Imperva highlights scalping problem as AI-supercharged Grinch bots drive up cost of Christmas for online shoppers
Much like the villain in Dr Seuss’s classic tale, The Grinch, research from Imperva shows that 71% of UK consumers believe bad bots are ruining Christmas by snapping up all the most wanted presents.
Two-fifths have been thwarted when trying to buy a gift in the past, only to find that it was completely sold out. As a result:
19% have had to buy a more expensive alternative
13% purchased a gift that wasn't as meaningful
10% had to buy from a secondary marketplace at an inflated price
10% disappointed a loved one by buying an alternative gift
Imperva, which surveyed 2,000 Brits, is warning that ‘scalping’, a practice whereby cybercriminals use bots to buy items from online retailers and sell them for a profit on resale sites, is only set to get worse this Christmas.
With AI now supercharging bots, the most in-demand presents can be targeted more accurately and faster than ever before. Analysis shows that once an item is listed on a resale site, the cost can increase by as much as 105% during the holiday period.
“It’s a Christmas tale as old as time. A child has their heart set on a particular toy; it sells out; parents frantically visit every shop to find the last one,” says Tim Ayling, VP EMEA at Imperva.
“But with so much shopping done online now, the scale of this problem has ballooned, with automated bots able to scalp the most in-demand presents for a healthy profit. AI is making the situation even worse, making bots faster, more targeted and more effective, leaving an increasing number of disappointed children or parents out of pocket.”
As well as driving up the cost of Christmas for consumers, AI superpowered bots also have a negative impact on retailers’ reputations and profits, with customers looking elsewhere if their desired gift is sold out.
In response, Imperva has five top tips for retailers looking to protect their customers this holiday season:
Identify risks and evaluate traffic: Find site vulnerabilities like login endpoints, account creation pages, payment forms, and product pages - common bot targets for scalping. Track failed login attempts and traffic spikes, which may indicate bot activity. Use traffic analysis tools to distinguish bots from legitimate users and respond quickly to suspicious behaviour.
Block outdated user agents: Many bots use outdated browser versions, lacking the latest security updates. In contrast, human users are typically forced to auto-update their browsers to newer versions. Block user-agent strings from browsers outdated by over three years and use CAPTCHA for those outdated by two years. This ensures only updated, legitimate browsers access sites, reducing bot attacks.
Limit proxies: Bots often use proxy services to mask their origins with bulk IPs, making detection harder. Restrict access from bulk IP providers like Host Europe GmbH, Digital Ocean, and OVH SAS to reduce bot traffic, especially during peak periods like the holiday season.
Implement rate limiting: Rate limiting controls traffic flow by capping user requests within a set timeframe, protecting resources and ensuring site responsiveness. This helps prevent bot attacks like brute-force logins or carding attempts.
Look out for signs of automation and headless browsers: Modern bots often use headless browsers like Puppeteer and Selenium to mimic human behaviour. Detect them by monitoring for rapid clicks, fast navigation, or abnormal patterns. Focus on these signs to block bots and ensure a smooth experience for genuine users.
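The user-agent age and rate-limiting tips above can be combined into one request verdict. The sketch below is an added example, not Imperva's code: the Chrome release dates are constructed approximations, and the function names, the CAPTCHA fallback for unparseable user agents and the limiter settings are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import date

# Constructed, approximate release dates per Chrome major version (assumption);
# a deployment would load these from a maintained browser-release feed.
CHROME_RELEASES = {80: date(2020, 2, 4), 100: date(2022, 3, 29),
                   110: date(2023, 2, 7), 120: date(2023, 12, 5)}
CHROME_RE = re.compile(r"Chrome/(\d+)\.")

def ua_policy(user_agent, today):
    """Apply the tip: block browsers over 3 years old, CAPTCHA over 2 years."""
    m = CHROME_RE.search(user_agent)
    if not m:
        return "captcha"  # unparseable UA: challenge rather than trust (assumption)
    # Date a version by the newest table entry at or below it; this can only
    # overestimate age, so gaps in the table lean towards a challenge.
    known = [v for v in CHROME_RELEASES if v <= int(m.group(1))]
    if not known:
        return "block"    # older than anything in the table
    age_years = (today - CHROME_RELEASES[max(known)]).days / 365.25
    if age_years > 3:
        return "block"
    return "captcha" if age_years > 2 else "allow"

class SlidingWindowLimiter:
    """Cap each client at `limit` requests per `window_s` seconds."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, client, now):
        q = self.hits[client]
        while q and now - q[0] >= self.window_s:
            q.popleft()   # drop timestamps that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def decide(limiter, client, user_agent, now, today):
    """Return 'block', 'throttle', 'captcha' or 'allow' for one request."""
    verdict = ua_policy(user_agent, today)
    if verdict == "block":
        return "block"
    if not limiter.allow(client, now):
        return "throttle"
    return verdict
```

The User-Agent header is supplied by the client, so this verdict is one signal to weigh alongside the proxy and automation checks rather than proof of a human visitor.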
“Retailers have a duty of care to protect customers from scalping and inflated prices, particularly around Christmas,” says Ayling. “By identifying high risk areas and analysing buying behaviour, retailers can limit the amount of bot traffic on their site. This will be vital moving forwards as AI bots will only get better at scalping as they mature, and companies that don’t have measures in place now will lose customers to rivals.”