Appointment scheduling is the latest revenue generator targeted by bad bots.
According to a recent report by Imperva, targeting products and services in high demand doesn’t end with concert tickets, sneakers, gaming consoles, and other collectors’ items.
There is profit to be made when people are willing to pay extra just to skip the line – and bots will be there to capitalize. Government services appointments are the latest target of bad bot operators. Social distancing and stay-at-home orders caused severe interruptions and shutdowns of government services in the first months of the pandemic. Because of this, and partially due to a lack of manpower in some places, a bottleneck has been created, leading to long wait times spanning several months to even a year in some cases.
Services from visa or passport applications and renewals to driving tests are just a few examples. Now that appointments are scheduled online, they are a perfect target for bad bots. Just as happened with the new generation of gaming consoles, bad bots are now being deployed against these government appointment booking endpoints. They schedule all available appointments in order to sell them to the highest bidder. In France, for example, visa appointments have been sold at prices up to $400.
This follows on the Passport Scam Debacle in the U.S., where scammers sold U.S. passport appointment slots for thousands of dollars to desperate travelers. The State Department said that outsiders “booked all available appointments within minutes of the appointments being posted which prevented many of you from making appointments and made it difficult to determine if your appointment was legitimate or fraudulent.”
In the early days of COVID-19 vaccination appointment scarcity, there was also a rise in “helpful bots” checking for vaccine availability or vaccine appointment availability. However, this type of activity has diminished over time as centralized systems for checking availability have improved, and peak demand has decreased.
The TASBIA™ Bottom Line
In the rush to provide scheduling solutions, many government agencies deployed solutions without adequate protection and controls against bots.
We know that this is often the case when appointment scheduling is not viewed as a critical component of a website, and may be built by in-house staff rather than by experienced vendors.
There are multiple methods of preventing bot fraud, including filtering proxies and VPNs, enforcing geolocation, checking for iframes, email address validation, device fingerprinting, and more. For example, a passport office in the US (or any other country) should not be accepting appointments from IP addresses located outside the local area or with an invalid email address.
Government agencies that adopt a “do it yourself” solution may end up paying more, and getting less, than they would by working with existing providers that have already solved security, accessibility, and scalability issues. And, with the high public visibility of these systems, it’s not just about cost but also the huge effort to communicate to the public about problems and overwhelmed help lines.
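The checks listed above, combined into one booking-request screen, as an added example that is not from the original article or the Imperva report. The proxy/VPN ranges, GeoIP table, per-device limit, request field names and reason strings are constructed assumptions; the framed-form check relies on the browser-sent Sec-Fetch-Dest request header.

```python
import ipaddress
import re

# Constructed sample data: documentation-range networks stand in for a real
# proxy/VPN feed and a GeoIP database (both are assumptions of this example).
PROXY_VPN_NETS = [ipaddress.ip_network("198.51.100.0/24")]
GEO_DB = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "FR",
}
ALLOWED_COUNTRIES = {"US"}       # service area of the hypothetical office
MAX_BOOKINGS_PER_DEVICE = 2      # assumed policy limit per device fingerprint
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def country_of(ip):
    """Look up the country code for an address, or None if unknown."""
    for net, country in GEO_DB.items():
        if ip in net:
            return country
    return None


def screen_booking(req, device_counts):
    """Return the reasons to reject a booking request (empty list = accept).

    device_counts maps a device fingerprint to its accepted bookings so far
    and is updated only when the request passes every check.
    """
    reasons = []
    ip = ipaddress.ip_address(req["ip"])
    if any(ip in net for net in PROXY_VPN_NETS):
        reasons.append("proxy_or_vpn")
    if country_of(ip) not in ALLOWED_COUNTRIES:
        reasons.append("outside_service_area")
    if not EMAIL_RE.match(req["email"]):
        reasons.append("invalid_email")
    # Browsers send "iframe" here when the booking form is loaded in a frame.
    if req["headers"].get("Sec-Fetch-Dest") == "iframe":
        reasons.append("framed_form")
    device = req["device_id"]
    if device_counts.get(device, 0) >= MAX_BOOKINGS_PER_DEVICE:
        reasons.append("device_limit")
    if not reasons:
        device_counts[device] = device_counts.get(device, 0) + 1
    return reasons
```

Syntax-only email validation is the weakest of these checks; a confirmation link sent to the address before the slot is held is the usual complement.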
For more information, see the 2022 Imperva Bad Bot Report.