Skip to content
Compliance & Risk

The rising tide of bot attacks: Exploiting identity vulnerabilities

Kennedy Meda  Fraud Prevention Manager & SME / Deseret First Credit Union

· 5 minute read

Kennedy Meda  Fraud Prevention Manager & SME / Deseret First Credit Union

· 5 minute read

In recognition of International Fraud Awareness Week, we take a look at ways that financial institutions, companies, and individual persons can protect their identities from online bots

In the rapidly evolving landscape of cybersecurity, the prevalence of bot attacks has become a cause for widespread concern. Regardless of an organization’s size or industry, the escalating volume of bots across the internet poses a significant threat. The 2023 Enterprise Bot Fraud Benchmark Report sheds light on this growing menace, identifying three common types of bot attacks — carding, account takeover (ATO), and scraping. The statistics are alarming, with all three categories showing substantial year-over-year increases.

ATO attacks saw a staggering 123% rise in the second half of 2022, marking a 108% YoY increase from 2021. Carding attacks, in which bots use multiple simultaneous attempts to authorize stolen credit card credentials, increased by 161%; and scraping attacks, in which bots search websites for data that could be used in fraud schemes, saw a rise of 112% during the same period.

Understanding bot attacks

Bot attacks, fundamentally malicious activities executed by automated programs or bots on digital platforms, exploit vulnerabilities with speed and scale. These attacks can manifest in various forms, such as:

      • New account fraud — Bots create fraudulent accounts using stolen or synthetic identities to exploit incentives, promotions, or credit offers.
      • Account takeovers — Bots attempt to gain control over user accounts by exploiting vulnerabilities in authentication processes or using stolen credentials.
      • Scraping — Bots scrape websites for data, often for purposes such as competitive intelligence, spamming, or selling data on the dark web.
      • Distributed Denial-of-Service (DDoS) attacks — Overwhelming a network, system, or website with a flood of traffic from multiple sources, rendering it inaccessible to legitimate users.

Bot attacks against financial institutions

Financial institutions, in particular, have become prime targets for bot attacks, exposing vulnerabilities in the account opening process. Criminals are now leveraging hybrid bots — combining human and automated inputs — to open money mule accounts at an unprecedented scale. These hybrid bots can elude most banks’ detection capabilities, allowing criminals to open numerous accounts rapidly.

Research indicates that one in every 100 mule accounts is opened by a bot. Criminals exploit stolen or synthetic identities to establish untraceable accounts, often letting them lie dormant to avoid detection. Startlingly, 62% of all new accounts created by criminals in 2022 were financial accounts, making new accounts 9.5-times riskier than mature accounts, according to the Identity Theft Resource Center.

The issue of mule accounts is not confined to a specific region, rather, it’s a global problem. In 2022, in the United Kingdom alone, 39,578 cases on bank accounts were indicative of money mule behavior. While this is a reduction from 2021, these cases still account for 68% of misuse of bank accounts, according to Fraudscape 2023 report.

Simultaneously, bots are escalating ATO rates, with fraudsters employing them to gain unauthorized access to victims’ banking, e-commerce, or other accounts. According to Sift’s Q2 2023 Digital Trust & Safety Index, ATO attacks spiked by a staggering 427% in Q1 2023, compared to all of 2022. As more commerce and financial services move online, ATO attacks become not only more accessible but also more profitable. Predictions suggest that global ATO fraud losses will reach almost $17 billion by 2025.

AI and biometric authentication in combatting bot-linked fraud

In the face of these escalating threats, organizations are turning to advanced technologies to bolster their defenses. Artificial intelligence (AI) and biometric authentication emerge as powerful tools in the fight against new account fraud and account takeover linked to bots. Some of the ways these advance technologies are being employed, include:

AI-powered detection systems

AI-driven solutions can analyze vast amounts of data in real-time, identifying patterns and anomalies indicative of bot activity. Machine learning algorithms can adapt and learn from evolving attack patterns, enabling organizations to stay ahead of sophisticated bot attacks. By employing AI-powered detection systems, financial institutions can enhance their ability to identify and mitigate threats with unprecedented speed and accuracy.

Biometric authentication

Traditional authentication methods are often vulnerable to bots that exploit stolen credentials. Biometric authentication — leveraging a customer’s unique physical or behavioral characteristics such as fingerprints, facial recognition, or voice patterns — provides an additional layer of security. Bots struggle to mimic the intricate and individualistic nature of biometric identifiers, making it significantly more challenging for them to succeed in ATO attempts or new account fraud.

Multi-factor authentication

Combining AI with biometric authentication in a multi-factor authentication (MFA) approach creates a robust defense mechanism. MFA requires users to provide multiple forms of identification, such as a password, a biometric scan, and a device confirmation. This multi-layered approach adds complexity for bots attempting to breach accounts, significantly reducing the likelihood of successful attacks.

Promoting the enhancement of Know Your Customer rules

Beyond fortifying against bot attacks, the integration of AI and biometric authentication positively impacts the implantation of Know Your Customer (KYC) rules. By implementing these advanced technologies, financial institutions can gain a deeper and more accurate understanding of their customers. Biometric authentication, in particular, provides a unique and irrefutable link between users and their accounts, enhancing the reliability of identity verification.

This heightened KYC strength not only safeguards against fraudulent activities but also ensures that financial institutions can truly know their customers. The combination of AI and biometric authentication establishes a secure and transparent relationship between users and financial institutions, fostering trust and integrity in the digital realm.

Conclusion

As the threat landscape evolves, the integration of AI-powered detection systems and biometric authentication emerges as a formidable defense mechanism, providing real-time analysis and robust identity verification. The significance of these advanced technologies extends beyond defense, positively influencing KYC practices and fostering secure and transparent digital relationships.

The collaboration between industry players and advocates underscores the necessity for heightened cybersecurity measures, awareness, and the continuous advancement of authentication mechanisms. By embracing these innovations, organizations can stay one step ahead in the relentless battle against evolving cyber-threats such as bots, ensuring the trust and integrity of digital interactions in an ever-changing landscape.


For more on this subject, you an access the 2023 Cybersecurity Industry Statistics: Account Takeover, Ransomware, Data Breaches, BEC & Fraud report here.

More insights