Is “Fraud as a Service” (or FaaS) the Next Big Threat Facing Your Business?
What comes to mind when you picture online fraud? Perhaps you envision customer-turned-scammers who file invalid chargebacks to get things for free.
Or, perhaps you imagine dozens of bad actors collaborating together to steal merchandise and card numbers from you and your customers, respectively. Or, maybe you picture cunning scammers who dropship items from legitimate businesses using stolen payment information.
Digital fraud is highly organized and sophisticated. While some scammers still act alone, the largest and most egregious frauds are perpetrated by organized criminal gangs who carry out fraud on behalf of others with professional scale and efficiency.
This threat, known as fraud as a service (FaaS), is a form of productized digital cybercrime in which criminal organizations sell and carry out prepackaged fraudulent attacks upon victims on behalf of paying customers.
Recommended reading
- The Top 10 Prepaid Card Scams to Watch Out For in 2025
- Credit Card Shimmers: Are You Prepared for “Skimming 2.0?”
- How do Banks Conduct Credit Card Fraud Investigations?
- How New Account Fraud Works: Red Flags & How to Prevent it
- Review Fraud: How it Works & How to Get Rid of Fake Reviews
- What are Straw Purchasers? Are They Legal? What Can You Do?
What is Fraud as a Service?
- Fraud as a Service
Fraud as a Service is a process by which an individual bad actor provides tools and services to others to facilitate their commission of fraudulent online activity. FaaS can involve diverse tactics for perpetrating fraud.
[noun]/frôd • əz • ā • sərvəs/
In contrast to standalone fraud tactics like chargeback fraud, identity theft, SIM swapping, or account takeover fraud, fraud as a service (FaaS) involves scams carried out by professional fraudsters on behalf of paying clients.
Essentially, picture an underground version of software as a service (SaaS). But, rather than selling project management, time tracking, or sales enablement software, criminal FaaS enterprises sell prepackaged fraud or fraud kits like stolen payment information, social security numbers, business email compromise tools, and phishing scripts.
FaaS vendors will carry out scams on behalf of customers that don’t have the skills or infrastructure to do them on their own. I’ll highlight a few of the most common illicit services below.
How Does FaaS Work?
Fraud as a service occurs on darkweb marketplaces where cybercriminals offer phishing kits, card testing, synthetic identity creation, and other tools and services on a subscription or pay-per-use basis.
Obviously, both FaaS providers and the clients that pay for them are committing illegal acts. So, most transactions occur on underground platforms and darknet marketplaces, where they can take advantage of the lack of oversight and scrutiny.
You’ve probably somewhat familiar with how the dark web works. Using anonymous network layers like I2P and the Tor browser, criminals can access illicit marketplaces to contract all manner of illegal activities. Bad actors can order assassinations, sell stolen information, ship drugs, and distribute illegal paraphernalia.
It’s on these underground marketplaces that FaaS providers find customers willing to buy and sell fraudulent services. And, they work in a manner that’s disturbingly similar to above-ground, legal businesses.
FaaS is insidious because it functions exactly like a legitimate business. The only real difference is that the services offered for sale are scams.
This setup enables “ordinary” criminal buyers to carry out sophisticated attacks against unsuspecting victims with the backing and support of expert scammers working for FaaS providers.
All these transactions take place on the dark web. This makes FaaS operations especially difficult to trace and disrupt. While you might be able to intercept an individual fraud attack, the service provider is still out there, offering the same tools and services to other fraudsters.
Key Components of FaaS
Most FaaS providers fit into one or more of the following categories:
What is it?
Online platforms, often within darknet or encrypted forums, that facilitate the buying and selling of compromised data.
Includes
- Credit card dumps
- Stolen personally identifying information
- Compromised login credentials
How Does it Work?
Data is obtained via malware infections, data breaches, phishing campaigns, and even insider threats.
Marketplaces may feature escrow systems, reputation ratings, and sometimes even "warranty" periods on data validity.
What is it?
Comprehensive tools and resources that allow unskilled bad actors to create and execute sophisticated phishing and social engineering campaigns.
Includes
- Ready-made templates
- Fake website generators
How Does it Work?
Pre-built email templates, realistic fake website replicas, malware payloads, and automated delivery systems allow buyers to launch streamlined attacks at scale.
Social engineering modules, meanwhile, will often incorporate psychological manipulation tactics and use social media platforms heavily.
What is it?
Software designed to automate and increase the throughput of brute-force scams.
Includes
- Credential stuffing
- Done-for-you account takeovers
- Card testing attacks
How Does it Work?
Botnets or cloud-based infrastructure are used to launch high-volume attacks.
Penetration techniques, API manipulation, and reverse engineering tactics are used to discover vulnerabilities and bypass CAPTCHAs, multi-factor authentication, and other security measures.
What is it?
Services that facilitate the concealment of illicitly obtained funds so that they appear legitimate.
Includes
- Cryptocurrency mixing
- Mule network
How Does it Work?
Money is “cleaned” by layering transactions through multiple accounts, exploiting mule networks (individuals who transfer funds on behalf of others), and via the use of cryptocurrency mixers (tumblers).
Also entails conversion to other forms of assets like equities, real estate, or art.
The Global Financial Impact of FaaS Attacks
The global financial impact of fraud as a service (FaaS) attacks is immense, costing businesses and financial institutions billions annually through fraudulent transactions, chargebacks, and identity theft.
Because FaaS is scalable, its effects can be wide-reaching. In 2024, a single Faas-enabled, large-scale attack spanning 4,800+ incidents disrupted businesses in three verticals (social media, crypto, and payments) on every continent except for Australia and Antarctica.
No longer are fraudsters working alone to exploit vulnerabilities and steal from clients. With the help of the dark web and anonymous payment methods like cryptocurrencies, scammers are working together, sharing knowledge, and transacting with each other.
No geographic location is immune from FaaS attacks. I mentioned a second ago that Australia was exempted from one high-profile attack. But, according to a 2023 survey by Ravelin, two-thirds of businesses in Australia said they have been victims of FaaS schemes at some point. This is compared to the global average of 56% of businesses.
of businesses say they've been victims of at least one FaaS scheme
Source: Ravelin
Like legitimate business ecosystems, which magnify supply-side activity, the underground platforms that allow FaaS providers to thrive are lowering the cost of scamming, increasing the prevalence of fraud, and lowering the barrier to entry for aspiring cybercriminals.
Examples of FaaS Attacks in Action
The clearnet — the legitimate, publicly-accessible web — is being ravaged by FaaS-enabled scams. Here are a few notable cases:
FaaS Cybercrimminals Steal 2 Million Card Numbers
Research published by Kaspersky Digital Footprint Intelligence revealed that FaaS “infostealers” injected malware into as many as 21 million devices between 2023 and 2024.
The outcome? Nearly 2 million primary card numbers were stolen from unsuspecting victims and dumped onto darknet marketplaces for sale. In fact, illegally-obtained payment information is so abundant that on underground marketplace B1ack’s Stash, FaaS scammers gave away 1 million debit and credit card numbers for free.
Any individual in possession of a leaked entry containing a card’s primary account number, expiration date, and CVV can use the information to carry out third-party fraud.
Need a Victim’s Health Records? That’ll Be a Hefty $1,000
Financial services firms are prime targets for hackers, accounting for 22% of all cyberattacks in 2024. But, there’s one industry that’s even more vulnerable to cybercrime: healthcare.
According to research from Kroll, healthcare providers suffered 23% of all data breaches last year, edging out financial industry firms by one percentage point.
The reason? Stolen health records are a cash cow for FaaS criminals. On the dark web, a single set of personal health records can fetch up to $1,000. By contrast, stolen card details sell for a mere $5 per set.
FaaS Criminals Sell Stolen Small Business For Just $600
Today, an estimated 16% of businesses are fully-remote. These digital-first businesses often take the form of eCommerce stores, consultancies, marketing agencies, development studios, and professional service firms.
Although these small and midsize businesses have few physical assets, they have plenty of data in the form of client lists, legal documents, employee social security numbers, payment card information, and bank account numbers.
For FaaS cybercriminals, these details are a digital treasure trove that can be stolen, exported, and resold to illegal buyers; sometimes for as little as $600.
Emerging Trends in FaaS
Emerging trends in FaaS, like the use of LLMs, deepfakes, and cryptocurrencies, will demand an aggressive, international strategy by law enforcement.
FaaS is not static. New technologies emerge constantly, and many are co-opted by FaaS criminals, either to enhance the effectiveness of their scam services or to make them more accessible or affordable for buyers. Here are a few trends to be on the lookout for:
AI-Powered Fraud
Deepfake and Voice Cloning
Cryptocurrencies
Ransomware-as-a-Service (RaaS)
The development of scam-enhancing technologies will almost certainly outpace regulators. Governments will need to play catch-up by enacting stricter laws targeting FaaS providers, their clients, and darknet transactions at large.
Law enforcement agencies, meanwhile, will need to invest heavily in specialized cybercrime units with expertise in cryptocurrency tracking, darknet investigations, and AI-driven threat detection.
Still, the internet’s borderless nature will render domestic regulation alone hopelessly ineffective. Instead, a coordinated global effort that involves intelligence sharing and joint investigations will become table stakes; anything less is unlikely to be sufficient.
Detecting & Preventing Fraud as a Service
The rapid expansion of organized, for-profit cybercrime is nothing short of a five-alarm fire for eCommerce merchants and other digitally-native businesses.
Luckily, while FaaS attacks can be more scalable than rogue threats perpetrated by ragtag groups of fraudsters, the strategies for deterring FaaS-enabled attacks are basically the same as deterring any fraud attack. Here are just a few ideas that can help:
Let the Fraud Experts Help
Fraud as a Service ultimately represents a paradigm shift in the cybercrime landscape. Like fragmented industries that gradually consolidate into multinational giants, scattered threats are coalescing into a highly organized and scalable — and wholly illegal — industry.
The takeaway? Ongoing vigilance and proactive action will be the bare minimum if you want to successfully keep emerging FaaS threats at bay.
But you don’t have to do it alone. At Chargebacks911®, our dual-layered, AI-enabled fraud prevention tools can help you safeguard your hard-earned revenue from FaaS and post-transaction scams. Get in touch with us for a free, no-obligation analysis today.
FAQs
What is fraud as a service (FaaS)?
Fraud as a Service is a process by which an individual bad actor provides tools and services to others to facilitate their commission of fraudulent online activity. FaaS can involve diverse tactics for perpetrating fraud.
How does fraud as a service work?
FaaS is not limited to a single tactic. For example, the perpetrator may conduct distributed denial of service (DDoS) attacks on behalf of their customers. They may also rent botnets to criminals, who can then use the rented tools to conduct their own botnet attacks.
FaaS providers may have access to stolen payment card information, healthcare records, or social media accounts. They can use this data to create fake users (which are then sold or rented to subscribers) or simply sell the raw data and let fraudsters create their own faux accounts.
What makes FaaS harder to identify?
Modern-day online criminals are smart and professionalized. They work with one another to brainstorm new tactics and refine their techniques. That’s bad news for you as a business because you face multiple different points of vulnerability.
The last decade has produced numerous high-profile data breaches involving still-unidentified criminals who compromised millions of customers’ records. If you find yourself a victim of this type of attack, it could have substantial ramifications for your reputation and customer confidence.
Is fraud as a service (FaaS) a growing threat?
FaaS is not only a growing threat, it’s likely going to be the next big fraud trend for the foreseeable future.
Frankly, the difference between lone-wolf cyber attacks and organized crime is glaring. A single criminal is concerning enough, but the average number of scams they can perpetrate on their own isn’t typically that high. However, when criminals team up and organize, the number of scams they can perpetrate increases exponentially.
How do I detect and prevent FaaS attacks?
Fraud prevention best practices include deploying velocity checks and other verification tools, as well as maximizing data analysis, avoiding false declines, and employing manual reviews for flagged transactions.
