Automated fraud

Automated fraud significantly impacts your brand and damages the trust that you have built with your customers. Automated fraud is a fast, effective way for attackers to gain access to higher-value assets, and as bots attacks evolve to be more sophisticated — they are only getting harder to detect.

What is automated fraud?

Automated fraud is similar to traditional fraud, such as using a stolen credit card to purchase goods, only it is committed by bots instead of humans. Criminals first acquire stolen data, including names, addresses, and credit card numbers, from places like the dark web, and then use programs to rapidly test this data against websites.

Automated fraud is especially effective as attackers are able to perform multiple transactions in a very short space of time. For example, if a new list of credit card numbers become available, bots are able to cycle through them, attempting illicit purchases quickly before card issuers notice their customer data has been exposed.

Four major security threats sophisticated bots poseRelated Solution brief

3 billion automated bot attacks occurred in the second half of 2018

Bots can perform 100+ attacks per second

Sources: forbes.com, infosecurity-magazine.com


How automated fraud works

An attacker obtains a list of stolen credit card numbers from the dark web and uploads them to a command-and-control server, which instructs a compromised device to attempt transactions.

The device attempts to use the stolen credit card numbers with various retailers to purchase goods. Any goods successfully purchased are later resold on other sites.

Once the retailer is alerted of fraud, an investigation takes place with both the retailer and card issuer which is both costly and lengthy.

Get protected with


Types of automated fraud

Credit card fraud

Credit card fraud uses lists of stolen credit card numbers to attempt online transactions. When goods are successfully purchased, they can later be resold on different sites for monetary value.

Gift card fraud

Gift card fraud involves trying different combinations of numbers on a website until one of the numbers succeeds. Typically an attacker’s bot would try numbers against a balance inquiry webpage until they return valid information. With this (now verified) gift card number, the attacker would purchase goods to later be resold.

Virtual currency fraud

Virtual currency fraud uses stolen credential lists to attempt to log into online accounts, such as gaming websites, to steal virtual currency or virtual goods. Typically combined with credential stuffing and account takeover attacks, virtual currency and virtual goods can often be resold for cash in various online marketplaces.


Traditional bot management solutions aren’t enough any more

Retailers, especially larger organizations, normally have protections in place to detect and prevent automation fraud. For example, if multiple transactions from a single source location are attempted, bot protection products block them and flag the activity as suspicious.

But traditional bot protection techniques, such as signature checking and traffic analysis, are no longer enough as attackers have turned to more sophisticated bots and the use of botnets to avoid detection.

Attackers have started to take advantage of operating system and application bugs to exploit machines en masse and create extensive networks of systems — known as botnets — which they can control.

Unlike traditional automated transactions, distributed attempts leverage these massive botnets to avoid detection. Since each transaction comes from a legitimate device from a different source, these attempts are extremely difficult to differentiate from legitimate humans.


There are now more than 17 billion connected devices worldwide.

Sources: iot-analytics.com

Our solution

It’s your responsibility to protect your customers

Your customers are not always focused on security — in fact 51 percent of people still reuse passwords across web apps. But what they do expect are good customer experiences that are secure — and they trust you to protect them. When your business and customers become victims of automated fraud — it’s your reputation and business that takes the blame.

Fraud costs business billions of dollars in damages every year and results in higher insurance premiums and higher card transaction costs as providers look to prevent their losses.

Instart offers industry-leading protection against even the most sophisticated bots with technology that collects signals across both the client and server to validate users and their browsers to ensure that the visitor is indeed human. Instart leverages its unique Nanovisor technology to protect against account takeover attacks, credential stuffing, inventory holding, and many other bot-based malicious activity.