How to Ward Off (Legal) Scalper Bot Attacks

The PlayStation 5 was launched in early November 2020, but many still cannot get their hands on one. This scarcity is in large part due to “scalper bots” (also known as “grinch bots” or “retail bots”): bots making rapid-fire, automated purchases of hot-ticket items as soon as they become available and selling them for a grossly inflated price.

Nowadays, an estimated 60% to 70% of all traffic to checkout pages is made up of scalper bots. It’s time to take a closer look at the issue, its serious effects on ecommerce, and payments solutions to limit the risk of scalper bot attacks.

The State of Scalper Bots

Why has this become such a debilitating, widespread issue? For starters, scalper bots are legal for retail goods. Ticket scalpers, once a sweeping issue for sports and music fans, became illegal with the BOTS Act, though they just saw their first fines in January 2021.

In fact, because scalper bots are technically legal, fully fledged businesses have formed that are offering scalper bot services. These services have become widespread and accessible for anyone willing to pay. And they’re making tens of millions doing it.


With the rise of ecommerce, both legal and illegal scalper bot activity has surged, targeting any products with high demand: gaming hardware, toilet paper and even optimal grocery store slots reserved for the elderly. Now, with COVID-19 vaccination appointments bookable online (even on Eventbrite in Florida), fraudulent ticket scalpers are better poised than ever to create real harm — and make even more of a profit.

The Impact on Retail Merchants

Product scarcity can be a boon to generate long-term buzz around a new offering, and scalper bots target products in high demand. You would think this is a good thing, but in fact a sale to a bot is much less valuable to a retailer than a sale to a real, human customer.

For starters, it can be devastating to customer sentiment, for three main reasons:

  1. Having a product sold out for a long period of time frustrates customers, who are then more likely to seek out a competitor.
  2. High website traffic volume from scalper bots can slow page functionality and delivery times, creating a more frustrating customer experience in a competitive online market.
  3. Many scalper bots leverage stolen credit card information to make these purchases; any instances of fraud can seriously hurt a brand’s reputation.

A scalper bot attack can also leave a trail of destruction for business operations. To start, having fewer real customers means less reliable customer data, which is essential for brands to understand and cater to their customer base and make key business decisions. Additionally, unusually high website traffic can overwhelm the website infrastructure and require costly upgrades. Scalper bot attacks also increase the risk of returns and chargebacks, which are expensive and can earn businesses a “high risk” designation, making banking much more difficult.

Payments Solutions to Ward Off Scalper Bot Attacks

Scalper bots can be hard to stop. However, businesses can often identify scalper bots because of their signature methodology: a series of several purchases at once that come from the same or similar IP addresses, completed faster than a human could normally type their information.

To mitigate these attacks, merchants should set up purchase limits on products and leverage tools that block the same IP address from making more than a couple of purchases in a single timeframe. These tools can also block or ban certain IP addresses to prevent specific scalpers from accessing the payment gateway.
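
The signature described above (bursts of orders from the same or similar IP addresses, completed faster than a person types) combined with a per-order purchase limit can be screened for at checkout. The following Python is an added example, not code from T1 Payments or any payment gateway; the thresholds, the /24 and /64 grouping of "similar" addresses, the event fields and the sample orders are all assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed thresholds for illustration; the article gives no numbers.
MAX_QTY_PER_ORDER = 2       # per-order purchase limit
MAX_ORDERS_PER_WINDOW = 2   # "a couple" of purchases per network per window
WINDOW_SECONDS = 600
MIN_FILL_SECONDS = 5.0      # faster than a person can type card details

def network_key(ip):
    """Map an address to its /24 (IPv4) or /64 (IPv6) so similar IPs share a counter."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def screen_checkouts(events):
    """events: (order_id, ts, ip, qty, fill_seconds) sorted by ts -> {order_id: reasons}."""
    accepted = defaultdict(deque)   # network -> timestamps of accepted orders
    blocked = {}
    for order_id, ts, ip, qty, fill_seconds in events:
        reasons = []
        if qty > MAX_QTY_PER_ORDER:
            reasons.append("quantity_limit")
        if fill_seconds < MIN_FILL_SECONDS:
            reasons.append("too_fast")
        window = accepted[network_key(ip)]
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()        # forget orders older than the window
        if len(window) >= MAX_ORDERS_PER_WINDOW:
            reasons.append("network_velocity")
        if reasons:
            blocked[order_id] = reasons
        else:
            window.append(ts)       # only accepted orders count as purchases
    return blocked

# Constructed sample checkouts (documentation-range IPs, not real traffic).
SAMPLE_EVENTS = [
    ("A1", 0, "198.51.100.7", 1, 48.0),
    ("B1", 2, "203.0.113.10", 1, 1.2),
    ("B2", 3, "203.0.113.11", 1, 6.0),
    ("B3", 4, "203.0.113.12", 5, 7.0),
    ("B4", 5, "203.0.113.13", 1, 6.5),
    ("B5", 6, "203.0.113.14", 1, 8.0),
    ("A2", 900, "203.0.113.14", 1, 40.0),
]

if __name__ == "__main__":
    for order_id, reasons in screen_checkouts(SAMPLE_EVENTS).items():
        print(order_id, "blocked:", ", ".join(reasons))
```

Because offices, campuses and mobile carriers put many real customers behind one network prefix, a velocity hit is better routed to a CAPTCHA or 3DS challenge than to an outright ban.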

Additionally, merchants should invest in customer identity verification software, such as session validation, CAPTCHA, two-factor authentication, Visa 3D Secure (3DS), address verification service (AVS), and card verification value (CVV). These plugins are the first line of defense in ensuring a customer is human and credit card details are legitimate.

Ultimately, rather than focus on one method of payments security, ecommerce merchants should work with a payment processing partner that can offer and implement a comprehensive suite of security checkpoints, including transaction scrubbing, human checks, API protection, backend updates and fortifications. With a reliable payment processing partner, businesses can also increase their monthly processing limit so that they are able to continue smooth operations even with an unexpectedly high volume of sales.

These malicious bots have become a heavy burden on the retail ecommerce industry and global supply chain, and attacks are only increasing. Merchants should be sure to protect their businesses before it’s too late.

Donald Kasdon is the Founder of payment processing service T1 Payments. After working at the NY Mercantile Stock Exchange as well as in real estate and retail, he experienced first-hand the inefficiencies of the payments ecosystem. That’s why in 2012 Kasdon founded T1 Payments, which focuses on enabling ecommerce for all types of merchants, especially high-risk. Today, T1 Payments’ secure gateway and integrated shopping cart solutions are trusted by thousands of global organizations. 
