Image: BeeBright, Getty Images/iStockphoto

A report from online account security and fraud prevention company Arkose Labs found that there was a massive spike in online fraud in 2021, to the tune of an 85% year-over-year increase that found nearly all industries suffering a deluge of account fraud and cyberattacks.

Digital transformation, remote work and the metaverse are hot buzzwords that Arkose Labs Founder and CEO Kevin Gosschalk said are making online attack surfaces exponentially larger and exponentially more inviting as targets for savvy cybercriminals.

“In this new world, businesses and all digital platforms need to upgrade and advance their fraud and security defense tactics in 2022. What worked in the past is no longer viable, and they will need to adapt to ever-evolving attacks that target many touchpoints,” Gosschalk said.

SEE: Quick glossary: Metaverse (TechRepublic Premium)

There are some alarming statistics right off the bat in Arkose Labs’ report. By its reckoning, 21% of all online traffic was fraud or cyberattack related, one in four new account registrations were fake, 80% of all login attacks were credential stuffing attempts and the travel industry was hit particularly hard, with a 12.5 time increase in attacks as people return to traveling.

Arkose Labs breaks the bulk of the report up into six key attack trends in 2021, and warns that businesses need to plan not only for these, but the unknown attacks of tomorrow as well.

Account security becomes more of a problem

Most everyone understands the importance of account security nowadays, even if they don’t practice what they preach about multifactor authentication, password hygiene and good security habits. What most may not realize is the severity of the account security troubles facing us.

According to the report, one in five logins in 2021 was an account takeover attempt, registration attacks rose 2.5 times in 2021 and there was an 85% increase in attacks against login and signup pages.

Fraud follows the people

“There’s a direct relationship between fraud and consumer behavior,” the report said. This is evidenced by a 3 time drop in gaming account attacks in 2021 after businesses put more protections in place, and a possible move for many of those fraudsters toward attacking travel websites as people begin to travel in the wake of the COVID-19 pandemic.

In fact, a whopping 45% of all traffic on travel websites consisted of scraping attacks harvesting customer data for use in further fraud attacks.

Attacks are more volatile than before

Attacks have become more dangerous as cybercriminals gain access to an ever-increasing array of tools, the report said. This allows attackers to hit their targets harder, as evidenced by a 3 times increase over the normal attack rate during the holiday season, and the fact that one in five social media accounts were malicious, giving criminals a much broader reach.

In addition, volatility means that typical patterns and signs of attacks that security teams (and software) look for are increasingly unreliable. “This is especially true for credential stuffing attacks, which can cause extreme spikes in volatility – some of the most intense attacks detected measured upwards of 76 million credential stuffing attempts per week,” the report said.

Bots keep getting smarter

Eighty-six percent of all attacks in 2021 were automated, the report said. Those bots are getting much smarter, too: Arkose Labs said that it needed to analyze three times the data to detect modern bots than it used to need, and it expects that to only grow in difficulty.

The metaverse becomes a hot fraud target

Arkose Labs said that “master fraudsters,” which it defines as those with the capabilities to build persistent attacks, invest capital and use fraud farms, are far more likely to target metaverse companies. Those master fraudsters, it said, tend to use microtransaction fraud, disruption of fair commerce scams and spam to accomplish their goals.

SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)

Metaverse companies are also hot targets: In 2021 they faced 80% more bot attacks and 40% more human attacks than other businesses. “With highly persistent attackers and high stakes, companies investing in the metaverse must put a premium value on trust & safety at login, registration, and in-platform actions to protect digital identities in their virtual worlds,” the report said.

Asia takes the lead from Russia as the #1 attacker

Prior years saw Russia as the most common place for attacks to originate, but 2021 signaled a shift, the report said — now Asia is the top region for online fraud origination. While it’s true that Russia is largely located in Asia, Arkose Labs has a particular country in mind: China, it said, is the country where most fraud attacks are now originating.

Preventing fraud in 2022

Arkose Labs makes four recommendations for companies looking to fight online fraud in 2022:

    • Employ advanced bot detection software powered by machine learning software that is able to detect subtle signs of bots that are better than ever at impersonating humans.
    • Implement multi-layer user behavior analytics that can catch suspicious behavior in what the report calls “a large gray area of traffic that is neither obviously good or bad.”
    • Move away from login challenge strategies like CAPTCHA, which are increasingly able to be solved by off-the-shelf bot programs.
    • Turn attack data into actionable insights, ideally using software that takes a lot of the work away from security and IT teams and automates them into easy-to-digest reports or a dashboard of data.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday