Bots are a tenacious threat to businesses large and small. Even as fraud prevention teams are developing new solutions, criminals are continually advancing their bots and leveraging artificial intelligence to scale their attacks.
A recent study from NeuroID, a part of Experian, which evaluated 55 financial services providers over a seven-week period, found that 71% of these companies experienced bot attacks in that timeframe. And for those attacked, 43% were hit by next-generation fraud bots almost exclusively.
Next-generation fraud bots, also called fourth-gen bots, are more prevalent and sophisticated than fraud teams have ever seen. They are capable of bypassing fraud prevention tools that were effective against earlier bot generations. And they’re poised to become even more sophisticated.
Fourth-Generation Bots: More Human Than Ever
Early generations of bots are now easily identified by behavioral analytics due to their inhuman speed and consistency. Second- and third-generation bots evolved with more sophisticated automation than their first-generation predecessors, including headless browsers and malware that bypassed device and browser characteristic checks. But still, they lacked the “humanity” to fool behavior based detection, which is trained to look for hundreds of layers of subtle “tells” to indicate if a user is human or bot; risky or trustworthy.
While earlier iterations lacked the subtle behavioral traits of human users, fourth-generation bots have been purpose-built to mimic human actions almost perfectly. These new bots rotate through thousands of IP addresses, alter user agent strings, and utilize mobile emulators, giving them new avenues for attack.
Next-generation bots can even hijack consumer behaviors by recording users’ swipe and mouse patterns, hover times, and other behavioral cues, integrating these elements into their operations.
These capabilities have made bots more dangerous than ever. For instance, a major bank in NeuroID’s study identified a fraud attack due to a spike in daily application volume. The institution received several thousand high-risk applications in a week, and the bank struggled to understand how cybercriminals made the applications appear so convincing.
Upon investigation, the attack was led by highly sophisticated next-generation bots that most tools would not have been able to identify. Further analysis uncovered an additional 20,000 fourth-generation bots that sent almost 25,000 fraudulent applications in four weeks.
Lower Barriers to Entry
Not only are new bot generations harder to detect, but generative AI has also lowered the barriers to entry for criminals, making it faster and easier to create and deploy bots.
Two years ago, cybercriminals would need an advanced education in JavaScript or Python to create a fraud bot. With AI, platforms like FraudGPT can create a bot in seconds, meaning anyone can efficiently conduct fraud at scale. Criminals have used AI-derived bots for everything from account opening and credential stuffing fraud to phishing and malware attacks.
The rapid evolution of bots has made many traditional fraud protections ineffective. Prevention tools must catch all generations at all times, which requires software that can continuously sift through massive amounts of data.
Historically, bot detection has relied on tools like IP blocklisting, user agent analysis, and simple behavioral heuristics. These methods were effective against the first generations of bots that utilized predictable patterns, but they are not anymore.
While bots are determined to beat behavioral analytics, it is still winning, for now: best-in-class behavioral analytics is built on nuanced user behavior patterns that bots can’t fully replicate yet.
For example, mouse movement is much more human-esque in fourth-generation bots, but there are still subtle behaviors which give bots away. NeuroID data scientists have scrutinized the details of thousands of bot interactions and compiled an extensive body of data. They have used that knowledge to compare bot behavior against genuine user data, and developed algorithms that identify the small distinctions in mouse trajectories.
From that research, they have also been able to extrapolate methods to address autofillers, transition times, and other behavioral secrets that bots have defeated. Fraud experts have iterated new prevention tools based on those past bot interactions, which they have used to craft tools that can detect and defeat bots.
Every Business Is a Target
Fintechs and payments processors, especially those that have simple onboarding processes, are often considered the most likely targets for cybercriminals. They typically are easier for fraudsters to penetrate due to their focus on smooth onboarding sometimes introducing new fraud vulnerabilities. However, bot activity has risen at banks, credit unions, lenders, and others—sending a clear message that every business is a target.
This is partly due to the fact that cybercriminals have a wider array of tools at their disposal as well. With genAI creating new bot capabilities, the investment from fraudsters is less for a potentially bigger payoff from a large target. If cybercriminals identify an organization that doesn’t have updated fraud prevention measures, they will concentrate all their efforts on it using any methods available to them.
First- and third-generation bots are still heavily used in fraud attacks, and the fourth generation won’t be displaced even though the fifth generation is on the way. Bot generations build upon each other, which means any effective solution will need to evolve likewise.
A Multidimensional Approach
Cybercriminals will never stop innovating, and advanced fraud bots will be a challenge for companies for years to come. Even as fraud prevention teams find ways to thwart fourth-generation bots, the fifth generation is on the horizon.
Bots aren’t just an issue for high-profile companies—they are increasingly being deployed against any organization that doesn’t have modernized fraud prevention measures. In addition, criminals constantly add layers of complexity to their attacks, as evidenced by the emerging trend of hybrid human/bot fraud attacks.
Because of the continual and formidable threat of bots, organizations must take a multidimensional approach that incorporates behavioral analytics and device and/or network intelligence to detect bots effectively.
For that reason, many organizations have turned to bot-detection specialists like NeuroID for help. Because bots pose an increasingly daunting threat to organizations, it’s essential to have a partner that can provide the tools to defeat both the bots of today and the iterations to come.
