TL;DR: Web scraping is now a major retail abuse pattern, with Arkose Labs citing QVC’s reported $2 million in lost sales, server crashes, and downtime, while its 2025 threat actor analysis ranks retail as the fourth most targeted industry by bad bots. The underlying problem is not just data theft but the way automated abuse distorts operations, analytics, and customer trust.
NHIMG editorial — based on content published by Arkose Labs: Website Scraping: The Hidden Threat Bleeding Retailers Dry
Questions worth separating out
Q: How should retailers reduce the risk of website scraping without hurting customer experience?
A: Use layered bot controls that combine behavioural analytics, device and session context, and adaptive challenges.
Q: Why do static anti-bot controls fail against modern scraping campaigns?
A: Static controls assume the attacker stays visible in one place long enough to be blocked.
Q: What should security teams do when scraping starts affecting analytics and conversion data?
A: Treat the problem as both a security and business integrity issue.
Practitioner guidance
- Instrument behavioural bot detection across channels: Correlate request velocity, session consistency, device signals, and navigation patterns across web, API, and mobile surfaces so scraping cannot hide behind one control boundary.
- Escalate friction only on high-risk traffic: Use adaptive challenges for suspicious sessions while allowing low-risk shoppers through quickly, so anti-bot enforcement protects revenue without suppressing legitimate conversion.
- Monitor analytics for bot contamination: Review traffic, session duration, and conversion anomalies for signs that automated visits are distorting merchandising and demand planning decisions.
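As an added illustration of the first two points (not code from Arkose Labs or from this editorial), the sketch below scores each device across web, API and mobile requests together and maps the score to a friction tier. The event fields, thresholds, weights and the allow/challenge/block tiers are assumptions chosen for the example, and all events are constructed.

```python
from collections import defaultdict

# Constructed sample events: (device_id, channel, epoch_seconds, path, user_agent)
EVENTS = [
    ("dev-shopper", "web", 0, "/", "UA-A"),
    ("dev-shopper", "web", 20, "/category/shoes", "UA-A"),
    ("dev-shopper", "web", 55, "/product/101", "UA-A"),
    ("dev-shopper", "mobile", 140, "/cart", "UA-A"),
]
# Constructed catalogue sweep split across web and API, so each channel looks slower alone.
EVENTS += [("dev-sweep", "web" if i % 2 else "api", i * 0.5, f"/product/{i}",
            "UA-B" if i < 10 else "UA-C") for i in range(20)]
# Constructed fast but otherwise consistent browser: only the velocity signal fires.
EVENTS += [("dev-fast", "web", i * 0.5, p, "UA-D") for i, p in enumerate(
    ["/", "/category/a", "/product/1", "/product/2", "/cart", "/checkout"])]

def score_devices(events, max_rps=1.5, min_requests=5):
    """Return {device_id: (risk_score, fired_signals)}, aggregated over all channels."""
    by_device = defaultdict(list)
    for device, channel, ts, path, ua in events:
        by_device[device].append((ts, channel, path, ua))
    results = {}
    for device, reqs in by_device.items():
        reqs.sort()
        span = max(reqs[-1][0] - reqs[0][0], 1.0)  # floor avoids divide-by-zero on bursts
        signals = []
        # Request velocity (assumed threshold: more than max_rps requests per second).
        if len(reqs) >= min_requests and len(reqs) / span > max_rps:
            signals.append(("velocity", 40))
        # Session consistency: the user agent should not change for one device.
        if len({ua for _, _, _, ua in reqs}) > 1:
            signals.append(("ua_changed", 30))
        # Navigation pattern: product pages only, no landing, category or cart views.
        share = sum(p.startswith("/product/") for _, _, p, _ in reqs) / len(reqs)
        if len(reqs) >= min_requests and share >= 0.9:
            signals.append(("catalogue_only", 30))
        results[device] = (sum(w for _, w in signals), [n for n, _ in signals])
    return results

def decide(score):
    """Assumed tiers: low risk passes untouched, mid risk gets a challenge."""
    return "allow" if score < 30 else "challenge" if score < 70 else "block"

if __name__ == "__main__":
    for device, (score, fired) in score_devices(EVENTS).items():
        print(device, score, decide(score), fired)
```

Scoring only the web events for `dev-sweep` drops the velocity signal and lowers its tier, which is the single-control-boundary gap the first point describes.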
What's in the full article
Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:
- The QVC scraping case study and the commercial impact attributed to it
- The specific signs of scraping activity that retailers can use for investigation
- The layered anti-scraping controls the vendor recommends for web, API, and mobile surfaces
- The decision engine and challenge workflow used in the vendor's detection model
Web scraping in retail: what IAM and bot controls are missing?
Explore further
Website scraping is now an identity-adjacent abuse problem, not a web-only nuisance. The article shows that bot campaigns create revenue loss, uptime issues, and distorted analytics in one motion. That matters because the control failure is not limited to content protection, it sits at the boundary where customer identity, session trust, and request legitimacy overlap. Practitioners should treat scraping as part of the broader machine-driven abuse surface, not a standalone web concern.
A few things that frame the scale:
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities.
A question worth separating out:
Q: What frameworks are relevant for governing web scraping and bot abuse?
A: Zero Trust and cybersecurity framework principles are relevant because they emphasise continuous verification, telemetry, and response based on observed behaviour. Teams should also align anti-bot controls with identity and access signals where logins or account creation are involved, so automated abuse is handled as a trust problem, not just a traffic problem.