As gamers shelter, fraudsters get to play
Video games provide a rare escape to locked-down consumers, and many modern games are so sophisticated that they support their own digital storefronts — with the potential for real-world losses if fraudsters find a way in.
Gaming and retail were the top fraud targets during the first half of the year, as fraudsters focused on things that consumers were doing while sheltering from the COVID-19 pandemic — being active with online gaming platforms and e-commerce shopping.
Digital gaming rated highest in the percentage of its industry traffic that was fraudulent, at 27%, while retail was at 24%, according to fraud prevention network Arkose Labs' third-quarter 2020 fraud report.
By comparison, social media saw a 21% fraud rate, while technology was at 14%, travel at 13% and financial channels at 7%.
The Arkose fraud prevention platform recorded 65 attacks per second against the gaming industry. The quarterly research was based on actual user sessions and attack patterns during the COVID-19 pandemic analyzed from January to June 2020.
"Video games are a very lucrative target because they kind of operate like a social media site, in that the users can send messages to each other," said Keith Gosschalk, founder and CEO of San Francisco-based Arkose Labs. "Fraudsters will send malware links and other fraud schemes in that manner, or they will create an account with the intent of sharing content that is fraudulent."
Many publishers offer in-game purchases as a way to generate revenue beyond the one-time purchase of the game itself. In-game items can sometimes be sold or traded among players, creating an incentive for scammers to enter the in-game economy.
"Those items have a certain degree of monetary value associated with them, depending on how rare they are," Gosschalk said. "The top players want to have all of the cool stuff, so they are willing to buy these virtual goods from other players."
Fraudsters may even steal entire game accounts or characters, to either strip player accounts of their valuable in-game items or sell in their entirety.
And then there is the payments credentials of the players, as fraudsters keep digging until they can get into players' accounts, Gosschalk added. Once there, they purchase more of the virtual currency for the game, with the intention of cashing out.
"They use a stolen credit card to kind of launder money through this process," Gosschalk said. "They buy a bunch of virtual currency to trade and sell, sort of cleaning up that money in the process."
One of the problems in thwarting fraud in the digital-game world is that too many consumers have a very static view of what video games are, said Vanita Pandey, vice president of marketing and strategy at Arkose Labs.
"People think you still buy one of those CD games and you play," Pandey said. "In reality, it has become this connected ecosystem of its own and everyone's account is like a bank account with currency used to buy more items, plus it's a social interaction tool."
Also, many players are younger consumers who may have little experience guarding against fraud. "These kids are spending time not supervised, and the games have become like baby-sitters in many cases," Pandey noted.
Ultimately, Arkose Labs is encouraging consumers to protect video game accounts as strongly as they would their bank accounts. Arkose says more than 60% of youths ages 9 to 12 are protected by Arkose technology.
The quarterly research also revealed a growing trend has intensified in which fraudsters, who have relied on automated bot attacks and threats at unlimited scale, are turning more to human labor because fraud-prevention technology is thwarting other efforts.
Adding the human factor with the increase in online activity because of COVID-19 kept the Arkose Labs network busy during the quarter, reporting it halted 1.1 billion bot attacks and a 25% attack rate increase across all transactions.
"If a website has sophisticated enough tools that the automated attacks can't penetrate, and the cost of writing overriding software is prohibitive, another attack consideration is hiring humans to do those attacks instead," Gosschalk said.
Called "sweatshop" attacks, fraudsters hire people across the world in places where labor is cheap. Human-led attacks accounted for 33.5% of all attacks, with bots at 66.5%.
"They give them the data and show them what to do, and they create accounts and post credentials, and do it all day," Gosschalk added. "If you hire 50 people to do the same thing, you are talking about hundreds of attacks an hour, instead of thousands, but if you are making $15 to $20 per minute from each human, it scales nicely and profitably."