If you were shopping online last Christmas, you may have had a hard time snagging a Hatchimal, one of the year’s hot toys. Getting Nintendo’s NES Classic gaming console was not easy, either, unless you paid a steep markup.

Lots of people were trying to buy those items, but that wasn’t the only thing driving demand. Shoppers were also competing against an army of bots.

Bots, short for software robots, are applications that run automated tasks over the internet. They have legitimate uses. But for years, scalpers have been employing them to gobble up event tickets. Not long ago, New York's attorney general revealed that one such broker had purchased 1,012 tickets to a U2 show at Madison Square Garden in a single minute.

Today, the same shady techniques are used to buy and sell such items as toys, gaming equipment, and the high-end collectible sneakers in Adidas' Yeezy line.

“They’re very sophisticated tools,” says Omri Iluz, co-founder and CEO of PerimeterX, a Silicon Valley-based startup that designs anti-bot technology.

How Bots Work

Bot creators can study the web addresses, or URLs, for a given retail site and then use data-scraping techniques to guess the ID for an unreleased product and locate the product page, Iluz explains. Since merchants typically launch these pages hours before the product goes on sale, the bot gets a jump on consumers before the page goes live.

It gets another jump by subscribing to Twitter APIs to learn about a manufacturer's sale milliseconds before everyone else.

"There is simply no competition between a bot and even the most organized human," Iluz says, adding that bots poll sites hundreds of times per second, tirelessly waiting for sales to start.

And then, they complete the purchase, picking sizes and entering payment details in a fraction of a second, often using servers located less than a millisecond from the merchant's. This allows a bot to finish the deal before the product page even loads for most shoppers.  

According to New York's attorney general, some bot operators can use 10,000 IP addresses and 500 credit card numbers to bypass retailer purchase limits. In some cases, their software is also trained to read and respond to the bot-fighting CAPTCHA phrases on the checkout page. In other instances, foreign workers are hired on the cheap to type the required info into the security box.

How to Fight Them

Congress tried to curtail this sort of scalping by passing the Better Online Ticket Sales Act of 2016, but the law applies only to event tickets. 

Meanwhile manufacturers and retailers are playing catch-up as the problem grows, says Lance Cottrell, chief scientist at the cybersecurity firm Ntrepid. "This is a serious PR problem," he adds. "It makes the toys or tickets unavailable to anyone without the financial means to pay the scalper or secondary market prices."

And consumers are growing frustrated. Joseph Smith of Chesapeake, Va., went online to buy Nintendo’s new SNES Classic Edition right after the console went on sale this past August. Like other consumers, he tried Walmart, Target, and GameStop without luck.

“Walmart was like a 40-second blur of availability,” Smith said via email. “As I added the preorder to my cart and went to log in, the site was bogged down. I hit refresh and it was gone—just that quick.” He eventually snagged a preorder from Walmart. But some of the $80 consoles were being offered on eBay for $200 and up.

And that's just the beginning of this year's woes. Also in the bot operators' crosshairs: The Nintendo Switch gaming system, which has been in short supply this fall, and the iPhone X. 

Some manufacturers are trying to address the issue. For instance, Adidas has launched an app, called Confirmed, that lets shoppers reserve sneakers online and pick them up in person.

In general, however, the bot problem seems to be growing—leaving consumers to cope as well as they can.

Whatever you're shopping for online, Laurie Schacht, chief toy officer of The Toy Insider, has some advice. For one thing, find out the suggested retail price to avoid being gouged by a scalper.

Also, try to shop early. Demand for hot toys builds as Christmas approaches, attracting more bots. Avoid procrastinating, Schacht says, and “you are much more likely to pay a fair price and avoid lots of headaches.”

Editor's Note: This article also appeared in the December 2017 issue of Consumer Reports magazine.