All posts by Julie Lee

A spoofing attack occurs when a threat actor impersonates a trusted source to gain access to sensitive information, disrupt operations or manipulate systems.

Bots have been a consistent thorn in fraud teams’ side for years. But since the advent of generative AI (genAI), what used to be just one more fraud type has become a fraud tsunami. This surge in fraud bot attacks has brought with it:  A 108% year-over-year increase in credential stuffing to take over accounts1  A 134% year-over-year increase in carding attacks, where stolen cards are tested1  New account opening fraud at more than 25% of businesses in the first quarter of 2024  While fraud professionals rush to fight back the onslaught, they’re also reckoning with the ever-evolving threat of genAI. A large factor in fraud bots’ new scalability and strength, genAI was the #1 stress point identified by fraud teams in 2024, and 70% expect it to be a challenge moving forward, according to Experian’s U.S. Identity and Fraud Report.  This fear is well-founded. Fraudsters are wasting no time incorporating genAI into their attack arsenal. GenAI has created a new generation of fraud bot tools that make bot development more accessible and sophisticated. These bots reverse-engineer fraud stacks, testing the limits of their targets’ defenses to find triggers for step-ups and checks, then adapt to avoid setting them off.   How do bot detection solutions fare against this next generation of bots?  The evolution of fraud bots   The earliest fraud bots, which first appeared in the 1990s2 , were simple scripts with limited capabilities. Fraudsters soon began using these scripts to execute basic tasks on their behalf — mainly form spam and light data scraping. Fraud teams responded, implementing bot detection solutions that continued to evolve as the threats became more sophisticated.   The evolution of fraud bots was steady — and mostly balanced against fraud-fighting tools — until genAI supercharged it. Today, fraudsters are leveraging genAI’s core ability (analyzing datasets and identifying patterns, then using those patterns to generate solutions) to create bots capable of large-scale attacks with unprecedented sophistication. These genAI-powered fraud bots can analyze onboarding flows to identify step-up triggers, automate attacks at high-volume times, and even conduct “behavior hijacking,” where bots record and replicate the behaviors of real users.  How next-generation fraud bots beat fraud stacks  For years, a tried-and-true tool for fraud bot detection was to look for the non-human giveaways: lightning-fast transition speeds, eerily consistent keystrokes, nonexistent mouse movements, and/or repeated device and network data were all tell-tale signs of a bot. Fraud teams could base their bot detection strategies off of these behavioral red flags.  Stopping today’s next-generation fraud bots isn’t quite as straightforward. Because they were specifically built to mimic human behavior and cycle through device IDs and IP addresses, today’s bots often appear to be normal, human applicants and circumvent many of the barriers that blocked their predecessors. The data the bots are providing is better, too3, fraudsters are using genAI to streamline and scale the creation of synthetic identities.4 By equipping their human-like bots with a bank of high-quality synthetic identities, fraudsters have their most potent, advanced attack avenue to date.   Skirting traditional bot detection with their human-like capabilities, next-generation fraud bots can bombard their targets with massive, often undetected, attacks. In one attack analyzed by NeuroID, a part of Experian, fraud bots made up 31% of a business's onboarding volume on a single day. That’s nearly one-third of the business’s volume comprised of bots attempting to commit fraud. If the business hadn’t had the right tools in place to separate these bots from genuine users, they wouldn’t have been able to stop the attack until it was too late.   Beating fraud bots with behavioral analytics: The next-generation approach  Next-generation fraud bots pose a unique threat to digital businesses: their data appears legitimate, and they look like a human when they’re interacting with a form. So how do fraud teams differentiate fraud bots from an actual human user?  NeuroID’s product development teams discovered key nuances that separate next-generation bots from humans, and we’ve updated our industry-leading bot detection capabilities to account for them. A big one is mousing patterns: random, erratic cursor movements are part of what makes next-generation bots so eerily human-like, but their movements are still noticeably smoother than a real human’s. Other bot detection solutions (including our V1 signal) wouldn’t flag these advanced cursor movements as bot behavior, but our new signal is designed to identify even the most granular giveaways of a next-generation fraud bot.  Fraud bots will continue to evolve. But so will we. For example, behavioral analytics can identify repeated actions — down to the pixel a cursor lands on — during a bot attack and block out users exhibiting those behaviors. Our behavior was built specifically to combat next-gen challenges with scalable, real-time solutions. This proactive protection against advanced bot behaviors is crucial to preventing larger attacks.  For more on fraud bots’ evolution, download our Emerging Trends in Fraud: Understanding and Combating Next-Gen Bots report.  Learn more Sources 1 HUMAN Enterprise Bot Fraud Benchmark Report  2 Abusix 3 NeuroID 4 Biometric Update

There’s a common saying in the fraud prevention industry: where there’s opportunity, fraudsters are quick to follow. Recent advances in technology are providing ample new opportunities for cybercriminals to exploit. One of the most prevalent techniques being observed today is password spraying. From email to financial and health records, consumers and businesses are being impacted by this pervasive form of fraud. Password spraying attacks often fly under the radar of traditional security measures, presenting a unique and growing threat to businesses and individuals.  What is password spraying?  Also known as credential guessing, password spraying involves an attacker applying a list of commonly used passwords against a list of accounts in order to guess the correct password. When password spraying first emerged, an individual might hand key passwords to try to gain access to a user’s account or a business’s management system.   Credential stuffing is a similar type of fraud attack in which an attacker gains access to a victim’s credentials in one system (e.g., their email, etc.) and then attempts to apply those known credentials via a script/bot to a large number of sites in order to gain access to other sites where the victim might be using the same credentials. Both are brute-force attack vectors that eventually result in account takeover (ATO), compromising sensitive data that is subsequently used to scam, blackmail, or defraud the victim.  As password spraying and other types of fraud evolved, fraud rings would leverage “click farms” or “fraud farms” where hundreds of workers would leverage mobile devices or laptops to try different passwords in order to perpetrate fraud attacks on a larger scale. As technology has advanced, bot attacks fueled by generative AI (Gen AI) have taken the place of humans in the fraud ring. Now, instead of hand-keying passwords into systems, workers at fraud farms are able to deploy hundreds or thousands of bots that can work exponentially faster.  The rise and evolution of bots  Bots are not necessarily new to the digital experience — think of the chatbot on a company’s support page that helps you find an answer more quickly. These automated software applications carry out repetitive instructions mimicking human behavior. While they can be helpful, they can also be leveraged by fraudsters, to automate fraud on a brute-force attack, often going undetected resulting in substantial losses.   Generation 4 bots are the latest evolution of these malicious programs, and they’re notoriously hard to detect. Because of their slow, methodical, and deliberate human-like behavior, they easily bypass network-level controls such as firewalls and popular network-layer security.  Stopping Gen4 bots  For any company with a digital presence or that leverages digital networks as part of doing business, the threat from Gen AI enabled fraud is paramount. The traditional stack for fighting fraud including firewalls, CAPTCHA and block lists are not enough in the face of Gen4 bots. Companies at the forefront of fighting fraud are leveraging behavioral analytics to identify and mitigate Gen AI-powered fraud. And many have turned to industry leader, Neuro ID, which is now part of Experian.  Watch our on-demand webinar: The fraud bot future-shock: How to spot & stop next-gen attacks  Behavioral analytics is a key component of passive and continuous authentication and has become table stakes in the fraud prevention space. By measuring how a user interacts with a form field (e.g., a website, mobile app, etc.) our behavioral analytics solutions can determine if the user is: a potential fraudster, a bot, or a genuine user familiar with the PII entered. Because it’s available at any digital engagement, behavioral data is often the most consistent signal available throughout the customer lifecycle and across geographies. It allows risky users to be rejected or put through more rigorous authentication, while trustworthy users get a better experience, protecting businesses and consumers from Gen AI-enabled fraud.  As cyber threats evolve, so must our defenses. Password spraying exemplifies the sophisticated methods and technologies attackers now employ to scale their fraud efforts and gain access to sensitive information. To fight next-generation fraud, organizations must employ next-generation technologies and techniques to better defend themselves against this and other types of cyberattacks.  Experian’s approach embodies a paradigm shift where fraud detection increases efficiency and accuracy without sacrificing customer experience. We can help protect your company from bot attacks, fraudulent accounts and other malicious attempts to access your sensitive data. Learn more about behavioral analytics and our other fraud prevention solutions.  Learn more

Dormant fraud is an especially insidious form of account takeover fraud that often goes undetected until it’s too late. Learn how to protect your organization.

Our behavioral analytics solutions help you stop fraud rings, fraud bots, and other third-party fraud attacks.

  With cyber threats intensifying and data breaches rising, understanding how to respond to incidents is more important than ever. In this interview, Michael Bruemmer, Head of Global Data Breach Resolution at Experian, is joined by Matthew Meade, Chair of the Cybersecurity, Data Protection & Privacy Group at Eckert Seamans, to discuss the realities of data breach response. Their session, “Cyber Incident Response: A View from the Trenches,” brings insights from the field and offers a preview of Experian's 2025 Data Breach Industry Forecast, including the role of generative artificial intelligence (AI) in data breaches. From the surge in business email compromises (BEC) to the relentless threat of ransomware, Bruemmer and Meade dive into key issues facing organizations big and small today. Drawing from Experian's experience handling nearly 5,000 breaches this year, Bruemmer sheds light on effective response practices and reveals common pitfalls. Meade, who served as editor-in-chief for the Sedona Conference’s new Model Data Breach Notification Law, explains the implications of these regulatory updates for organizations and highlights how standardized notification practices can improve outcomes. Bruemmer and Meade’s insights offer a proactive guide to tackling tomorrow’s cyber threats, making it a must-listen for anyone aiming to stay one step ahead. Listen to the full interview for a valuable look at both the current landscape and what's next.  Click here for more insight into safeguarding your organization from emerging cyber threats.  

Account farming is the process of creating and cultivating multiple user accounts, often using fake or stolen identities.

Mobile identity verification confirms the legitimacy of users accessing services via their mobile device.

Reject inferencing techniques unlock a more comprehensive view of your applicant pool for more informed underwriting decisions. 

In this report, we explore how the evolving fraud landscape is impacting identity verification, customer experience, and business priorities for the future.

AI fraud detection helps organizations enhance their security measures, reduce fraud losses, authenticate identity, and improve customer experience.

In this article...Recent trends in credit card debtThe rising tide of delinquenciesWhat is credit limit optimization?Benefits of credit limit optimizationEconomic indicators and CLO ImpactEnhanced profitability and risk mitigation This post was originally published on our Global Insights Blog. As credit card issuers grow, the size of their customer base expands, bringing both opportunities and challenges. One of the most critical challenges is managing growth while controlling default rates. Credit limit optimization (CLO) has emerged as a vital tool for banks and credit lenders to achieve this balance. By leveraging machine learning models and mathematical optimization, CLO enables lenders to tailor credit limits to individual customers, enhancing profitability while mitigating risk. Recent trends in credit card debt To understand the significance of CLO, it is essential to consider the current economic landscape. The first quarter of 2024 saw total household debt in the U.S. rise by $184 billion, reaching $17.69 trillion. While credit card balances declined slightly (a reflection of seasonal factors and consumer spending patterns), they remain a substantial component of household liabilities, with total credit card debt standing at approximately $1.26 trillion in early 2024. On average, American households hold around $10,479 in credit card debt, which is down from previous years but still significant. The average APR for credit cards in the first quarter of 2024 was 21.59%.* The rising tide of delinquencies In the first quarter of 2024, about 8.9% (annualized) of credit card balances transitioned into delinquency. This trend underscores the need for credit card issuers to adopt more sophisticated methods to assess credit risk and adjust credit limits accordingly. The rising rate of credit card delinquencies is a key driver behind the adoption of CLO strategies. What is credit limit optimization? Credit limit optimization uses advanced analytics to assess individual customers’ creditworthiness. By analyzing various data points, including payment history, income levels, spending patterns, and economic indicators, these tools can recommend optimal credit limits that maximize customer spending potential while minimizing the risk of default, all within the constraints set by the business in terms of its appetite for risk and capacity. For instance, a customer with a strong payment history and stable income might receive a higher credit limit, encouraging more spending and enhancing the lender’s revenue through interest and interchange fees. Conversely, customers showing signs of financial stress might see their credit limit reduced to prevent them from accumulating unmanageable debt. Benefits of credit limit optimization Improved profitability – By setting credit limits reflecting customers’ credit risk and spending potential, lenders can increase their revenue through higher interest and fee income. Reduced default rates – Lenders can significantly reduce the incidence of bad debt by identifying customers at risk of default and adjusting their credit limits accordingly. Improved customer satisfaction – Personalized credit limits can improve customer satisfaction, as customers are more likely to receive credit that matches their needs and financial situation. Regulatory compliance – CLO can help lenders comply with regulatory requirements by ensuring that credit limits are set based on objective, data-driven criteria. Economic indicators and CLO Impact Several economic indicators provide context for the importance of CLO in the current market. For instance, the Federal Reserve reported that in 2023, fewer than half of adult credit cardholders carried a balance on their cards, down from previous years. This indicates a more cautious approach to credit use among consumers, likely influenced by economic uncertainty and rising interest rates. Moreover, the disparity in credit card debt across different states highlights the varying economic conditions and the need for tailored credit strategies. States like New Jersey have some of the highest average credit card debts, while states like Mississippi have the lowest. This regional variation underscores lenders’ need to adopt flexible, data-driven approaches to credit limit setting. Enhanced profitability and risk mitigation Credit limit optimization is critical for credit card issuers aiming to balance growth and risk management. As economic conditions evolve and consumer behaviors shift, the ability to set personalized credit limits will become increasingly important. By leveraging advanced analytics and machine learning, CLO enhances profitability and contributes to a more stable and resilient financial system. One such solution is Experian’s Ascend Intelligence Services™ Limit, which provides an optimized strategy designed to enhance the precision and effectiveness of credit limit assignments. Ascend Intelligence Services™ Limit combines best-in-class bureau data with machine learning to simulate the impact of different credit limits in real time. This capability allows lenders to quickly test and refine their credit limit strategies without the lengthy trial-and-error period traditionally required. Ascend Intelligence Services Limit enables lenders to set credit limits that align with their business objectives and risk tolerance. By providing insights into the likelihood of default and potential revenue for each credit limit scenario, Ascend Intelligence Services Limit helps design optimal limit strategies. This not only maximizes revenue but also minimizes the risk of defaults by ensuring credit limits are appropriate for each customer’s financial situation. In a landscape marked by rising delinquencies and varying regional debt levels, the strategic use of CLO like Ascend Intelligence Services Limit represents a forward-thinking approach to credit management, benefiting both lenders and consumers. Learn More * HOUSEHOLD DEBT AND CREDIT REPORT (Q1 2024) – Federal Reserve Bank of New York

In this article...What is credit card fraud?Types of credit card fraudWhat is credit card fraud prevention and detection?How Experian® can help with card fraud prevention and detection With debit and credit card transactions becoming more prevalent than cash payments in today’s digital-first world, card fraud has become a significant concern for organizations. Widespread usage has created ample opportunities for cybercriminals to engage in credit card fraud. As a result, millions of Americans fall victim to credit card fraud annually, with 52 million cases reported last year alone.1 Preventing and detecting credit card fraud can save organizations from costly losses and protect their customers and reputations. This article provides an overview of credit card fraud detection, focusing on the current trends, types of fraud, and detection and prevention solutions. What is credit card fraud? Credit card fraud involves the unauthorized use of a credit card to obtain goods, services or funds. It's a crime that affects individuals and businesses alike, leading to financial losses and compromised personal information. Understanding the various forms of credit card fraud is essential for developing effective prevention strategies. Types of credit card fraud Understanding the different types of credit card fraud can help in developing targeted prevention strategies. Common types of credit card fraud include: Card not present fraud occurs when the physical card is not present during the transaction, commonly seen in online or over-the-phone purchases. In 2023, card not present fraud was estimated to account for $9.49 billion in losses.2 Account takeover fraud involves fraudsters gaining access to a victim's account to make unauthorized transactions. In 2023, account takeover attacks increased 354% year-over-year, resulting in almost $13 billion in losses.3,4 Card skimming, which is estimated to cost consumers and financial institutions over $1 billion per year, occurs when fraudsters use devices to capture card information from ATMs or point-of-sale terminals.5 Phishing scams trick victims into providing their card information through fake emails, texts or websites. What is credit card fraud prevention and detection? To combat the rise in credit card fraud effectively, organizations must implement credit card fraud prevention strategies that involve a combination of solutions and technologies designed to identify and stop fraudulent activities. Effective fraud prevention solutions can help businesses minimize losses and protect their customers' information. Common credit card fraud prevention and detection methods include: Fraud monitoring systems: Banks and financial institutions employ sophisticated algorithms and artificial intelligence to monitor transactions in real time. These systems analyze spending patterns, locations, transaction amounts, and other variables to detect suspicious activity. EMV chip technology: EMV (Europay, Mastercard, and Visa) chip cards contain embedded microchips that generate unique transaction codes for each purchase. This makes it more difficult for fraudsters to create counterfeit cards. Tokenization: Tokenization replaces sensitive card information with a unique identifier or token. This token can be used for transactions without exposing actual card details, reducing the risk of fraud if data is intercepted. Multifactor authentication (MFA): Adding an extra layer of security beyond the card number and PIN, MFA requires additional verification such as a one-time code sent to a mobile device, knowledge-based authentication or biometric/document confirmation. Transaction alerts: Many banks offer alerts via SMS or email for every credit card transaction. This allows cardholders to spot unauthorized transactions quickly and report them to their bank. Card verification value (CVV): CVV codes, typically three-digit numbers printed on the back of cards (four digits for American Express), are used to verify that the person making an online or telephone purchase physically possesses the card. Machine learning and AI: Advanced algorithms can analyze large datasets to detect unusual patterns that may indicate fraud, such as sudden large transactions or purchases made in different geographic locations within a short time frame. Advanced algorithms can analyze large datasets to detect unusual patterns that may indicate fraud, such as sudden large transactions or purchases made in different geographic locations within a short time frame. Behavioral analytics: Monitoring user behavior to detect anomalies that may indicate fraud. Education and awareness: Educating consumers about phishing scams, identity theft, and safe online shopping practices can help reduce the likelihood of falling victim to credit card fraud. Fraud investigation units: Financial institutions have teams dedicated to investigating suspicious transactions reported by customers. These units work to confirm fraud, mitigate losses, and prevent future incidents. How Experian® can help with card fraud prevention and detection Credit card fraud detection is essential for protecting businesses and customers. By implementing advanced detection technologies, businesses can create a robust defense against fraudsters. Experian® offers advanced fraud management solutions that leverage identity protection, machine learning, and advanced analytics. Partnering with Experian can provide your business with: Comprehensive fraud management solutions: Experian’s fraud management solutions provide a robust suite of tools to prevent, detect and manage fraud risk and identity verification effectively.  Account takeover prevention: Experian uses sophisticated analytics and enhanced decision-making capabilities to help businesses drive successful transactions by monitoring identity and flagging unusual activities. Identifying card not present fraud: Experian offers tools specifically designed to detect and prevent card not present fraud, ensuring secure online transactions.  Take your fraud prevention strategies to the next level with Experian's comprehensive solutions. Explore more about how Experian can help. Learn More Sources 1 https://www.security.org/digital-safety/credit-card-fraud-report/ 2 https://www.emarketer.com/chart/258923/us-total-card-not-present-cnp-fraud-loss-2019-2024-billions-change-of-total-card-payment-fraud-loss 3 https://pages.sift.com/rs/526-PCC-974/images/Sift-2023-Q3-Index-Report_ATO.pdf 4 https://www.aarp.org/money/scams-fraud/info-2024/identity-fraud-report.html 5 https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-scams-and-crimes/skimming This article includes content created by an AI language model and is intended to provide general information. 

Ensuring fair lending practices while leveraging machine learning models is crucial for organizations committed to ethical and compliant operations.

Experian’s award-winning platform now brings together market-leading data, generative AI and cutting-edge machine learning solutions.