Why Bots Are the Next Big Thing in Account Takeover Fraud

Account takeover fraud may sound like a familiar term in cybersecurity, yet its prevention methods in the e-commerce domain are still nuanced.

Retailers are historically concerned with payment fraud systems related to chargebacks. This happens when a customer makes a purchase online with a credit card and then requests a refund from the issuing bank despite receiving the ordered goods or services.

Better known as friendly fraud, this type of fraud makes it difficult for retailers to distinguish between trustworthy customers and fraudsters. Due to low-security infrastructures on e-commerce platforms, this risk for account takeover becomes increasingly high.

At the same time, trustworthy customers are frustrated with lengthy verification processes and the risk of stolen credentials due to account takeover fraud. As customers expect convenience with their online shopping experience, they are continuously asked to jump through multiple security hoops to prove their identity and intentions.

Methods Used in Account Takeover Fraud

Cybercriminals employ various methods to execute account takeover fraud. Account takeover fraud, often referred to as ATO, is a form of identity theft where an attacker gains unauthorized access to a victim’s account to commit fraud, steal funds, or cause other forms of financial and reputational damage. In this discussion, we will explore some of the most common techniques fraudsters use to gain unauthorized access to a victim’s account.


Phishing

Phishing is one of the most prevalent methods cybercriminals use to obtain sensitive information from victims. The attacker sends an email or message disguised as legitimate communication from a trusted organization, such as a bank or a social media platform. These communications often contain a link that directs the victim to a fake website that looks identical to the legitimate site, where they are prompted to enter their login credentials, which the attacker then captures.

Credential Stuffing

Cybercriminals take advantage of the fact that many people reuse their login credentials across different platforms. Once they access one account, they can access other accounts owned by the same individual. Credential stuffing attacks use automated software to test stolen username and password combinations across multiple websites.


Malware

Malware, such as keyloggers, spyware, and trojans, can be used by attackers to gain unauthorized access to a victim’s account. This software is typically installed on a victim’s device without their knowledge and captures sensitive information such as login credentials and financial data.

SIM Swapping

This technique involves the attacker impersonating the victim to convince their mobile service provider to transfer the victim’s phone number to a new SIM card controlled by the attacker. Once they obtain the victim’s phone number, they can intercept two-factor authentication (2FA) codes sent via SMS and access the victim’s accounts.

Social Engineering

Social engineering attacks involve manipulation and deception to trick victims into divulging sensitive information or granting unauthorized access to their accounts. This can include posing as a customer service representative or using personal information gathered from social media to build trust with the victim.

Brute Force Attacks

These attacks involve using software to systematically guess a victim’s password by repeatedly trying multiple combinations. Brute force attacks can be successful if the victim’s password is weak or easy to guess.

What Is Account Takeover Fraud in E-commerce?

Traditional Account Takeover

Account takeover is a form of identity theft and fraud. It happens when someone gains control over an account by using the customer’s credentials and makes unauthorized transactions on their behalf. This includes accounts that one has with their bank, email, credit card, and essentially any online website account.

For example, customers can be targeted through phishing, malware scams, and spyware schemes. Other methods include purchasing stolen passwords, personal information, or security codes from cybercriminals. Audits of the dark web have uncovered that more than 15 billion account credentials are sitting in the cybercriminal marketplaces (rising by 300% since 2018). (From Exposure to Takeover: The 15 billion stolen credentials allowing account takeover)

Once the cybercriminal has control over the account, they can purchase items on the e-commerce site, withdraw funds, change credentials of the account, and similarly gain access to other accounts of that specific customer.

The costs are directly borne by the customer, but retailers similarly lose revenue and reputation for having vulnerable security as customers choose competitors with more reliable online platforms.

Modern Bots

Today, hackers release bots that can be programmed using machine learning to perform thousands or millions of account takeover attack attempts per minute. According to Gartner (2021), credential stuffing attacks (which enable account takeover) are one of the four leading types of malicious bot attacks experienced in e-commerce.

The easy access to stolen credentials (through the dark web), as well as users’ apathy to secure passwords, has created a “business opportunity” for hackers. As a result, there is a surge of malicious bots and account takeovers. Regardless of the size or industry of the e-commerce platform, all websites are exposed to such attacks if left unprotected.

Step by Step: How Modern Account Takeover Happens

These are the steps that usually happen during an account takeover:

  1. Hackers purchase thousands or millions of account credentials from the dark web.
  2. Using machine learning, they program the bots to attack endpoints of websites using the user accounts, thousands or millions per minute. Examples of endpoints include login, cart, and payment.
  3. The bots test all the login credential combinations (known as “credential stuffing”).
  4. Where successful, the hackers access accounts with the working credentials.
  5. Personal data is collected and exploited by making payments, purchasing gift cards, loyalty points, and taking advantage of anything else possible on the account.

Even if the bots are initially detected, the sophistication of these bots means that 30% of them will automatically change their IP address to remain undetected. Besides rotating their IPs, they can stay hidden by simulating actual browsers, mimic human behavior, or hide in user sessions. This highlights the importance of cybersecurity tools on e-commerce sites to specifically address bots that have become increasingly sophisticated.
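The IP rotation described above is exactly why per-IP throttling alone misses these bots. As an added example (not code from the article or from any vendor product), the following detector aggregates constructed login events per minute and flags windows that are busy, mostly failing, and spread across nearly as many source IPs as attempts. The log format and all thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one login attempt per line:
# "<ISO time> <source IP> <username> <SUCCESS|FAIL>".  The second minute shows
# the article's pattern: many usernames, each tried once from a fresh IP.
SAMPLE_LOG = """\
2021-03-01T10:00:00Z 203.0.113.10 alice SUCCESS
2021-03-01T10:00:05Z 203.0.113.10 alice FAIL
2021-03-01T10:00:09Z 203.0.113.11 bob SUCCESS
2021-03-01T10:01:00Z 198.51.100.1 user001 FAIL
2021-03-01T10:01:00Z 198.51.100.2 user002 FAIL
2021-03-01T10:01:01Z 198.51.100.3 user003 FAIL
2021-03-01T10:01:01Z 198.51.100.4 user004 SUCCESS
2021-03-01T10:01:02Z 198.51.100.5 user005 FAIL
2021-03-01T10:01:02Z 198.51.100.6 user006 FAIL
"""

def parse_events(text):
    """Return (epoch_seconds, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        epoch = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
        events.append((int(epoch), ip, user, outcome == "SUCCESS"))
    return events

def window_stats(events, window=60):
    """Bucket events into fixed windows and summarise each bucket."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts // window * window].append((ip, user, ok))
    stats = {}
    for start, evs in sorted(buckets.items()):
        n = len(evs)
        stats[start] = {
            "attempts": n,
            "fail_rate": sum(not ok for _, _, ok in evs) / n,
            "distinct_ips": len({ip for ip, _, _ in evs}),
        }
    return stats

def flag_windows(stats, min_attempts=5, max_fail_rate=0.5, min_ip_spread=0.8):
    """Flag windows that are busy, mostly failing, and spread across nearly
    as many source IPs as attempts (the rotating-IP signature)."""
    return [start for start, s in stats.items()
            if s["attempts"] >= min_attempts
            and s["fail_rate"] > max_fail_rate
            and s["distinct_ips"] / s["attempts"] >= min_ip_spread]
```

In production the same statistics would be kept per autonomous system and per targeted account as well, since a single rotating pool rarely stays inside one minute bucket.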


How E-commerce Retailers Experience Losses Due to Bots

According to research done by Riskified (2021), more than a quarter of e-commerce retailers are not equipped or prepared to handle account takeover attacks. The result is that 2 out of 3 online customers walk away from e-commerce retailers and look for alternative options after experiencing an account takeover.

Similarly, with the increase of e-commerce following the pandemic, fraud followed suit. In the U.S., account takeover fraud accounted for 43% of all fraud attempts, making it one of the top three fraud types among online retailers in 2020. Reports have also shown that account takeover fraud rose by 378% since the beginning of the pandemic.

Based on research from Juniper (2021), $20 billion will be lost in e-commerce due to fraud in 2021 alone.

All this to say, account takeover fraud through bots is adding friction to the customer experience on e-commerce platforms as retailers fail to address both security and convenience for their shoppers, resulting in both customer and revenue loss.

Real-case Examples of Bot Attacks

One case of an account takeover attack saw hackers releasing 5.7 million requests over two days to perform a credential stuffing attack. The bots rotated through 250,000 different IP addresses, 8,000 autonomous systems, and 215 countries. This highlights that traditional account security methods are out of date, and online retailers need to enhance their security to address bot attacks if they want to stay competitive.

Another case addressing fraud in e-commerce similarly saw an account takeover attack peak at approximately 1,500 attack attempts per second. The bot traffic can be seen below in red, whereas green shows the legitimate requests.

Graph from Perimeterx showcasing account takeover attack

Clearly over 90% of attempts are malicious. Also, thanks to the thousands of IP addresses used by the bots, they achieved an 8% success rate in the attack, resulting in stolen customer credentials and revenue loss to the retailer.

3 Things E-commerce Retailers Can Do to Fight the Bots

1. Implement Bot Detection Technologies to Alleviate the Burden on Human Customers

E-commerce retailers try to respond to bot attacks with various methods that have been proven unsatisfactory. For example, many retailers use CAPTCHA requirements for customers or other ways asking customers to “prove their humanity” and jump through hoops at every step.

For example, in a CAPTCHA, users need to interpret an image with letters and numbers mashed together, or select images that contain a certain attribute. However, studies by Gartner (2021) show that these types of methods can be, and repeatedly are, beaten by determined attacker bots or by cloud-based analysis tools.

Additionally, such prevention methods perform poorly: Gartner reports that CAPTCHA images saw a 50% abandonment rate by users, especially on mobile, meaning 50% of customers do not even proceed to enter the online platform.

E-commerce platforms should focus on moving bot-versus-human analysis into the background and reducing the need for tests of humanity for a user. Consequently, loyalty, engagement, and trust between customers and the online business can increase.

2. Analyze Behavior of Trustworthy Customers to Increase Trust

By implementing behavioral analysis technologies, retailers can observe users’ activity in the online space. This includes anything from timing and placement of their mouse, mouse-clicking, typing behavior, scrolling, and swipe patterns on mobile devices.

For high-volume e-commerce retailers with frequent user interaction, this can be a method to design a behavioral norm for a specific customer. Thus, any deviation from “the norm” can indicate fraudulent behavior.

This is especially helpful for e-commerce retailers, as their platforms (along with retail banks and popular gaming sites) usually experience frequent user interactions where such data can be compiled and compared.

Each interaction can be questioned with “Is this a human or a machine?” and then “Is this a known or unknown behavior of the customer?”, allowing users to be segmented into known (low-risk) and unknown (moderate-risk) groups. In fact, 98% of human customers are indeed legitimate and should be trusted.

The majority of human users have positive intentions when dealing with online business. Therefore, to avoid distrusting your customers, such behavioral analysis can help to increase security without sacrificing on customer experience.

3. Implement Adaptive Authentication: Low-risk Versus High-risk Activity

Adaptive authentication is a way to deploy two-factor or multi-factor authentication. It selects specific authentication factors based on the customer’s tendencies and risk profile, and thus adapts authentication methods based on the situation.

There are two main benefits to such an approach. On the one hand, users experience a seamless interaction while shopping online. On the other hand, the online retailer can evaluate and analyze information by distinguishing between trustworthy customers and fraudulent bots. This is done without revealing the risk-mitigating strategies to the fraudsters.

Where a bot acting as a trustworthy customer may have shown normal human behavior at login or the start of the online activity, a strategically placed authentication gate will help to block transactions or activity when they become high risk (such as making payments).

However, during low-risk activity (such as browsing the online store, adding items to the cart, and checking notifications), authentication measures can be more lenient to avoid disrupting the user experience. For every high-risk event or for all high-value assets, there is an adequate protection measure in place while remaining invisible to the user. As a result, high security is coupled with a seamless customer experience.
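Sections 2 and 3 together describe one decision: is this a human, is this behavior known for the customer, and how risky is the action being attempted. The policy below is an added example of that decision in Python (not Kiteworks' or any vendor's code); the action risk tiers, score thresholds, and signal names are assumptions, and the behavioral scores are taken as already computed by a separate behavioral analysis component.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"      # pass silently, no friction
    STEP_UP = "step_up"  # require a second factor before continuing
    BLOCK = "block"      # refuse and flag the session

# Assumed risk tiers: 0 = low (browse, cart), 2 = high (payment, credential
# change); any action not listed is treated as moderate (1).
ACTION_RISK = {
    "browse": 0, "view_notifications": 0, "add_to_cart": 0,
    "payment": 2, "redeem_points": 2, "change_email": 2, "change_password": 2,
}

@dataclass
class SessionSignals:
    human_score: float     # 0.0 = clearly automated, 1.0 = clearly human
    behavior_match: float  # how closely mouse/typing/scroll match this customer's norm
    known_device: bool

def decide(action, s, mfa_done=False):
    """Map the action's risk plus the session's signals to a decision."""
    risk = ACTION_RISK.get(action, 1)
    if s.human_score < 0.2:          # strong bot signal: block regardless of action
        return Decision.BLOCK
    if risk == 0:                    # low-risk activity: stay lenient
        return Decision.ALLOW
    # "Known" customer: behaviour matches the norm on a device seen before.
    trusted = s.known_device and s.behavior_match >= 0.7 and s.human_score >= 0.8
    if risk == 1:
        return Decision.ALLOW if trusted else Decision.STEP_UP
    if s.human_score < 0.5:          # unconvincing human on a high-value action
        return Decision.BLOCK
    if mfa_done and trusted:         # gate already passed in this session
        return Decision.ALLOW
    return Decision.STEP_UP          # the gate sits exactly where risk rises

def walk_session(actions, signals):
    """Decide each action in order; assume a STEP_UP challenge is passed, so a
    later high-risk action in the same trusted session is not re-gated."""
    decisions, mfa_done = [], False
    for action in actions:
        d = decide(action, signals, mfa_done)
        decisions.append(d)
        if d is Decision.STEP_UP:
            mfa_done = True
    return decisions
```

A bot that passes the human check but whose behavior does not match the customer's norm browses and fills a cart without friction and is only challenged at payment, which is the placement the section argues for.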
