The Lifecycle of a Fraud Attack

A fraud attack doesn’t just happen all at once. In fact, a single fraud event includes several stages, each of which deserves its own scrutiny and study. As fraud attacks and data breaches become increasingly common, it’s important for banks and merchants to understand the full lifecycle of a fraud attack in order to prevent and detect them more effectively at every stage. Download our infographic to understand each step of the fraud lifecycle.

Download the Lifecycle Fraud Infographic

Stage 1: Customer Access 

Gaining entry to an account is often the first thing a fraudster needs to do to commit fraud. This is typically achieved by breaching an account or by circumventing account security. 

Unfortunately, fraudsters have many options available to them to do just this. Numerous data breaches dating back years have compromised the credentials and personally identifiable information (PII) of millions of legitimate consumers. Fraudsters can access the credentials they need either by using phishing scams to trick users into revealing them or by purchasing them off the dark web. Once they have the information they need – email addresses, phone numbers, social security numbers, or passwords – they can pose as a legitimate customer and commit account takeover (ATO) fraud.

Stage 2: Transaction 

Fraudsters have a wide range of avenues available to breach an account. Once successful, their next move is to transact in some way.

This could include making transfers from the legitimate customer’s account into another bank account that they control. If they breach a merchant account, they could purchase items using the customer’s payment information and have the ill-gotten goods delivered to a different address.

Alternatively, fraudsters could skip the steps needed to commit an ATO and simply apply pressure to the account holder directly. Instead of attempting to access the account themselves, they could use an authorized push payment (APP) scam to get the legitimate account holder to send money to an account under their control. The fraudster could also pressure the customer (or even merchant employees) to rack up a big shopping bill on their behalf and have the goods delivered to their preferred address.

Application fraud is another avenue that fraudsters can take. If they’re successful, they could open a bank account, get a credit card, or apply for a loan before a bank or financial institution has a chance to realize they aren’t who they claimed to be or realize they have no intention to repay the debts they have accrued.

Stage 3: Monetization

As we’ve said before, fraudsters have a for-profit mindset. The entire point of the fraud is for the bad actor to have some kind of tangible gain for their efforts. If they were successful in transferring money out of a legitimate customer’s account (or in tricking or pressuring the customer into making the transfer through APP fraud), they will need to legitimize the money in some way.

How would they do this? Possible methods could include moving money between multiple accounts. Another option is to convert the money into another form like a digital wallet or withdraw the funds as cash. If they were successful in buying goods from a merchant using the customer’s name and credit card, the fraudster might attempt to sell the items online or on the black market. They could also exploit vulnerabilities in the merchant’s refund policies by returning the goods to the merchant in exchange for cash.

Understanding the financial gain that fraudsters stand to make from fraud is just as important as understanding how it happened in the first place. If banks and merchants can recognize how fraudsters are benefitting from their efforts, they can take more effective steps to prevent the monetization of fraud.

How banks and merchants can reduce fraud 

Fraud isn’t a single event. Fraudsters need to gain access to a legitimate customer’s account, find the most effective way to use that account, and ultimately turn a profit on their ill-gotten gains. Unfortunately, many organizations limit the focus of their anti-fraud efforts to the middle stage (Transaction) of the lifecycle without doing enough to look at the upstream and downstream stages of Customer Access and Monetization.

Successful banks and merchants should understand the different parts of the fraud lifecycle. Each stage requires its own defense layer. What’s more, these layers must interact and communicate with each other to be effective and can’t afford to be siloed. Banks and merchants need to understand how fraudsters were able to access a legitimate user’s account, how they were able to disguise themselves and transact using the legitimate account holder’s name, and, finally, what the financial gain was.

A one-size-fits-all approach won’t successfully stop all fraud. That’s why having different solutions in place to address the different and unique stages of fraud is the best defense against fraud. Banks that implement agile, data-based strategies for the different stages of fraud will be in a better position to stop fraudsters and protect their customers.
