The rise of the bot: Data security a growing threat for financial services

  • By Stuart Wilson

Banking and financial services is the highest risk sector in Australia for cyber security breaches from bot attacks. 

Imperva’s Stuart Wilson discusses the risks facing the industry and what action needs to be taken to protect customer and business data as digital becomes the primary channel for the sector.  

As the world continues to grapple with the COVID-19 pandemic, we are increasingly turning to technology to ensure our economy and community continues to function. 

Zoom meetings and digital cloud storage have become synonymous with work from home (WFH) and digital adoption has skyrocketed amongst consumers, with the highest rate of adoption in the global banking sector1

While increased digitalisation and workplace flexibility has been a silver lining of COVID-19, this rapid shift has amplified technological risks and challenges. 

In recognition of the increasing cyber security risks to the sector, APRA has recently noted its focus on intensifying cyber stress testing and improving operational resilience from cyber threats in 2021. 

Data from the Imperva 2020 Bad Bot Report highlights banking and financial services is the highest risk sector in Australia for cyber security threats. 

The research shows Australia is the third most targeted country for attacks by Bad Bots and the financial services industry is the worst hit with 47.7 per cent of website traffic being generated by these bots. 

Unfortunately, this is not a new challenge for the industry, with financial services being the most targeted sector for two consecutive years. 

With the growing sophistication of cyber threats, we need to consider how to protect all paths to data and intelligently separate legitimate website traffic to ensure customer privacy and informed business decisions. 

What’s the risk?

Bots are software applications widely used on the internet to run automated tasks, such as online help chats and Googlebot, which crawls the internet to index it for search. 

Bad Bots use this function for dishonest purposes and interact with applications in the same way a legitimate user would, making them hard to detect and prevent. 

They scrape data from sites without permission to reuse it and gain a competitive edge, enabling high-speed abuse, misuse, and attacks on websites, mobile apps, and application programming interfaces (APIs). 

Bad Bots allow operators, attackers, unsavoury competitors, and fraudsters to undertake an array of malicious activities, including criminal activities, such as theft. 

Traffic from illegal bots rose to its highest levels in 2019, accounting for 24.1 per cent of all internet traffic, an increase of 18.1 per cent from the previous year. 

Nearly 75 per cent of these bots were sophisticated or moderately sophisticated in design and included web scraping, competitive data mining, personal and financial data harvesting, brute-force login, digital ad fraud, spam, and transaction fraud2

While every industry’s Bad Bot problem is unique, banks and other financial institutions are hardest hit by content scraping, account takeovers and credential stuffing, credit card fraud, and denial of service (DDoS) attacks. 

If left unattended, Bad Bots can steal proprietary financial and business information, hack customer accounts to commit fraudulent activity, and commit identity theft and customer impersonation.

Illegal bots are a serious business threat. 

However, many businesses use legitimate bot applications to help grow their business, ensuring their products and services can be found by current and prospective customers and helping people match their digital search queries with the most relevant websites. Bots can serve a beneficial function, but it is critical to understand where digital traffic originates to have a comprehensive understanding of your business and its customers.

Can ‘Bad Bots’ be stopped?

With Bad Bots accounting for nearly 50 per cent of web traffic on Australian banking and financial websites, it is clear this is a serious threat to the industry. 

Unfortunately, only a small percentage of Australian financial institutions are proactively managing illegitimate bot activity, leaving not only the wider sector but many Australians at risk.  

While there is no one-size-fits-all solution to bot management, there are some simple steps businesses can take to start managing the threat.  

1. Block

Businesses should block or CAPTCHA outdated user agents and browsers, such as old versions of Firefox or Google Chrome. Blocking known hosting providers and proxy services, such as DigitalOcean, GigeNET, OVH Hosting, and Choopa LLC, may also discourage attackers. 

It is also important to protect exposed APIs and mobile apps, in addition to your website, and share blocking information between systems. 

We need to ensure we protect all paths to data, not just the front door. 

2. Investigate 

While traffic spikes may appear to be a business win, the cause of the spike must be investigated to ensure its legitimacy. 

Staying vigilant to public data breaches is also vital as newly stolen credentials are still likely to be active and Bad Bots may use these credentials on your site with increased frequency. 

3. Evaluate and monitor

Carefully monitoring and evaluating traffic sources is an easy way to detect signs of bot activity. If a traffic source has high bounce rates or there are lower conversion rates from some sources these can be signs of illegitimate users.  

Failed login attempts are another key indicator so alerts and thresholds should be established to monitor this. 

While the simple steps outlined above will help businesses to monitor for bots, having a robust data security system that holistically protects websites, apps, and APIs is essential in today’s digital age. 

The threat from bots has reached new highs, particularly for the Australian banking and financial sector. 

With the digital banking adoption rate hitting record highs throughout the pandemic, it is imperative banks and financial institutions take action to protect their customers from sophisticated cyber criminals. 

Data security is no longer a nice to have, in today’s digital operating environment it is a must. 

  1 McKinsey Digital, The COVID-19 recovery will be digital, May 2020

  2 Imperva, Bad Bot Report, 2020


Stuart Wilson, is the APAC vice president for financial services at Imperva