As we move further into 2021, it’s clear that fraudsters have largely homed in on one particular area of attack: digital accounts.
This is not surprising, as the transformation taking place in business has put the digital account squarely at the centre of most consumers’ lives, according to the State of Fraud Report 2021.
Digital accounts are used to conduct business and commerce, store financial details, connect with friends and family, enjoy a favourite game or show, and so much more.
This year has revealed the critical need for enterprises to take a wider lens on fraud prevention – one that puts a high priority on securing accounts from being targeted by fraudsters.
To date, about one-third of the attacks detected across the Arkose Labs network were fake new account registrations.
Account takeovers, on the other hand, were powered largely by credential stuffing, with 285 million such attacks detected in the first six months of the year.
Whether it be taking over existing user accounts, or creating fake accounts for a variety of purposes, fraudsters expertly disguise themselves as legitimate users to abuse and monetise digital accounts.
With customer-centricity driving success in this digital world, businesses must enable a seamless account login or registration process, while still being vigilant at monitoring these touchpoints as the starting points of fraud.
Top Attacking Countries
Top attacking countries in 2021 are dispersed across North America, South America, Europe, and Asia, highlighting the truly global nature of the cybercrime ecosystem.
The United States, Vietnam and Russia remained in the top 5 from 2020, while China and India surfaced as key countries to watch.
Newer players also emerged out of Venezuela and Ukraine. Malicious actors in some countries concentrated their attacks on a particular industry.
While China and Vietnam focused at least 50% of their efforts on the tech industry, actors from Russia and Brazil targeted gaming with ⅔ of their attacks.
New Account Fraud Increases by 70%
Logins have traditionally stood out as the most attacked customer touchpoint across the Arkose Labs network.
However, the first half of 2021 has shown a rise in new account fraud to meet the levels of login-related attacks.
Registration attacks increased 70% over the latter half of 2020, climbing up to 43M attacks in a single week at its peak.
With businesses working hard to increase customer loyalty in a competitive digital market, account creation is a key part of enhancing customer lifetime value and encouraging repeat business.
Sign-up incentives that successfully attract consumers attract fraudsters equally. The registration process is abused by attackers using synthetic or stolen credentials to monetize bonuses and infiltrate platforms.
This can lead to a wide array of downstream fraud like spam, phishing, and carding that’s often harder or more expensive to block and can leave a blemish on a brand’s reputation.
Attackers Adapt To A Mobile-First Marketplace
As mobile devices continue to be a more predominant channel for consumers to repeatedly access and interact with their favourite platforms, fraud is following suit to blend in with “normal” consumer behaviours.
2021 has seen the mobile attack rate increase to more than a quarter of attacks, up 40% from the end of 2020.
Industries like gaming, retail, and travel are experiencing above-average mobile attacks as people have settled into shopping and playing games out of the palm of their hands.
Attackers are leveraging mobile usage across a multitude of touchpoints such as logins, in-platform abuse, and transactions, which saw massive spikes in this attack type.
Mobile attacks can be deployed with device spoofing, as numerous websites sell IP addresses with the appropriate device fingerprint.
Unearthing malicious intent requires a storytelling approach that connects data signals.
If the user’s device says it’s in Los Angeles based on the locale and time zone, but the IP address is coming from Europe, the story doesn’t check out.
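The consistency check described above, sketched as an added example that is not taken from the report or from Arkose Labs. The lookup tables, weights, field names and sample events are constructed assumptions; the IP addresses come from documentation ranges.

```python
import ipaddress

# Constructed tables (assumption): a real deployment would use a GeoIP
# database and the full IANA zone-to-country mapping instead.
GEOIP = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "VN",
}
ZONE_COUNTRY = {
    "America/Los_Angeles": "US",
    "Europe/Berlin": "DE",
    "Asia/Ho_Chi_Minh": "VN",
}
# Hypothetical weights: a time zone mismatch counts for more than a locale
# mismatch, since travellers and expatriates often keep a foreign locale.
WEIGHTS = {"timezone": 2, "locale": 1}


def ip_country(ip):
    """Country code for an IP, or None when the table has no answer."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP.items():
        if addr in net:
            return country
    return None


def story_check(event):
    """Return (score, reasons) for one login or registration event."""
    country = ip_country(event["ip"])
    if country is None:
        return 0, ["ip_not_geolocated"]  # no evidence either way
    reasons = []
    tz_country = ZONE_COUNTRY.get(event["timezone"])
    if tz_country and tz_country != country:
        reasons.append("timezone")
    # Region subtag of a locale such as "en-US", "en_US" or "zh-Hans-CN".
    parts = event["locale"].replace("_", "-").split("-")[1:]
    region = next((p.upper() for p in parts if len(p) == 2 and p.isalpha()), None)
    if region and region != country:
        reasons.append("locale")
    return sum(WEIGHTS[r] for r in reasons), reasons


# Constructed sample events.
EVENTS = [
    {"ip": "192.0.2.10", "timezone": "America/Los_Angeles", "locale": "en-US"},
    {"ip": "198.51.100.7", "timezone": "America/Los_Angeles", "locale": "en-US"},
    {"ip": "198.51.100.9", "timezone": "Europe/Berlin", "locale": "en-US"},
]
```

A non-zero score is one signal to weigh with others, not a verdict: the third event shows a locale-only mismatch that is common among legitimate users.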
Financial Services Targeted for Application Fraud and ATOs
While financial services platforms were hit with fake credit cards, personal loan applications, and government subsidies in 2020, this year has brought a diversification of account-related attacks as digital identities have been continuously disrupted.
This year, logins have emerged as an attack touchpoint to watch, largely driven by automated attacks attempting to confirm legitimate accounts and access customer funds.
Meanwhile, cybercriminals are making it harder to detect a fraudulent application, leveraging stolen credentials to mirror a real person and capitalise on sign-up bonuses and simplified application processes.
Mobile attacks are still lagging behind desktop. However, it is anticipated that this will change as mobile-first neobanks and FinTechs continue to gain market share, as consumers opt for mobile banking en masse.