# Okta says over 46% of new customer registrations are bot-driven fraud attempts
## Analysis Summary
The incident described is a large-scale surge in **account/signup fraud**, characterized by automated bot activity targeting customer registration processes.
# Incident Report: Surge in Automated Customer Signup Fraud
## Executive Summary
In 2024, a significant surge in automated activity resulted in approximately 46% of customer registration attempts being fraudulent, reversing recent downward trends. This activity is potentially fueled by AI-enabled attack workflows and severely affects the retail, e-commerce, and financial services sectors. The recommended response is a shift in security strategy toward dynamic identity verification to counter this threat, which was surfaced by platform telemetry data.
## Incident Details
- **Discovery Date:** Ongoing analysis throughout 2024; figures released in the 2025 report (published June 25, 2025).
- **Incident Date:** Primarily throughout 2024.
- **Affected Organization:** Specific organizations are not named; reported by Okta based on Auth0 platform telemetry.
- **Sector:** Predominantly Retail/E-commerce (69% of attempts), Financial Services (64%), Energy/Utilities (56%), and Manufacturing (54%).
- **Geography:** Global (based on a global survey and platform telemetry).
## Timeline of Events
### Initial Access
- **Date/Time:** Throughout 2024, with peak activity on April 6th.
- **Vector:** Automated bot activity targeting new customer registration forms (signup attempts).
- **Details:** Bot activity accounted for 46% of all customer registrations in 2024. Peaks reached nearly 93% of signups being fraudulent on one day (April 6, 2024).
### Lateral Movement
- *Not applicable for signup fraud; the focus is on initial acquisition.*
### Data Exfiltration/Impact
- **Details:** The primary impact is the creation of fraudulent accounts used for subsequent activities such as extracting membership benefits, exploiting signup incentives, or potentially initiating subsequent account takeover (ATO) attacks. Genuine data exfiltration is a downstream risk.
### Detection & Response
- **How it was discovered:** Operational telemetry data gathered from the Auth0 customer identity platform and a global consumer survey (Customer Identity Trends Report 2025).
- **Response actions taken:** The report's guidance points to a necessary shift from static to dynamic security strategies, with identity verification at the center, to address AI-enabled threats.
## Attack Methodology
This summary describes high-volume programmatic attacks on registration endpoints, rather than traditional network intrusions:
- **Initial Access:** Automated account creation using bots targeting web signup forms.
- **Persistence:** N/A (Focus is on initial account creation).
- **Privilege Escalation:** N/A (Focus is on gaining an initial identity/account).
- **Defense Evasion:** Utilizing AI-enabled workflows to mimic human behavior during registration.
- **Credential Access:** N/A (No evidence of explicit credential theft described, but fraudulent credentials are being created).
- **Discovery:** N/A (Focus is on execution, not reconnaissance).
- **Lateral Movement:** N/A
- **Collection:** Utilizing fraudulent accounts to perform secondary activities like scraping signup incentives or surveying service usage.
- **Exfiltration:** Potential future abuse of the fraudulently created accounts.
- **Impact:** Skewing operational metrics, draining promotional resources, and potentially leading to downstream account compromises.
## Impact Assessment
- **Financial:** Implied costs associated with lost signup incentives, resource drain on customer service/support for fraudulent accounts, and potential financial losses in the retail/finserv sectors.
- **Data Breach:** Not explicitly a breach of *existing* customer data, but rather the mass creation of fictitious identities.
- **Operational:** Significant distortion of customer registration metrics (average 46% fraud rate).
- **Reputational:** While not detailed, widespread fraud impacts the perceived trustworthiness of online services.
## Indicators of Compromise
Because this activity consists of application-layer traffic rather than malware, the indicators are primarily behavioral:
- **Network indicators:** High volume of registration requests originating from automated scripts or botnets (specific IPs/User Agents not provided).
- **File indicators:** None mentioned.
- **Behavioral indicators:** Unusually high ratio of new account creation to genuine human activity; extreme fluctuations in signup success/failure rates across short time frames.
## Response Actions
Specific company containment steps are not detailed, but the strategic response involves:
- **Containment measures:** Immediate hardening of registration workflow validation (e.g., advanced CAPTCHA, bot detection).
- **Eradication steps:** Removal/suspension of fraudulently created accounts discovered via telemetry.
- **Recovery actions:** Implementing dynamic identity verification strategies to curb future bot activity.
## Lessons Learned
- The current threat landscape is rapidly evolving due to AI, allowing bots to execute registration attacks at a staggering scale (nearly 50% fraud rate).
- Traditional security measures are insufficient, as evidenced by the fluctuating but consistently high fraud baseline (never below 30% after the low point).
- Identity assurance is the new critical defense perimeter against programmatic abuse.
## Recommendations
- Implement dynamic security strategies focused on identity verification at the point of registration.
- Enhance anti-bot controls specifically targeting signup endpoints, especially in high-risk sectors like Retail and Financial Services.
- Continuously monitor application telemetry for anomalous traffic patterns indicative of large-scale automated registration attempts.
- Review and fortify signup incentives/promotional structures to prevent abuse by bulk-created accounts.