15 seconds. That’s the time it takes to allow fraudsters into your network with a botnet.

A botnet typically consists of a network of IoT devices that have weak security and have been infected by malware. The device is then remotely controlled from another location. These could be computers, phones, game platforms, baby speakers, children’s toys – basically anything that connects to the internet or internet of things (IoT).

Why would a criminal spend time researching or socially engineering a fake user profile when they have a quicker and easier tool available? Botnets can run through extensive lists of username and password variations to hijack accounts in seconds. With the huge amounts of leaked data available for criminals to take advantage of, the use of a botnet is a logical next step.

Botnets aren’t even that expensive; you can rent or purchase one for as little as £5. The Mirai botnet of 400,000+ devices (recently seen attacking the Finance sector) can be rented for as little as £2,000 a week.

So how does this affect the insurance industry?

Botnets are used to incept fraudulent policies on mass, to takeover accounts and access documentation and to make policy changes to later commit “crash for cash” fraud.

How many of your users have the same username and password spread across multiple accounts? I’m willing to bet that this is the rule, not the exception.

What can you do to protect yourself and your users?

When it comes to protecting yourself, you need to be able to recognize the devices that want to enter your secured portals. Has that device accessed this account before? If yes, you can assume they are a lower level of risk. If not, they need to jump through a few more hoops.

After all, why would someone be logging in from a children’s toy or be able to complete a lengthy form in milliseconds?

The Device intelligence you gain here can be fed into an authentication process to help you assess the risk that a device poses and step up the authorization with multi-factor authentication.

A botnet can’t provide the extra levels of authentication needed but your trusted customers can.