Blame bad bots for online fraud sweeping the United Kingdom
Online fraud is becoming a scourge across the United Kingdom, and in the past year alone we’ve watched police tackle a record breaking number of scams.
One of the most dangerous attacks used by fraudsters is Account Takeover (ATO), whereby cybercriminals take ownership of online accounts by abusing stolen passwords and usernames, often accessed on the Dark Web. A Freedom of Information (FOI) request earlier this year revealed that ATO is the most common form of online fraud in the UK and new data from the 2022 Imperva Bad Bot Report shows ATO attacks rose a staggering 148 percent in 2021 alone.
Bad bots are malicious software applications that carry out automated tasks and, last year, bad bot traffic reached record levels, accounting for 27.7 percent of global website traffic, up 2.1 percent from 2020. This surge in traffic, combined with advanced bots' increasing ability to evade detection, means every consumer-facing business -- indeed every business that has a web page or app with a user login function -- needs to have a bot management strategy in place. This means understanding their relative risk exposure and identifying times when attacks are most likely to spike, so that proper protection measures can be implemented to deal with any situation.
Ready or not, bad bots are coming
The first thing for any business to understand is how likely they are to be targeted by such attacks. The risk posed by bad bots, and ATO in particular, varies considerably from industry to industry. For example, the percentage of internet traffic from bad bots was highest in sports (57 percent), gaming and gambling (54 percent), telecom and ISP (47 percent), and food & beverages (45 percent) -- more than three times higher than the lowest industry, education. Indeed, for each of these four industries, there is more web traffic that comes from bad bots than actual human customers.
Even more concerning, all four industries experienced a high percentage of fraudulent login attempts in 2021. Sports and gaming and gambling in particular came under sustained attack throughout the year with more than one-third of all attempts -- 34 percent and 35 percent respectively -- were ATO attempts.
Businesses also need to be aware of the sophistication level of bots. The travel industry, for instance, experienced an overwhelming proportion of evasive bad bots (nearly 4 in 5) compared to other sectors. That means, travel firms are more likely to experience advanced attacks which are harder to detect and stop. Evasive bots are more dangerous because they can evade common defenses, using techniques such as random IP cycling, switching up their identities, entering through anonymous proxies, delaying requests, and other tools to better mimic human behavior.
The moment of greatest danger
Once organizations have assessed their relative threat level, measuring the likely volume and the sophistication of the attacks, the next step in developing a good defensive strategy is identifying times when bot attacks are likely to spike. Bot traffic attacks often surges during periods of high demand -- last year, advanced bot traffic sessions on retail sites spiked by 73 percent from October to November 2021 as bot operators targeted big shopping days like Singles Day, Black Friday and Cyber Monday. Some industries -- in particular retail and entertainment -- have long had to contend with swarms of sophisticated scalping bots that acquire high-demand, limited-quantity items so fast that human users can struggle to compete -- attempting to hijack major events like the release of a new blockbuster or hot new console.
Similarly, during Euro 2020 on days when England played, ATO attacks were up to three times higher than other days when the tournament was underway. Weeks later, ATO attacks grew 43 percent ahead of the start of the Summer Olympic Games in Japan, spiking 74 percent during the first week of competition. These incidents strongly suggest that bot operators are strategically choosing moments to strike when they can cause the most chaos.
Therefore, it’s essential for any bot management strategy to not only understand the baseline level of defense that’s required, but also to build in processes to identify instances when bot activity will be elevated and have measures in place to increase protection and mitigation accordingly.
Filtering out bad bots
Filtering out malicious bot activity should not compromise the human customer experience nor prevent good bot traffic like search engine crawlers that help your site to be found.
For example, one way to reduce the risk of ATO attacks is to have multi-factor authentication (MFA) like answering security questions or providing biometric information. However, having to go through this process every time a user wants to login is time-consuming and often frustrating. Therefore, rather than requesting MFA every time, businesses should develop an adaptive process where MFA can be requested depending on the perceived risk. For instance, if a user is trying to access an account from an unusual location or an unknown device, MFA can offer an additional layer of protection.
Unfortunately, more sophisticated bots are increasingly able to disguise their nature. ATO attacks in particular often involve the use of advanced evasive bots that are capable of imitating human behavior, and thus are harder to isolate. Therefore, businesses also need cutting edge AI-based technology which can deploy a host of attack analytics to identify the most advanced ATO attempts.
Beating back the bots
Bad bots are a challenging problem for any business to deal with, but defeating them is by no means impossible. While the severity of the threat -- both in terms of attack volume and sophistication - is trending upwards, bots are still a manageable problem if businesses take proper precautions.
As long as companies have a firm grasp on the relative threat level they face and are able to identify occasions when attack volumes are likely to spike, they can develop a tailor-made bot management strategy which seamlessly filters out bad bots while minimizing the disruption for genuine customers.
Image credit: davincidig/depositphotos.com
Tim Ayling is VP EMEA, Cyber-Security Specialists at Imperva.