Guest article contributed by Nash Ali, Head of Operational Strategy at NeuroID, a part of Experian 

While businesses are still strategizing their approach to using generative AI (genAI) tools, fraudsters are wasting no time putting them to work. GenAI is key to many of the spikes in social engineering scams, automated account takeover (ATO) attacks, and next-generation, human-like bots being deployed at an alarming scale.

GenAI-powered fraud is straining fraud prevention teams, and the problem is only growing. To help counter fraudsters’ advancement, Experian announced on August 13 that it acquired NeuroID. NeuroID and Experian have a track record of successfully safeguarding consumers and businesses from evolving fraud threats, with both organizations conducting extensive research on impending threats and defenses against them.  

 

Research Shows an Alarming Rise in Next-Generation Bots, GenAI-Powered Fraud 

 

In a recent seven-week study, NeuroID found next-generation bots aren’t just a problem for the future: they’re here and are already causing issues for businesses. Our latest Emerging Trends in Fraud report outlined that trend in depth, including patterns indicating that for nearly half of NeuroID customers attacked by bots, more than 95% of attacking bots were next-generation.

Per Experian’s 2024 U.S. Identity & Fraud Report, the U.S. is adopting genAI faster than other countries. We’re facing an urgent need for modern, genAI-ready fraud solutions. Experian’s report also found that genAI fraud is a top concern for businesses: 70% of businesses say genAI-powered fraud is expected to be a major challenge over the next 2-3 years, and they’re largely uncertain of their ability to address the problem.

The genAI fraud landscape is changing month to month, making planning even more challenging. From January to June 2024, bot-led attacks doubled. This summer, in particular, saw a considerable uptick in bot-led attacks, bucking a trend of typically slower summer months; June 2024 attacks were nearly three times larger and longer lasting than June 2023 attacks. Fraudsters’ mentality has changed, too; rather than spreading smaller attacks across many businesses, they’re identifying and zeroing in on a handful of vulnerable targets and launching large-scale attacks to cause maximum damage.

 

What Makes The Next Generation of Bots So Dangerous? 

 

First-generation bots were simple scripts designed to execute basic tasks. Fraudsters deployed them to spam forms and scrape data, but user-agent analysis and IP blocklists easily stopped these basic bots. In the following decades, evolving bot generations began to maintain cookies, execute JavaScript, utilize headless and full-fledged browsers, and simulate basic human interactions like cursor movements and keystrokes.  

Even as bots grew to replicate humans’ behavior better, they still lacked human randomness. Prior-gen bots’ programmatic sequences—whether it be impeccably consistent keystrokes, repeated IP addresses and user agents, or unnaturally linear cursor movements—are easy to spot. Businesses have relied on these giveaways to identify and block bots before they cause damage.  
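As an added illustration (not NeuroID's or Experian's method, and not code from the original article), the sketch below checks a session for two of the giveaways named above: impeccably consistent keystroke timing and unnaturally linear cursor movement. The thresholds, function names, and session shape are assumptions chosen for the example.

```javascript
// Added illustration; thresholds and event shapes are assumptions, not a vendor's method.
const KEY_CV_MIN = 0.15;       // assumed: human inter-key timing varies more than this
const STRAIGHTNESS_MAX = 0.98; // assumed: human cursor paths are rarely this direct

// Coefficient of variation (stddev / mean) of the gaps between keydown timestamps (ms).
function keystrokeCv(timestamps) {
  const gaps = timestamps.slice(1).map((t, i) => t - timestamps[i]);
  if (gaps.length < 2) return null; // too little data to judge
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  if (mean <= 0) return 0;
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  return Math.sqrt(variance) / mean;
}

// End-to-end distance divided by total path length (1.0 = perfectly straight line).
function cursorStraightness(points) {
  if (points.length < 3) return null;
  let path = 0;
  for (let i = 1; i < points.length; i++) {
    path += Math.hypot(points[i].x - points[i - 1].x, points[i].y - points[i - 1].y);
  }
  if (path === 0) return null; // cursor never moved
  const first = points[0], last = points[points.length - 1];
  return Math.hypot(last.x - first.x, last.y - first.y) / path;
}

// Returns the list of prior-generation giveaways a session trips.
function scoreSession(session) {
  const flags = [];
  const cv = keystrokeCv(session.keyTimes);
  if (cv !== null && cv < KEY_CV_MIN) flags.push("uniform-keystrokes");
  const s = cursorStraightness(session.cursor);
  if (s !== null && s > STRAIGHTNESS_MAX) flags.push("linear-cursor");
  return flags;
}

// Constructed sample sessions (not real telemetry).
const scripted = {
  keyTimes: [0, 100, 200, 300, 400, 500],
  cursor: [{ x: 0, y: 0 }, { x: 50, y: 50 }, { x: 100, y: 100 }, { x: 150, y: 150 }],
};
const human = {
  keyTimes: [0, 140, 230, 520, 610, 905],
  cursor: [{ x: 0, y: 0 }, { x: 40, y: 70 }, { x: 95, y: 80 }, { x: 120, y: 160 }, { x: 150, y: 150 }],
};
console.log(scoreSession(scripted), scoreSession(human));
```

Checks like these only cover the programmatic regularity of prior-generation bots; a session that replays recorded human input would pass both.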

Next-generation, also known as fourth-generation, bots are different. They don’t exhibit the tell-tale signs of their predecessors, making them incredibly difficult to stop with traditional detection methods. Fourth-generation bots rotate through thousands of IP addresses, alter user agent strings, and utilize mobile emulators to bypass the device-based defenses that stopped older bots. These hyper-sophisticated bots can also use “behavior hijacking,” recording and replicating users’ swipe and mouse patterns, hover times, and other behavioral cues to create seemingly random actions that appear human.  

These advanced bots aren’t available only to equally sophisticated fraudsters. In the past, fraudsters needed at least basic coding knowledge to control bots effectively. Now, readily available genAI fraud tools like FraudGPT allow anyone to generate the code and synthetic identities needed to launch a large-scale bot attack.  

 

How NeuroID and Experian are Fighting Back 

 

Unlike traditional bot detection tools, NeuroID can detect the nuanced differences between a human-like bot and a real human user. It has proved effective against next-generation bots, catching 99.8% of all first-through-fourth-generation bots.  

Experian is making this technology available at scale to more businesses than ever. Within Experian’s fraud risk suite, NeuroID’s behavioral analytics provide new insights into user behavior during account openings, logins, and transactions. The combination of NeuroID’s behavioral analytics and Experian’s data-driven insights gives businesses a solution that can effectively respond to evolving fraud threats.  

I’ll be taking the Identity Week stage to talk more about the evolution of fraud bots and defending against them. Join me on September 11 at 11:50 in Theatre 4 for “Next-Gen Bots Are Here and They Act Just Like Us”, stop by booth #921 to chat with the NeuroID team, and download our Emerging Trends in Fraud Report for more.