Bots dominate internet activity, account for nearly half of all traffic

49.6% of all internet traffic came from bots in 2023, a 2% increase over the previous year, and the highest level Imperva has reported since it began monitoring automated traffic in 2013.

For the fifth consecutive year, the proportion of web traffic associated with bad bots grew to 32% in 2023, up from 30.2% in 2022, while traffic from human users decreased to 50.4%. Automated traffic is costing organizations billions (USD) annually due to attacks on websites, APIs, and applications.

“Bots are one of the most pervasive and growing threats facing every industry,” says Nanhi Singh, GM, Application Security at Imperva, a Thales company. “From simple web scraping to malicious account takeover, spam, and denial of service, bots negatively impact an organization’s bottom line by degrading online services and requiring more investment in infrastructure and customer support. Organizations must proactively address the threat of bad bots as attackers sharpen their focus on API-related abuses that can lead to account compromise or data exfiltration.”

Global average of bad bot traffic reached 32%: Ireland (71%), Germany (67.5%), and Mexico (42.8%), saw the highest levels of bad bot traffic in 2023. The US also saw a slightly higher ratio of bad bot traffic at 35.4% compared to 2022 (32.1%).

Growing use of GenAI connected to the rise in simple bots

Rapid adoption of GenAI and large language models (LLMs) resulted in the volume of simple bots increasing to 39.6% in 2023, up from 33.4% in 2022. The technology uses web scraping bots and automated crawlers to feed training models, while enabling nontechnical users to write automated scripts for their own use.

Account takeover (ATO) attacks increased 10% in 2023, compared to the same period in the prior year. Notably, 44% of all ATO attacks targeted API endpoints, compared to 35% in 2022. Of all login attempts across the internet, 11% were associated with account takeover. The industries that saw the highest volume of ATO attacks in 2023 were financial services (36.8%), travel (11.5%), and business services (8%).

Automated threats caused a significant 30% of API attacks in 2023. Among them, 17% were bad bots exploiting business logic vulnerabilities—a flaw within the API’s design and implementation that allows attackers to manipulate legitimate functionality and gain access to sensitive data or user accounts. Cybercriminals use automated bots to find and exploit APIs, which act as a direct pathway to sensitive data, making them a prime target for business logic abuse.

Every industry has a bot problem

For a second consecutive year, gaming (57.2%) saw the largest proportion of bad bot traffic. Meanwhile, retail (24.4%), travel (20.7%), and financial services (15.7%) experienced the highest volume of bot attacks. The proportion of advanced bad bots, those that closely mimic human behavior and evade defenses, was highest on law & government (75.8%), entertainment (70.8%), and financial services (67.1%) websites.

Bad bot traffic originating from residential ISPs (internet service providers) grows to 25.8%: Early bad bot evasion techniques relied on masquerading as a user agent (browser) commonly used by legitimate human users. Bad bots masquerading as mobile user agents accounted for 44.8% of all bad bot traffic in the past year, up from 28.1% just five years ago.

Sophisticated actors combine mobile user agents with the use of residential or mobile ISPs. Residential proxies allow bot operators to evade detection by making it appear as if the origin of the traffic is a legitimate, ISP-assigned residential IP address.

“Automated bots will soon surpass the proportion of internet traffic coming from humans, changing the way that organizations approach building and protecting their websites and applications,” continued Singh. “As more AI-enabled tools are introduced, bots will become omnipresent. Organizations must invest in bot management and API security tools to manage the threat from malicious, automated traffic.”