Merchants Get Real To Stop Fake Human Fraud Attacks

It is well known that fraud levels spiked throughout the pandemic. Less reported, but equally pressing, is that fraud hasn’t only increased in amount: it has also gotten smarter, more sophisticated and harder to spot.

As NuData Vice President of Product Development Dave Senci told PYMNTS, fraudsters are getting smarter and more strategic about how they attack. Their techniques are improving: they apply more advanced methods to evade the systems put in place to detect them, leveraging attack types that are now human-driven.

“A human-driven attack isn’t as obvious as a basic large-scale attack,” he said. “It’s a low and slow attack that is very difficult to identify because it’s leveraging genuine human behavior to look more real. It’s more expensive for fraudsters to perform these attacks, but it’s worth the value.”

That means businesses should also get more sophisticated and take a broader look at their transactions to learn how to spot this new, emerging face of fraud.

Low And Slow: The New Way To Go

The last iteration of what Senci called “unsophisticated” attacks by fraudsters was much larger and wider-ranging than its emerging counterparts. These were large-scale attacks in which written scripts tried millions of usernames and passwords to see which were genuine and usable for further fraud. The world of security adapted to these unsophisticated and highly automated mass fraud attempts as businesses learned to add a CAPTCHA or another bot challenge to stop the bots in their tracks.

But fraudsters are an intrepid group, who have proven very willing to adapt their tactics to counter the tools put in place to stop them, which has led to the spike of sophisticated attacks now appearing in the market.

“Rather than a large-scale attack, a more sophisticated attack is going to be a lower-scale attack that imitates real human behavior and interactions that make the action less obvious than scripted attacks that test millions of usernames and passwords at once,” he said.

While these next-gen fraud techniques that can imitate human behavior have improved, they’re far from unbeatable or undetectable, Senci said.

“If you look at each data point individually, everything looks normal, but when you combine them and contextualize them together, things start to look off,” he said.

The attackers don’t act like real consumers either. They tend to fill out data too quickly, in an uncommon order and with too much toggling back and forth to another page, he said. These behavior patterns can easily be associated with fraud if the system is properly programmed to look for them.
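The point about combining data points can be shown with a small scoring sketch. This is an added example, not code from the article or from NuData; the form layout, the scaling bounds and both alert thresholds are constructed assumptions chosen only to show three signals that each stay below a single-signal alert while their combination crosses a combined one.

```python
# Constructed illustration: form layout, scaling bounds and thresholds are assumptions.
EXPECTED_ORDER = ["email", "name", "address", "card", "cvv"]
PER_SIGNAL_ALERT = 0.8  # one signal alone must reach this to raise an alert
COMBINED_ALERT = 0.6    # mean of all signals must reach this to raise an alert

def speed_signal(events):
    """1.0 when fields are entered <=1 s apart, falling to 0.0 at >=5 s apart."""
    times = [t for t, kind, _ in events if kind == "field"]
    if len(times) < 2:
        return 0.0
    per_field = (times[-1] - times[0]) / (len(times) - 1)
    return min(1.0, max(0.0, (5.0 - per_field) / 4.0))

def order_signal(events):
    """Fraction of field pairs visited against the expected form order."""
    seq = [EXPECTED_ORDER.index(v) for _, kind, v in events
           if kind == "field" and v in EXPECTED_ORDER]
    pairs = [(a, b) for i, a in enumerate(seq) for b in seq[i + 1:]]
    return sum(a > b for a, b in pairs) / len(pairs) if pairs else 0.0

def toggle_signal(events):
    """Switches away from the page, saturating at 5."""
    return min(1.0, sum(kind == "blur" for _, kind, _ in events) / 5.0)

def assess(events):
    """Score each signal alone, then in combination."""
    signals = {"speed": speed_signal(events), "order": order_signal(events),
               "toggle": toggle_signal(events)}
    combined = sum(signals.values()) / len(signals)
    return {"signals": signals,
            "single_alert": any(v >= PER_SIGNAL_ALERT for v in signals.values()),
            "combined_alert": combined >= COMBINED_ALERT}

# Constructed sessions: (seconds since page load, event kind, field name or None).
HUMAN_DRIVEN = [(2.0, "field", "cvv"), (3.0, "blur", None), (4.0, "field", "card"),
                (5.0, "blur", None), (6.0, "field", "email"), (7.0, "blur", None),
                (8.0, "field", "name"), (10.0, "field", "address")]
GENUINE = [(3.0, "field", "email"), (9.0, "field", "name"), (15.0, "blur", None),
           (20.0, "field", "address"), (31.0, "field", "card"), (40.0, "field", "cvv")]

if __name__ == "__main__":
    for name, session in (("human-driven", HUMAN_DRIVEN), ("genuine", GENUINE)):
        print(name, assess(session))
```

In a real deployment the bounds would come from the site's own baseline of genuine sessions rather than fixed constants.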

The Battle Going Forward

Fraudsters are going to attack as long as it’s lucrative to keep doing so, said Senci. NuData saw this in the travel industry, which was shut down earlier this year. While the business was more or less shut down for most of 2020, the attack traffic didn’t go down accordingly.

“We actually saw in the travel and events space, 22 percent of their overall traffic was attack traffic,” he said. “Why is that so significantly high? Well, if you think about COVID and the amount of vouchers and credit that was distributed out from the events and travel space, that gave fraudsters the motive to go attack the industries that may have had lower volume, but still have a strong value stored in those accounts.”

The fraudsters will always go to where they perceive they can score value easily, he said. The criminals move on to easier prey if systems become too complicated and expensive for them.

“If I’m a fraudster, and I’m going to perform an attack on a company that takes me five hours, but I’m only getting $350 of value out of the retail account, I’m going to go find something else to attack,” he said.