By Roy Urrico
Last year was a challenging year for cybersecurity departments in all industries, including financial services. Online fraud increased 85% year over year; and 21% of all online traffic was an attack, with nearly every industry seeing a sharp increase in every type of occurrence. Those are among the sobering findings in Arkose Labs’ 2022 State of Fraud and Account Security report.
The study from the San Francisco-based fraud deterrence and account security firm also revealed malicious bots, human attacks and the rise of "Master Fraudsters" have created a disruptive and vulnerable environment, making online fraud deterrence even more critical for businesses. Arkose Labs, which covers industries such as financial services, fintech, gaming, retail, technology and social media, said it represents more than one billion social media users, 60% of online video gamers and 40% of all retail volume.
The study also uncovered a harsh reality. “The digital world now encompasses so much of our everyday lives, and data is the valuable commodity that fuels it,” reads the Arkose Labs report. “In fact, the concept known as the metaverse could become an $800 billion market by 2024, according to Bloomberg Intelligence. This will lead to an exponentially larger attack surface for fraudsters to target. Rather than just PCs and mobile devices, attackers can compromise smart appliances, connected automobiles and virtual reality devices.”
Not only in the attack surface larger, but so is cyber-defense perimeter. “Digital platforms need to upgrade and advance their fraud and security defense strategies in 2022. What worked in the past is no longer viable, and they will need to adapt to ever-evolving attacks that target user touchpoints,” noted Arkose Labs’ Founder and CEO Kevin Gosschalk in the report.
Top Fraud-Fighting Trends
The Arkose Labs report, based on actual user sessions and attack patterns analyzed by the Arkose Labs Fraud Deterrence Prevention Platform from January through December 2021, spans account registrations, logins, and payments from financial services, ecommerce, travel, social media, gaming, and entertainment.
The State of Fraud and Account Security report uncovered the top fraud-fighting trends from 2021:
· Account security became paramount in 2021. Attackers jumped at the opportunity to monetize their efforts by targeting login and registration points at scale. Login and fake account attacks increased 85% year-over-year and every fifth login attempt was an account takeover (ATO). Additionally, one in four new account registrations was fake, more than doubling (2.5 times) in 2021 compared to 2020. Credential stuffing also saw a dramatic increase in 2021, accounting for 4% of traffic and 80% of login attacks.
· Attackers followed consumer engagement across industries. Attackers capitalized on areas of high consumer engagement. Five out of the six industries analyzed experienced increased attack probability in 2021, with travel and entertainment sites seeing the biggest impacts. Attackers specifically preyed on the resurgence in travel with scraping attacks, compromising a massive 45% of traffic on travel sites. Attacks on financial services doubled in 2021 over 2020, and climbed to three times the normal attack rate over the holiday season.
· Attacks are more volatile than ever. A single attack can consume nearly 80% of traffic, and in 2021, some of the most intense attacks detected measured upwards of 76 million credential stuffing attempts per week. Attack rates doubled during peak season in November, making it the most dangerous month in 2021, and earning it the nickname “Black November," due to its unparalleled volume of cyberattacks. However, these high-velocity attacks overwhelm servers and fraud and security teams, regardless of season, and businesses must adapt to its mitigating damages.
· The intelligent bot revolution is in full play. Bots mimic human behavior with a high degree of accuracy, accounting for 86% of all attacks. Automated attack and evasion orchestration includes combinations of sophisticated measures including stolen and synthetic credentials, CAPTCHA solving, human fraud farms, device spoofing, IP spoofing and hijacking and attack scripts. Today's bot signatures are three times more complex than signatures of previous years, challenging fraud and security teams with triple the values to analyze in an average bot signature. This level of intelligent planning makes it more difficult to assess risk and make accurate decisions. Businesses require even more sophisticated analysis to detect anomalies and prevent loss.
· Metaverse companies emerge as likely targets by “master fraudsters.” The rise of virtual worlds creates new attack opportunities for bad actors. Insights from the Arkose Labs Global Network show scams, micro-transaction abuse, and unfair play are top threats in a metaverse world. These companies experienced 80% more bot attacks and 40% more human attacks than other businesses. Master fraudsters attack targets by scripting together multiple tools with intense persistence. They combine bots and fraud farms, and invest large amounts of capital, creating virulent attacks to disrupt fair commerce that include micro-transaction fraud, spam and scams.
· Asia leads the world in perpetrating attacks. In prior years, Russia consistently topped the list of attacking countries. While widespread attacks out of Russia still persist, attackers from Asia took the top spot in 2021, with 40% of all attacks coming from this region. More specifically, one of every two Asian attacks originated in China. Leveraging an ecosystem of tools and low-cost resources, two-thirds of Chinese attacks targeted registration, primarily driven by primarily driven by abusing free trials for crypto mining.
Increasing Awareness
The report highlighted the need for companies to adopt increased awareness and diligence when it comes to thwarting cybercrime.
"The increase in frequency and severity of fraud was higher in 2021 than any other year we've monitored, which is especially jarring considering how extraordinary the 2020 numbers were," noted Vanita Pandey, chief marketing officer for Arkose Labs. “As fraudsters become more sophisticated, we must outpace their efforts and continue to provide the best-in-class solutions to keep consumers' online accounts secure."
"From the earliest days of online information to the rapid evolution of today's metaverses, the internet has come a long way," Pandey continued. "It's imperative that companies protect their online platforms and their consumers from malicious activities."