Fraud has become a pervasive part of the discussion around cybersecurity. In part, this reflects a change in attacker motives, as cyber-attacks were not always as vicious as they are now. From the 1980s into the early 2000s, hacking was not really about profit. It was primarily about achieving fame in the hacker community by demonstrating knowledge and insight about information systems, while also having a bit of fun. While many of the early high-profile hacks were indeed illegal and were prosecuted as such, they were also comparatively whimsical and harmless, except to the IT staff who had to clean up the networks afterward.

By comparison, the present threat landscape is broken down into two significant approaches. Although other kinds of attackers exist, most significant attacks fall into one of two categories. One is nation-state actors, whose motivations primarily make up the espionage and (cyber)warfare portions of the CHEW model of attacker motives. However, North Korean advanced attackers such as APT38 have notably included cybercrime in their repertoire to generate liquid funds for the heavily sanctioned and internationally isolated North Korean regime. The other mode is crime, which is incorporating an increasingly diverse set of fraud strategies into the cybercrime toolbox.

Fraud is, accordingly, on everyone’s lips, but some misunderstandings about it threaten to blur the concept, which can make fraud look—erroneously—like a vague synonym for cybercrime itself. This does us no good, for two reasons: it overlooks the experience and knowledge in detecting and preventing fraud that other parties—law enforcement, financial institutions, and governments—have, and it makes it unclear exactly how to fight it.

This article is an attempt to clarify what forms digital fraud takes and to differentiate it from other attacker behaviors that are often related or adjacent to fraud. The goal here is to help security practitioners understand where antifraud efforts and security converge and where they diverge. So, no matter how any particular organization is structured, fraud teams and security teams can better understand their respective responsibilities, strengths, and weaknesses.

Defining Fraud

We start with the FBI’s definition of fraud, because it contains the key element we need to understand when a cyberattack is, or includes, fraud. The FBI defines fraud as:

The intentional perversion of the truth for the purpose of inducing another person or other entity in reliance upon it to part with something of value or to surrender a legal right. Fraudulent conversion and obtaining of money or property by false pretenses.

Leaving aside the fact that the word fraudulent is part of the definition of fraud, this definition helps us because it emphasizes that fraud is a financial crime that hinges on a lie. Successful lying requires some kind of contact, some social interaction, even if the contact is abstract and digital in form.

This observation is key because it lets us quickly eliminate several things that are often fraud-adjacent and part of mitigating fraud but aren’t really fraud. Theft is chief among them. Stealing something usually means avoiding direct contact with your target; if there is no contact, there can’t really be a lie. This means that most credential theft, whether it takes the form of keylogger malware or exfiltrating hashed passwords, can’t be fraud, even though it is a precursor to fraud and part of the antifraud umbra. The same goes for most account takeover (ATO) attacks, although that is a gray area which we’ll touch on later. Enrichment of stolen data, such as cracking hashed passwords, is also fraud-adjacent but not fraud. Those passwords might be used for fraud in the future, but because they don’t involve any deception, they don’t fit our criteria.

These distinctions also illuminate some critical differences between cybercrime and real-world crime: in the real world, theft immediately results in a loss to the victim, even if an attacker hasn’t had time to monetize the theft. In the case of digital theft, the loss is not immediately apparent (even if the victim immediately knows the theft occurred, which is rare) and only materializes when fraud occurs. This distinction works in converse as well—not all digital theft is in pursuit of fraud. In the case of piracy or intellectual property theft, the path to extracting value from the stolen goods involves no contact at all. This distinction is part of the reason why understanding digital fraud is not intuitive.

Flavors of Untruth

Traditionally, when the world was a little smaller, and checking people’s stories was harder, fraud often hinged on fabricating a background, therefore misrepresenting the implicit financial risk of working with the fraudster. Even though the story is contemporary, fraudster Anna Sorokin’s success in impersonating a wealthy heiress in order to obtain lines of credit, both official and unofficial, is a surprisingly successful example. In contrast, most digital fraud is about impersonating another identity completely, not just fabricating a background. This takes the form of asserting that you are indeed the person whose name is on that payment card or who earned those air miles.

Although many subtypes of fraudulent attacks exist, and the following is not an exhaustive list, the lying that underpins fraud really has only three kinds of targets: customers (meaning the public), private organizations, and public organizations.

Lying to the Public

Fraud cases like these don’t refer to an event in which someone’s credit card number is used for a fraudulent transaction because, while the citizen is a victim of a crime, they aren’t the target for the lie. Fraud against regular people is really about things like:

• Dating fraud: This type of fraud tends to take one of two forms. One is the appearance of a young woman looking for a man who can transfer some funds to her, after which romance will, we are told, abound. The other form is fraudsters looking for “romantic partners” who don’t mind handing off a package to someone, that is, looking for mules. In both cases, a fraud ecosystem is built around identifying likely targets, preparing plausible-looking bank accounts to accept funds, and collecting dossiers of believable information, such as photographs (usually of young women), that can be used as bait.
• Wire fraud: This type straddles the line between defrauding the customer and defrauding the bank, but it is incumbent on the banking customer to confirm the wire instructions with the appropriate account and routing numbers; the bank’s ability to intervene is limited. The lie here is really about the validity of the financial account information, which is usually delivered in a spoofed email purporting to be from the receiving bank.

Lying to Private Organizations

These are fraud cases where an organization is defrauded, which means there is either a higher value to a singular fraud attempt or multiple, smaller on-going fraud attempts happening.

• Bank fraud: A lot of the fraud that happens around financial institutions is actually better understood as fraud against banking customers (discussed under “Wire fraud”) or fraud against retail organizations (more on that later). However, application fraud, in which attackers use stolen or spoofed personal information to open an account in a victim’s name, is an interesting example. Fraudulent bank accounts are used as logistical support for other criminal activities, such as money laundering or providing a landing place for funds from a dating fraud, as detailed earlier. Figure 1 shows a cybercriminal advertisement for bank fraud services for stolen banking information.