Attacks on financial institutions’ websites by bad bots are on the rise, with their penetration tactics growing more sophisticated and challenging to detect.
Data security services provider Imperva tracked a spike in advanced bad bot traffic to financial services’ websites during the fourth quarter of 2021 — including a 156% leap in October.
“This breed of bot uses the latest evasion techniques, including cycling through random IPs, entering through anonymous proxies, changing identities and mimicking human behavior to evade detection,” Lynn Marks, senior product manager at Imperva, told Bank Automation News.

The company’s annual internet traffic report broke out the financial services impact specifically, including that 22% of all traffic on financial services’ websites in 2021 was from bad bots, and of that traffic, 54% of the bots were classified as “evasive.” The report draws from the company’s global network and includes “hundreds of billions” of blocked bad bot requests across thousands of websites.
Bad bots are often looking to take over user accounts on financial services sites, the report notes. That can lead to banking and other personal information being stolen.
“These are serious risks for organizations in this industry as successful attacks contribute to non-compliance with data privacy and transaction regulations, as well as increase costs associated with fraud investigations,” Marks said.
Automated attacks
The growing sophistication of bad bots is a concern for every industry, but especially financial services, which stores and manages some of the most sensitive and valuable data, Marks said.
The advancement of bad bots is happening as banks and other financial institutions expand their digital offerings and products, and API ecosystems to support them, Marks told BAN.
“Unfortunately, this array of new endpoints is a ripe target for automated attacks,” she said.
Online fraudsters used bad bots to carry out attacks last year, Imperva noted. Bots were used to execute tasks like password stuffing or cycling through stolen credentials — an attack known as credential stuffing. The company expects to see a rise in the sophistication level of automated threats over the next one to two years as bot operators continue to perfect their methods.
“Financial institutions need to focus on the defenses they’re putting in front of their web applications, APIs and even the data that is stored in managed cloud databases,” Marks said.
It’s not only banks being targeted by such attacks, noted Ben Metz, chief digital and technology officer at core and digital banking provider Jack Henry. The company earlier this year stopped a credential-stuffing attack, a scheme in which bots attempt to log into a site using stolen user IDs and passwords, Metz said recently at the company’s investor conference.
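The detection problem behind the credential-stuffing incidents above, and the evasion tactics Marks describes (cycling through IPs, low per-source rates), can be made concrete with a small log-analysis example. The following is an added illustration, not code from the article, Imperva or Jack Henry; the log format, the sample lines and the thresholds are all assumptions. It buckets login events into five-minute windows and separates ordinary traffic, single-source password guessing against one account, and the distributed stuffing pattern in which many stolen user IDs are each tried once or twice from many addresses so that no single IP trips a per-IP rate limit.

```python
"""Credential-stuffing detector over authentication logs (added example).

Not from the article or the vendors it quotes. Assumed log format per line:
    <ISO timestamp> <src_ip> <username> <ok|fail>
Thresholds are illustrative; tune them against real baseline traffic.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class WindowStats:
    start: datetime
    attempts: int
    failures: int
    distinct_users: int
    distinct_ips: int
    max_failures_per_ip: int

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str) -> Event:
    ts, ip, user, result = line.split()
    return Event(datetime.fromisoformat(ts), ip, user, result == "ok")


def window_stats(events: Iterable[Event], minutes: int = 5) -> list[WindowStats]:
    """Bucket events into fixed windows and summarise each one."""
    buckets: dict[datetime, list[Event]] = defaultdict(list)
    for e in events:
        start = e.ts.replace(second=0, microsecond=0)
        start -= timedelta(minutes=start.minute % minutes)  # floor to window
        buckets[start].append(e)
    out = []
    for start in sorted(buckets):
        evs = buckets[start]
        fails = [e for e in evs if not e.ok]
        per_ip = Counter(e.ip for e in fails)
        out.append(WindowStats(
            start=start, attempts=len(evs), failures=len(fails),
            distinct_users=len({e.user for e in evs}),
            distinct_ips=len({e.ip for e in evs}),
            max_failures_per_ip=max(per_ip.values(), default=0)))
    return out


def classify(s: WindowStats, min_failures: int = 20, min_users: int = 15,
             min_ips: int = 10, max_per_ip: int = 5, min_ratio: float = 0.8) -> str:
    """Verdict for one window. Stuffing looks like many failing accounts spread
    over many sources, each source staying under a per-IP limit; brute force
    looks like one or two sources hammering one or two accounts."""
    if s.failures < min_failures or s.failure_ratio < min_ratio:
        return "normal"
    if (s.distinct_users >= min_users and s.distinct_ips >= min_ips
            and s.max_failures_per_ip <= max_per_ip):
        return "credential_stuffing"
    if s.distinct_users < 3 and s.distinct_ips < 3:
        return "brute_force"
    return "suspicious"


def detect(lines: Iterable[str]) -> dict[str, str]:
    """Map each window start (ISO string) to its verdict."""
    events = [parse_line(l) for l in lines if l.strip()]
    return {s.start.isoformat(): classify(s) for s in window_stats(events)}


def make_sample_log() -> list[str]:
    """Constructed sample (documentation IP ranges): benign logins, then a
    single-IP brute force, then a distributed credential-stuffing burst."""
    lines = []
    benign = [("198.51.100.10", "alice", "ok"), ("198.51.100.11", "bob", "ok"),
              ("198.51.100.12", "carol", "fail"), ("198.51.100.12", "carol", "ok"),
              ("198.51.100.13", "dave", "ok"), ("198.51.100.14", "erin", "ok")]
    for i, (ip, user, res) in enumerate(benign):
        lines.append(f"2021-10-04T10:00:{i:02d} {ip} {user} {res}")
    for i in range(25):  # one IP, one account, 25 guesses
        lines.append(f"2021-10-04T10:10:{i:02d} 203.0.113.77 dave fail")
    for i in range(40):  # 40 stolen IDs, tried once each, over 20 IPs
        lines.append(f"2021-10-04T10:20:{i:02d} 203.0.113.{100 + i % 20} user{i:02d} fail")
    lines.append("2021-10-04T10:20:59 203.0.113.120 erin ok")  # a credential that worked
    return lines


if __name__ == "__main__":
    for s in window_stats(parse_line(l) for l in make_sample_log()):
        print(s.start, classify(s), f"fails={s.failures} users={s.distinct_users} "
              f"ips={s.distinct_ips} max_per_ip={s.max_failures_per_ip}")
```

The point of the aggregate view is that a per-IP rate limit never fires on the stuffing window (no address has more than two failures), while the per-window count of distinct failing accounts and distinct sources does. A window classified this way is where the friction the article recommends would be applied, for example stepping up authentication or challenging the sources involved, rather than blocking individual addresses that the operator will rotate anyway.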
Working with NuDetect, a Mastercard company, Jack Henry was able to “stop one of the largest credential-stuffing attacks in the United States against a single financial institution that was one of our banks,” Metz revealed.
Financial institutions should be looking to add friction to make their sites more secure against bot attacks. Effective bot management defenses make it more likely a bot operator will move on to another target.
“Bot operators are looking for the highest [return on investment],” Marks told BAN.