[U]nlike the web, which often provides at least a few signals that an interaction is secure (for instance, the lock icon in your browser, the security certificate, or even simply the URL), there’s no obvious way to tell a good bot from a bad bot.
What’s more, bots haven’t been around long enough for users to be savvy enough to distinguish between those from legitimate sources and potential bad actors. Think of email phishing scams: While it’s not uncommon for a scammer to send an email purporting to be from, say, your financial institution, most email software has gotten pretty good at flagging these types of messages so they’re accompanied by a warning or go straight to your junk folder.
But there’s no analogous mechanism for bots. Hypothetically, you could begin interacting with, say, a shopping bot and have no idea that it’s a fake meant to steal your credit card info or other personal information.