The 3 Big Takeaways from Experian & NeuroID’s Next-Gen Fraud Bots Webinar
Modern fraud bots pose a unique threat to digital businesses. At NeuroID, a part of Experian, we’ve been leading the fight against next-generation fraud bots: our team is hypervigilant about analyzing our attack data to better understand fraud bots’ evolution and ensure our products help to protect against even the most advanced bot attack techniques.
Last week, Mike Thibodeaux, VP of Fraud Solutioning at Experian, and Nash Ali, Head of Operational Strategy at NeuroID, held a webinar to discuss some of our research into bots’ rapid evolution. The big takeaway wasn’t shocking: bots are more advanced than ever, and traditional bot detection tools aren’t holding up against today’s attacks. But our experts dug past the surface to unearth more insights that financial institutions (FIs) need to keep in mind as they modernize their bot detection strategies:
Takeaway #1. Detecting next-generation fraud bots is hard, but not impossible
There’s lots of talk about why next-generation bots are so good at beating traditional detection solutions. The main reason is that, to the untrained eye or an unfit detection solution, next-generation bots are virtually indistinguishable from real humans.
“Next-generation bots are notoriously difficult to detect with current controls because they are trained to look like humans,” Ali said. “They’re designed to emulate human behavior, where they actually leave detailed device fingerprints and cursor movements … they’ve become really, really hard to detect.”
All of this makes these sophisticated bots seem unbeatable, and many businesses think the only way to slow them down is to implement heavy-handed, privacy-intensive identity checks. But, according to Ali and Thibodeaux, fraud teams can stop next-gen bots without adding an exhaustive amount of friction for their users. There are still giveaways that reveal today’s bots, but the giveaways are extremely nuanced and aren’t caught by any other tool in a standard fraud stack; spotting them requires a solution designed to identify the granular behavioral giveaways of a next-gen bot.
“Identity verification and step-up authentication tools are still important. But behavioral analytics will allow you to be more targeted in how you detect fraud,” Thibodeaux said. “Using behavioral data to reveal risks is an important complement to the other solutions you have in place and can make your overall fraud stack more effective.”
Takeaway #2. Fraudsters aren’t putting past-gen bots to rest quite yet
Because of their sophistication and availability, next-generation bots give fraudsters a clear advantage over older bots. Many fraud professionals assume that fraudsters are all-in on their new bot armies (which is certainly true in some cases: half of the attacks we studied consisted almost exclusively of next-gen bots), but, generally, fraudsters are still making good use of past-generation bots.
“Bots have evolved, but that doesn’t mean that earlier generation bots have gone away. We actually see the generation one-through-four bots coexist,” Ali said. “If you don’t have the right level of controls, fraudsters are more than happy to hit you with older, less-sophisticated bots.”
What’s the point of using less-sophisticated bots when a more advanced (and likely more powerful) option is available? The answer is straightforward: different bots are best for different tasks. For a fraudster who just wants to scrape verified pre-fill data without actually completing an onboarding flow, a simpler bot can likely do the job quicker and cheaper than a more sophisticated one.
“There is no singular silver bullet [for all bots], of course, but there are a few dimensions that you’ve got to look at,” Ali said. “The first is device intelligence, which is still valuable. The second is network intelligence. Then you add in the third dimension, behavior, which is essential to capturing bots. With that three-dimensional picture of behavior, device and network, you get a holistic defense mechanism against bots of every kind.”
Takeaway #3. Businesses know they can’t stop modern bot attacks, but they’re not sure how to adapt
Experian’s 2024 U.S. Identity and Fraud Report identified Generative AI (GenAI)-powered fraud as the second-greatest challenge facing businesses over the next 2-3 years, but businesses were less confident in their ability to address it than other fraud types.
Ali and Thibodeaux conducted a live poll on the webinar and the results were similar: 74% of attendees said that they were somewhat confident or not very confident in their ability to stop a modern bot attack, and most said that at least some past bot attacks had gone undetected.
In other words: businesses know they have a problem, but they haven’t figured out how they should approach it. According to Thibodeaux, there are solutions on the market that fare well against today’s GenAI-powered fraud attacks, but a real answer to modern fraud attacks needs to be ready for tomorrow’s attacks, too.
“We’ve seen a lot of fear around GenAI in the market. I’d like to assure people that there are solutions available that can protect against it,” Thibodeaux said. “But an effective solution requires an ongoing understanding of how these bots are evolving, because they’re not done. There’s gen 4 bots right now and there’s going to be gen 5 soon. You need a partner that is invested in understanding bots’ evolution and continually adapting to stay in front of it.”
Want more expert next-gen bots insights? Watch the full webinar recording now, and download our Fighting the Future of Fraud: Understanding and Combating Next-Gen Bots report for an in-depth breakdown of next-generation bots’ capabilities.
(Some quotes have been lightly edited for context and clarity.)