to give B2B marketers three practical tips for working with Security on a bot detection strategy aimed at SaaS companies. They revolve around a discipline called customer identity, wherein anonymous users become identified customers—the perfect place to sniff out a bot. Marketers might call it their login box.
1. Understand how bots affect marketing
Bots are pieces of software programmed to automatically execute a specific task. In relation to the marketing funnel, attackers use bots (often arrayed into networks known as "botnets") to create fake accounts or take over existing ones.
Bots are responsible for around 23% of all sign-up attempts—up from 15% in 2021, according to Okta's 2022 State of Secure Identity report. There were another 10 billion attempts to take over existing accounts using a method called "credential stuffing," wherein bots automatically inject stolen credentials into login forms.
The motivations for bot attacks are typically financial. In other words, bots go where the money is. Marketing tactics such as sign-up promotions, limited-edition product launches, loyalty programs that accumulate points in an account, and even free trials of SaaS products can all attract unwanted bot traffic.
Malicious bots can be deployed for DDoS attacks, credit card fraud, credential stuffing, and Web/data scraping. They can also scan and crawl through social media, forums, and websites to find personal information about users in a process called intelligence harvesting. Bots can be used to send spam messages, and they can use ads or hyperlinks on websites to track users.
Despite all that, marketers still need to run their marketing campaigns. But if they don't filter out bot traffic, it can artificially inflate subscriber numbers and skew other customer data. The last thing you want as a marketing leader is to waste budget on customers that don't exist—or frustrate legitimate ones that expect a more personalized experience.
Bots aren't scary in and of themselves. There are legitimate use cases for bots—content aggregation, crawling for SEO purposes, etc.—and the security community has developed tools to detect and block suspicious bot activity in the sign-up and sign-in flows.
What's more concerning is how easy and cheap it is to use a botnet. You can run a botnet for an hour for a dollar. And there are billions of stolen credentials from previous data breaches freely available on the Internet to "stuff" into login forms.
2. Replace passwords with safer alternatives
As long as our digital experiences require passwords, we will continue to feed the beast. Stolen credentials lead to nearly 50% of all attacks, according to Verizon's 2022 Data Breach Investigations Report.
A record 50,000 attempts per day to sign up or log in with an already-breached password were prevented on our platform in the first quarter of 2022—up from 26,600 per day a year earlier. Most of those happen because customers reuse a password that has already been exposed in a breach across multiple accounts. In many cases, they may not even know it's been stolen (unless they've looked themselves up on haveibeenpwned.com).
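Blocking a breached password at sign-up does not require sending the password anywhere. The common pattern is a k-anonymity range query against Have I Been Pwned's Pwned Passwords service: the client hashes the password with SHA-1, sends only the first 5 hex characters of the hash, receives every breached hash suffix that shares that prefix, and does the comparison locally. The Go program below is an added example, not code from the page's author or from any vendor's platform. The corpus (constructedCorpus) and the offline stand-in for the range endpoint (fakeRangeAPI) are constructed for the example; the response format and the URL in the comment are those of the real service.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// rangeLookup returns the lines of a Have I Been Pwned "range" response for the
// first 5 hex characters of an uppercase SHA-1 password hash: one "SUFFIX:COUNT"
// line per breached hash sharing that prefix. In production this is an HTTPS GET
// to https://api.pwnedpasswords.com/range/<prefix>; it is injected here so the
// check runs offline against a constructed corpus.
type rangeLookup func(prefix string) ([]string, error)

// constructedCorpus is invented for this example and stands in for the breach
// corpus: a few passwords of the kind credential-stuffing lists are full of.
var constructedCorpus = map[string]int{
	"password123": 123456,
	"qwerty":      3912816,
	"letmein":     251682,
	"welcome1":    98765,
}

func sha1Hex(s string) string {
	sum := sha1.Sum([]byte(s))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// fakeRangeAPI serves the constructed corpus in the real API's response format
// and records every prefix it was asked for, so a caller can confirm that only
// 5 characters of any hash ever left the process.
func fakeRangeAPI(requested *[]string) rangeLookup {
	index := map[string][]string{}
	for pw, count := range constructedCorpus {
		h := sha1Hex(pw)
		index[h[:5]] = append(index[h[:5]], h[5:]+":"+strconv.Itoa(count))
	}
	return func(prefix string) ([]string, error) {
		*requested = append(*requested, prefix)
		return index[prefix], nil // nil for an unknown prefix: a response with no matching suffix
	}
}

// breachCount reports how many times pw appears in the corpus (0 if never).
// Only the 5-character prefix is sent; the 35-character suffix is matched locally,
// so the service learns neither the password nor its full hash.
func breachCount(pw string, lookup rangeLookup) (int, error) {
	h := sha1Hex(pw)
	prefix, suffix := h[:5], h[5:]
	lines, err := lookup(prefix)
	if err != nil {
		return 0, err
	}
	for _, line := range lines {
		parts := strings.SplitN(strings.TrimSpace(line), ":", 2)
		if len(parts) != 2 || parts[0] != suffix {
			continue
		}
		n, err := strconv.Atoi(parts[1])
		if err != nil {
			return 0, fmt.Errorf("malformed range line %q: %w", line, err)
		}
		return n, nil
	}
	return 0, nil
}

// acceptAtSignup is the policy hook a sign-up or password-change form calls.
// It fails closed when the lookup errors; whether to fail open instead (accept the
// password, log the outage) is a product decision, not a technical one.
func acceptAtSignup(pw string, lookup rangeLookup) (bool, string) {
	n, err := breachCount(pw, lookup)
	switch {
	case err != nil:
		return false, "breach check unavailable, please try again"
	case n > 0:
		return false, "this password has appeared in a data breach; choose a different one"
	}
	return true, ""
}

func main() {
	var sent []string
	lookup := fakeRangeAPI(&sent)
	for _, pw := range []string{"password123", "correct horse battery staple"} {
		ok, msg := acceptAtSignup(pw, lookup)
		fmt.Printf("%-32q accepted=%-5v %s\n", pw, ok, msg)
	}
	fmt.Println("prefixes sent to the range API:", sent)
}
```

The point of injecting the lookup is that the same breachCount runs unchanged against the real endpoint; the only thing that crosses the network is the prefix, which is why the check can sit in a sign-up flow without creating a new place where plaintext passwords are exposed.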
Marketers can champion going "passwordless" when they're launching a new app or improving the experience on current channels. There are even some no-code tools that allow marketers to replace passwords themselves without technical expertise. Customers can sign up or log in with a social provider, a one-time "magic link" or code, or a passkey.
Passkeys are widely regarded as the most viable "password killer" to date. They work by generating a unique cryptographic key pair on the customer's device; the private half never leaves it, and the website only ever stores the public half. Customers unlock the key the same way they unlock a phone—with biometrics, like a face or fingerprint. And because the key is bound to the website or app it was registered for, a fake login page on a different domain cannot invoke it or reuse what it signs, so attackers are not able to "phish" it the way they phish a password.
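The "works only for a single website" property is something the server can check, not just a promise from the device. The Go program below is an added example, not code from the page's author or from any vendor's product, modelling the sign-in (assertion) half of WebAuthn with the standard library's ECDSA. The relying-party identity (rpID, rpOrigin), the phishing domain, and all function names are assumptions for the example. In a real browser a fake page cannot even ask for the credential, because the browser refuses an rpId that is not a registrable suffix of its own origin; the example exercises the second line of defence, the relying party's own origin check, which rejects an assertion an attacker relays from their page even if the user signed it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Relying party identity, assumed for the example: the passkey is registered
// for rpID and the RP accepts assertions only from rpOrigin.
const (
	rpID     = "example.com"
	rpOrigin = "https://example.com"
)

// clientData is the JSON the browser builds for signing; the browser fills in origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	AuthData       []byte // SHA-256(rpID) || flags || signCount
	ClientDataJSON []byte
	Signature      []byte // ECDSA P-256, ASN.1, over AuthData || SHA-256(ClientDataJSON)
}

// passkey models the authenticator: the private key is generated here and never leaves.
type passkey struct {
	priv      *ecdsa.PrivateKey
	rpIDHash  [32]byte
	signCount uint32
}

func newPasskey(rp string) *passkey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // example code: a failing system RNG is not recoverable here
	}
	return &passkey{priv: priv, rpIDHash: sha256.Sum256([]byte(rp))}
}

// assert signs a challenge. origin is whatever page the browser is on when
// navigator.credentials.get() runs, so on a fake login page it is the attacker's
// origin, and it is baked into the signed bytes.
func (p *passkey) assert(challenge, origin string) (assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	p.signCount++
	n := p.signCount
	authData := append([]byte{}, p.rpIDHash[:]...)
	authData = append(authData, 0x01, byte(n>>24), byte(n>>16), byte(n>>8), byte(n)) // flags=UP, counter
	sig, err := ecdsa.SignASN1(rand.Reader, p.priv, signedDigest(authData, cd))
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}

func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// verifyAssertion is the RP-side check. The origin comparison is the phishing
// defence: an assertion relayed from a fake page carries the fake page's origin.
func verifyAssertion(pub *ecdsa.PublicKey, wantChallenge string, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != wantChallenge {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, rpOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch: credential was registered for a different site")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// runCeremony registers a passkey for rpID, signs in from origin, and returns the RP's verdict.
func runCeremony(origin string) error {
	key := newPasskey(rpID)
	buf := make([]byte, 32)
	rand.Read(buf)
	challenge := fmt.Sprintf("%x", buf) // fresh per login; the RP remembers it for this session
	as, err := key.assert(challenge, origin)
	if err != nil {
		return err
	}
	return verifyAssertion(&key.priv.PublicKey, challenge, as)
}

func main() {
	fmt.Println("real site:     ", runCeremony(rpOrigin))
	fmt.Println("phishing site: ", runCeremony("https://example-com-login.net"))
}
```

A production relying party would use a WebAuthn library rather than this model and would also check the ceremony type, the user-verification flag and that signCount increases, but the three comparisons that matter for the passkey claim are visible here: the challenge (no replay), the origin (no relay from a look-alike domain), and the signature under the stored public key (no forgery without the device).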
3. Talk about other ways to make security user-friendly
I've had several conversations with marketing colleagues about how we protect our customers without adding "extra steps." They have a point. Friction is the enemy of conversion. At the same time, a recent study found that almost 28% of online traffic is attributable to bad bots that mimic human behavior, so whatever friction we add has to land on the bots rather than on the humans.
Historically, security vs. customer experience has been presented as a zero-sum game. But as we've seen with passkeys, that is a false choice. Today, emerging technologies make it possible to maximize both forces at the same time.
One of my favorites is risk-based or "adaptive" authentication, which steps up security for suspected bots without slowing down human customers. It works by triggering a verification challenge only when something looks amiss—for example, automatically displaying a CAPTCHA if there's a sudden jump in failed logins. For marketers, adaptive tools reduce barriers for customers while helping to filter out bots.
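The rule "challenge only when something looks amiss" can be made concrete. The Go program below is an added example, not code from the page's author or from any vendor's product, and it also illustrates the credential-stuffing pattern from the first tip: a sliding-window risk engine that decides, before the password is checked, whether a login attempt gets a CAPTCHA. It challenges on three signals: many failures from one IP address (brute force), failures against many different usernames from one IP (credential stuffing), and a sudden site-wide jump in failed logins. The thresholds, the IP addresses and the login log (sampleLog) are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// loginAttempt is one line of a constructed login log.
type loginAttempt struct {
	At   time.Time
	IP   string
	User string
	OK   bool
}

// riskEngine keeps only recent failures and answers one question per attempt:
// does this request get a CAPTCHA before the password is even evaluated?
type riskEngine struct {
	window      time.Duration // how far back "recent" reaches
	perIPFails  int           // failures from one IP -> challenge (brute force)
	perIPUsers  int           // distinct usernames failing from one IP -> challenge (credential stuffing)
	globalFails int           // failures from anywhere -> challenge everyone (the "sudden jump")
	failures    []loginAttempt
}

func newRiskEngine() *riskEngine {
	// Thresholds are assumptions for the example; tune them against your own baseline.
	return &riskEngine{window: 60 * time.Second, perIPFails: 5, perIPUsers: 3, globalFails: 8}
}

// decide is called before the credentials are checked and returns "allow" or "captcha".
func (r *riskEngine) decide(now time.Time, ip string) string {
	r.prune(now)
	ipFails, users := 0, map[string]bool{}
	for _, f := range r.failures {
		if f.IP == ip {
			ipFails++
			users[f.User] = true
		}
	}
	switch {
	case len(r.failures) >= r.globalFails:
		return "captcha" // site-wide spike: the cost of a bot wave lands on everyone for a while
	case ipFails >= r.perIPFails, len(users) >= r.perIPUsers:
		return "captcha"
	}
	return "allow"
}

// record is called after the credentials are checked; only failures are kept.
func (r *riskEngine) record(a loginAttempt) {
	if !a.OK {
		r.failures = append(r.failures, a)
	}
}

// prune drops failures older than the window so a spike decays on its own.
func (r *riskEngine) prune(now time.Time) {
	keep := r.failures[:0]
	for _, f := range r.failures {
		if now.Sub(f.At) <= r.window {
			keep = append(keep, f)
		}
	}
	r.failures = keep
}

// replay runs a log through the engine and returns the decision for each attempt.
func replay(r *riskEngine, attempts []loginAttempt) []string {
	out := make([]string, 0, len(attempts))
	for _, a := range attempts {
		out = append(out, r.decide(a.At, a.IP))
		r.record(a)
	}
	return out
}

// sampleLog is constructed: a human who mistypes once, a credential-stuffing bot
// cycling through ten accounts from one IP, a second bot IP, an innocent user
// caught by the site-wide spike, and that same user once the window has passed.
func sampleLog() []loginAttempt {
	t0 := time.Date(2022, 6, 1, 12, 0, 0, 0, time.UTC)
	at := func(s int) time.Time { return t0.Add(time.Duration(s) * time.Second) }
	attempts := []loginAttempt{
		{at(0), "203.0.113.10", "alice", false},
		{at(5), "203.0.113.10", "alice", true},
	}
	for i := 1; i <= 10; i++ {
		attempts = append(attempts, loginAttempt{at(9 + i), "198.51.100.7", fmt.Sprintf("user%02d", i), false})
	}
	return append(attempts,
		loginAttempt{at(20), "198.51.100.8", "user11", false},
		loginAttempt{at(25), "203.0.113.20", "bob", true},
		loginAttempt{at(100), "203.0.113.20", "bob", true},
	)
}

func main() {
	for i, d := range replay(newRiskEngine(), sampleLog()) {
		fmt.Printf("attempt %2d: %s\n", i, d)
	}
}
```

Run against the sample log, the human's mistype and the bot's first three attempts pass untouched, the bot starts seeing CAPTCHAs from its fourth username, and the site-wide threshold briefly challenges the second bot IP and one legitimate user before the window expires and things return to normal. That last case is the trade-off the text is describing: the global signal catches distributed bots that never trip a per-IP limit, at the price of some friction for humans during an attack, which is why it should be the highest threshold of the three.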
* * *
Digital marketing may attract bots, but marketers don't have to fight them alone. A strong partnership between Marketing and Security can keep bots out of the funnel without making tradeoffs against the customer experience. That's a win-win for everyone.