Importance of Fraud Prevention
More than ever, the world runs in a digital environment. In the last couple of years, the number of digital user accounts has proliferated, which has in turn resulted in increased attacks against these accounts. Fraudsters use several tools and tactics – such as bots, scripts, human click farms, and a combination of these – to launch attacks that cause financial and reputational losses to businesses and harm consumers. It is, therefore, critically important to combat fraud and online abuse.
The actions taken to detect and prevent fraudulent activities are collectively called fraud prevention. In recent years, fraud prevention technology has made enormous advances that help detect and fight sophisticated fraud attacks. Advanced data analytics, artificial intelligence, machine learning, and device forensics, among others, are now used extensively in the fight against fraud.
That said, fraud prevention is not a one-time activity. It is an ongoing cycle in which businesses must constantly monitor for, detect, and stop fraud attacks. They must use what they learn to continually improve the risk-decisioning that helps them fight evolving fraud tactics.
The Business and Customer Experience Impacts of Fraud
Fraud can have long-term implications for businesses and consumers. In addition to causing financial losses, it can be a traumatic experience for consumers, who may need to spend time and effort to restore their compromised digital identity. They may have to repay loans they never solicited; their credit scores may suffer, obliterating their future chances of seeking credit; and they may even be penalized for their accounts being used for criminal activities.
Businesses face direct and indirect losses due to fraud. In addition to financial losses, businesses suffer reputational damage, erosion of customer trust and the risk of customer churn. Fraud can impact businesses in the following ways:
Financial: Businesses in the US alone bear fraud costs of approximately $42 billion annually. It is estimated that on average a business loses about 5% of its revenues to fraud each year. In addition to the costs associated with assessment, detection, and remediation of fraudulent activity, businesses must compensate consumers whose accounts are compromised and incur password reset costs. Many businesses still use free – or nearly free – fraud prevention solutions that not only fail to protect them in the long term but also add covert fraud losses to the overall costs.
Operational: Customer services are affected by a deluge of calls to customer support, which increase operational costs. Businesses also incur costs in reassessing and redesigning fraud strategies. They may add fraud solutions to tackle the new threats. This can result in non-communicative tech stacks that add to information overload and impede instant risk-decisioning.
Reputational: Customers increasingly rely on social media platforms to review businesses they wish to transact with. Adverse comments about fraud incidents from irate customers can damage brand equity and have a negative impact on future business prospects. Disruption to user experience and compromised accounts can lead to negative news coverage and customer discontent, which can hurt the brand image and drive customer churn. Customers may choose to switch to competing businesses, which impacts revenues. The damage is not limited to customers, as suppliers, partners, and investors may lose confidence in the business and sever ties. This can also affect the company's ability to attract and hire talent. Both brand building and customer acquisition are time-intensive activities that bring results over a period of time. These are therefore long-term losses, and it may take businesses a long time to salvage their brand equity.
Legal and compliance: Stringent directives, such as the GDPR, mandate that businesses ensure the security of customer data. Fraud causes non-compliance, which means businesses must pay hefty fines and penalties. Fraud also exposes businesses to various lawsuits – from clients, consumers, and even investors – that can drag on for years. Depending on the extent of fraud, businesses incur legal and compliance costs that only add to overall losses.
Repeat attacks: Once a business network is compromised, its vulnerability to future attacks increases. User credentials become exposed to theft, reselling, and use in future attacks. Furthermore, once this information gets shared in the fraud ecosystem, the business becomes more attractive to several other types of attacks.
Downstream abuse: A fraud attack is the starting point for multiple downstream costs. For instance, to stop fraud, businesses increase manual reviews, which require more effort and time to monitor the incoming traffic. According to an Arkose Labs’ poll of 100 IT executives, on average, a business may need to spend between one and five hours remediating an account takeover attack.
How Do Fraudsters Make Money off Attacks?
Fraudsters are in the business of making money, and they have multiple avenues to monetize their attacks. Fraudsters mobilize their resources to reap maximum profits from the least possible investment. They rely heavily on automation to scale up the attacks. Bots with advanced, human-like capabilities are easily and cheaply available, which allows fraudsters to scale up their attacks – and monetary benefits – in no time. These bots not only mimic human behavior fairly accurately but can also hand over the attack baton to human click farms when faced with defense mechanisms that require more nuanced human interaction.
Using bots and human click farms, fraudsters try to compromise genuine user accounts or create fraudulent new accounts to exploit them for monetary gains. Some of the common ways fraudsters make money from the attacks are:
Reselling databases: Frequent incidents of data breaches over the years have provided fraudsters with large volumes of consumers' personal information. They use credential stuffing and password spraying to arrive at valid username-password combinations. Fraudsters can then sell these valid lists of credentials to third parties. They can also choose to categorize them according to industries, assets in the accounts, or other parameters, which can fetch them greater returns.
Stolen credentials: Using stolen credentials such as credit card details, fraudsters can make expensive purchases that can be resold later at a premium.
New account fraud: Many businesses – such as online gaming platforms, BNPL service providers, technology platforms, and so forth – offer cash rewards, access to premium services for a limited duration, or compute resources to attract new customers. Using bots and click farms, fraudsters create thousands of fake new accounts that can be used to pocket these bonuses. Fraudsters also combine stolen consumer details with fake identity elements to create synthetic identities that can be used to open new lines of credit, such as applying for a loan or a new credit card.
Account takeover: Account takeover is a rising challenge for businesses as fraudsters break into genuine user accounts to use them for several types of fraud. Draining the funds contained in the account is just one way of making money. Fraudsters redeem loyalty points, access saved payment details and passwords, and use the compromised accounts as launchpads for other crimes such as money laundering and money muling.
Limitations of Current Approaches
Given the rise in fraud, businesses are deploying solutions to fight imminent fraud attacks. Many businesses still rely on traditional and outdated solutions such as CAPTCHAs for bot detection. These solutions are, however, no longer effective against the advanced capabilities of today’s bots. While bots have evolved at great speed, CAPTCHAs have failed to keep pace. This has led to legacy CAPTCHAs being outsmarted by even basic bots. Furthermore, bots have attained capabilities to mimic human behavior, so they can bypass these solutions with ease. In a situation where more nuanced human interaction is required, these bots hand over the attack to human click farms. This makes fraud prevention even more challenging.
Some of these bot-mitigation solutions are even available cheaply or for free. However, such solutions add to long-term costs as they fail to stop attacks and add unnecessary friction that disrupts user experience. Discontented users may switch to competing businesses, resulting in customer churn and loss of revenues.
Fraud prevention using purely data-driven solutions is becoming challenging, as digital identities have been manipulated at scale and human behaviors have evolved. Fraudsters can access valid login credentials and impersonate good users. They can also hide their real intent and location using tactics such as IP spoofing and device obfuscation, among others. This means digital signals can no longer be relied upon to indicate clear ‘trust’ or ‘mistrust’; they are increasingly falling into the gray area. Blocking users may affect good customer throughput, whereas lenient authentication allows fraudsters to sneak through.
The Arkose Labs Approach
Arkose Labs follows a zero-tolerance approach to fraud, which helps global businesses fight fraud while maintaining a superior user experience. Digital businesses are assured of rapid remediation of attacks while maintaining a completely user-centric approach. This is achieved through active vigilance and optimization of the partner's traffic. Furthermore, Arkose Labs is committed to working closely with its partners and helping them adapt to evolving attack tactics for future-proof protection in a fully user-centric way.
Arkose Labs goes beyond data-driven fraud mitigation to help businesses detect fraud even when digital identifiers have been compromised en masse. The Arkose Labs platform helps increase good user throughput without disrupting the user experience. It does not block any incoming user. Instead, based on the insights from user sessions, the risk engine informs the adaptive step-up challenges to continuously evolve according to the changing attack techniques. Using targeted friction, Arkose Labs bankrupts the business model of fraud to foil credential stuffing, password spraying, account takeover, and new account fraud, among others. This enables businesses to enhance their fraud prevention capabilities and ward off evolving threats with confidence while keeping user experience front and center.