As digital transformation accelerates at an unprecedented rate, strategic initiatives such as revenue collection, customer loyalty, and brand awareness are now primarily online.
And they’re increasingly being hijacked by hackers, leading to account takeover (ATO), fraud losses, and damaged brands. Any business that operates e-commerce applications or manages user accounts of value is a target.
The Attractive ROI of Online Fraud
Attackers decide where to spend their time and resources in the same way you might evaluate the cost versus value of an important purchase. If a target is dirt cheap to compromise and the value is astronomical, it’s an easy decision. If a target is highly valuable and highly guarded, an attack requires more investment, making the cost of successful compromise higher.
Today’s attackers have access to readily available tools, infrastructure, and compromised data, so it often costs pennies on the dollar to steal high-value data through automation. The more technology advances, the lower the costs fall, even for harder-to-obtain targets. So how do you demotivate attackers from targeting your site? Keep them guessing.
Learn new strategies for demotivating attackers in the eBook: Attacker Economics: Hacker Cost vs. Value
A famous bank robber, Willie Sutton, stole an estimated $2 million over his 40-year career on the run in the early 1900s. When asked why he robbed banks, he replied, “Because that’s where the money is.” If Willie Sutton were alive today, we can safely assume he wouldn’t be robbing banks anymore. He’d be defrauding applications.
The Fraud Business Is Bigger (and Smarter) Than Ever
Thanks to the low barriers to entry and easy access to resources, online fraud has become big business, and the process for mining personal identifiable information (PII) has reached industrial proportions. More than 30 billion records have been breached in the last seven years alone.
The status quo is unacceptable. Estimated online fraud losses are staggering, yet business leaders often reserve budget in anticipation of paying out chargebacks. Plus, security controls intended to thwart fraudsters can frustrate real customers, leading to abandoned transactions and lost revenue.
To protect critical assets from sophisticated cybercriminals and ensure the success of strategic business imperatives, organizations need to adapt as attackers evolve.
Aite Group Report—The Industrialization of Fraud: Fighting Fire with Fire
Where Attacks Originate: Automation
Today, most website visitors aren’t human. They’re bots.
While some bots are benign, like chatbots and search engines, most are bad bots used by malicious attackers to gain unauthorized access, take over customer accounts, and even commit fraud while eroding the customer experience. And they’re constantly retooling to mimic user behavior and bypass common countermeasures like CAPTCHA. Here are some of the most relevant automated attack trends, and how you can fight back against them.
Ninety percent or more of an enterprise's online and mobile traffic can be from cybercriminals performing automated attacks with the intent to steal customer data and commit fraud.
These attacks, known as credential stuffing, can lead to account takeover and serious fraud losses, while also negatively impacting application performance and skewing analytics. And if that wasn’t enough, attackers also aim to jeopardize your customers’ trust by siphoning money and points from loyalty programs.
These attack efforts stack up to big losses for online business. E-commerce, airline ticketing, money-transfer, and banking industries will cumulatively lose over $200 billion to online payment fraud between 2020 and 2024.
From the attacker’s perspective, credential stuffing is an attractive investment. The cost per attempt is less than $0.002 with returns ranging from 100% to over 150,000%. And it’s unlikely that password management will mitigate these threats. A recent password security report from LastPass shows that employees reuse a password an average of 13 times. Even when consumers are notified that their accounts have been breached, only about a third change their passwords.
Over 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials.
2021 Credential Stuffing Report
Shape solutions, part of F5, have a multi-leveled approach to defeat credential stuffing – protecting over 4 billion transactions per week.
For every connection to a site or application, Shape creates and assigns a Device ID – a unique identifier to each device visiting your site created in real-time utilizing advanced signal collection and machine learning algorithms. Utilizing this unique identifier as well as other signals, Shape solutions can identify and stop attempts to use compromised credentials in real-time, blocking bots that emulate human behavior and fraudsters who manually hack applications to bypass anti-automation defenses.
Shape Enterprise Defense: Solution Overview
Shape, part of F5, protects over 4 billion transactions per week from sophisticated attacks on behalf of the world’s largest companies.
CAPTCHA and Other Cybersecurity Myths That Are Hurting Your Business
Are your sites using CAPTCHA to mitigate automated attacks? If so, it’s probably not working, and it could be causing unintended consequences such as customer abandonment due to excessive friction. And with an increase in third-party CAPTCHA solving services, both automated and human powered, it has become increasingly simple to bypass CAPTCHA. Your web and mobile applications need better protection.
The last thing you want to do is base real business decisions and security outcomes on a myth, even if it does sound convincing.
Cybersecurity Myths That Are Harming Your Business
Retailer Fixes Fraud Without Increasing Friction
Known for their luxury product offering and friction-free online experience, a North American retail chain prided themselves on providing a great customer experience. But the company was ravaged by automated attackers taking advantage of their streamlined system.
After trying and failing to combat attackers with traditional countermeasures (CAPTCHA, blocking IP addresses, etc.), the retailer turned to Shape solutions. After three weeks of observation, they went live with mitigation, and the results were immediate.
From day one, when Shape went into blocking mode, we saw a nearly 100% drop in fraud from automation.
While customers are loyal, fraudsters are not; once we stopped them, they went away.
An Adaptive Security Approach
In the following 30-day period, the retailer saved over $500,000 in fraud that would have been lost due to account takeover and gift card cracking. The attackers attempted to retool around Shape’s defenses, but because Shape tracks hundreds of network, device, and environment signals, the attackers were easily found and blocked again.
With automated attackers repelled by Shape, the origin servers saw only the human visitors—a mere 1% of the previous load. By reducing 99% of traffic, Shape lifted “a huge burden off our infrastructure, which had a direct positive impact on revenue.”
Retailer Solves Shoe-Bot Spikes, Fixes Fraud, Friction and Fake
This retailer was successful not only because of the initial mitigation measures, but because of the solution’s ability to adapt to changing attacker tactics. Bad actors will find a way around static security countermeasures if the target is sufficiently attractive. In fact, attackers now leverage trained artificial intelligence (AI) models to bypass security. Organizations, especially those that guard highly sensitive customer information, need to continue to hold business and technology partners accountable for ensuring the security and integrity of the application even after launch.
Fake Reservation Story: The Power of Signals & Sharing Data to Stop Application Attack
As defenses improved to block questionable behavior, attackers responded by creating tools to exploit and imitate individual users with all their nuances.
Future Outlook: Preparing for Adaptive Attackers
Staying ahead of shifting attack strategies will continue to be an ongoing battle.
As fraud mitigation evolves to block increasingly sophisticated automation and minimize the ROI for bot-based fraud, attackers won’t give up. They’ll pivot to methods that are harder to identify, such as emulating human behavior, commissioning human click farms, and manually hacking applications. While automation is the main focus today, organizations should prepare themselves to fight against a hybrid of automated and human-driven fraud.
The cyber threats facing businesses today will only continue to grow. Globally, fraud loss is increasing annually in double digits. As digitization continues and more customers are seeking services online, the risk surface will expand and become even more porous. Your business can prepare for the future threat landscape by considering a cross-functional approach to security that considers top-line potential, bottom-line pressure, and customer experience together.
The New Business Imperative
Breaking the Cycle of Online Fraud
Considering Your Fraud Mitigation Investment
Is it enough to just spend more on tools to detect online fraud? Short answer: no. Enterprises find that despite spending billions annually on tools to detect online fraud, direct fraud losses continue to climb. Juniper Research projects that online fraud losses in aggregate will exceed $48 billion per year by 2023.
Current fraud tools require extensive configuration, generate ambiguous risk scores, and require fraud teams to develop their own rules, potentially applying a lot of friction to legitimate users and ultimately hurting revenue. For lasting protection against an increasingly dynamic attack surface, businesses need to invest in security solutions that continuously adapt to attackers without introducing friction for real customers.
Stopping automated attack traffic does more than prevent fraud; it reduces overall business costs.
Successful Online Fraud Prevention in Action
Many companies have successfully deployed online fraud prevention solutions to ensure strategic business outcomes. Read their stories below and consider how strengthening your fraud prevention efforts could have a dramatic impact on your organization.
Global Dating Platform Defeats Account Takeovers
Stopping automated attack traffic does more than prevent fraud; it reduces overall business costs. See how Shape helped a global dating platform’s IT team eliminate distracting traffic and decrease site latency from 250ms to 100ms.
International Airline Fights Fare Scrapers
Traditional website defenses fall short against adaptive automated adversaries. Learn how Shape helped an international airline deflect sophisticated bots attempting to steal proprietary flight information.
Could your WAF use a boost?
Shape specializes in reducing fraud, however F5 Device ID+, the foundational component of our anti-bot and anti-fraud solutions can be used to enhance your other security tools. Integrating our real-time device identifier into your web application firewall (WAF) or your corporate application access solution can detect and block known bad devices – saving your applications from a potential breach.
The best part? We offer this free of charge.
Start Your Free Trial
Stay Ahead of Online Fraud in a Multi-Cloud World
F5 solutions protect e-commerce and digital initiatives such as customer loyalty and brand awareness by defeating attacks that compromise customer experiences and damage brand reputation—all without frustrating legitimate users.
Defend your e-commerce business against today’s dynamic attacks with comprehensive, multi-cloud application security and anti-fraud capabilities that protect your most critical assets from the most sophisticated cybercriminals.
WATCH A DEMO
In this five-minute demo, learn how F5 Shape Enterprise Defense leverages AI and machine learning to protect organizations from sophisticated attacks like account takeover.
We received your request. We'll be reaching out shortly.
Connect With Us
SPEAK WITH F5'S SECURITY EXPERTS
Got a security question, issue, or something else you'd like to discuss? We'd love to hear from you!
We'll make sure to contact you by email within one business day.