Signifyd reveals how to beating the bots at their own game

AI is paving the way for massive growth in the retail sector, but it’s also a powerful tool for fraudsters. Gayathri Somanath, Signifyd’s vice president of product explains how to beat the bots

Somanath: bot attacks on e-commerce enterprises are on the rise

Every industry has embraced automation and artificial intelligence. Deploying smart machines allows businesses to become more accurate, more efficient and more profitable.

But while that’s all very well for the good guys, online fraud rings and retail scalping outfits are increasingly turning to AI for the same reasons. They embrace innovation and new ways of expanding their portfolios, and their profits. 

Bot attacks on e-commerce enterprises are on the rise, and must be taken seriously. As much as 70% of traffic to e-commerce checkout pages is generated by malicious bots, according to Javelin Strategy & Research. And we have seen a substantial increase in bot attacks in the last year on Signifyd’s Commerce Protection Platform.

Two of the main ways these operators take advantage of consumers and defraud retailers are:

1. Rapid-fire fraud

Rapid-fire fraud targets the entire online payment journey that a legitimate customer would typically make — from account creation and credit card authorisation, to final credit card verification at checkout.

The seeds of rapid-fire fraud are planted on the Dark Web where fraud rings can buy thousands of stolen usernames and passwords, among other personal identifiers. The fraudsters use these credentials to launch a variety of online attacks – creating many fake accounts or user profiles at once, launching credential stuffing attacks to take over accounts in bulk, conducting card testing and a fusillade of fraud.

The number of such attacks is increasing dramatically – Signifyd has tracked a 146% increase in rapid-fire attacks in the past year, and the lightning-fast speed of the attacks makes them potentially devastating. 

2. Scalping

While scalping and rapid-fire fraud have similar intent and use similar technology there are key differences. Scalping is not expressly illegal, whereas rapid-fire fraud is, by definition, a crime.

Scalping is more formally known as unauthorised reselling. Many thousands of buyers have recently experienced this, being unable to buy a PlayStation 5 for Christmas. Scalping rings in the United States and UK scooped up thousands of Sony PS-5’s on the day they were released. Then they posted photos of their caches on social media and marketplace sites, where the consoles were selling for up to 10 times their RRP.

The practice lives in a grey area. It’s not illegal, though there is a movement in the UK to outlaw it. But it does violate some retailers’ policies, and it is certainly detrimental to business.

While the sale might have been made, the retailer’s reputation will have suffered. Shoppers are upset with the retailer they turned to and perhaps resorted to paying twice the price (or more) on a marketplace. The retailer is seen as unable to control its inventory and helping to create a black market for a sought-after product.

And it’s not a good look for the brand either. In this case Sony has been tarnished because its product is being sold for a ridiculously high price. Both Sony and the retailer have lost control of the customer experience and the opportunity to build a relationship with the buyer.

Beating the bots

Traditional fraud detection methods will likely fail when it comes to detecting scalping schemes. Identity based signals— like phone, user account name and email address — will indicate that a cardholder is making the purchase as bots have set up accounts designed to do this. 

Detection tools need to look at a different set of attributes. An anti-scalping solution should focus on device activity, especially high activity coming from the same device, behavioural trends or patterns that indicate non-human activity like click and typing speeds and high velocity purchases across a high sample size.

These anomalies must be detected at lightning speed in order to foil the scalpers. The only way to confidently spot the worrisome patterns is to look across a broad network of merchants. Fraudsters typically launch these attacks across multiple sites simultaneously in order to snatch as many of the highly coveted products as possible.

All that calls for machine learning and a powerful data platform that can, for example, aggregate the accounts created from a single device across thousands of merchants in the last 30 seconds. Ideally, brands and retailers will want to combine a robust fraud solution that can differentiate legitimate from fraudulent transactions across the buying journey with a flexible tool that can understand and monitor complex business policies.

With the proper flexibility, a retailer can dictate under what circumstances extra steps should be taken to confirm that a human is doing the buying. And depending on the situation, the retailer can prescribe what extra steps are required — a captcha or call to customer service, for instance. That sort of technology can ensure that an army of bots is not about to clean out the one product that everybody wants.

The good news is that the technology to help with scalping and rapid-fire fraud is available — and effective. While the scalpers and fraudsters are no doubt plotting more work-arounds as you read this, rest assured that they are not the only ones hard at work on the next new thing.