Merchants and financial institutions once faced isolated incidents and single-source attacks. Bad as that was, the modern trend is much more alarming.
Fraud is no longer a one-man job. Now, would-be fraudsters can hire someone (or a group of people) to do their dirty work for them. This is called “fraud as a service” (or “FaaS”), and it’s the next big thing in fraud.
What is Fraud as a Service?
Fraud as a service is a process by which an individual or group of bad actors provides tools and services to others to enable fraudulent online activity. FaaS can involve diverse tactics for perpetrating fraud.
Firstly, to differentiate FaaS from other acts of fraud, one must consider it an online business model rather than a specific tactic. With FaaS, all forms of fraud are on the table for prospective buyers and clients, from account takeover to return fraud.
Essentially, individual fraudsters can either hire out or rent software to hack into a business. They may also network with other fraudsters and band together to commit larger crimes, then divide the earnings. All of these crimes are plotted, enacted, and paid out over the dark web.
How Does FaaS Work?
Over the dark web, FaaS providers gain access to stolen payment card information, healthcare records, or social media accounts. They can leverage this data to create synthetic users or accounts (which are then sold or rented to subscribers). They could also simply sell the raw data and let their customers create their own synthetic accounts.
FaaS platforms aim to:
- Network with cybercriminals for collaboration
- Build and maintain FaaS-friendly dark web platforms
- Market FaaS as a viable product
- Convert stolen goods into cash
- Develop and maintain law enforcement avoidance software
Because FaaS is planned and transacted on the dark web, this makes it very hard to trace and prosecute offenders. While the dark web isn’t wholly intractable, it is a largely ungoverned and unenforceable international space that defies typical online detection and tracking methods. Unfortunately, as long as such a space exists, it will be utilized by fraudsters and other criminals for nefarious purposes.
FaaS is Becoming a Serious Concern
When criminals organize, they are capable of an exponential number of scams that might be out of reach for solo fraudsters. Our reliance on cloud-based platforms has helped many businesses and financial institutions reach levels of communicability they might never have managed without.
Yet, it is through this same technology that fraud as a service thrives. FaaS providers deploy tactics across every system that even nominally interacts with cloud-based software. Social media platforms, email hosting sites, online dating forums, content management systems: no platform is safe.
Financial institutions should consider it a responsibility to communicate these concerns to merchant clients. A few points to discuss with clients include:
- The state of fraud in 2023. Modern fraudsters are educated, informed, and sophisticated.
- Fraud represents a “demand culture,” which encourages supply. More opportunity will mean more attacks.
- The dark web is home to every stripe of fraud imaginable and is where the sale of credit card numbers, personal account information, and synthetic identities are transacted.
- FaaS forums are developed and maintained to resemble online marketplaces on the dark web, where it is incredibly difficult to track and prosecute.
To illustrate this: many fintech companies have developed software as a service (SaaS) solutions to identify, mitigate, and recover from fraud in response to market demand. FaaS communities have developed in tandem, and the problem isn’t going to go away.
So, how can FIs help merchants to meet the challenge posed by fraud as a service?
Deploying velocity checks is one excellent tactic to promote among merchant clients that limits exposure to FaaS fraud. Velocity checks limit the number of transactions that a user is allowed to attempt in a given timeframe. The software will decline any successive transactions that seem suspicious and flag that user or IP address for suspected fraudulent activity.
We also recommend that merchants diversify their verification tactics. Integrating customer authentication software with regular checkout processes can greatly reduce the risk of fraud. These include:
- Address Verification Service (AVS)
- CVV Verification
- 3-D Secure Technology 2.0
- IP Tracking
Fi911 is aware of the growing threat of FaaS scams and is here to help merchants and financial institutions prepare for, and mitigate, threats associated with organized fraud. We’ve developed practical fraud prevention and mitigation techniques that can be tailored to individual clients’ needs.