In-and-Out Fraudsters: Unmasking Short-Lived Fraud Attacks

Over a five-month span, NeuroID analyzed 150+ fraud attacks targeting 17 different customers, with the goal of collecting in-depth data insights into how probing attacks, ambient fraud, and other evolving strategies are impacting our customers’ revenue growth and fraud vulnerability. We’re excited to share our research with you in a new series called The Crowd Goes Wild!, focused on the power of crowd-level applicant visualization.

Insights from the Frontline

One interesting finding from our study highlighted the truly ephemeral nature of fraud attacks: 74% of the attacks lasted less than 33 hours. At the end of the five months, the customers we were tracking had experienced, on average, a full-day fraud attack every other week.

These short spikes of risky behavior give us insights into different fraud strategies. They could be instances of ‘ambient fraud’, a term coined in Alloy’s guide on stopping fraud attacks, which refers to a constant level of fraudulent activity that most Financial Institutions (FIs) face. This includes continuous tests by fraudsters on FIs’ fraud protection systems for weak spots, as well as small-scale fraudulent activity from novices and first-person fraudsters. This type of probing is visible via crowd-level alerting, and you can patch weak spots before they’re taken advantage of; let us show you how.

These brief bursts of activity could also signal the onset of a Fraud Ring or other High Velocity Attacks. Fraud Ring Attacks involve careful precision and patience, with fraudsters testing defenses to inform a broader, more deliberate strategy. On the other hand, High Velocity Attacks rely on speed and brute force, typically launched by individual fraudsters who’ve found a vulnerability.

Understanding High Velocity Attacks

High Velocity Attacks are initiated when a fraudster uncovers a loophole in your fraud defenses and broadcasts this information, often on the dark web. This results in a rapid increase in low-quality or clearly risky applications that can overwhelm your defenses. Even if 90% of these risky applications are stopped, the remaining 10% can still pose a substantial threat due to the sheer volume.

Fraud Ring Attacks and High Velocity Attacks aren’t mutually exclusive. Some fraud rings might use stolen identities to launch High Velocity Attacks, while others could disseminate the exploit they used after being thwarted, causing High Velocity Attacks against other FIs.

Preventing the Onslaught

Given that most attacks wrap up in roughly a day, real-time alert systems are of paramount importance. Keeping your automated fraud defenses updated with best practices and implementing a pre-review step for risky applicants can mitigate these attacks. 

NeuroID’s behavioral analytics not only provides real-time alerts for suspicious activity spikes but also orchestrates user behavior, effectively halting users linked with active fraud attacks.

When identified and understood, even risky application spikes serve as critical indicators to fortify your defense against future fraud attacks. 

This is just a small look at the takeaways from our The Crowd Goes Wild! Series: Application Spikes use case snapshot. Download the full report to read more on the trends, takeaways, and top-of-funnel revenue insights from the frontline of fraud.