In recent months, data breaches, cyber attacks, fraud, and online abuse have ramped up amid the chaos created by the Coronavirus pandemic. Many companies have been forced to digitize at least some parts of their businesses to adapt to the growing effects of the COVID-19 crisis. Daily life activities have taken the digital route. These accelerated digital transformations have vaulted digital adoption forward by five years in just a matter of eight weeks, according to McKinsey Digital surveys.
Over 150 professionals join LinkedIn every minute and five new Facebook profiles are created every second, says Domo’s Data Never Sleeps 5.0 report. This massive digital adoption is enabling fraudsters to abuse the new account creation process and fuel many types of fraud. New account fraud is not limited to social media platforms; it is also spreading its tentacles across industries--finance, ecommerce, gaming, and so forth--leaving organizations more vulnerable to abuse as they try to attract new customers.
In an effort to offer a seamless new account opening experience, organizations only request minimal information from the customers. While it makes the onboarding process simpler, it makes it difficult for businesses to verify the legitimacy of the customers and to ascertain whether the customers signing up for new accounts are truly who they claim to be. On the other hand, fraudsters are becoming more sophisticated and strategic with their attack mechanisms. They are manipulating digital identities and stolen customer data to attack businesses at scale.
Multiple paths to monetization
Using fake new accounts to monetize digital identities is becoming commonplace. It has created a parallel economy where fraudsters are able to attain a strong ROI on their inventive strategies. These range from high-scale, bot-driven credential testing to low-value spam dissemination. Attackers are also using low-cost human resources--sweatshops--to carry out more nuanced attacks at scale, which makes it economical to manually carry out fraud, says Dark Reading.
The mass-tested credentials and digital identities open up a panorama of abuse that fraudsters use for the following:
- Fraudulent Applications: Fraudsters use stolen credentials to sign up for new accounts that are used to open new lines of credit. For example, a fraudster may sign up to seek a loan from a fintech lender or apply for a new credit card, with no intention of repaying.
- Promo Abuse at Scale: Large-scale abuse of new customer promotions falls under this category. These can range from fraudsters exploiting and selling free trials to gaining access to new products or introductory cash discounts or credits. This is usually carried out at scale using scripts or human sweatshops and can be a quick revenue source.
- Synthetic Identity Farming: In a digital world, identities are the real currency. Fraudsters use real data stolen from a number of individuals and combine it with fake information to create a composite identity that appears real. These fake identities are used to establish credit profiles, which can be monetized later.
- Account Validation Attacks: Fraudsters often use a new account origination process to test the validity and existence of an account or payment credential before launching organized account takeover or payment fraud attacks.
- Affiliate Fraud: Fraudsters create fake accounts to take advantage of affiliate marketing programs at scale, thus abusing a legitimate business practice to get companies to pay them. Bots are most often deployed to commit affiliate fraud at scale.
- Spam Abuse: New accounts are often created at scale to write fake reviews or send spam and phishing messages on social media or dating services platforms.
The new account fraud and abuse continuum
In recent years, fraudsters have made orchestrated attacks more complex by focusing on multi-step attacks that mask their true malicious intentions. This mostly plays out at the account registration stage, where attacks can inflict direct losses on a business.
However, differentiating between authentic users and fraudsters is no longer easy, as the traditional methods of fraud detection are unable to withstand the fraudsters’ enhanced abilities to bypass them.
Purely data-driven or traditional approaches are no longer viable
With rising fraud levels, businesses cannot allow attackers to bypass their defense mechanisms and disrupt business operations. When businesses tolerate fraud as a cost of doing business, it further feeds the ecosystem of crime.
However, relying solely on data to fight ever-evolving fraud is no longer a bankable solution. This is because fraudsters have manipulated digital identities at scale, using personal information found on the web and extensive toolkits to mask their digital footprints. Although many businesses have integrated risk-based fraud solutions that analyze digital intelligence to assign risk scores, these solutions depend on clear “trust” or “mistrust” signals from users. When the signal falls into the gray area, the solution cannot detect malicious intent.
As attackers continue to get more sophisticated in spoofing and cloaking techniques and the online behavior of authentic customers becomes unpredictable, the clear identifiers that once marked “good” or “bad” traffic are now increasingly falling into a gray area.
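To make the gray-area problem concrete, the following added example (not from the original post or from any vendor's product) scores constructed signup events and compares a single allow/block cut-off with a three-band decision that sends mid-range scores to extra verification. The signal weights, the band edges and the `mailtemp.example` domain list are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed signup events (not real data); fill_secs = time spent on the form.
SIGNUPS = [
    {"id": "s1", "ip": "198.51.100.7", "domain": "example.com", "fill_secs": 41},
    {"id": "s2", "ip": "203.0.113.9", "domain": "mailtemp.example", "fill_secs": 2},
    {"id": "s3", "ip": "203.0.113.9", "domain": "mailtemp.example", "fill_secs": 2},
    {"id": "s4", "ip": "203.0.113.9", "domain": "mailtemp.example", "fill_secs": 3},
    {"id": "s5", "ip": "192.0.2.44", "domain": "example.org", "fill_secs": 4},
    {"id": "s6", "ip": "192.0.2.80", "domain": "mailtemp.example", "fill_secs": 35},
]
DISPOSABLE = {"mailtemp.example"}  # hypothetical throwaway-mail domain list
ALLOW_BELOW, BLOCK_FROM = 30, 70   # assumed band edges, tuned per business


def score(signup, per_ip):
    """Sum assumed weights for each mistrust signal, capped at 100."""
    total = 0
    if per_ip[signup["ip"]] >= 3:         # burst of signups from one address
        total += 40
    if signup["domain"] in DISPOSABLE:    # throwaway mailbox
        total += 35
    if signup["fill_secs"] < 5:           # faster than a person fills a form
        total += 30
    return min(total, 100)


def decide_binary(risk, threshold=50):
    """Single cut-off: everything under it is trusted outright."""
    return "block" if risk >= threshold else "allow"


def decide_banded(risk):
    """Three bands: the gray zone gets extra verification, not a verdict."""
    if risk < ALLOW_BELOW:
        return "allow"
    return "block" if risk >= BLOCK_FROM else "step_up"


def triage(signups):
    """Return {id: (risk, binary decision, banded decision)}."""
    per_ip = Counter(s["ip"] for s in signups)
    out = {}
    for s in signups:
        risk = score(s, per_ip)
        out[s["id"]] = (risk, decide_binary(risk), decide_banded(risk))
    return out
```

Signups `s5` and `s6` each carry a single weak signal: the binary cut-off admits them outright, while the banded decision holds them for additional verification without rejecting a possibly genuine customer.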
A new approach to combat new account fraud
A seamless yet secure digital account opening process is important to retain and attract new customers. Since new account registration is a critical touchpoint, businesses must revisit their fraud strategies to fight new account fraud. They must take targeted action right at the account registration stage to bankrupt the business of fraud by increasing the cost of launching an attack. This will eventually wear down the attackers and protect business and customer interests in the long term.
The Arkose Labs Fraud and Abuse Prevention Platform helps protect digital businesses by shifting the attack surface away from the business network and by using real-time intelligence, rich analytics, and sophisticated step-up challenges to progressively diminish the economic viability of an attack. To learn how Arkose Labs approaches this conundrum of new fake account registrations, download the whitepaper A Deep Dive Into New Account Fraud and Its Impacts or schedule a demo.