Fraud Prevention

Human-Driven Attacks Rose 77% During First Half of 2021

September 21, 20214 min Read

human-driven atttacks

In human-driven attacks, fraudsters employ click farms to orchestrate attacks that need more nuanced human interaction. Usually, these attackers step in when bots are unable to bypass fraud defense mechanisms that are designed for need a higher level of human interaction

During the first half of 2021, there was a 77% increase in human-driven attack volume over the second half (H2) of 2020. When compared with the bot attacks, there was a six-fold increase in human-driven attacks. This is indicative of a growing trend where fraudsters are increasingly leaning towards hybrid and human-assisted attacks at scale.

Large volumes of attacks leveraging human fraud farms emanated from Asian countries including China and Vietnam, which contributed 60% of all human-assisted attacks. Asia continues to be an important region for fraudsters as it enables them to find cheap human labor to supplement automated attacks as well as a more nuanced human activity such as sending phishing messages on dating platforms. In Europe, fraudsters relied more on automation-driven attacks such as credential stuffing, looking to maximize the RoI.

Human-driven attacks impact all industries

Fraudsters leverage human fraud farms to orchestrate attacks according to the target industry. In H1 2021, tech and online gaming saw particularly high levels of human-driven attacks, with Europe, North America, and Asia at the forefront of these attacks. For instance, fraud farms in China and Vietnam targeted the tech industry – with at least 50% of their efforts focused on this industry. Similarly, fraud farms in Russia and Brazil targeted online gaming, which constituted two-thirds of their attacks. This is not to suggest that other industries were spared from the scourge of fraud farms.

Here is a snapshot of human-driven attacks across industries:

Financial services: Financial services companies witnessed an unsuspected growth in an old scam – the micro-deposit fraud. Fraudsters manipulated the micro-depositing process by deploying fraud farms to create fake accounts using stolen credit card information. Once the account was created successfully – also indicating that the credentials are valid – the fraudsters would proceed to make deposits as low as $0.02 to an existing bank account, which over a period of time can add up to millions of dollars.

Gaming: Nearly 75% of the attacks on the online gaming industry were targeted at login and registration points. New registrations are usually carried out by human fraudsters, which explains the huge spike in human-driven fraud in this industry. That said, credential stuffing is still a prevalent tactic to attack this industry constituting 46% of overall attacks.

Social media and streaming services: At 32% of attacks being human-driven, fraudsters targeted logins on social media and streaming platforms. They tried to resell access to compromised accounts of real users for profit. Another use of these compromised accounts is to disseminate spam and phishing messages and make them look originating from real people.

Online dating: One of the worst-hit industries in terms of human-driven attacks, online dating registered a whopping 85% of attacks coming from malicious humans. Unlike the past few quarters where automation was the main driver of attacks in the industry, there is a spike in human-driven attacks, which means online dating must now prepare for the onslaught of fraud farms as well. This is because human fraudsters not only use account takeover for romance scams but also sell verified accounts for further abuse.

Tech platforms: Logins and new account registrations are the most attacked touchpoints for tech platforms. Generally, fraudsters create fake accounts on these platforms to abuse the freemium and promotional offers for free server time, meant to attract new customers, including mining cryptocurrency, which disrupt servers of these tech platforms and affect good users. The human-driven attack rate was 31% for tech platforms.

Retail and travel sites: These two industries have been under constant siege for a long time. In H1 2021, they witnessed 33% of attacks that were human-driven.

A wake-up call to strengthen the fight against human-driven attacks

The increase in human fraud attack rate during H1 2021 has been unprecedented. From being minuscule in the past, the threat of human-driven attacks has grown into a massive concern for the industries, globally. This should serve as a wake-up call for businesses to prepare for the inevitable onslaught and make efforts to strengthen fraud prevention by according the highest priority to digital account integrity, failing which they run the risk of losing customers.

To get more insights on fraud trends and maintaining digital account security while ensuring a great customer experience, download a copy of the Arkose Labs 2021 State of Fraud Report.