The Bot Workers Powering the 24/7/365 Fraud Factory
Fraudsters have typically treated summer like off-season at a ski resort—a time to dim the lights, run a skeleton crew, and not waste energy until the lucrative winter months. With online traffic dwindling as people gravitate outdoors, the potential upside for fraudsters didn’t justify the time and effort needed to launch an attack in the summer. It was better to wait until the usual, more reliable targets, like back-to-school and holiday shoppers, came back into the picture.
The summer slump has become a widely recognized phenomenon and a critical preparation season for many businesses. Fraudsters’ summer break has traditionally given fraud professionals a few months to catch their breath, research new solutions, and gear up for the inevitable fall fraud resurgence.
Until now. The lull the industry expects didn’t happen. What changed this summer, and what alarm bells does it ring for the year to come?
Summer Vacation Gone Wrong
For fraud teams expecting relief from the summer heat, 2024 delivered a rude awakening. This June, fraud attacks stretched nearly three times longer than those in June 2023, with a staggering 300% increase in risky user IDs linked to these events. The worst attack we saw lasted over a week, a major departure from the typically short-lived summer attacks we’ve come to see as a proven pattern.
Fraudsters suddenly have the resources to unleash summer attacks at a scale we haven’t seen before. Where did all this firepower come from? Did fraudsters just amp up their recruiting efforts in the early part of the year?
Kind of. Except the new recruits aren’t humans: they’re hyper-sophisticated bots. In June 2024, bots led 2X more attacks than they did in January 2024, and bots are now making up the majority of attacks. The growing bots-as-a-service industry, which provides fraudsters with plug-and-play fraud bot tools, has enabled fraudsters to unleash high-volume, sophisticated bot attacks with little effort or technical knowledge. In other words, the prohibitive downsides that dissuaded summer attacks no longer exist, opening the floodgates for a year-round bot blitz.
The Summer Fraud Business Model
Bots and other sophisticated automation tools have driven a spike in summer fraud activity, but this doesn’t change the fact that online traffic and spending are still at their lowest point of the year. So what’s in it for fraudsters?
The most obvious advantage is that, at the moment, many businesses simply aren’t ready to stop today’s bots, so there’s immediate value in attacks. They haven’t put the right tools in place to differentiate humans from human-like bots, so they might not even know when a bot attack is underway. As the year rolls on and businesses have more time to implement solutions, that’ll change, so fraudsters are striking while businesses are at their most vulnerable point.
There’s a long game in play, though. In the past, once a bot successfully infiltrated a business’s ecosystem, fraudsters would have to act immediately. The bot-created accounts had clear giveaways that, if they weren’t spotted at onboarding, were bound to be identified sooner rather than later. Fraudsters had to maximize their impact before that happened, which often meant that their attacks were limited by whatever permissions the business gave to its new customers.
Modern bots don’t carry those same liabilities, though. They can go through onboarding and create an account just as a human would—behavior patterns and all—skirting businesses’ bot detection tools. Since these bot-created accounts look like normal customers, fraudsters can let them simmer and build trust with their attack target, then strike when the time is right. For example, a bot can open an account in June, lay low during the typical restriction period for a new account, and then be used to exploit a holiday promotion in December. The summer surge may be just the beginning of fraudsters’ larger winter plans.
Have We Seen The Worst of Bots?
Given the little effort needed for fraudsters to deploy constant, year-round bot attacks, is it right to assume that is our new normal and that the upcoming seasons will be high, but steady?
Unfortunately not. Everything we’ve seen so far suggests that fraudsters are getting better and better at using their new tools, and that they’re more selective and strategic than ever about who they target. Even with the increased summer volume, there’s no reason to believe that the winter won’t bring even more eye-popping volume as traffic peaks and businesses relax their defenses.
If you’re going to be prepared for the winter rush, now is the time to adopt and test new tools. Luckily, fall brings an ideal proving ground for solutions and should provide a glimpse at how fraudsters are preparing to deploy their high-powered bot armies over the coming months.