1 The Challenge
The most common types of fraud that organizations have to contend with are:
Account Takeover (ATO) fraud occurs when fraudsters use breached passwords and credential stuffing attacks to execute unauthorized transactions. Other means of account takeover are malware attacks (man-in-the-middle and man-in-the-browser) and the use of Remote Access Tools delivered through a Trojan or a social engineering scam.
Account opening (AO) fraud, also called New Account Fraud or Synthetic Fraud, often happens as a result of using stolen identities or collections of personal information to create synthetic digital IDs. Such fraudulently created accounts can be more difficult to detect, which is an advantage for the attackers. This type involves gathering complete sets or fragments of PII (Personally Identifiable Information) on legitimate persons to construct illegitimate accounts. Educational, financial, government, employment, and medical records and social media can be sources of PII used for assembling fake accounts, which are then often used to abuse promotions and instant loans and/or used as mule accounts to move money around. Various financial regulations require validation of users at registration time for Anti-Money Laundering (AML), Know Your Customer (KYC), US Office of Foreign Assets Control (OFAC), Politically Exposed Persons (PEP) validation, Relatives and Close Associates (RCA), and sanctions screening.
Credit card fraud is the improper or unauthorized use of credit cards. Common scenarios associated with credit card fraud are fraudulent Card-Not-Present (CNP) transactions and the use of stolen or counterfeit cards.
Malicious bots are used to attempt many kinds of ecommerce fraud and website abuse, such as inventory hoarding, jingle bots (adding items to a cart and abandoning it to tie up inventory), API inventory checking for denial of service or for competitive price checking, posting fake reviews and comments, inserting malicious links and ads in comments, reviews, forums, and similar venues, automated ad clicking and ad fraud, account creation, credential stuffing, file downloading, ticket scalping, gift card cracking, SEO poisoning, fake job postings, fake goods on auction sites, and more. Bots and headless browsers can also be used for Distributed Denial of Service (DDoS) attacks and for harvesting email addresses.
Phishing, vishing, and smishing are attacks on users via email, voice calls and voicemails, and SMS texts, respectively. They are generally attempts to get users to hand over credentials or personal information, or to make monetary transfers. Examples include shopping scams, fake investment opportunities, appeals for financial help, fake delivery notices, fake invoices, fake utility or other service cutoff notices, fake tax refunds, fake student loan notices, and so forth. Fraudsters are constantly varying their techniques and targets. Many are leveraging Artificial Intelligence (AI), specifically Large Language Models (LLMs), to write more convincing messages and increase their chances of success. This makes it harder for individuals to discern whether a message is genuine or malicious.