In part two of this multi-part series on fake account creation bots, we look at why automation is used to create fake accounts and how they impact businesses.
What is a Fake Account Creation Bot?
A fake account creation bot is an automated computer program designed to create large numbers of fake accounts inside online systems, typically at great speed and scale.
Why is Automation Used?
As discussed in Part One of this series, there are a large number of reasons why someone might want to create fake accounts. Malicious actors usually need to create very large numbers of fake accounts to achieve their ends, and so most malicious actors will use automation. Most benign fake accounts are created manually.
The manual creation of large numbers of accounts is difficult and time-consuming. Automation is used to speed up and simplify the process of creating large numbers of fake accounts.
Malicious actors want to monetize their activities with fake accounts and minimize their labor to do so, but significant coordination and management of the accounts is necessary. Automation makes this easier, allowing malicious actors to log into many accounts at the same time, as well as coordinating the actions of these accounts. For example, they may wish to buy up limited availability items from a retailer over a short period of time, amplify fake news or disinformation on social media, or vote for a particular choice in an online poll.
Additionally, mass liking or reviewing of products and services, spamming, and coordinated denial-of-service attacks require coordinated action from many accounts to be effective. Automation provides a means to accomplish this aim.
Since automation needs to be developed to manage and coordinate the accounts anyway, it may as well be used to create them too. Since the development effort is the same, automation will be used wherever needed: for account creation, for account coordination and management, and even for keeping track of which accounts have been detected or suspended.
Security and fraud teams will be attempting to identify and suspend fake accounts, and frequently their actions are effective in doing so. Automation allows attackers to create a surplus of accounts to achieve their ends – even if some are taken down, they will still have enough to accomplish their goal.
Automation also allows attackers to attempt to avoid detection. By generating random names and details, and by using a diversity of infrastructure to create and manage accounts, attackers make it harder for security teams to identify fake accounts.
Finally, automation allows attackers to keep track of the large number of usernames, passwords, and profile details, such as names, dates of birth, locations, and other identifying information. This both allows the attackers to produce fake accounts that look more “real” and prevents easy detection. A smart security team might, for example, look for accounts that use the same password as a known fake account, and subject these accounts to greater inspection.
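One way a security team could apply the shared-password check mentioned above when passwords are stored as salted hashes, shown as an added example that is not from the original article. The function names, the PBKDF2 work factor, and the sample records are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the site's real scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(username: str, password: str) -> dict:
    """Build a stored credential record with a fresh per-account salt."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def shares_password_with_known_fake(password: str, known_fakes: list) -> list:
    """Return usernames of confirmed-fake accounts whose password matches.

    Per-account salts make stored hashes incomparable to each other, so the
    check runs while the plaintext is in memory (registration or login) and
    re-hashes the candidate with each known-fake account's own salt.
    """
    matches = []
    for rec in known_fakes:
        candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            matches.append(rec["user"])
    return matches


def review_signup(username: str, password: str, known_fakes: list) -> dict:
    """Flag a signup for greater inspection; a match is a signal, not a verdict."""
    matches = shares_password_with_known_fake(password, known_fakes)
    return {"user": username, "needs_review": bool(matches), "matched": matches}


# Constructed sample data: two accounts already confirmed as fake.
KNOWN_FAKES = [
    make_record("bot_0001", "Spring2024!x9"),
    make_record("bot_0002", "qT7#unrelated"),
]

if __name__ == "__main__":
    print(review_signup("new_user_a", "Spring2024!x9", KNOWN_FAKES))
    print(review_signup("new_user_b", "correct horse battery", KNOWN_FAKES))
```

The check costs one password hash per known-fake record, so it is best run against a bounded set of recently confirmed fakes rather than the full account table.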
Why Should Businesses Care?
Fake accounts can be used against the enterprise hosting the accounts or against their customers. Many times, the financial loss or damage caused by these fake accounts is not clear to security and fraud teams.
Fake accounts cause the business a direct financial loss. Financial loss can come in various forms including but not limited to:
- Theft of goods, gift cards, points, discounts and other monetary assets from the business or its customers. Businesses typically are on the hook to provide restitution to customers suffering loss on their apps.
- Chargebacks for goods purchased by fake account bots using stolen credit cards.
- Bonuses, discounts, and other incentives paid out to fake account bots.
Loss of Revenue/Market Share
The actions of fake account bots may cause current customers to take their business elsewhere, moving to a company unencumbered by fake account issues. Potential customers may also opt not to use the company’s services if they find or have been told of issues with fake accounts by peers or news stories.
Increase in Operating Costs
Fake accounts can impose higher operating costs for businesses. These costs include verification of accounts, security personnel and technologies to mitigate fake accounts and bots, the cost of investigating customer complaints, and higher than necessary infrastructure and data fees. Costs will also be incurred to issue refunds, or to cover other costs, for users that fall victim to bot activity.
Fake accounts cause financial loss, breach of PII, account takeover, fraud, and frustration. These issues end up in the news, on social media, and in rumors, resulting in a negative perception of the business. A negative reputation will cause customers to be wary about patronizing the business and trusting the company with their data.
Bad User Experiences
Fake account bots can cause a negative experience for a business’ users through a number of methods, including:
- Fraud – Fake account bots can be used to defraud users, such as in online gambling.
- Denial of Product – Reseller bots using fake accounts can win lotteries and get access to limited inventory and high demand items like sneakers, preventing legitimate customers from buying the product.
- Denial of Service – Coordinated activity of large numbers of fake accounts can cause latency issues on the application and ultimately cause a service outage.
- Value Distortion – Fake reviews, fake followers and likes, all cause a distortion of value. Users will spend their time, attention and money on products or content that appears to be high quality and popular, only to find out that they were fooled by fake account bots.
- Friction – Activity of fake account bots can result in businesses imposing strict controls on all users including the requirement to prove one’s identity, sometimes repeatedly.
- Incentive Manipulation – Fake account bots that can game incentives offered by businesses can cause businesses to change these programs or even to discontinue these programs entirely, making it harder for legitimate customers to earn status, points, and discounts.
Low Customer Engagement and Time on App
Fake accounts can lead to bad experiences for users, causing them to spend less time using the company’s services, leading to less engagement and reduced spending. For social media and other companies that rely on advertising revenue, less user engagement and time spent leads to direct loss of revenue.
Fake accounts can be used as landing zones for more complex attacks resulting in a potential data breach. In the event of a data breach there are many requirements imposed on businesses to report the breach, notify customers, investigate the source and extent of the breach, and remediate it. These requirements differ by industry and geographic jurisdiction but all result in lots of time and effort being dedicated to addressing the breach. Data breaches also lead to reputational damage and potential loss of revenue and market share.
The activities of fake account bots can bring about regulatory scrutiny for a business. This scrutiny is distracting for leadership as their attention is diverted from important business issues to dealing with the regulatory inquiry. Costs are associated with investigations and businesses can potentially be fined financially or sanctioned in a variety of ways.
Customers, advertisers, and other stakeholders negatively impacted by the activity of fake account bots on a business’ applications may sue the business. These legal issues can result in financial settlements, reputational damage and other undesirable results.
Business Process Disruption
Fake account bots can force businesses to change their business processes to address the effects of fake accounts, incurring costs in time and money, and making the company less able to respond to changing business needs.
Distortion of Business Metrics
Fake accounts negatively impact key business metrics relied upon to make decisions. Metrics around conversions, click rates, cart abandonment, and retargeting are all negatively impacted by the activity of fake account bots. Businesses might incorrectly identify a drop off in business or poor performance of products, marketing campaigns, and teams due to distorted metrics caused by fake account activity. This leads to incorrect and potentially harmful business decisions being made, negatively impacting the business.
Fake accounts can lead to a sub-par experience and business performance which results in a competitive disadvantage. Competitors with better means of handling bots and fake accounts provide a better customer experience and can entice valuable customers away from their less able competition.
Fake Account Scheme Cheat Sheet
Since there are so many different use cases and fraud schemes associated with fake accounts, Table 1 below contains a cheat sheet summarizing the main negative consequences businesses will likely suffer due to the activity of different kinds of fake account creation bots.
|Fake Account Use Case||Negative Consequences|
|Advance Other Fraud Schemes||
|Credential Stuffing / Account Takeover||
|System Vulnerability Exploitation||
|Social Media Monetization||
|Fake Reviews / Ratings||
|Online Polls and Surveys||
|Customer Support Spamming||
|Birthday Incentive Manipulation||
|Online Gambling Cheating||
|Reservations for Sale||
|Raffle / Lottery Rigging||
|Burner / “FInsta” Accounts||
|Parents Monitoring Kids with Fake Profiles||
Why Some Companies Do Not Care
Despite the negative consequences that fake accounts can have on a business and its customers, not all businesses are willing to prevent fake account creation or detect fake account activity. There are several reasons why some companies are incentivized to turn a blind eye to fake accounts.
For many businesses including startups, their value is determined by metrics such as the number of app downloads, the number of registered users, user engagement, and daily or monthly active users. Since fake accounts and the bots that manage them contribute positively towards these metrics, some companies turn a blind eye to them. The more fake accounts and bots they have on their platform, the more impressive the metrics look leading to a higher valuation. This issue was at the core of Elon Musk’s acquisition of Twitter where he wanted a reduction in price as he alleged that most of Twitter’s users were bots.
Monetization of Fake Accounts
For advertising-driven businesses, impressions and clicks are critical metrics. The more ads are shown and the more users click on those ads, the more money these businesses make. Since bots running fake accounts are typically very active online, these accounts tend to “see” many ads and might even be programmed to click on those ads. Bots are thus contributing significantly to the revenue of the business.
Another example where a business monetizes fake accounts is intermediaries, i.e., financial aggregators. Many financial aggregators charge a transaction fee for their services. If an aggregator charges businesses on their platform a transaction fee for a service rendered, such as credit card validation, they will make money when attackers use bots to create large numbers of fake accounts and use them to test stolen credit cards. The aggregator is not incentivized to stop these fake account bots because they are generating transactions that the aggregator will charge their customers for performing.
Business from Fake Accounts
Not only can fake accounts contribute indirectly to the revenue of the business, they can also directly purchase goods and services. This is an issue when reseller bots are used to buy up limited inventory items like sneakers, gaming consoles, and concert tickets. Businesses may turn a blind eye to these bots and their fake accounts as they are buying goods and services from the business and contributing directly to revenue.
Malicious fake accounts tend to be created using automation by fake account creation bots. This is because most malicious purposes require the creation and management of large cohorts of fake user accounts. Using automation reduces the time and complexity involved in creating, managing, and coordinating these fake accounts. Fake accounts have many negative consequences for businesses. Their costs, profits, reputation, and customer experience may all suffer. It should therefore be a priority for businesses to mitigate fake accounts and the bots that create and manage them. However, there are some businesses that may turn a blind eye to fake account bots as the activity of these bots inflates the value of their products or contributes directly or indirectly to the revenue and profits of the business.