Post written by
Ido Safruti
Ido Safruti is the founder and CTO at PerimeterX, a provider of behavior-based threat protection for the web, cloud and mobile.
Malicious bots are likely visiting your website. The question is, can you identify them in order to single them out and mitigate their attempts to steal data and hijack user IDs?
Here’s the truth. We live in the era of unavoidable bots. As Kleiner Perkins researcher Mary Meeker highlighted in her May 2017 internet trends report (via Recode), bot traffic on the web surpassed traffic generated by humans in 2016. Everyone operating a website is dealing with bots. Some of them, like a Google crawler, are welcomed, and some are insidious bots that want to execute account takeover attacks, steal customer credit cards and illegally empty gift card balances. The real trick is knowing the difference between good bots, bad bots and humans. Determining what is a good bot is pretty easy; they usually announce themselves and their intentions. That means understanding the difference between a dangerous bot and a normal human user is where the challenge lies.
Fortunately, bots behave differently than humans. That’s even true when a bot has taken over a browser and is piggybacking on a human user. What’s more, you don’t need to be a rockstar data scientist to recognize signals and anomalies that are likely caused by a wave of malicious bots.
Here are five simple indicators that your site may be besieged by evil bots:
1. An Increase In The Percentage Of Failed Login Attempts
Bots are frequently used for account takeover (ATO) attacks, where a botnet will attempt to take control of your users’ accounts by testing user-password combinations leaked from other sites. In this type of attack, botnets may attempt to validate millions of accounts per day. This activity tends to generate a boatload of failed login attempts, which is a classic sign of a bot attack. Analytics tools like Google Analytics, as well as reports built from your access logs, can easily show an increase in the number of failed login attempts over time or visualize spikes in activity.
2. A Big Increase In (Failed) Validation Of Gift Card Numbers
Another common target for fraudsters is stealing the value from legitimate gift cards. Gift card accounts are relatively easy targets. When attackers check the balance of a gift card and attempt to hijack it, companies do not request an account name, a billing address or any other personal identification information. This makes gift card accounts a perfect target for brute-force attacks that run through combinations quickly to look for valid pairs of card numbers and PIN codes. Fraudsters use bots to execute these attacks. When an invalid pair is attempted, that generates a failed validation notification. If gift card validation failures suddenly trend up or spike, then you have a decent signal that the bots are trying to steal your customers’ gift card balances and resell the cards and PINs on the dark web.
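Both indicators above (failed logins and failed gift card validations) come down to the same check on your access logs: the failure percentage per hour for one endpoint, compared against a normal hour. The following is an added example, not code from the original post; the log format, the `/login` and `/giftcard/balance` paths, the 401 failure status and the thresholds are all assumptions to adapt to your own site.

```python
import re
from collections import defaultdict
from statistics import median

# Assumption: combined-format access log; failed attempts are answered with 401.
LINE = re.compile(r'\[(?P<day>[^:]+):(?P<hour>\d{2}):\d{2}:\d{2} [^\]]+\] '
                  r'"POST (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def failure_rates(lines, path, fail_statuses=(401,)):
    """Return {hour_bucket: (attempts, failures, failure_pct)} for POSTs to path."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE.search(line)
        if not m or m["path"].split("?")[0] != path:
            continue
        bucket = f'{m["day"]} {m["hour"]}:00'
        counts[bucket][0] += 1
        counts[bucket][1] += int(m["status"]) in fail_statuses
    return {b: (a, f, 100.0 * f / a) for b, (a, f) in counts.items()}

def flag_spikes(rates, min_attempts=20, factor=3.0):
    """Flag hours whose failure percentage is >= factor x the median hour."""
    if not rates:
        return []
    # Floor the baseline at 1% so a spotless history does not flag every failure.
    baseline = max(median(pct for _, _, pct in rates.values()), 1.0)
    return sorted(b for b, (a, _, pct) in rates.items()
                  if a >= min_attempts and pct >= factor * baseline)

def sample_log():
    """Constructed sample: three ordinary hours, then an hour of mostly failures."""
    lines = []
    def add(hour, ok, bad, path):
        for i in range(ok + bad):
            status = 302 if i < ok else 401
            lines.append(f'203.0.113.{i % 250} - - [12/Mar/2024:{hour:02d}:{i % 60:02d}:00 '
                         f'+0000] "POST {path} HTTP/1.1" {status} 512')
    for hour, ok, bad in [(9, 45, 5), (10, 54, 6), (11, 36, 4), (12, 40, 360)]:
        add(hour, ok, bad, "/login")             # hypothetical login endpoint
    for hour, ok, bad in [(9, 20, 1), (10, 20, 1), (11, 20, 1), (12, 5, 295)]:
        add(hour, ok, bad, "/giftcard/balance")  # hypothetical gift card endpoint
    return lines

if __name__ == "__main__":
    log = sample_log()
    for path in ("/login", "/giftcard/balance"):
        print(path, "spike hours:", flag_spikes(failure_rates(log, path)))
```

Tracking the percentage rather than the raw count keeps an ordinary traffic peak, where successes rise along with failures, from being flagged.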