Definitive A to Z guide to fraud and scams


How well do you know fraud? As it turns out, we’re all learning new things about it every day. Read the following A to Z fraud guide to learn the major types of threats to worry about.

What’s the difference between frauds and scams?

Before we dive into the A to Z guide, it’s essential to make an important distinction between frauds and scams. While the terms are often used interchangeably, often go hand-in-hand and both describe tactics of fraudsters, they are actually different concepts.

The key differentiator is their purpose. A scam is an attempt to deceive a victim or steal their sensitive information, such as their mobile phone number, email address, Social Security number, or passwords. Scam tactics can include phishing emails, text messages, or websites that trick victims into sharing their information.

Fraud attacks, on the other hand, are often the next logical step following a scam. Once a victim has unintentionally revealed their personal information (via a scam), the fraudster will use that information to commit an act of fraud, such as an account takeover attack or push payment fraud. In other words, the fraud stage is where bad actors benefit financially from their actions.

An A to Z Guide to Fraud and Scams

The following A to Z guide breaks down some of the most common types of fraud and scams and distinguishes between the two categories.

A is for Account Takeover

In an account takeover (ATO) fraud attack, fraudsters use a legitimate customer’s credentials to access the victim’s bank or eCommerce account. The fraudsters will then either transfer money to another account they control or make purchases with the victim’s payment information.

B is for Bot Attack

In a bot attack – sometimes known as a botnet attack – fraudsters use a coordinated network of devices and programs to automatically send numerous simultaneous digital requests, resulting in a distributed denial of service (DDoS). Bots can also be used to launch large-scale spam campaigns designed to scam sensitive information from large groups of unsuspecting victims and to commit multiple eCommerce transactions using a legitimate customer’s online profile and payment information.

C is for Card Cloning

Card cloning fraud – also known as card skimming – is when fraudsters use card skimming technology to duplicate a legitimate credit card. Fraudsters can clone any type of card – debit, credit, and gift cards – and make physical and digital copies.

D is for Dating & Romance Scams

In a dating or romance scam, a bad actor (and that’s the keyword here!) will pretend to be romantically interested in a victim. After scamming the victim into believing the fake relationship is real – often using digital dating services or apps – they manipulate their victim into sending them money or gifting valuable items. This type of scam is also known as catfishing.

E is for Employee Fraud

Employee fraud is when an employee steals from their employer. This involves tactics like removing physical items from a business or pocketing money instead of depositing it in the employer’s account. More sophisticated employee fraud operations involve insiders creating fake clients or even fake workers and having funds (like B2B payments or salaries) sent to accounts they control. 

F is for Fake Investment Fraud

In a fake investment fraud, a fraudster promises their victim a low-risk venture with a considerable return on investment in products like gold, stocks, or cryptocurrency. However, the investment either doesn’t exist or is not nearly as profitable as promised. 

G is for Grandparent or Grandchild Scam

A grandparent scam is a type of scam that preys on elderly people’s fears that a loved one is in trouble. Fraudsters will first use tactics like phishing, malware, or spam to obtain a grandparent’s phone number. Next, they send a message to the victim claiming to be their grandchild who is injured or stuck overseas and ask for financial help.

H is for Helpdesk Scams

In a helpdesk scam, fraudsters contact victims pretending to be IT specialists from high-profile tech companies (like Apple or Microsoft). They’ll claim a suspicious program has been detected on the victim’s computer and persuade them to give the fraudster remote access. If the scam is successful, fraudsters access the victim’s sensitive information or install malware.

I is for Impersonation Fraud

To pull off an impersonation fraud, a fraudster pretends to be a trustworthy figure such as a police officer or a bank employee. They convince victims their bank account has been compromised and urge them to transfer money to a different account – one the fraudster controls. Fraudsters can also impersonate a victim’s boss and urge them to approve payment for a fake invoice. 

J is for Jury Duty Scam

Jury duty scams are specific to regions where citizens serve as jurors. As in impersonation scams, fraudsters pose as officials and tell victims they missed their jury duty appointment and will face heavy fines. They convince victims to share their payment information or transfer funds to the fraudster’s account.

K is for Kidnapping Scam

In a kidnapping scam, a fraudster claims to have a loved one captive and demands a ransom as payment. Fraudsters might steal the loved one’s phone or contact the victim if they know their “kidnapping victim” is on an airplane and unable to call them to confirm they are safe.

L is for Loan Repayment Fraud

A loan repayment scam targets homeowners who have taken out a mortgage. Fraudsters contact the borrower pretending to be a representative of the lending institution. They tell their victim they missed a payment and could risk foreclosure unless they transfer money to an account the fraudster controls.

M is for Malware

Malware is critical to many fraudsters’ criminal activities. A malware scam is when fraudsters deceive victims into installing malware onto their computers or mobile devices. Once installed, the malware collects sensitive information and shares it with the fraudster – often without the victim realizing what’s happening behind the scenes.

N is for New Account Fraud

In a new account fraud, a fraudster opens a new account with a bank, sometimes using a synthetic identity. After opening the account, they arrange to have a money mule deposit money to the account. Fraudsters could also apply for loans or credit cards and then max out the credit with no intention of paying it back.

O is for Online Shopping Fraud

Online shopping fraud (also known as purchase fraud) involves selling fake products online. Victims shop online, but their purchases never arrive. This type of fraud is prevalent during times of extreme demand such as when consumers needed masks and rubber gloves at the start of the pandemic.

P is for Phishing Scams

Phishing is an email scam tactic to deceive victims into revealing their personal information. Fraudsters email victims and direct them to fake websites where they are prompted to submit their bank account details or credit card numbers. In other variations of this scam, fraudsters use SMS or text messaging (called smishing) or voicemail messages (called vishing).

Q is for Quiz Scams

Anyone who has ever used social media has encountered an online quiz that seems too fun or enticing to pass up. Many promise a high-value prize like an expensive vacation if you win. In reality, many online quizzes are often phishing scams. After the quiz is complete, users are directed to submit their personal information in order to claim their “prize” which never materializes.

R is for Recruitment Scams

A recruitment scam involves a fraudster convincing a victim that they have a job opportunity (often working from home) that pays a generous salary. However, the reality is these “job applicants” have been recruited into money mule schemes. Upon getting hired, the victim’s new “employer” tells them they will receive ACH transfers or wire payments directly into their personal bank accounts and to move the money to prepaid cards or a different account. Some victims are told to receive packages and redirect them to new recipients. 

S is for Synthetic ID Fraud

In a synthetic identity (or synthetic ID) fraud, fraudsters will build a fake identity by using a real person’s (or several people’s) personally identifiable information (PII), sometimes by slightly changing the real person’s name (like switching from Bob to Robert). They can open new credit cards or bank accounts in their victim’s name.

T is for Travel Scams

Travel scams take many forms. In a travel scam, fraudsters sometimes offer to sell victims airline tickets at a discounted price but never deliver them. Other travel scams offer to convert different currencies at a higher exchange rate or sell victims fake vaccine passports. These types of scams are on track to surge as people get ready to take vacations again. 

U is for Unemployment Fraud

Unemployment fraud recently surged following pandemic-driven economic shutdowns worldwide. In these scams, fraudsters use stolen credentials to file a fake unemployment claim using a real person’s name. These scams can have serious financial consequences for the people unemployment assistance is intended to benefit.

V is for Virtual Card Fraud

Virtual cards are digital cards that only exist online, sometimes in a user’s banking app. Fraudsters use account takeover attacks to gain control over a user’s account and use the virtual card for their own ends. Sometimes fraudsters work to clone the virtual cards and make purchases, ultimately leaving the real user footing the bill.

W is for W-2 Phishing Scams

A W-2 phishing scam is a form of business email compromise (BEC) that relies on impersonation. Fraudsters will pretend to be a company insider – either someone in HR or even the CEO – and request W-2 tax forms belonging to other employees. Once the forms are delivered, fraudsters have access to a wide range of personal information, including names, addresses, Social Security numbers, income, and more.

X is for X-Border Payment Fraud

Cross-border fraud (or x-border fraud) involves purchasing goods or services from an overseas vendor and often carries risks. Fraudsters list fake goods online or wait for a supplier to ship the merchandise and then never deliver on their end of the agreement. 

Y is for Yahoo Data Breach

The Yahoo Data Breach of 2014 is one of the most severe data breaches in history. An estimated 500 million user accounts were compromised in the attack. This large-scale breach – along with many others – has given fraudsters large volumes of PII to commit new fraud attacks. Some online websites saw a 30% increase in chargebacks stemming from fraud based on this breach.

Z is for Zombie Bot

A zombie bot is a type of malicious program that fraudsters use to gain control of a device remotely. Once infected, the machines act as “zombies,” allowing bad actors to launch cyberattacks against their targets. These include botnet or DDoS attacks.

Of course, these are only a few of the numerous examples of frauds and scams that exist. Sadly, bad actors continue to invent new tactics that are still being understood. That’s why it’s important for both banks and customers to be aware of the different fraud and scam threats that currently exist – and prepare for new ones that will inevitably emerge.