What comes to mind when you picture online fraud? Perhaps you envision customers-turned-scammers who file invalid chargebacks to get things for free.
Or, perhaps you imagine dozens of bad actors collaborating to steal merchandise and card numbers from you and your customers, respectively. Or, maybe you picture cunning scammers who dropship items from legitimate businesses using stolen payment information.
Digital fraud is highly organized and sophisticated. While some scammers still act alone, the largest and most egregious frauds are perpetrated by organized criminal gangs who carry out fraud on behalf of others with professional scale and efficiency.
This threat, known as fraud as a service (FaaS), is a form of productized digital cybercrime in which criminal organizations sell and carry out prepackaged fraudulent attacks upon victims on behalf of paying customers.
Fraud as a Service (FaaS) is a modern cybercrime business model where criminals sell tools, infrastructure, or services that enable other criminals to commit fraud. Put simply, it turns fraud into a service you can buy – similar to legitimate software-as-a-service (SaaS), but illegal.
Using FaaS allows amateur fraudsters to launch even complex and targeted attacks from anywhere with an internet connection. Individuals and eCommerce merchants can become victims of attacks that the fraudster would not have been able to execute on their own.
FaaS products can take a variety of forms. Phishing kits, for example, may provide pre-written prompts and replica websites. That gives even technologically inept fraudsters the means to launch social engineering, account takeover, or other attacks.
Or consider the crook who wants to launch botnet attacks and credential stuffing scams. These subscribers can “rent” access to automated bots, stolen credentials, and ready-made scripts from illegal data brokers on the dark web. Some FaaS providers even offer access to money mule networks, allowing criminals to move and launder stolen funds without directly exposing themselves.
FaaS is a multi-billion-dollar illegal industry that spans the globe. Today’s FaaS products allow buyers to launch coordinated, cross-border attacks that can compromise thousands of accounts at once, resulting in steep losses – and chargebacks – for dozens of different merchants.
As a merchant, you need to understand that even one single successful FaaS scheme can simultaneously cripple your operations and drive your chargeback ratio through the roof. It’s a nasty one-two punch that can lead to business disruption, lost revenue, and damaged acquirer relationships.
The average size of detected FaaS attacks doubled between 2023 and 2024, with an estimated 56% of all companies becoming victims of FaaS attacks. Heists can involve millions of compromised credit card numbers. Protected health information (PHI) can be purchased on the dark web for as little as $1,000. Any way you look at it, FaaS costs businesses and consumers money, data, and time.
That said, certain verticals, like subscription businesses, digital goods vendors, and luxury retailers, are especially vulnerable to FaaS. If that’s your business, you can expect more frequent attacks and steeper losses per incident.
Since most FaaS attacks are coordinated and scaled, identifying one requires a bird’s-eye view. You need the ability to recognize signs, like coordinated logins from devices bearing identical device fingerprints. Unlikely pairings of geolocation and credit card address can also point to a FaaS attack.
Bot-like actions, like checkout attempts several milliseconds apart, or the lack of human-like browsing activity, are also characteristic of FaaS attacks. And, of course, a spike in orders (or return requests) using the same template or language can be a dead giveaway.
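The signals described above (shared device fingerprints, machine-speed checkouts, and geolocation that does not match the card address) can be checked together over a batch of checkout events. The following Python sketch is an added example, not code from the original article; the event fields, sample data, and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real data):
# (ts_ms, account, device_fp, ip_country, billing_country)
EVENTS = [
    (1000, "acct-01", "fp-aaa", "US", "US"),
    (1004, "acct-02", "fp-aaa", "RO", "US"),
    (1009, "acct-03", "fp-aaa", "RO", "GB"),
    (1013, "acct-04", "fp-aaa", "RO", "US"),
    (5000, "acct-10", "fp-bbb", "US", "US"),
    (65000, "acct-10", "fp-bbb", "US", "US"),
    (90000, "acct-11", "fp-ccc", "FR", "DE"),
]

# Assumed thresholds; tune them against your own traffic baseline.
ACCOUNTS_PER_FP_ALERT = 3   # distinct accounts seen on one fingerprint
MIN_HUMAN_GAP_MS = 500      # faster consecutive checkouts look automated


def score_events(events):
    """Return {device_fp: sorted signal names} for fingerprints that trip a rule."""
    by_fp = defaultdict(list)
    for ev in sorted(events):            # tuples sort by timestamp first
        by_fp[ev[2]].append(ev)

    findings = {}
    for fp, evs in by_fp.items():
        signals = set()
        if len({e[1] for e in evs}) >= ACCOUNTS_PER_FP_ALERT:
            signals.add("shared_fingerprint")
        gaps = [b[0] - a[0] for a, b in zip(evs, evs[1:])]
        if any(g < MIN_HUMAN_GAP_MS for g in gaps):
            signals.add("machine_speed_checkout")
        mismatches = sum(1 for e in evs if e[3] != e[4])
        # One mismatch is common (travel, VPN), so require a majority
        # across several events to limit false declines.
        if len(evs) > 1 and mismatches * 2 > len(evs):
            signals.add("geo_billing_mismatch")
        if signals:
            findings[fp] = sorted(signals)
    return findings


if __name__ == "__main__":
    for fp, signals in score_events(EVENTS).items():
        print(fp, signals)
```

Fingerprints that trip several rules at once are stronger candidates for manual review than those that trip a single rule.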
Identifying and responding to FaaS attacks necessitates a different approach than that used for standard fraud. Tactics for preventing FaaS attacks, however, are much the same as any other form of fraud.
Blocking high-risk IP addresses, deploying heightened verification procedures at signup and checkout, and using fraud detection machine learning can help merchants hold FaaS providers and their illegal customers at bay. Keeping human experts and legitimate customers in the loop is also important, as is filing timely and detailed criminal reports.
Fraud as a Service is a process by which an individual bad actor provides tools and services to others to facilitate their commission of fraudulent online activity. FaaS can involve diverse tactics for perpetrating fraud.
FaaS is not limited to a single tactic. For example, the perpetrator may conduct distributed denial of service (DDoS) attacks on behalf of their customers. They may also rent botnets to criminals, who can then use the rented tools to conduct their own botnet attacks.
FaaS providers may have access to stolen payment card information, healthcare records, or social media accounts. They can use this data to create fake users (which are then sold or rented to subscribers) or simply sell the raw data and let fraudsters create their own faux accounts.
Modern-day online criminals are smart and professionalized. They work with one another to brainstorm new tactics and refine their techniques. That’s bad news for you as a business because you face multiple different points of vulnerability.
The last decade has produced numerous high-profile data breaches involving still-unidentified criminals who compromised millions of customers’ records. If you find yourself a victim of this type of attack, it could have substantial ramifications for your reputation and customer confidence.
FaaS is not only a growing threat; it’s also likely to be the next big fraud trend for the foreseeable future.
Frankly, the difference between lone-wolf cyber attacks and organized crime is glaring. A single criminal is concerning enough, but the average number of scams they can perpetrate on their own isn’t typically that high. However, when criminals team up and organize, the number of scams they can perpetrate increases exponentially.
Fraud prevention best practices include deploying velocity checks and other verification tools, as well as maximizing data analysis, avoiding false declines, and employing manual reviews for flagged transactions.