Advancements in technology have come a long way to enable fraud teams, but cybercriminals are getting more skilled at weaponizing this technology to bypass business’ preventative measures. It’s easier now than ever for anyone with an internet connection to participate in malicious activity due to fraud tools and technology becoming more accessible.
The democratization of fraud refers to the increasing accessibility and ease with which anyone, regardless of technical experience, can engage in fraudulent activities. This can be attributed to various factors, including technology innovation, the availability of information, and the evolving nature of fraud.
Much of this occurs in the seedy underbelly of deep and dark web forums and marketplaces that sell fraud guides, sets of personally identifiable information (PII), “fraud-as-a-service” tools, and a variety of on-demand phishing services. The release of generative AI tools has also given rise to more advanced AI-enabled fraud. In this blog, we will explain these fraud risks and best practices for fraud detection.
The democratization of fraud meets fraud-as-a-service
The deep web features a growing number of on-demand tools and services that anyone can purchase in order to commit fraud. This trend, known as fraud-as-a-service (FaaS), includes how-to fraud tools, technology, and tactics that are packaged for sale to other fraudsters.
Typically found on easily-accessible deep web forums like Telegram, these schemes operate similarly to online marketplaces. Seasoned fraudsters sell on-demand services to other, sometimes inexperienced, bad actors.
One common example of this is cybercriminals taking to Telegram to steal from restaurants and food delivery services. Sift’s Trust and Safety Architects found that bad actors are advertising their services on Telegram forums in order to purchase food and beverage orders on behalf of customers at a reduced price, and using stolen payment information.
The democratization of first-party fraud
The acceleration of e-commerce in recent years has made it crucial for merchants to embrace digital experiences in order to stay competitive. Unfortunately, fraudsters have learned how to target online businesses through multiple forms of fraud that don’t require advanced fraud skills, including first-party fraud.
First-party fraud (also known as friendly fraud) is when an authorized cardholder makes a purchase with their credit card and later claims that the purchase was fraudulent or unauthorized. It’s a common form of fraud that’s becoming more widespread and easy to commit. According to Sift research, 23% of consumers who have disputed a purchase admit to participating in first-party fraud, during which they file a fraud dispute for a transaction they made even though there was nothing wrong with the purchase.
First-party fraud is a primary example of the democratization of fraud since it can be carried out directly by an individual with zero technical expertise required. A variety of deep and dark web forums provide guides for committing first-party fraud, making it easier for anyone to participate in.
The accessibility of “fullz” on the deep and dark web
There are many deep and dark web marketplaces that sell sets of valuable personally identifiable information (PII), called “fullz.” Fullz is criminal slang for the full set of PII needed to commit identity theft or payment fraud. For example, credit card fullz include full names, addresses, credit card numbers, credit card verification value (CVV) numbers, and expiration dates.
These credit card numbers and PII are most frequently stolen in data breaches, through the use of malware or via phishing campaigns. However, the availability of fullz on deep web marketplaces enables less technically savvy criminals to purchase credit card numbers and engage in payment fraud without having to steal this data themselves.
The democratization of phishing and account takeovers (ATOs)
Account takeovers (ATOs) are a type of fraud attack that results in the unauthorized access of an account, typically through the use of stolen credentials, which can be obtained through phishing or by purchasing from deep and dark web marketplaces.
Once an account has been compromised, it may be used to launch additional attacks, make fraudulent purchases or transactions, or steal valuable information. According to Sift’s Q2 2023 Digital Trust & Safety Index, account takeover increased 427% in Q1 2023—compared to the entirety of 2022.
Unfortunately, phishing campaigns and ATOs have become increasingly democratized through the use of phishing-as-a-service, one-time password (OTP) bots, and generative AI tools like Bard.
Criminals can purchase phishing kits and phishing-as-a-service tools from dark web marketplaces to conduct phishing campaigns without any technical knowledge. Many of these phishing kits include functionality to bypass multi-factor authentication (MFA). In other instances, fraudsters can purchase OTP bots that automate the process of bypassing MFA.
The most recent trend in the democratization of fraud is the use of AI tools to craft more convincing phishing emails and scams. According to Sift’s Q2 2023 Digital Trust & Safety Index, in the six months since ChatGPT was released in November 2022, nearly half of consumers admit to finding it more challenging to identify scams. Furthermore, 78% of consumers express concern about the use of AI to defraud them.
Preventing the downstream effects of the democratization of fraud
Businesses should expect that fraud will continue to evolve faster and present a greater threat. This is why it’s important for merchants to implement future-forward strategies and technology that’s capable of adapting with this changing landscape, such as the universal coverage of a real-time global network of fraud data. Machine learning provides the best approach by detecting patterns of abuse and signals from a diverse network.
From account defense to payment protection to dispute resolution, machine learning can detect account anomalies that are indicative of suspicious activity. Decision engines can apply custom rules based on risk scores, such as dynamic friction (i.e., enforcing MFA) or blocking risky transactions.
Tapping into the power of a global data network is critical for detecting these fraud signals. For example, Sift’s global data network ingests more than one trillion events per year, improving fraud detection accuracy by 40%.
Take our Digital Trust & Safety Assessment to see how Sift can help you solve your unique fraud challenges.