Arkose Labs, provider of online fraud and abuse prevention technology, released new data on the latest fraud trends that reveal a massive spike in fraud across all industries from Black Friday onwards. As consumers continue to flock online in droves greater than ever before, credential stuffing, account takeover (ATO) attacks and gift card fraud are poised to be top attack vectors in 2021.

“2021 remains full of unknowns, however what’s certain is the frequency and severity of fraud will never return to pre-pandemic levels,” said Vanita Pandey, VP of Marketing and Strategy at Arkose Labs. “With digital channels serving as an invaluable lifeline for much of the world, the Arkose Labs network saw 4 times as many transactions compared to the year prior. This increased activity has created an ideal breeding ground for attacks as fraudsters work to blend in with trusted users, rendering typical models of good versus bad user behavior obsolete.” 

The Black Friday Effect and Gift Card Fraud

As in previous years, the Arkose Labs network recorded a sustained increase in fraud in the ecommerce industry from Black Friday through the end of the year. This year, however, this sustained increase in fraud occurred across all industries -- even those not typically associated with Black Friday, such as social media, online dating and financial services. This could be attributed to fraudsters leveraging social media or cloud-based communications platforms to spread disinformation about deals. It’s likely also a result of attackers targeting payment platforms or financial accounts, and blending in with traffic due to increased consumer usage.

Also during the holiday season this year, electronic gift card fraud ran rampant. Fungible and difficult to track, gift cards provide fraudsters with quick money and generally easy getaways. In Q4 of 2020, fraudsters used botnets to brute force attacks on gift card websites by testing thousands of card number and PIN combinations per minute. Bots and sweatshops were also used to continually check the card balances and redeem them.  

Credential Stuffing and New Attack Types

The influx of new digital accounts created in Q4 of 2020 led to a drastic increase in credential stuffing attacks, which power account takeover attacks. Account takeovers fuel fraud, as once an account is compromised, an attacker can use that information to carry out numerous types of downstream fraud. Credential stuffing attacks more than doubled in Q4 compared to Q3, and increased by nearly 90% compared to Q1.  

Hybrid attacks also increased in Q4 of 2020, with bots being used to launch large-scale, low-reward attacks requiring brute force and humans supplementing attacks in which more nuance is required. 

Geographical Fraud Trends

In Q4 of 2020, North America experienced a marked increase in fraud attacks, specifically from the United States, where tens of millions of people experienced unemployment and financial distress due to COVID-19 lockdowns. Bots drove the region’s 24.2% attack rate, with just 3.5% of attacks originating from humans. Gaming was the top attacked industry, however social media and retail transactions also served as popular targets. 

Asia returned to the forefront of attacks, accounting for 50% of all attacks, with top attacking countries from this region including Vietnam, India, Indonesia, Thailand and the Philippines. 

Europe also had another busy quarter for attacks, as many major countries returned to lockdowns, spurring on incentives to carry out fraud. 52% of all EU-based attacks originated from Russia, however non-typical fraud nations like the Netherlands, Germany, Ukraine and Turkey also joined in. In terms of human-driven attacks, Russia also topped the leaderboard, followed by the United Kingdom.  

“Looking ahead, we can expect to see high levels of credential stuffing continue as fraudsters test stolen credentials to repeatedly launch ATO attacks. As more consumers engage with digital commerce, companies will offer more promotions to remain competitive, which in turn will lead to fraudsters opening even more new accounts at scale in order to take advantage of these promotional efforts,” said Pandey. “Fighting fraud may be more complicated than ever, but with the right approach and tools businesses have a timely opportunity to stop fraudsters in their tracks, while at the same time maintaining a great digital experience for their customers.”   

The Q1 Arkose Labs Fraud and Abuse Report is based on actual user sessions and attack patterns that were analyzed by the Arkose Labs Fraud and Abuse Prevention Platform from October to December 2020. These sessions, spanning account registrations, logins and payments from financial services, ecommerce, travel, social media, gaming and entertainment were analyzed in real-time to provide insights into the evolving fraud and risk landscape. Unsophisticated bot attacks don’t result in a user session and thus have not been included in this report. The report focuses on attacks from fraud outlets that combine state-of-the-art technology with stolen identity credentials and human efforts.

To access the full Q1 2021 Fraud and Abuse Report, please click here.