What is Fraud as a Service? Heard About SaaS? Well, How About FaaS?
What is Fraud as a Service? Definitions & Overview
If you’re using Microsoft Office or QuickBooks, you know that these solutions don’t come with installation disks anymore. Most popular software these days is sold as a service on a subscription basis.
This model, known as software as a service (SaaS), provides access to software through the internet. It was popularized in the 1990s as a more efficient way to deliver the product. From a customer perspective, it saves IT departments the time and hassle of new installations and setups, constant maintenance, and ongoing upgrades. It also ensures that users are always working with the most up-to-date features and security patches.
Alarmingly, fraud appears to be heading in a similar direction. Rather than carrying out fraudulent schemes themselves, bad actors worldwide can now purchase fraud-enabling tools, data, or services from professional, organized criminal rings. Anything from account takeover kits and synthetic identities to stolen card numbers to denial-of-service capabilities can be purchased and used by third-party fraudsters, with no need for advanced technological savvy.
In this article, we take a closer look at Fraud as a Service (FaaS), why it’s popular, how it’s used, and why it spells trouble for its victims.
Fraud as a Service (FaaS)
Similar to software as a service (SaaS), buyers who purchase Fraud as a Service (FaaS) products don’t need to understand the inner workings of the program or how to carry out the fraud themselves. That’s a big problem for legitimate merchants and consumers: it means that even the least sophisticated bad actors can launch complex and large-scale attacks with nothing more than an internet connection.
What is Fraud as a Service?
- Fraud as a Service [noun] /frôd • əz • ā • sərvəs/
Fraud as a Service is a process by which an individual bad actor provides tools and services to others to facilitate their commission of fraudulent online activity. FaaS can involve diverse tactics for perpetrating fraud.
In contrast to standalone fraud tactics like chargeback fraud, identity theft, SIM swapping, or account takeover fraud, fraud as a service (FaaS) involves scams carried out by professional fraudsters on behalf of paying clients.
Essentially, picture an underground version of software as a service (SaaS). But, rather than selling project management, time tracking, or sales enablement software, criminal FaaS enterprises sell prepackaged fraud or fraud kits like stolen payment information, social security numbers, business email compromise tools, and phishing scripts.
FaaS vendors will carry out scams on behalf of customers that don’t have the skills or infrastructure to do them on their own. I’ll highlight a few of the most common illicit services below.
Where Are FaaS Services Sold?
Fraud as a Service is sold like legit B2B software, complete with pricing tiers, support, and guarantees. It can be purchased across dark web marketplaces, encrypted platforms like Telegram and Discord, and even surface-web forums disguised as legitimate tools.
As the fraud economy became more professionalized, fraud services grew beyond back-alley operations into a streamlined, corporate-style marketplace.
FaaS providers market and deliver their “products” with the same vigor as legitimate B2B companies. Some, for instance, may offer tiered pricing models, discounts, and technical support. Other established FaaS providers may even use customer review systems and performance guarantees to build trust with customers. Services can be easily purchased on both the hidden and visible web.
Distribution channels include:
Who Uses Fraud as a Service?
From unsophisticated novices to global fraud rings, anyone with an internet connection can theoretically purchase, use, and launch FaaS-enabled attacks.
FaaS has effectively democratized cybercrime by removing many of the technical barriers. The technical execution, which previously required the hands of elite hackers, is now more commonly available to anyone with criminal intent.
Put another way, FaaS customers don’t actually need the skills to design and launch an attack themselves. Now, they can outsource all of that to specialized providers. All it takes to become a fraudster is a modest budget, a basic internet connection, and the ability to purchase FaaS.
That helps big-time crooks, of course, but it also means that your neighbor, your co-worker, or even you can become a professional fraudster. You end up with a much wider pool of participants and exponentially higher overall fraud volume.
So who is actually turning to FaaS? Here are some common examples:
The Opportunistic Amateur
Individuals who possess little to no technical skill use plug-and-play FaaS kits to launch professional-grade phishing or carding attacks. By simply renting a pre-configured infrastructure, they become significant threats to eCommerce merchants overnight.
Organized Crime Syndicates
FaaS enables global criminal enterprises to scale operations without the overhead of an in-house R&D department. Crooks focus on high-level laundering and resource extraction while outsourcing labor-intensive tasks like botnet management or data harvesting.
Cyber Shoplifters
“Chargeback as a Service” platforms also exist, and can be used to automate the dispute filing process. The crooks obtain goods and services from legitimate merchants using FaaS tools to hack promos and coupons, bypass merchant return policies, or force refunds through professionalized dispute manipulation.

