More than a third of all internet traffic, 37 per cent, now consists of malicious bots, according to Panda Security. The figure underlines how far automated threats have moved beyond simple spam into sophisticated operations including account takeover, payment fraud, and AI-generated deepfakes.
Bots in their benign form power search engine crawling, customer service chatbots and business process automation. They work through a cycle of input, processing, connection and decision: responding to triggers, following programmed rules or AI-driven analysis, connecting to servers and websites, then acting on the results. The same architecture serves attackers. Account takeover bots run brute-force credential attacks at scale. Scalping bots buy up event tickets and limited-edition stock for resale. Botnets coordinate thousands of compromised devices to launch distributed denial-of-service attacks.
AI has widened the gap further. Deepfake bots can generate convincing fake video and audio, while AI-enhanced social engineering bots craft phishing messages that adapt to their targets in real time. Detection is not straightforward: signs of bot infection include unexplained spikes in network usage, unfamiliar software appearing on devices, browser redirects and unusual error messages.
Panda Security recommends anti-malware with real-time detection, strong unique passwords with two-factor authentication, keeping software up to date across all devices, and limiting the personal information shared online. The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Trade Commission (FTC) both publish regularly updated guidance on bot-related threats.
Thirty-seven per cent of internet traffic being malicious bots is a number that should reframe how businesses think about their online exposure. This is not a niche cybersecurity concern — it affects every organisation with a web presence, from payment fraud to inventory manipulation to reputational damage.
