The Impact of Toll Fraud and Fake Accounts

The largest and most well-known companies are susceptible to the most sophisticated cyber threats, often only discovered until it’s too late.

Toll fraud and fake account creation are two advanced threats that bad actors employ for massive profit.

Toll Fraud is committed by fraudsters against innocent companies through abuse of the phone verification or 2FA flows of applications, with the goal of generating a high volume of voice calls to premium rate numbers.

Fake Account Creation is committed by a wide range of attackers, through automating the generation of new user accounts en masse, which then get used to fraudulently take advantage of the target. For example abusing the free usage tier, automated social interactions like views and follows, or entries into lottery systems.

The traffic generated by Toll Fraud and Fake Account Creation can easily be mistaken for real usage of an application. When combined, these attacks create a nasty one-two punch for any business, especially damaging to large enterprises — the scale of these nefarious schemes can be immense.

This case study highlights two of our customers, for which these types of abuse amounted to millions of dollars, despite both of them already using bot detection providers that they thought were keeping them safe from automated attacks.

Enterprise Customer Background and Challenges

Customer #1: Fortune 100 Retailer

As a Fortune 100 company and one of the world’s largest retailers, the first Kasada customer generates over $20 billion in annual revenue. Before using Kasada, they noticed the creation of an abnormally large number of odd-looking accounts. Accompanying this was a massive infrastructure bill due to a massive number of multi-factor SMS verification texts being sent. These ballooning infrastructure costs began cutting into their margins.

One such example was how it impacted new product launches. When a hot new item debuted — and a lottery launch offered a small number of users a chance for first dibs — the retailer would experience surges in Fake Account Creation. These bogus accounts required SMS two-factor authentication (2FA) to activate them, and each message for each authentication cost the company money to send and verify. At its peak, the SMS charges for this retailer amounted to more than $600,000 per month, over 6x of what they should have been.

Green triangle 6x

SMS charges were over $600,000 per month

This global retailer is targeted by some of the industry’s most sophisticated adversaries, wreaking havoc through fake account creation, fraudulent checkout, scraping, and SMS toll fraud. Prior to Kasada, their bot defense tool was built-in bot protection from their CDN provider. This led them to believe these cost increases were due to real human traffic rather than bots.

Customer #2: Leading Global Streaming Platform

As one of the leading streaming platforms for gamers across the planet — with over 100m monthly active users — fake account creation compounded the SMS fraud, fueling infrastructure scaling nightmares for our second customer. They were also losing millions of dollars annually directly from SMS verification charges.

This was driven by user registration spikes in the tens of millions of daily attempts. In turn, this inflated requests for SMS verification codes. While some requests were sent to routine locations, others were sent to less standard countries, with higher rates per message. The chart below breaks down the traffic into bots and humans. As you can see, when the true nature of the requests was revealed, humans made up less than 25% of total traffic.

Attack Traffic vs. Real User Traffic

Prior to using Kasada, this customer had no idea there were so many bots on their site or that they were costing them hundreds of thousands each and every month. Their total yearly bill amounted to a stunning $9.2M a year. They were using a CAPTCHA-based bot detection solution, which led them to believe that these costs were being legitimately generated by their large user base, rather than by bots.

A Common Thread: Red Flags from Previous Bot Protection Vendors

Despite their existing bot detection tools saying otherwise — in both cases, some clever employees at each organization began to suspect that the traffic patterns they were seeing were indicative of automated tools rather than real users.  If correct, that meant they were losing millions to fraud.

This hunch led them to investigate if other tools on the market could prove their theory and do a better job at detecting these crafty attackers.

Our Customers Found a Frictionless, Reliable, and Effective Solution in Kasada

To stop fake account creation and toll fraud, you need to detect these actions in the first place. Kasada specializes in invisibly and effectively separating bad bots from legitimate users — without making people perform puzzling tests, like CAPTCHAs.

After only an hour of going live with Customer #1 (the Fortune 100 Retailer), Kasada quickly detected thousands of bots attempting to register accounts and was able to turn them away. Over the first 48 hours of implementation, Kasada discovered and deterred approximately 9 million automated bots. The graph below shows our customer’s login traffic as it hit Kasada during this period of time. Prior to hitting Kasada, the CDN’s built-in bot management tool should have filtered out the bots, but we found otherwise.

Retail Customer

Similarly, when Customer #2 (the Leading Global Streaming Platform) first implemented Kasada, we quickly found that over 70% of the traffic was from bots that were successfully bypassing their original anti-bot provider, in order to commit fraud. Kasada’s Bot Defense solution put a stop to that.

​​Along with effective and responsive detection, a key factor in the success of these cases was Kasada’s ease of use. Enterprises large and small often have little capacity to take on big projects. Many in the industry complain of the hidden complexities involved in implementing bot detection, both during the initial onboarding and the ongoing maintenance required to play the game of cat and mouse with attackers.

We’ve designed our product with these pain points in mind. Kasada requires minimal initial integration work from the customer to get protected, with near-zero ongoing human management, no rules, and no risk-scoring configuration needed. This design philosophy helped these customers quickly put a stop to the problem shortly after reaching out to us.

Dramatic Cost Savings and Optimized Digital Experience with Kasada

After implementing Kasada, our customers often celebrate big wins that have had huge impacts on revenue, user experience, and brand equity.

Green triangle $8M

saved annually by reducing SMS verification costs

Impact for Customer #1: Fortune 100 Retailer

Prior to implementing Kasada, SMS verification costs were at an all-time high due to a cumulative attack creating millions of fake accounts.

Results include:    
  • 87% Reduction in SMS Verification Costs: Amounting to a savings of $8 Million annually.

  • Optimized User Experience: Significantly reduced malicious bot traffic, preventing the creation of millions of fake accounts.

  • Improved Brand Image:

After Kasada was onboarded to protect the User Registration API, a sharp decrease in costs proceeded for several months. In October 2022, a new attack leveraging Solver Services was launched, and in short succession, Kasada created several new defense innovations – quickly defeating the attack and bringing costs back down. Simultaneously we worked with the customer to identify fraudulent emails and phone numbers being used in the attack, enabling the retailer to ban accounts. After this success, Kasada then released a second set of defenses that brought SMS verification costs to an all-time low — maintaining this ever since.

The graph below tells the story over time. Twilio SMS verification expenses incurred by the retailer are outlined in red. In green, the impact of Kasada on savings through the nearly 2-year period.

Twilio SMS Costs

Impact for Customer #2: Leading Global Streaming Platform

Identifying and managing bot traffic is crucial for website security and performance, as excessive bot traffic can lead to issues like fraud, site slowdowns, and even security breaches.

Before using Kasada, our streaming platform customer was unaware that 75% of their website traffic was attributed to bots.

Results include:    
  • Eliminated Fake Account Creation: Significantly decreased malicious bot traffic to their authentication service, preventing millions of fake accounts from being created.

  • Dramatically reduced SMS charges: to the tune of $8 million in savings in the first year alone.

  • Improved user experience: greatly reduced false positives, and lowered costs by removing visual challenges — including CAPTCHAs.

  • Brand Protection: The implementation of Kasada’s solution has resulted in increased customer satisfaction and loyalty.

Want to learn more?

  • Sign with a red and blue background reading "I Was There Aruba" with an illustration of the island of Aruba.

    I purchased a luxury vacation to Aruba for only $151.73 – thanks to credential stuffing

    Travel accounts are attractive targets for fraudsters. Once access is gained, they can easily book vacations, transfer points, or sell accounts on the dark web.

  • Captchas are getting harder. Error message on a screen with a galaxy image grid, instructing the user to select images containing life forms for captchas.

    Why CAPTCHAs Are Not the Future of Bot Detection

    I’m not a robot” tests are definitely getting harder. But does that mean more complex CAPTCHAs are the right path forward to outsmart advancing AI and adversarial technologies?

Threats constantly evolve. Your protection should, too.