Criminals masquerade as customers by co-opting real behavior, devices and even identities
Real Behavior: Attackers simulate entire populations of users with genuine human characteristics to conduct fraud at scale. For example, to test out thousands of stolen credit cards for validity, an attacker may record a genuine human session with the application, with real mouse-movements, key strokes, timing, etc., and then replay that interaction thousands of times.
Real Devices: Attackers hijack devices via malware and pretend to be the device owners. For example, an attacker may use man-in-the-browser malware to divert funds after a victim has successfully logged into her own bank account via MFA.
Real Identities: Attackers steal pieces of real people’s identities, to pass themselves off as those customers online. For example, an attacker may steal a username and password to hijack a user’s online account or use a social security number to commit identity fraud.