Why Bots Are The Next Big Thing In Account Takeover Fraud And How E-Commerce Can Fight Them Now

Account takeover fraud may sound like a familiar term in cybersecurity, yet its prevention methods in the e-commerce domain are still nuanced.

Retailers have historically been concerned with payment fraud related to chargebacks. This happens when a customer makes a purchase online with a credit card and then requests a refund from the issuing bank despite receiving the ordered goods or services. Better known as friendly fraud, this type of fraud makes it difficult for retailers to distinguish between trustworthy customers and fraudsters. Due to low-security infrastructures on e-commerce platforms, the risk of account takeover becomes increasingly high.

At the same time, trustworthy customers are frustrated with lengthy verification processes and the risk of stolen credentials due to account takeover fraud. Customers expect convenience in their online shopping experience, yet they are continuously asked to jump through multiple security hoops to prove their identity and intentions. E-commerce retailers should act now to ensure their platforms are secure and convenient, so that they maintain business relationships with online shoppers, avoid losing them to competitors, and lower cart abandonment rates.

What is Account Takeover Fraud in E-commerce?

Traditional account takeover

Account Takeover is a form of identity theft and fraud. It happens when someone gains control over an account by using the customer’s credentials and makes unauthorized transactions on their behalf. This includes accounts that one has with their bank, email, credit card, and essentially any online website account. For example, customers can be targeted through phishing, malware scams, and spyware schemes. Other methods include purchasing stolen passwords, personal information, or security codes from cybercriminals. Audits of the dark web have uncovered that more than 15 billion account credentials are sitting in the cybercriminal marketplaces, rising by 300% since 2018.

Once the cybercriminal has control over the account, they can purchase items on the e-commerce site, withdraw funds, change the credentials of the account, and similarly gain access to other accounts of that specific customer.

The costs are directly borne by the customer, but retailers similarly lose revenue and reputation for having vulnerable security as customers choose competitors with more reliable online platforms.

Modern bots

Today, hackers release bots that can be programmed using machine learning to perform thousands or millions of account takeover attack attempts per minute. According to Gartner (2021), credential stuffing attacks (which enable account takeover) are one of four leading types of malicious bot attacks experienced in e-commerce. The easy access to stolen credentials (through the dark web), as well as users' apathy towards secure passwords, has created a ‘business opportunity’ for hackers. As a result, there is a surge of malicious bots and account takeovers. Regardless of the size or industry of the e-commerce platform, all websites are exposed to such attacks if left unprotected.

Step-by-step: How modern account takeover happens

These are the steps that usually happen during an account takeover:

  1. Hackers purchase thousands or millions of account credentials from the dark web.
  2. Using machine learning they program the bots to attack endpoints of websites using the user accounts, thousands or millions per minute. Examples of endpoints include login, cart, and payment.
  3. The bots test all the login credential combinations (known as ‘credential stuffing’).
  4. Where successful, the hackers access accounts with the working credentials.
  5. Personal data is collected and exploited by making payments, purchasing gift cards, loyalty points, and taking advantage of anything else possible on the account.

Even if the bots are initially detected, the sophistication of these bots means that 30% of them will automatically change their IP address to remain undetected. Besides rotating their IPs, they can stay hidden by simulating actual browsers, mimicking human behaviour, or hiding in user sessions. This highlights the importance of cybersecurity tools on e-commerce sites that specifically address bots, which have become increasingly sophisticated.
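Because the bots rotate IP addresses, a per-IP failure counter sees almost nothing, while the site-wide shape of login traffic still gives the attack away. The following is an added example, not code from the original article or from any vendor: the event format, thresholds, and function names are assumptions, and the login events are constructed.

```python
from collections import Counter, defaultdict

WINDOW_S = 60  # assumed bucket size in seconds

def build_sample():
    """Constructed login events: (epoch_s, ip, username, success)."""
    events = []
    # Three minutes of normal traffic: 20 logins/min from 15 returning shoppers.
    for n in range(60):
        events.append((n * 3, f"2001:db8:a::{n % 15:x}", f"shopper{n % 15}", n % 10 != 0))
    # Minute 1: 300 stuffing attempts, each from a new IP against a new account;
    # 8% of the stolen pairs work.
    for i in range(300):
        events.append((60 + i // 5, f"2001:db8:b::{i:x}", f"victim{i}", i % 25 < 2))
    return sorted(events)

def per_ip_blocked(events, max_failures=5):
    """Classic control: block an IP after too many failed logins in one window."""
    fails = Counter((t // WINDOW_S, ip) for t, ip, _, ok in events if not ok)
    return {ip for (_, ip), n in fails.items() if n > max_failures}

def stuffing_windows(events, min_attempts=100, min_fail_ratio=0.8, min_user_spread=0.9):
    """Flag windows whose site-wide shape is high volume, mostly failures,
    and almost every attempt aimed at a different account."""
    buckets = defaultdict(list)
    for t, ip, user, ok in events:
        buckets[t // WINDOW_S].append((ip, user, ok))
    known_ips, flagged = set(), {}
    for w in sorted(buckets):
        rows = buckets[w]
        attempts = len(rows)
        fail_ratio = sum(not ok for _, _, ok in rows) / attempts
        user_spread = len({u for _, u, _ in rows}) / attempts
        if attempts >= min_attempts and fail_ratio >= min_fail_ratio and user_spread >= min_user_spread:
            flagged[w] = {
                "attempts": attempts,
                "fail_ratio": fail_ratio,
                "distinct_ips": len({ip for ip, _, _ in rows}),
                # Successful logins from never-seen IPs: candidates for step-up or reset.
                "suspect_logins": sorted(u for ip, u, ok in rows if ok and ip not in known_ips),
            }
        known_ips.update(ip for ip, _, _ in rows)
    return flagged

if __name__ == "__main__":
    ev = build_sample()
    print("per-IP blocked:", per_ip_blocked(ev))
    for w, info in stuffing_windows(ev).items():
        print(w, info["attempts"], round(info["fail_ratio"], 2), len(info["suspect_logins"]))
```

On the constructed data the per-IP control blocks nothing, while the window check flags the attack minute and lists the logins that succeeded from previously unseen addresses.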

How E-Commerce Retailers Experience Losses Due To Bots

According to research done by Riskified (2021), more than a quarter of e-commerce retailers are not equipped or prepared to handle account takeover attacks. The result is that 2 out of 3 online customers walk away from e-commerce retailers and look for alternative options after experiencing an account takeover. Similarly, as e-commerce increased following the pandemic, fraud followed suit. In the U.S., account takeover fraud accounted for 43% of all fraud attempts, making it one of the top three fraud cases among online retailers in 2020. Reports have also shown that account takeover fraud rose by 378% since the beginning of the pandemic. Based on research from Juniper (2020), $17 billion was lost in e-commerce due to fraud in 2020 alone. Further, they predict that this number will exceed $25 billion in three years, making it a significant concern for online e-commerce platforms.

All this to say, account takeover fraud through bots is adding friction to the customer experience on e-commerce platforms as retailers fail to address both security and convenience for their shoppers, resulting in both customer and revenue loss.

Real-case examples of bot attacks

One account takeover attack saw hackers release 5.7 million requests over two days to perform credential stuffing. The bots rotated through 250,000 different IP addresses, 8,000 autonomous systems, and 215 countries. This highlights that traditional account security methods are out of date and that online retailers need to enhance their security to address bot attacks if they want to stay competitive.

Another case addressing fraud in e-commerce similarly saw an account takeover attack peak at approximately 1500 attack attempts per second. The bot traffic can be seen below in red, whereas green shows the legitimate traffic.

Graph from PerimeterX showcasing account takeover attack

Clearly, over 90% of attempts are malicious. Also, thanks to the thousands of IP addresses used by the bots, they achieved an 8% success rate in the attack, resulting in stolen customer credentials and revenue loss to the retailer.

3 Things E-Commerce Retailers Can Do To Fight The Bots

1 Implement bot detection technologies to alleviate the burden on human customers

E-commerce retailers try to respond to bot attacks with various methods that have proven unsatisfactory. For example, many retailers use CAPTCHA requirements or other ways of asking customers to “prove their humanity” and jump through hoops at every step. In a CAPTCHA, users need to interpret an image with letters and numbers mashed together, or select images that contain a certain attribute. However, studies by Gartner (2021) show that these types of methods can be, and repeatedly are, beaten by determined attacker bots or by cloud-based analysis tools.

Additionally, such prevention methods are poor for conversion: research done by a global customer showed that CAPTCHA images saw a 50% abandonment rate by users, especially on mobile, meaning 50% of customers do not even proceed to enter the online platform.

E-commerce platforms should focus on moving the analysis that separates bots from humans into the background, reducing the need for users to pass tests of humanity. This in turn allows loyalty, engagement, and trust between customers and the online business to increase.

2 Analyse behaviour of trustworthy customers to increase trust

By implementing behavioural analysis technologies, retailers can observe users’ activity in the online space. This includes anything from the timing and placement of their mouse, mouse-clicking, typing behaviour, and scrolling to swipe patterns on mobile devices. For high-volume e-commerce retailers with frequent user interaction, this can be a method to establish a behavioural norm for a specific customer. Any deviation from ‘the norm’ can then indicate fraudulent behaviour.

This is especially helpful for e-commerce retailers, as their platforms (along with retail banks and popular gaming sites) usually experience frequent user interactions where such data can be compiled and compared. Each interaction can be questioned with “Is this a human or a machine?” and then “Is this a known or unknown behaviour of the customer?”, allowing for a segmentation into known (low-risk) and unknown (moderate-risk) users. In fact, 98% of human customers are indeed legitimate and should be trusted.

The majority of human users have positive intentions when dealing with online businesses. Therefore, to avoid distrusting your customers, such behavioural analysis can help to increase security without sacrificing customer experience.

3 Implement adaptive authentication: low risk versus high-risk activity

Adaptive authentication is a way to deploy two-factor or multi-factor authentication. It selects specific authentication factors based on the customer’s tendencies and risk profile, and thus adapts authentication methods based on the situation.

There are two main benefits to such an approach. On the one hand, users experience a seamless interaction while shopping online. On the other hand, the online retailer can evaluate and analyse information by distinguishing between trustworthy customers and fraudulent bots. This is done without revealing the risk-mitigating strategies to the fraudsters. Where a bot acting as a trustworthy customer may have shown normal human behaviour at login or the start of the online activity, a strategically placed authentication gate will help to block transactions or activity when they become high risk (such as making payments). However, during low-risk activity (such as browsing the online store, adding items to the cart, and checking notifications) authentication measures can be more lenient to avoid disrupting the user experience. For every high-risk event or for all high-value assets there is an adequate protection measure in place while remaining invisible to the user. As a result, high security is coupled with a seamless customer experience.
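The gate described above can be sketched as a small policy function that combines the human-or-machine and known-or-unknown questions with the sensitivity of the requested action. This is an added example, not the article's or any vendor's implementation: the `Session` fields, the score cut-off, the validity periods, and every action name other than the payment case are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

LOW, HIGH = "low", "high"
# Sensitivity per action. "payment" is the article's high-risk example;
# "change_credentials" is an assumption added here.
ACTION_RISK = {"browse": LOW, "add_to_cart": LOW, "notifications": LOW,
               "payment": HIGH, "change_credentials": HIGH}
# Assumed validity of a completed second factor, in seconds, per segment.
STRONG_AUTH_TTL_S = {"known": 900, "unknown": 60}

@dataclass
class Session:
    human_score: float                    # assumed 0..1 output of background bot detection
    behaviour_known: bool                 # matches this customer's behavioural norm?
    strong_auth_at: Optional[int] = None  # epoch seconds of the last second factor

def segment(s):
    """Human or machine first, then known or unknown behaviour."""
    if s.human_score < 0.2:
        return "machine"
    return "known" if s.behaviour_known else "unknown"

def decide(s, action, now):
    """Return 'allow', 'step_up' (ask for a second factor) or 'deny'."""
    seg = segment(s)
    if seg == "machine":
        return "deny"
    if ACTION_RISK.get(action, HIGH) == LOW:  # unlisted actions fail closed
        return "allow"                        # no friction during low-risk activity
    fresh = (s.strong_auth_at is not None
             and now - s.strong_auth_at <= STRONG_AUTH_TTL_S[seg])
    return "allow" if fresh else "step_up"

def replay(s, actions, start=0, step=60):
    """Walk one session through a list of actions, one per minute."""
    return [(a, decide(s, a, start + i * step)) for i, a in enumerate(actions)]

if __name__ == "__main__":
    # Constructed case: stolen credentials, human-like input, unfamiliar behaviour.
    print(replay(Session(0.7, False), ["browse", "add_to_cart", "payment"]))
```

A session that passed as human at login browses without friction and meets the second factor only at payment, while a known customer with a recent second factor pays without interruption.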

If you want to explore possibilities with us for ensuring a seamless customer experience with high security you can check out our offers here.