Voice of the Industry

Fraud as a Service: an emerging threat in the cyber landscape

Wednesday 10 May 2023 12:11 CET | Editor: Claudia Pincovski | Voice of the industry

Chen Kirsch, Manager, Business Consultants, and Fraud Advisory at NICE Actimize, explains several types of fraud that can be committed using FaaS and shares strategies to detect and fight them.

Fraud as a Service (FaaS) describes a new type of fraud that is gaining prominence in the digital age. FaaS refers to the provision of fraud-related services, tools, and infrastructure by cybercriminals to other criminals or individuals who have the motivation, but not the technical expertise to commit fraud themselves. These services are typically offered on the dark web, where anonymity is guaranteed, and payments made in cryptocurrency help fraudsters further evade detection.

The use of FaaS allows for the ‘democratisation’ of financial crime. This makes it easier for individuals and small criminal groups to commit fraud, as they do not need to have specialised knowledge or resources. Additionally, FaaS providers often use sophisticated cloud-based infrastructures, such as bulletproof hosting and encryption, to evade detection, making it more difficult for law enforcement to disrupt their activities.

There are several types of fraud that can be committed using FaaS, but the most common include:

  1. Phishing: Phishing is a type of social engineering attack where the attacker sends an email or message that appears to be from a legitimate source (such as a bank or government agency) requesting personal information. FaaS providers often offer phishing kits, which include pre-written emails, landing pages, and scripts, which can be used to set up phishing campaigns.

  2. New Account Kits: Personally identifiable information and synthetic data are being sold as packaged kits on posting sites like Telegram. FaaS providers compile compromised data, and other fraudsters purchase the kit to create fraudulent accounts. They then execute their ploys and monetise at higher values.

  3. Credit card fraud: Credit card fraud is the unauthorised use of a credit card to make purchases or withdraw cash. FaaS providers often sell stolen credit card information, as well as tools and infrastructure, to test the validity of credit card numbers and create counterfeit cards.

  4. Money laundering and mule account services: Money laundering is the process of making illegally obtained funds appear legal. FaaS providers often offer money laundering services, such as using money mules to transfer funds across borders and providing virtual currency wallets and exchanges, which can be used to launder money.

  5. Account takeover (ATO): Account takeover is a type of fraud in which an attacker takes control of a victim's account and uses it for unauthorised transactions. FaaS providers often sell login credentials for popular online accounts, such as email and social media, as well as tools and services that can be used to take over accounts.

  6. Business Email Compromise (BEC): Business email compromise is a type of fraud in which the attacker pretends to be a senior executive of a company and requests wire transfers, privileged information, or other financial information. They often use spear phishing that targets a specific executive, social engineering, and malware to achieve this. FaaS providers often offer expertise and tools to launch BEC campaigns.

  7. Fake cryptocurrency trading platforms: Cryptocurrency exchange fraud is one of the more prevalent fraud methods today, where customers are victims of social engineering. Fraudsters quote outrageous returns on investment or encourage targets to invest in cryptocurrency on platforms that do not exist. FaaS providers today sell these trading platforms along with configurations and customisation options, enabling fraudsters to perpetrate the scam without having technical knowledge.

To combat FaaS, it is essential for individuals and organisations to fully understand risks and proactively take appropriate measures to protect themselves. This includes promoting subject matter awareness through education, keeping software updated, being cautious of responding to unsolicited emails and messages, and maintaining vigilance when providing personal information online. Additionally, organisations should invest in advanced security solutions, such as financial crime detection solutions, firewalls, intrusion detection systems, and anti-malware software, to protect against inevitable FaaS-related attacks.

FaaS is an emerging threat in the cyber landscape, enabling cybercriminals to provide fraud-related services, tools, and infrastructure to other, low-tech criminals. As the trend is growing at an alarming rate, we expect to see many more fraud-related attacks. It is vital that organisations and individuals are aware of the distinct types of fraud that can be committed using FaaS, and that they take appropriate measures to protect themselves and their customers.

About Chen Kirsch

Chen Ari Kirsch, a senior business consultant, is transforming fraud departments to be the best in class. Addressing all aspects of fraud prevention including strategy definition and execution, detection optimisation, operational investigation cost reduction, and end-customer journey improvements, Chen has 12 years of international fraud prevention experience at NICE Actimize. Supporting dozens of financial institutions servicing hundreds of millions of customers worldwide and with 15 years in the digital security industry, Chen holds an MBA and BSc in Information System Engineering from Be’er Sheva University, Israel.

About NICE Actimize

NICE Actimize is the largest provider of financial crime, risk, and compliance solutions for financial institutions. The company offers real-time, cross-channel fraud prevention, anti-money laundering detection, and trading surveillance products that address payment fraud, cybercrime, sanctions monitoring, market abuse, customer due diligence, and insider trading. Find us at www.niceactimize.com.


Keywords: fraud management, payments, cryptocurrency, financial crime, cloud, banks, data, credit card, money laundering, account takeover
Categories: Fraud & Financial Crime
Companies: Nice Actimize
Countries: World