
Even with bot management, organizations lose 6% a year via account fraud

Bot-driven fraud led nearly 70% of respondents to a Kasada survey to say they lost more than 6% of revenue last year, even while using bot-management products. ("Cash Money (part two)" by jtyerse is licensed under CC BY-NC-ND 2.0.)

Kasada on Thursday reported that 69% of companies that have a bot management product report losing more than 6% of their revenue because of bot-driven account fraud this year, up from 64% in 2021.

The report also found that 40% of companies lost 10% of revenue or more, a major increase from 2021 when only 5% reported that level of revenue loss. Account fraud includes account takeovers (ATO) and new account fraud, in which threat actors use bots to create fake accounts and then gain access to loyalty programs and take advantage of promotional discounts.

A majority of companies (62%) have spent more than $500,000 fighting bots within the past 12 months, which Kasada reports is a 14-point increase from last year, when only 48% were spending more than $500,000. Some 21% of companies have spent $2.5 million or more fighting bots this year. And 85% expect to spend even more on bot mitigation in the next year, up from last year, when only 63% reported that they planned to spend more.

“Bots continue to evolve and thrive at the expense of companies,” said Sam Crowther, founder and CEO of Kasada. “As this year’s research confirms, it’s imperative that companies have an anti-bot solution that evolves, keeping them a step ahead of attackers.”

Nick Rago, Field CTO at Salt Security, said organizations are seeing more lost dollars related to bot activity despite an increase in bot mitigation spending because bots have become more focused on targeting APIs. Rago said it’s much more difficult to discern whether transactions are bot activity in APIs versus web and mobile applications, which can challenge a bot with various client-side validations to ensure the authenticity of the user.

“APIs are headless, so the only way to identify a valid user from a sophisticated bot is with runtime protection that can provide deep contextual behavioral analysis to identify malicious intent,” Rago said. “Many organizations still do not possess this type of sophisticated runtime protection and are relying on WAFs and gateways which were not designed to protect against the sophistication of the bot activity we are seeing today.”
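To make the point about headless APIs concrete, here is an added example (not Kasada's or Salt Security's code) that scores signup traffic to a hypothetical `/api/v1/signup` endpoint on behavioural signals alone, since no JavaScript or CAPTCHA challenge is available; the JSON-lines log records, IP addresses and user agents are all constructed for illustration.

```python
# Added example (not Kasada's or Salt Security's code): behavioural scoring of
# signup traffic to a hypothetical headless API, read from a JSON-lines access log.
import json
import re
import statistics
from collections import defaultdict

# Constructed sample: one scripted client (203.0.113.7) registering accounts at a
# fixed cadence with sequential names, plus two human-looking clients.
SAMPLE_LOG = """
{"ts": 1000.0, "ip": "203.0.113.7", "ua": "python-requests/2.31", "path": "/api/v1/signup", "user": "shopper0041"}
{"ts": 1000.5, "ip": "203.0.113.7", "ua": "python-requests/2.31", "path": "/api/v1/signup", "user": "shopper0042"}
{"ts": 1001.0, "ip": "203.0.113.7", "ua": "python-requests/2.31", "path": "/api/v1/signup", "user": "shopper0043"}
{"ts": 1001.5, "ip": "203.0.113.7", "ua": "python-requests/2.31", "path": "/api/v1/signup", "user": "shopper0044"}
{"ts": 1003.0, "ip": "198.51.100.20", "ua": "Mozilla/5.0 (iPhone)", "path": "/api/v1/signup", "user": "mariah.k"}
{"ts": 1090.0, "ip": "198.51.100.20", "ua": "Mozilla/5.0 (iPhone)", "path": "/api/v1/orders", "user": "mariah.k"}
{"ts": 1200.0, "ip": "192.0.2.9", "ua": "Mozilla/5.0 (Windows)", "path": "/api/v1/signup", "user": "dave_w"}
"""

def score_clients(log_text, window=60.0, min_signups=3):
    """Return {ip: (score, reasons)} for sources whose signup burst looks scripted.

    Signals are behavioural (velocity, cadence, naming) rather than a client-side
    challenge, since a headless API cannot run the JavaScript or CAPTCHA checks
    a browser client would face.
    """
    signups = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["path"] == "/api/v1/signup":
            signups[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in signups.items():
        recs.sort(key=lambda r: r["ts"])
        if len(recs) < min_signups or recs[-1]["ts"] - recs[0]["ts"] > window:
            continue  # too few signups in the window to judge behaviourally
        signals = [(1, f"{len(recs)} signups within {window:.0f}s")]
        gaps = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        if gaps and statistics.pstdev(gaps) < 0.1:  # jitter-free, machine-like cadence
            signals.append((2, "regular cadence"))
        tails = [re.search(r"\d+$", r["user"]) for r in recs]
        stems = {r["user"][: m.start()] for r, m in zip(recs, tails) if m}
        if all(tails) and len(stems) == 1 and all(
            int(b.group()) > int(a.group()) for a, b in zip(tails, tails[1:])
        ):
            signals.append((2, "sequential usernames"))
        if not any(r["ua"].startswith("Mozilla/") for r in recs):
            signals.append((1, "non-browser user agent"))  # weak: trivially spoofed
        flagged[ip] = (sum(w for w, _ in signals), [why for _, why in signals])
    return flagged
```

The scripted source is the only one that accumulates a score; the two single-signup clients never reach the behavioural checks, which is the point of scoring a burst rather than judging each request in isolation.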

Bud Broomhead, chief executive officer at Viakoo, added that organizations have two choices: fight on the current playing field, which currently favors bots; or change the fundamental mechanisms inside the organization so that threat actors have to develop new methods of attack.

“Blockchain, AI/ML, biometrics, and other forms of identity management have emerged for this very reason,” Broomhead said. “For example, requiring use of Apple’s PassKey (which does not require passwords for authentication) might thwart some of the bots currently causing these losses from bot-driven account fraud.”
