The Fraudster's Playbook: How Fraudsters Defraud Your Platform Featured Image

The Fraudster's Playbook: How Fraudsters Defraud Your Platform

 At a fraud prevention job, you’re following a set of policies and procedures put in place to make your job easier and more efficient—but have you ever wondered if fraudsters do the same? Fraud is the end goal, not the first step. In this post, we’ll dive deeper into how fraudsters get started on a target platform, and what you can do to help stop it. 

October 11, 2024 by Danny Paulk

By the time you encounter a fraudster, they’ve already gone through a full range of steps that might be invisible to you as a fraud prevention expert. All you see is the end result: a policy violation that needs to be addressed. But how do fraudsters get started? How do they gain access to your platform? How do you ensure that the fraudster you’ve just banned doesn’t come back again? 

In this post, we’ll be diving into the playbook fraudsters use to infiltrate and exploit a platform for their own gain. Understanding how fraudsters move throughout their entire journey can give you the insights you need to block fraud out closer to the source—before it has a more significant impact on your app.

Key TakeAways

  • Career fraudsters calculate their ROI, keep up to date with anti-fraud tools, and collaborate with other fraudsters to share resources, tools, and information 
  • Fraudsters start with creating a pool of fake accounts, then move on to schemes like promo abuse, social engineering, or collusion 
  • Keeping up to date with the latest anti-fraud tools, including advanced device fingerprinting to stop multi-accounting, can help you stay a step ahead of bad actors 

Understanding the career fraudster mindset 

Bad actors do what they do for a reason. If we can understand their reasoning, we can gain unique insights into how fraudsters operate, why, and how we can use their motivations against them. 

With this in mind, there are a few safe assumptions we can make about the practices of “career fraudsters” (people who defraud platforms systematically).

Fraudsters calculate their return-on-investment

Personal gain—usually personal financial gain—is the “why” behind every dedicated fraudster. 

Fraudsters are constantly calculating their ROI and looking for ways to optimize it. That might mean investing in automation tools, subscribing to Fraud-as-a-Service products built by other fraudsters, or scaling up their operations. 

The most important thing to realize about fraudster ROI is this: Fraudsters’ concern over ROI can be used to drive them away from your platform. 

If defrauding your platform is doable, but costs the fraudster too much money, time, or work, they’re much more likely to take their game elsewhere. 

That means that one of our goals as fraud fighters is to make fraud as expensive as possible for fraudsters.

Fraudsters keep track of tools used by fraud fighters 

In the same way that we’re always gathering intelligence about the latest FaaS tools and fraudster tactics, so too are fraudsters paying attention to what we’re doing on the anti-fraud side. 

Many fraudsters have advanced knowledge of which tools and signals anti-fraud software uses to identify them, and they change their tactics accordingly. This is why constant solutions testing and evaluation is so critical to staying a step ahead of the opposition—along with continuous innovation.

Fraudsters collaborate with each other 

It may come as a surprise, but the fraudster side is actually more collaborative than the anti-fraud side. Fraudsters share tools, methods, workflows, tips, and other valuable resources in Telegram channels, on hacker forums, on the darknet, and elsewhere. 

This means that a small exploit doesn’t usually stay small for long—it’s only a matter of time before the information spreads, and losses can accelerate exponentially.

The fraudster’s journey through your platform

With the above assumptions in mind, we can look at an example path a fraudster might take to start defrauding a platform, whether that be marketplace, gig economy, or another type.

Phase 1: Multi-accounting with emulators and app cloners

Multi-accounting is the gas that drives the mobile fraud engine. Without having multiple accounts, fraudsters can’t evade bans, and they can’t scale up their operation to a profitable level. Many platforms have some form of device ID in place to try and prevent ban evasion or other types of account creation fraud. 

Unfortunately, legacy device ID solutions haven’t been a challenge for fraudsters in years. 

Nowadays fraudsters know that it’s usually possible to evade a device ID with something as simple as reinstalling the app or factory resetting the device. 

While this method of getting around device ID is easy and possible, it’s also time-consuming. Career fraudsters often use a combination of app cloners and emulators to help them grow and manage their bank of fake accounts as quickly as possible. 

In the clip below, Incognia’s Global Head of Industry for Ride-Hailing and Food Delivery, Eduardo Pires, explains how using these tools in combination can be a massive productivity booster for fraudsters:

Phase 2: Promo abuse, collusion, and other types of fraud

With a healthy bank of fake accounts to choose from, the fraudster’s next step is to start using those accounts to commit the fraud and policy abuses that actually make them money. 

Promo abuse, refund abuse, and collusion are some of the policy violations we see most commonly, but they’re far from the only ones. 

Here’s a brief review of how each type of abuse might monetize: 

    • Promo abuse—a fraudster uses multiple accounts to fraudulently claim single use promo codes or offers multiple times. They make money by buying discounted products and reselling them, or by reselling the service itself for less than its standard price.
  • Refund abuse—a fraudster pays for and receives a product or service, but then falsely claims problems with their order with the goal of getting a refund. The fraudster switches between accounts frequently to avoid getting caught for making systematic refund requests.
  • Collusion—In food delivery and ride-hailing, we’ve seen fraudsters use both a driver-side account and a customer-side account to order services from themselves, which they then pay for with stolen credit cards. In effect, they use both sides of the platform to “cash out” stolen funds. 

These are far from the only ways that fraudsters make money defrauding a platform, but these examples hopefully give you an idea of how fraudsters might create a money-making scheme at your platform’s expense.

Phase 3: Ban evasion 

Sometimes, fraudsters get caught. If you catch someone breaking your platform’s policies and causing losses, your next step might be to ban that user to protect the integrity of your platform.

That’s a good step, but it only works if the ban actually sticks. 

If your red-handed fraudster has a bank of backup accounts waiting for them, your single account ban is only a speeding ticket. They can log in on a different account and get right back to defrauding you, wasting your fraud team’s time and money. 

The account creation to fraud to ban evasion cycle will last indefinitely unless you find a way to detect and block repeat fraudsters persistently.

How to future-proof against fraud 

The most powerful tool someone who commits mobile fraud has is their ability to hide their identity. If a platform can’t tell that Fraudster A is actually the same person as User B, that fraudster can keep their schemes going indefinitely. 

Fraudsters are also constantly innovating new ways to get around fraud detection systems—as we mentioned above, they keep up-to-date with tools fraud fighters are using. 

One of the best ways to future-proof your fraud strategy right now is to rely on a multi-layered solution. 

If one signal is vulnerable, the other signals in the stack can fill in those gaps and still persistently stop the fraud attempt. 

In Incognia’s case, we use a combination of device intelligence, tamper detection, and precise location to help us create a risk assessment for onboardings and logins. Each signal plays a role in interrupting a part of the fraudster playbook. 

For example: 

  • Device intelligence — allows us to identify the same devices when they come back to a platform, helping stop multi-accounting and ban evasion 
  • Tamper detection — allows us to detect emulators, app tampering tools, app cloners, and other tools highly associated with fraud 
  • Precise location — acts as supporting signal that allows us to persistently ID a user, even if they switch devices or obfuscate their device ID

There’s no such thing as a set-it-and-forget-it solution in fraud prevention. The unofficial fourth phase of the fraudster’s playbook is innovating, evolving, and adapting.

That’s why, as fraud fighters, it’s crucial for us to stay on the cutting edge. We aren’t just solving for today’s fraud problems—we’re solving for tomorrow’s, too. 
Danny Paulk

Danny Paulk

Content Creator and Copywriter
Subscribe

Most recent

Featured image for The Fraud-as-a-Service Economy: How Fraudsters Make a Living Attacking Gig Economy Platforms resource

The Fraud-as-a-Service Economy: How Fraudsters Make a Living Attacking Gig Economy Platforms

Learn about the underground economy fueling fraud on gig economy platforms.
Featured image for Device ID Obfuscation: How Fraudsters Make 1 Device Look Like 300 resource

Device ID Obfuscation: How Fraudsters Make 1 Device Look Like 300

Learn about device ID obfuscation and how bad actors stop their device from being re-identified by a platform.
Featured image for 3 Fraud-as-a-Service Tools Every Food Delivery Platform Should Know About resource

3 Fraud-as-a-Service Tools Every Food Delivery Platform Should Know About

Learn about the Fraud-as-a-Service tools impacting food delivery platforms and they can be countered.