It’s no longer a matter of if your business data has been breached; it’s a matter of how much has been stolen and who has it.
The dark web — a part of the internet only accessible through special software and authorization mechanisms that enable users to browse anonymously — is, in essence, a data supermarket. Fraudsters breach online consumer accounts, then sell stolen data to other bad actors who use that information for illegal activity. Hopefully, this is not news to you, but not many realize that the losses from fraud travel far beyond the fraud itself, severely impacting your bottom line in unexpected ways you may have labeled as an “operations problem.” We are going to break those down here.
But first, how is data stolen and how do fraudsters use it?
For fraudsters, criminal activity is their full-time job — and they’re pretty good at it. A fraudster needs only minutes from the point they purchase stolen data to when they use it. In 2020, 36 billion online user records were exposed, with the average price of customer credentials selling for $5 to $25 on the dark web.
Bad actors then leverage that purchased data to execute customer account takeovers through credential stuffing — using stolen user login credentials in an attempt to access millions of websites such as banking, eCommerce, travel, and entertainment accounts. And given that 70% of consumers use the same password for all of their online accounts, fraudsters often succeed in logging in with the same credentials on various sites. Many incidents rely on automated methods like botnets, replay attacks, wireless keyboard and mouse hacking, and velocity variations (i.e., executing attacks at different frequency rates to avoid detection).
Because of their patterns, automated attack methods are usually easier to pin down. However, once those methods are blocked, many fraudsters turn to human-driven attacks. Bad actors execute these methods manually, repetitively copying and pasting customer information to create new accounts or solving CAPTCHA challenges that bots redirect to a human worker.
The not-so-obvious cost
This is where many fraud losses hide:
Authorization rates: Also known as bank acceptance rates, these are the rates at which banks approve customer purchases from your business. When customer accounts at your business are compromised, banks are notified of the fraud and either automatically or manually lower your acceptance rate. This change can affect every single purchase from other customers with safe accounts and restrict sales opportunities until you clear the issue up with the bank or credit merchant — an arduous process.
Misleading conversion rates: Fake noise created by bad actors through new account fraud, such as free trial downloads, fake reviews, inventory hoarding, and fraudulent purchases, can skew the perceived success of a product or program in your business. As a result, you could make important decisions to continue or end a product or program without completely understanding the validity of its performance. For example, a sign-up promotion you think was a failure because the conversion rate was 1% could actually be a success because 90% of the traffic was bot traffic.
Cost of finance: When a customer’s account with your business is hacked, there’s a good chance they’ll be less willing to trust your business with a credit card. Consequently, the customer may instead use other purchase means like gift cards or prepaid purchase cards when shopping with your company. These payment forms typically cost your business more in transaction fees than a regular credit or debit card. For example, even if 1% of a high-revenue business’ customer base were to switch payment methods, this change could potentially add up to millions of dollars in extra costs per year.
Technology impact: Technology may make business more efficient, but it comes at a cost. And that cost can be inflated by bad actors. According to our own data, for every legitimate login, there are 3 to 5 fraudulent ones. Any traffic, such as login attempts, is a transaction that takes up server bandwidth and power. So each illegitimate account that engages with your business also equates to more server space, licensing costs, hosting costs, and labor — all adding up to more money spent.
These potential ramifications are why it’s imperative to defend your business and customers against bad actors. Ensuring proper protection comes down to your company’s defensive strategy.
Break the cycle from dark web to bottom line
To stop fraudsters in their tracks, you need to make attacks more expensive for them. Just like your business, fraudsters also care about their bottom lines and the ROI of their actions. The tougher you can make it for bad actors to attack, the more likely they are to give up. There are two critical steps to breaking fraudsters’ attack lifecycles:
1. Find the hidden impact
While breaches like account takeovers and new account fraud are typically easier to spot, you must find the underlying damage fraudsters are doing to your business. Bringing these costs to light also helps other decision-makers in your company better understand the true severity of fraud, ensuring buy-in for necessary security tools.
If your security measures need to be improved, it could be beneficial to analyze your network for abnormalities. Are there free trials your company is running that are overperforming compared to past initiatives? Is there a user leaving hundreds of negative reviews that look suspicious? Are chargebacks surging? It’s critical to work with all departments involved in your company to solve these potential issues. For instance, talk to your customer service team to see if they’ve encountered any questionable behavior or customer requests. Or consult your marketing department to identify any strange patterns in free trial or conversion platforms.
By identifying the potential holes in your network’s infrastructure, you can decide where to investigate potential bad actors. And when you know the hidden costs behind the fraud, you can better understand where the true damage is occurring and adjust security accordingly.
2. Use a multi-layered security approach
Ideally, for each layer a fraudster tries to compromise, your security should have an answer.
For example, you can block simpler attack methods with an advanced firewall, which fraudsters may then counter with more sophisticated botnet and replay attacks. So, you’ll also need a bot mitigation solution and multi-factor authentication to counter those attack methods. Tools such as automation detection, account validity checks, and transaction verifications can help stop fraud attempts in deeper security layers. Overall, your security approach should disrupt fraud lifecycles and increase friction to make the “cost to hack” too high for a bad actor.
Given the constant evolution of fraudsters’ attack methods, your security approach should exist on a continuum and change with the trends. Protection is not a one-time purchase — it’s a constantly evolving puzzle. But by staying vigilant and on top of your security strategy, you can pivot before fraudsters inflict irreversible damage.
Establish value with proactive protection
When times are good and your business isn’t seemingly experiencing attacks (extremely rare, I know), it can be difficult to get universal buy-in on necessary security tools from fellow leaders. But just because you haven’t detected weaknesses or attack patterns doesn’t mean bad actors aren’t at work behind the scenes. When you demonstrate the impact of unseen problems like illegitimate product performance and technology costs from new account fraud, you build the case for why it’s critical to address problems before they arise. In the end, your bottom line may depend on it.
To learn more about this topic, listen to our podcast.