Dealing with Bots: Know Your Customer

When managing a web-facing business, it’s often critical to know who your customer is. In fact, it is well accepted that the value of assessing traffic on your website and marketing pages, evaluating usage activity and patterns for your apps, and protecting your digital assets is paramount.

Toward this end, it is equally important to know whether visitors – and even more critically, users – of your website or mobile application are humans or bots.

Assuming users are human when in fact they are robots can be damaging if not devastating to your business. Regardless of size, big or small, your company’s website and mobile apps are vulnerable to various attacks that may be detrimental to your organization’s ongoing business and reputation.

It’s better to be proactive by adapting to the latest verification methods available, before your website or mobile apps are compromised.

What is a bot?

In order to identify a bot, you need to understand what it is. Bots perform the tasks their programmers design them to complete, based on computer algorithms.

According to Imperva, more than half of many websites’ visitors are bots. The potential use cases of bots are overwhelming, and their abilities lie in deceiving us into believing they are actually human users.

Who is vulnerable?

Businesses would be well advised not to get bogged down in thinking “my website is too small for hackers or bots to bother with,” or “no one would try to hack our security, we are too sophisticated with our processes.”  These approaches are usually a precursor to a data breach.

On the small scale, Imperva reports “it should be noted that the relative amount of bad bot visits (and bot visits in general) is higher to less trafficked websites. For instance, on the least trafficked domains—those frequented by ten human visitors a day or less—bad bots accounted for 47.7 percent of visits while total bot traffic amounted to 93.3 percent.”

On the larger scale, Mozilla reports that 93 percent of the top 1 million websites failed basic security measures to protect their websites’ identity[1].

Mobile apps are vulnerable to these risks as well. After conducting a comprehensive analysis of iOS and Android apps, NowSecure found that a staggering 85 percent of those mobile apps fail one or more of the OWASP Mobile Top 10 criteria. This may sound alarming, but familiarizing yourself with this information will allow you to avoid potential threats that are always looming.

Regardless of where your website or mobile apps appear, bots are everywhere and are operating seven days a week and 24 hours a day. Distil Networks reports that “83.2 percent of bad bots report their user agent as web browsers Chrome, Firefox, Safari or Internet Explorer. 10.4 percent claim to come from mobile browsers such as Safari Mobile, Android or Opera.”

Trying to hide from bots while maintaining a public web presence is unfortunately no longer an option in the digital age.


Do not underestimate bots — their capabilities are endless.

Bots and their developers often do not know a thing about you, or what your business does. They only know what they are programmed to do.  It’s nothing personal. If you have a website or a mobile app, you are a target.  

Automated bot attacks target thousands of websites at a time, leaving your business to easily become one of many victims.

Although many bots are annoying or malicious, some are actually beneficial to your web presence. When a “customer” is visiting your website or mobile app, you need to differentiate between the good, the bad, and the ugly in order to prevent any malicious attacks against your website.

  • Good Bots – activities involve web crawling, website monitoring, content retrieving, data aggregation, online transactions and more.

  • Bad Bots – focus on bringing fake traffic to your website with nasty intent. This involves stealing valuable data, content / price scraping, posting spam comments and phishing links, distorting web analytics and damaging SEO, contributing to denial of service attacks and more.

Bad bots are becoming even more intelligent. Better known as sophisticated bad bots, they act and function as a human would.

For example, a sophisticated bad bot evades detection by simulating human behavior, such as mimicking mobile swipes and mouse movements, as if it were a legitimate human user.

Typically, you might think of a bot sending tons of spam emails, setting up fake accounts, or submitting tons of self-serving or unintelligible comments. But in the worst-case scenario, bots have the capability to bring your website down by overwhelming its bandwidth.

An example of this would be for a bad bot to request a page load 50,000 times in a second. Voluum reports that almost 56 percent of bot traffic is used for malicious purposes that a user may encounter while on the internet.  

Distil Networks reported a 9.5 percent increase in bad bot traffic in 2017. Even worse, bad bot traffic is assumed to increase.

Although online gambling, airlines, financial, and healthcare industries stand to be the most affected by bad bots, a key takeaway is that no industry is immune to these risks that continue to be prevalent as bad bot traffic is at an all-time high. Protecting your website or mobile app requires constant vigilance to avoid these unwanted risks. 


There are many ways to prevent bots from disrupting your business workflow. Being proactive rather than reactive will save you from hiccups down the road.

A proactive approach would begin with investigating ways to enhance the web-facing security of your website or mobile apps.

Applications like reCAPTCHA and Konfirmi provide simple tools that can be added to online forms to help separate bots from your human customers. Whether it be your website or mobile app, these simple tools can help keep bots from ever becoming users in your app.

In addition, more sophisticated verification methods allow you to ID your customers efficiently while protecting your organization’s digital assets. There are multiple verification types, and some are more suitable than others to reduce potential hacks or frauds in specific use cases.

Using one of these sophisticated verification apps is the best way to confirm if your customer is who they say they are. For example, Cognito “determines the relevance and quality of customer-submitted data in real time” to verify customers.  In addition, Mitek Systems offers an “omni-channel capture” system with artificial intelligence and machine learning to provide digital identity verification.

Similarly, Jumio “uses computer vision technology, machine learning and live verification experts to verify credentials (e.g., passports, drivers licenses, etc.) issued by over 200 countries.”  Likewise, Trulioo’s “technology encapsulates the strengths of traditional ID verification and implements the latest capabilities in online tech today.” 

Other companies offer a wider variety of solutions. Although it also provides simple tools, Konfirmi allows users to implement a variety of more complex verification methods in the same site or app, providing highly secure layered verifications. As another example, IDology “provides a multi-layered, end-to-end authentication solution that helps companies streamline customer acquisition, prevent fraud, and meet compliance regulations”.

For those who do not wish to buy software solutions, a hands-on approach of closely monitoring your website or mobile app for suspicious bot activity can go a long way. This includes monitoring for uneven traffic to your website, increased bounce rates with low time spent on a page, and unknown domains referring traffic to your website. If it looks or seems unfamiliar, it is worth investigating.
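The hands-on monitoring described above can be run against a web server's access log. The following Python example is an addition, not part of the original article: it flags clients with uneven (bursty) traffic and unknown referring domains whose visitors bounce. The log lines, the `KNOWN_REFERRERS` allowlist, the `burst_per_sec` threshold and the use of "exactly one request" as a stand-in for a low-time-on-page bounce are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET /pricing HTTP/1.1" 200 512 "-" "Mozilla/5.0 Chrome/122.0"
198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET /pricing HTTP/1.1" 200 512 "-" "Mozilla/5.0 Chrome/122.0"
198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET /pricing HTTP/1.1" 200 512 "-" "Mozilla/5.0 Chrome/122.0"
203.0.113.10 - - [10/Mar/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 900 "https://www.google.com/" "Mozilla/5.0 Firefox/123.0"
203.0.113.10 - - [10/Mar/2024:10:00:45 +0000] "GET /pricing HTTP/1.1" 200 512 "https://example.com/" "Mozilla/5.0 Firefox/123.0"
192.0.2.21 - - [10/Mar/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 900 "https://promo-deals.test/x" "Mozilla/5.0 Chrome/122.0"
192.0.2.22 - - [10/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 900 "https://promo-deals.test/x" "Mozilla/5.0 Safari/605.1"
"""
KNOWN_REFERRERS = {"example.com", "www.google.com"}  # assumption: your own allowlist
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"')

def parse(log):
    """Yield (client_ip, timestamp, path, referrer_host) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ip, ts, path, ref = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, path, urlparse(ref).hostname  # a "-" referrer gives None

def review(log, burst_per_sec=3):
    per_second, hits, ref_clients = Counter(), Counter(), defaultdict(set)
    for ip, when, _path, ref in parse(log):
        per_second[(ip, when)] += 1       # uneven traffic: requests per client per second
        hits[ip] += 1
        if ref and ref not in KNOWN_REFERRERS:
            ref_clients[ref].add(ip)      # unknown domain referring traffic
    bursts = sorted({ip for (ip, _), n in per_second.items() if n >= burst_per_sec})
    # Bounce proxy: share of a referrer's clients that made exactly one request.
    bounce = {ref: sum(hits[ip] == 1 for ip in ips) / len(ips)
              for ref, ips in ref_clients.items()}
    return {"burst_clients": bursts, "unknown_referrer_bounce": bounce}

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

The bursting client in the sample presents a Chrome user agent, which is why the checks key on behaviour rather than on the user-agent string.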


In order to operate and run an effective business, you need to know your customer.  This basic business need is made much more difficult as bad bot attacks continue to rise and are prevalent in all industry verticals. 

Therefore, especially in the online world, knowing your customer means separating the human purchaser from a bot that has the potential to damage your online presence. 

Size doesn’t matter here – a proactive and constantly vigilant approach is necessary for all users looking to protect their digital assets.