The Arkose Labs Q1 2021 Fraud and Abuse Report finds that credential stuffing attacks were the major attack vector in Q4 2020 and rose 90% when compared with Q3 2020. The overall attack volumes spiraled Black Friday 2020 onwards and transcended across industries
The year 2020 was unprecedented in many ways. It forced people to stay home, rendered millions jobless and introduced vast swathes of new users to the digital world. This flurry of activity also pushed fraud into newer frontiers and at scales never seen before. As we amble into 2021, while life may slowly return to normal, the volumes of digital traffic and fraud will never return to what they were before the pandemic struck.
In 2020, the sheer number of online users provided fraudsters with the opportunity to blend in with good users—at any given time of the day—which corrupted the typical models of what good and bad behavior looked like. As digital debutants created new accounts to register their presence in the online realm, fraudsters were in for a treat. Fraudsters had a wide platter of genuine user accounts to attempt account takeover attacks at scale that would power downstream fraud.
Insights from the Arkose Labs Q1 2021 Fraud and Abuse Report
The Arkose Labs Q1 2021 Fraud and Abuse Report reveals that overall there were four times as many transactions on the Arkose Labs network, with credential stuffing attacks emerging as the major attack vector in 2020. Compared to Q3 of 2020, credential stuffing attacks more than doubled in Q4, which was a nearly 90% jump from Q1 levels. This is largely due to the altered socio-economic factors, which changed the fraud trends with many law-abiding citizens taking to fraud, in order to make ends meet. As a result, friendly fraud rose and there was also a major rise in the chargebacks as many consumers even disputed genuine transactions. Fraudsters latched on to this opportunity and thus was born the refund fraud. Fraudsters also indulged in stimulus fraud for a double-dip of gains.
Black Friday 2020 onward, the attack volumes spiralled up with fraud transcending beyond industries that are typically involved in the digital commerce splurge. Apart from retail, industries not generally associated with Black Friday, such as social media platforms, online dating companies and financial services also saw sharp attack spikes in the second half of Q4 2020. The majority of these attacks were automated and the attack rate remained above 25% for much of the quarter. Although bots remained the preferred mode of attack with nearly 4 billion attacks, there was a rise in hybrid attacks, where bots were used to launch many large scale/low reward attacks—that relied on brute force—with humans supplementing attacks in which more nuance was required. Sweatshops accounted for nearly 470 million attacks.
Online dating and ecommerce were the most attacked verticals in Q4 2020
As the number of online users increased, many products and services came from behind to take the front seat—online collaboration, video conferencing, streaming services, online gaming, virtual classrooms and so on. This enabled fraudsters to attack these new vectors and industries. That said, all industries were under attack—some more than the others due to the sheer volume of users. However, the attack patterns varied according to the industry in Q4 2020, as described below:
- Media: In Q4, 2020, media companies—comprising online streaming and entertainment, social media and online dating platforms on the Arkose Labs network—had an overall attack rate of 10.87%. Media companies are largely mobile-driven and in Q4 2020, 47% of all transactions emanated from mobiles. It is, therefore, no surprise that they also had the highest mobile attack rate in Q4, with 28.5% of all attacks originating from a mobile device.
- Online dating: This vertical saw a 2.3% attack rate in Q4 2020 with 78% attacks being human-driven. This is because interacting with other people requires more human capabilities than bots can mimic. These attacks were largely account takeover attempts for subsequent use in phishing or scamming campaigns.
- Social media: The attack rate for social media in Q4 2020 was 12%. Being a mobile-centric industry, a large chunk—46%—of social media interactions were on the mobile device, with a mobile attack rate of 28%. However, it was a surprise to see social media platforms under incessant attacks on Black Friday and throughout the holiday season.
- Online gaming: The most attacked sector throughout the year saw no let up even in Q4 2020. The sector witnessed the highest attack rate of 32.7%. Gaming platforms were barraged with bot attacks, that attempted account takeover of high value gaming accounts. Attackers launched high-volume campaigns to target multiple consumer touchpoints—such as logins, which was the most attacked touchpoint on the Arkose Labs network. Of all the transactions in this sector, 35% were on the mobile channel, with a 19% mobile attack rate. Attack rates on gaming consoles, however, were significantly low.
- Retail: Retail was the second most attacked sector in Q4 2020, with nearly one-fifth of the traffic representing an attack. Interestingly, ecommerce was besieged by human sweatshops that constituted 20% of the attacks—a significantly higher figure than any other industry and second only to online dating. This underscores the fact that retail sites are a hot target during this period of the year and fraudsters try to maximize returns by using every resource available.
- Gift card: Most people were home during the holiday season in 2020, which made for a good case of gifting electronic gift cards. Fraudsters particularly targeted gift cards in Q4 2020, as they are easy to monetize and hard to track, much like cash. Further, in the absence of stringent authentication for gift cards, fraudsters could decamp with the heist, undetected.
- Financial services: Throughout the year, this sector was deluged with fake credit card and personal loan applications, as fraudsters targeted government programs meant to help small businesses, such as the PPP. In Q4, however, the sector got some respite from fraud, which went down to 2.6% attack rate. Financial services, however, had the highest percentage of mobile transactions out of all industries—at 57.8%.
- Technology platforms: Cloud-based technology platforms saw a 6.2% attack rate in Q4, 2020 with new account openings emerging as a major attack vector. Sweatshop attack rate was high at 30%, while mobile attack rate was 22.2% mobile attack rate, as nearly 28.5% of all transactions were made through mobile devices.
Traditional fraud hubs re-emerged in Q4 2020
According to our Q1 2021 Fraud and Abuse Report, although Q3 2020, saw the emergence of Europe as the new fraud hub, in Q4 there was a massive spike once again in attacks originating from Asia—partly due to the fraud attacks on Singles Day. Traditional fraud hubs comprising Vietnam, Indonesia, the Philippines, Thailand, and India re-emerged among the top attackers.
Europe sprung a surprise again in Q4 with the Netherlands joining the ranks of most attacking countries. In Europe, bot-driven attacks largely peaked around Black Friday, which led to a 39% attack rate in Q4 2020. Fake account registrations shot up 22.5% in Europe, which were largely human-driven.
In Q4 2020, the top ten attacking countries constituted the bulk of attacks with a 32% increase in the attack volumes. Russia was the top attacking country with the Netherlands, Germany, Ukraine and Turkey close behind. In terms of human-driven attacks, Russia led the attack chart with the United Kingdom following at the second spot.
The silver lining in the 2020 cloud
It is true that 2020 took away a lot from us—human lives, health, jobs, togetherness—but it made us resilient. The unprecedented increase in digital traffic and the fraud that followed afforded online platforms an opportunity to stress test their systems. These platforms realized that the old models of determining suspicious behavior were now redundant and they needed a fresh approach to root out fraud when there is no let up in traffic levels even during the traditional low-sales periods.
The emergence of the new work order, where a large section of people work from home has completely altered consumer behavior. It has also provided the much-needed impetus for digital transformation efforts for internal fraud and security teams, who seem to have realized the redundancy of large on-site teams when efficient monitoring and security practices are possible online.
Get deep-dive insights
The year 2020 has ended but has left behind elevated levels of fraud across all industries. According to the Arkose Labs Q1 2021 Fraud and Abuse Report, credential stuffing attacks are expected to reach new levels in 2021 as attackers test stolen credentials to repeatedly launch account takeover attacks. These ATO attacks will form the basis of many downstream attacks. Fraudsters are also likely to indulge in creating new fake accounts to abuse promotions and bonuses that businesses will offer to attract new customers. As a result, the fraud landscape will be a complex melee, which will make fraud prevention even more complicated.
To get more insights into this complicated threat landscape—specific to your industry and use cases—and the most appropriate approach to stop fraud in 2021 while safeguarding user interests, download your copy of the Arkose Labs Q1 2021 Fraud and Abuse Report.