Christmas Holiday Retail Sales
In early November, eMarketer forecast that the 2018 U.S. online retail holiday sales would be $106 billion, a healthy increase of 16.6% over 2017.
The Black Friday & Cyber Monday sales results confirmed that optimistic forecast with a combined total of nearly $14b in the U.S., and the preliminary results for the entire Christmas holiday season were actually higher, according to MasterCard. For the period from 1 Nov to 19 Dec, U.S. ecommerce sales grew 18.3% compared to 2017, up from the 16.9% growth rate in 2017, and the highest increase since 2005.
A few days later, MasterCard updated the figures through 24 Dec; U.S. online retail sales increased and are now reported to be up 19.1% over 2017.
We measured global traffic on the Akamai Intelligent Edge Platform against a baseline to see how traffic compared on Christmas Day and Boxing Day.
Baseline (18 Dec to 24 Dec)
To establish a baseline, we evaluated online retail traffic from around the world that touched nearly 100 retail websites and mobile retail apps, providing Akamai with more than 5 billion daily data points that we assess in aggregate. We took the average of the seven-day period from Tue 18 Dec to Mon 24 Dec for the daily baseline.
The chart above shows the daily total retail global session traffic decreasing as the Christmas holiday approached. This is not surprising, as even with omnichannel purchasing increasing (ordering online and picking up in-store) most shoppers would have ordered by the 20th Dec for 1 to 2 day shipping (generally free) to ensure delivery by 24th Dec (especially in the U.S.).
Christmas Day (25 Dec)
On Christmas Day, global traffic decreased 11% against the baseline daily average; in the U.S., traffic decreased 52% against the baseline daily average. Again, this is a pretty predictable result as most consumers were enjoying Christmas morning opening presents and spending time with family and friends throughout the day. In addition, because most retail stores were closed, shoppers would not have been at the stores with their mobile device either.
The top 10 countries where global traffic originated on Christmas Day are below. The western countries aren't a surprise, nor is the fact that traffic decreased in many of them, reflecting the overall traffic decrease as Christmas Day approached (here the U.S. decreased 18% against its own 7-day baseline average, compared to the 52% decrease against the overall baseline average).
The increases for the U.K. and Canada are consistent with those countries ramping up for Boxing Day (26 Dec), but it is interesting to note Poland's increase of 28%. Despite its low ranking relative to other countries, perhaps there is a large part of the population that observes Boxing Day; see the next table for more information.
Boxing Day (26 Dec)
Boxing Day is a holiday that originated in the U.K. with first mentions being in the 1830s, but is recognized as having started much earlier, and its intent is not universally agreed upon. Some define it as a day that started for tradesmen to receive 'Christmas boxes' of money or presents the first weekday after Christmas to thank them for their good service throughout the year.
In the U.K., many consider it larger than Black Friday, which has been increasingly celebrated in European countries. This year, Boxing Day drew fewer 'footfall' shoppers (i.e. shoppers physically visiting retailers, or 'foot traffic' in the U.S.) but online sales increased.
Overall, the U.K. was forecast to see an increase of 16%, close to what eMarketer predicted and Mastercard reported for the U.S.
In the U.S., the day after Christmas marks a new surge in retail promotions and sales to flush out Christmas inventory - who can resist wrapping paper at a 75% discount? As a result, on Boxing Day all global traffic increased 32% against the baseline and 47% compared to Christmas Day. For just the U.S., traffic on 26 Dec was up 52% vs 25 Dec.
Globally, the top 10 originating countries for traffic on Boxing Day were as follows, with their traffic on 26 Dec compared to the baseline. Poland continued to show a large increase, along with the U.K. and Canada.
Because Boxing Day is primarily a U.K. holiday, we have highlighted countries that would culturally be expected to observe Boxing Day with sales:
By drilling down into these countries, we see a dramatic increase in traffic due to Boxing Day observances, especially in Canada and the U.K. due to retail promotions.
Akamai predicted in September 2018 that mobile shopping would continue its growth this holiday shopping season. That prediction held true through the recent major holidays around the world (Diwali, Singles' Day, Black Friday and Cyber Monday). For Christmas Day and Boxing Day, there has not been any deviation from that trend. It also underscores why online retailers need to increase the mobile CX budget and attention but can't reduce their focus and investment on optimizing desktop visitors' experience.
On both days, mobile devices were used for the clear majority of the time versus desktop (the remainder is tablet use). We see no change to this trend going into 2019, as this article points out.
Android's portion of online shopping was a healthy 24% on Christmas Day, while iOS was nearly double at 45%. This continues to surprise us since, globally, Android market share is approximately four times that of iOS. Both operating systems increased their usage on Christmas Day (iOS more than Android), perhaps as consumers used their mobile devices to research sales and compare prices while relaxing after dinner (see conversion rates in next section).
On Boxing Day, the distribution was nearly identical but the increases against the baseline were smaller, significantly so for Android at only 0.11%.
Examining mobile OS first, we see that iOS had a very slim lead in conversion rates over Android on Christmas Day, but both operating systems had higher conversion rates during the baseline as more shopping was being executed before the holidays. Both OS conversion rates were down significantly on Christmas Day, which may be a factor of more research and less actual purchasing being conducted.
On Boxing Day, the conversion rates were down again compared to the baseline, but by much less than on Christmas Day. The iOS conversion rate was higher than on Christmas Day, but still down against the baseline. This may be due to desktop conversion staying flat on Boxing Day vs. the baseline (see next section).
Looking at conversion rate by device type, on Christmas Day, desktop had a significant advantage over mobile. However, desktop was down compared to the baseline average, and mobile was down even more. This is consistent with the other data, showing Christmas Day activity was lower than the baseline.
On Boxing Day, desktop conversion was flat, while mobile increased by a small amount, perhaps because more users were starting to purchase due to deals, etc.
Web Application Attack Detail
Despite the decrease in global traffic leading up to and including the holidays (Christmas Day and Boxing Day), threat actors didn't take the holidays off, and web application attacks remained very active. The number of attacks on Christmas Day was comparable to Cyber Monday, with the exception of cross-site scripting, which was five times more than on Cyber Monday and two times more than on Black Friday. This is likely because retailers want to track their Christmas sales more than those of any other day of the year, so web application developers end up including a lot more third-party scripts and content on their sites, and attackers take advantage of that. Also, perhaps someone found a vulnerable version of a particular ecommerce software and was testing that against a lot of domains in an automated fashion.
On Boxing Day, the numbers were pretty consistent with Christmas Day, with the exception of cross-site scripting, which saw a decrease of nearly 66%. This could possibly be due to the lower number of countries actively participating in Boxing Day (sales promotions attracting online shoppers). As with Christmas Day, Boxing Day was more comparable to Cyber Monday in terms of the majority of web application attacks.
While online shopping activity was down on Christmas Day, as we saw with web application attacks, threat actors were still out in droves, as the high number of retail bots attests. Compared to Cyber Monday, the retail bot attacks were significantly higher, a 100% increase. On 26 Dec, credential abuse/stuffing attacks dropped by approximately 50%, which is curious given the increase in traffic, especially for Boxing Day. Again, it may be due to a smaller number of countries participating and promoting Boxing Day sales (online activity).
Consistent with other holidays that we've monitored this season, the U.S. was the most targeted country for attacks, along with India and the U.K. The U.S. was also the leading source country for attacks, with India and China rounding out the top three. Keep in mind that the more advanced attackers hide their true country of origin.
Boxing Day (the 26th of December) was similar to Christmas Day, with small variances in the percentages, which is not surprising to us.
As we have seen throughout the recent global peak traffic holiday period, online retailers need to be prepared to offer optimal customer experiences to mobile visitors (including mobile app and web browser interaction) as their overall usage is greater than desktop users and their use has gone beyond research and includes purchasing.
Until now, significant time and budget have been invested optimizing web applications and content for desktop visitors. This focus should not diminish but, as we saw, the percentage of mobile visitors exceeded desktop visitors during ALL of the major holiday events, with no sign of reversing in 2019. This trend underscores the importance of prioritizing an optimal mobile customer experience, but not at the expense of desktop optimization.
The high volume of retail-specific attack bots and web application attacks clearly demonstrates the need to provide a secure environment for online shoppers for all aspects of the transaction: browsing, research, purchase and storage of personal data at ALL times. Existing and new (e.g. GDPR) regulations have raised the bar in terms of financial penalties for data breaches, along with reputation hits and possible loss of revenue should consumer information be stolen.
Threat actors don't take holidays. While they know to focus on holiday traffic due to the increased number of online users, they are attacking every day with all the attacks we've outlined -- as this major online retailer can attest, after being hit with a credential stuffing attack from late September to late November last year.
Akamai can help you in all of the areas that we've reviewed here, from improving web performance to securing web applications. While we've highlighted holiday events, peak traffic spikes can occur at any time, whether it's due to a highly visible event like a royal wedding or a natural disaster. Take the first step and prepare for peak traffic by testing your website and mobile application performance at any load and request your CloudTest demo.