Credential Stuffing Hero
Credential stuffing

Credential stuffing is a fraudster technique that uses automated scripts to check username and password combinations across popular websites and applications, looking to gain unauthorized access to accounts.

Learn more

Problem overview

Fraudsters acquire large batches of stolen credentials from phishing attacks, data breaches or by purchasing them on the dark web with the intent of using them to take over consumer accounts. In order to check credentials for successful logins at scale, fraudsters create automated scripts which can run thousands of combinations in minutes.  

Most organizations have bot mitigation controls in place to detect credential stuffing and other automated attacks. To circumvent these controls, fraudsters have started to abuse legitimate open banking platform providers to test batches of credentials and reverted to testing smaller, more frequent batches instead of testing at scale.

View Solution Brief

Credential stuffing in numbers

65 %

Percentage of people who reuse the same password across multiple websites and applications

50 %

Percentage of new deposit account applications opened by bots

15  Billion

Estimated number of stolen credentials for sale on the dark web


Gartner®: How to Mitigate Account Takeover Risks

Account takeover attacks continue to plague digital environments despite existing authentication processes. Access the Gartner report and get recommendations on the capabilities required to build a comprehensive ATO prevention strategy that balances risk mitigation with cost and UX considerations.

Get the Report
Rectangle 2890
Additional account takeover
use cases

Remote access attacks

Legacy fraud prevention controls have limited or no ability to detect remote access attacks. When a RAT is present on a user’s device, the bank’s systems detect a genuine device fingerprint, with no traces of proxy, code injections, or malware, and with the proper IP and geo-location. 

Learn More  >

Phishing site detection

Over 90% of all cyber attacks start with some form of phishing via email, text message, or phone call. While phishing attempts used to be easy to spot due to multiple spelling errors and poor grammar, fraudsters now have access to AI tools such as ChatGPT to help them craft well-written messages capable of tricking even the savviest users. 

Learn More  >

SIM swapping

Financial fraud involving SIM swapping is growing in several regions around the world. Not all cases of stolen device fraud require a SIM swap. In these cases, often carried out by highly organized criminal gangs, fraudsters use password engineering to unlock the device. 

Learn More  >

Request an intelligence briefing

Join us for a 30-minute deep dive with a BioCatch expert to learn the latest tactics, techniques, and procedures (TTPs) fraudsters use to scam your customers
and harm your brand.

Request a Briefing