Web scraping in retail: what IAM and bot controls are missing

TL;DR: Web scraping is now a major retail abuse pattern, with Arkose Labs citing QVC’s reported $2 million in lost sales, server crashes, and downtime, while its 2025 threat actor analysis ranks retail as the fourth most targeted industry by bad bots. The underlying problem is not just data theft but the way automated abuse distorts operations, analytics, and customer trust.

NHIMG editorial — based on content published by Arkose Labs: Website Scraping Website Scraping: The Hidden Threat Bleeding Retailers Dry

Questions worth separating out

Q: How should retailers reduce the risk of website scraping without hurting customer experience?

A: Use layered bot controls that combine behavioural analytics, device and session context, and adaptive challenges.

Q: Why do static anti-bot controls fail against modern scraping campaigns?

A: Static controls assume the attacker stays visible in one place long enough to be blocked.

Q: What should security teams do when scraping starts affecting analytics and conversion data?

A: Treat the problem as both a security and business integrity issue.

Practitioner guidance

• Instrument behavioural bot detection across channels Correlate request velocity, session consistency, device signals, and navigation patterns across web, API, and mobile surfaces so scraping cannot hide behind one control boundary.
• Escalate friction only on high-risk traffic Use adaptive challenges for suspicious sessions while allowing low-risk shoppers through quickly, so anti-bot enforcement protects revenue without suppressing legitimate conversion.
• Monitor analytics for bot contamination Review traffic, session duration, and conversion anomalies for signs that automated visits are distorting merchandising and demand planning decisions.

What's in the full article

Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:

• The QVC scraping case study and the commercial impact attributed to it
• The specific signs of scraping activity that retailers can use for investigation
• The layered anti-scraping controls the vendor recommends for web, API, and mobile surfaces
• The decision engine and challenge workflow used in the vendor's detection model

👉 Read Arkose Labs' analysis of website scraping and retail bot abuse →

Web scraping in retail: what IAM and bot controls are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →