Criminals attempt 25 million payments and logins a month
During the last quarter of 2014 and the first quarter of 2015, 4 percent of all attempts to create new online accounts were definitely illegitimate, as were 2.3 percent of all account logins, and 3.2 percent of all payment attempts.
There were 11.2 million fraud attempts during the holiday shopping season alone, the company said.
"This is actually undercounting the problem because it is not counting the gray area ones that might require further review," said Alisdair Faulkner, chief products officer at ThreatMetrix.
He declined to provide the statistics for how many transactions fall into the possibly fraudulent category, but they would typically lead to additional verification steps, such as two-factor authentication.
This was the company's first such report, so older historical data is not available.
Twelve of the top 20 e-commerce sites, three of the major credit card brands, five of the top banks are among the institutions that use ThreatMetrix to spot fraud.
The highest level of attempted fraudulent payment and logins was in the media industry, he said, which includes such services as social networks, content streaming, and online dating. About 4 percent of all payment attempts were fraudulent, and 6.2 percent of account login attempts.
E-commerce sites saw the highest level of account creation fraud, however, at 6.7 percent of all attempts.
According to ThreatMetrix, fraudsters are increasingly creating new accounts to make use of stolen credentials.
Faulkner said he was surprised to see the increase in attacks, and suggested that criminals may be trying to use the credentials they stole in last year's high profile data breaches.
He also suggested that it's not just e-commerce, finance and media companies that are vulnerable, but other types of enterprises as well, if their employees used their company email addresses as credentials at breached companies.
"Employee identities are already in someone else's hands," he said. "You need to protect your company against everyone else's data breaches -- not just your own."
Some companies are already using identity verifications systems like that of ThreatMetrix, especially for remote logins.
This technology could have prevented the recent breach at the Partners HealthCare System, Faulkner said, where criminals were able to get into employee email accounts.
The ThreatMetrix report also analyzed the most common methods hackers used.
Device spoofing, for example, was used in 6.1 percent of all transactions, and was the most common technique used when logging into stolen accounts.
Identity spoofing, at 4.3 percent, was most used when creating new accounts.
Geographic spoofing, at 3.3 percent, came in most handy when criminals were trying to make payments. Payment transactions also frequently involved IP spoofing, bots, and man-in-the-middle techniques.
These numbers have all been increasing over the past six months, he added.
The numbers are higher than actual incidents of fraud, Faulkner said, because individually any of these methods could have a legitimate explanation.
For example, there might be reasons why someone's IP address sets off warning bells.
"It could be that someone is very privacy conscious," he said, "Or using VPNs to connect through their work. Just because you're spoofing an IP address, doesn't necessarily mean you're illegitimate."