
Credential Stuffing Fraud Attacks Make Up 5% of All Digital Traffic

August 5, 2021


Credential stuffing fraud, which refers to automated sifting through volumes of stolen data to arrive at reams of valid username-password matches, continues to be a successful attack tactic despite increased detection, providing fraudsters with valid credentials to compromise and abuse accounts. The breakneck speed of digital transformation has made digital accounts the centerpiece of most consumers' lives and a lucrative target for fraudsters.

The bedrock of any account takeover attack is credential stuffing, which in recent times, has witnessed an unprecedented increase. According to Arkose Labs' latest 2021 Fraud and Abuse Report, there were 285 million credential stuffing fraud attacks detected and stopped on the Arkose Labs network in the first six months of the year with spikes of upwards of 80 million in a single week.

Despite significant investments in bot prevention, 1 in every 20 account logins – meaning 5% of all digital traffic globally – are still bots mimicking real users. Fraudsters constantly evolve the tools and data they use to easily attack at scale, blending in with real users to bypass bot prevention measures.

What makes credential stuffing fraud so prevalent?

Credential stuffing attacks are incredibly easy to launch. With one incident of a data breach after another, fraudsters have large volumes of stolen credentials at their disposal that can be validated in no time with the deployment of bots and automated scripts. Automation and other sophisticated tools have made validating tens of thousands of username-password or email-password combinations possible in just a few minutes.
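The pattern described above, one source trying many different usernames in a short time with mostly failed logins, can be looked for in authentication logs. The following is an added example, not code from Arkose Labs or its report; the log format, field names, addresses and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample auth log: epoch_seconds source_ip username result
SAMPLE_LOG = """\
1000 198.51.100.7 alice FAIL
1002 198.51.100.7 bob FAIL
1003 203.0.113.9 carol FAIL
1004 198.51.100.7 dave FAIL
1005 198.51.100.7 erin OK
1006 203.0.113.9 carol FAIL
1007 198.51.100.7 frank FAIL
1008 203.0.113.9 carol OK
1009 198.51.100.7 grace FAIL
1200 192.0.2.44 heidi OK
"""

def parse(log):
    """Yield (timestamp, ip, username, success) from the constructed format."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield int(ts), ip, user, result == "OK"

def detect_stuffing(events, window_s=60, min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, fail_ratio)} for sources that, within a
    sliding window, tried many distinct usernames with mostly failed logins.
    The thresholds are illustrative assumptions, not recommended values."""
    recent = defaultdict(deque)   # ip -> attempts inside the current window
    flagged = {}
    for ts, ip, user, ok in sorted(events):
        win = recent[ip]
        win.append((ts, user, ok))
        while win and ts - win[0][0] > window_s:
            win.popleft()         # drop attempts older than the window
        users = {u for _, u, _ in win}
        fails = sum(1 for _, _, s in win if not s)
        ratio = fails / len(win)
        # Many usernames distinguishes stuffing from one user mistyping.
        if len(users) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = max(flagged.get(ip, (0, 0.0)), (len(users), ratio))
    return flagged

if __name__ == "__main__":
    for ip, (n, r) in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {n} distinct usernames, {r:.0%} failures")
```

The source that retried a single username three times is not flagged, since repeated failures on one account look like a forgotten password rather than stuffing. A per-source threshold like this only catches attempts concentrated on one address; traffic spread across many sources needs additional signals.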

Despite the $1+ billion spent by enterprises on botnet solutions, credential stuffing continues to plague platforms across industries. In the first half of 2021, credential stuffing made up 29% of all attacks across the Arkose Labs global network. Fraudsters who use scripts powered by machine learning are able to overcome solutions designed to detect and stop automated attacks. These advanced bots can run JavaScript and can be programmed to simulate human behavior all the way to keypresses, mouse movements, and clicks.  

The low barriers to entry, ease of deployment, and the ability to generate profits from successfully compromised accounts make credential stuffing a prevalent attack tactic. High-volume credential stuffing attacks can overload servers to disrupt the user experience.

Credential stuffing fraud causes direct, operational, and long-term damages

Credential stuffing powers account takeover (ATO) attacks that are on an upswing. This is because ATO attacks provide fraudsters with a myriad of ways to monetize their exploits – from draining funds and reward and loyalty points and encashing gift cards to stealing and reselling stored financial information and, worse, using these compromised accounts as launchpads for many criminal activities, including money laundering, drug trafficking, and more.

Businesses continue to be at the receiving end of credential stuffing fraud attacks, suffering losses worth billions of dollars every year. These include not only direct losses – accruing from lost revenue, attack remediation, restoring user accounts, and at times refunding stolen amounts – but also operational losses, where businesses suffer increased compliance and legal burden, increased number of calls to contact centers, more manual reviews, and implementation of additional security protocols in addition to the added burden on server usage and IT infrastructure. Another indirect but potentially severe form of damage is the loss of brand equity. A recent Arkose Labs survey found that 90% of the businesses polled agree that credential stuffing fraud attacks negatively impact user experience.

In view of an unprecedented increase in digital activity and subsequent rise in credential stuffing fraud attacks, it becomes critical for digital businesses to take cognizance of the heightened risks they face in order to take adequate steps to maintain account integrity.

Businesses must maintain the sanctity of digital accounts

Customers now demand a seamless, customized, and personalized experience from digital businesses that they interact with. Therefore, customer-centricity has acquired a different level of importance that was never seen before. As a digital account – complete with personal and financial information – becomes an integral part of a consumer's life, businesses must maintain the integrity of their customers' digital accounts as sacrosanct, failing which they run the risk of losing customers to competitors.

With time, the importance of account integrity will only increase. This is because of the speed at which digital channels are being used for day-to-day activities, translating into heightened attacks on digital accounts, only with greater severity. Therefore, digital businesses must make efforts to maintain the security and integrity of their customers' digital accounts.

To get actionable insights on how businesses can safeguard their customers from credential stuffing fraud attacks and other threats, download your copy of the 2021 State of Fraud Report now.