Ambitious Cybercriminals are Going Big with FaaS: Fraud as a Service
As tempting as it can be to imagine online fraudsters as maladjusted basement-dwellers who resort to a life of cybercrime due to a lack of any other marketable skills, this is simply not the case.
The fraudsters who are consistently finding hidden vulnerabilities, devising new scams, and stealing billions per year are smart, sophisticated, and organized. In fact, online fraud has become a thriving business model—“Fraud as a Service,” or FaaS. How does FaaS work in practice, and what can merchants do to defend themselves when fraudsters join forces to launch organized attacks?
Fraud remains one of the most persistent and damaging problems for ecommerce merchants, and the cost keeps going up: for every fraudulent dollar spent, the true cost to the merchant is more than three times as much, and for many merchants that ratio has increased by an average of 7% over last year. Meanwhile, fraud attempts and success rates are increasing as well.
One reason fraud is so costly is that it almost always results in chargebacks. When a fraudulent purchase is disputed and granted a chargeback, the merchant loses the cost of the goods, the transaction amount, the chargeback fees, and the time and labor spent making the sale and dealing with the dispute. Worst of all, every chargeback counts against the merchant’s chargeback ratio—and an excessive chargeback ratio can lead payment processors and acquirers to sever ties with the merchant, leaving them unable to accept card payments without agreeing to the exorbitant fees charged by “high-risk” payment processors.
Knowing that fraudsters are organizing and optimizing their schemes may make the problem seem even more daunting, but remember that knowledge is power—when you understand how fraudsters operate, you can strategize against them more effectively.
What is Fraud as a Service?
What a FaaS operation offers is essentially a fraudster-for-hire service. If a cybercriminal wants to take over an online account, access stolen credit card numbers, or launch a botnet attack, they don’t have to learn how to phish, hack, and program bots on their own. They can just contact a FaaS provider who will handle all the messy details for them.
Buying bots and stolen payment credentials from other cybercriminals is nothing new, but what makes FaaS different is that it is designed to run just like a legitimate business would.
FaaS organizations offer customer service and support, provide free trials and money-back guarantees, and engage in research, development, and training in new and more efficacious forms of fraud. FaaS providers are typically found on the dark web, operating out of countries and jurisdictions that are less likely to shut them down and prosecute them. Wherever the individuals behind them might happen to reside, their reach is global, and they often cooperate with each other to make it easier to convert stolen digital data into cold hard cash.
What Makes FaaS Different from Ordinary Fraud?
Merchants on the receiving end of fraud won’t always be able to tell whether they’ve been victimized by a lone wolf or a sophisticated FaaS organization. The methods and attacks they use aren’t different or unique—although FaaS groups are more likely to have access to the latest and most insidious methods and software.
The real danger of FaaS is that by providing organization, consistency, and accessibility to anyone unethical enough to hire them, it creates an infrastructure and culture that allows fraud to grow and become even more profitable.
It’s not hard to imagine a scenario where a small merchant with a unique, highly sought-after product suddenly becomes overwhelmed by FaaS attacks on a large scale.
The flip side of this is that many FaaS providers are clever and high-tech enough to choose their clients and targets carefully and cover their tracks well. In the vast majority of incidents, merchants will never have a good way to find out whether or not a FaaS group was behind any given instance of fraud.
How Can Merchants Protect Themselves from FaaS?
Because FaaS uses the same methods, tools, and tactics as ordinary fraud—albeit usually in a more efficient and organized manner—there aren’t any special tricks for fighting it. What merchants must do in the face of this new threat is use the same best practices for fraud prevention that have always been recommended, supplemented with anti-fraud tools chosen and calibrated to fit their business.
Here are some of the easy steps merchants can take to reduce fraud:
- Protect customer accounts by requiring strong passwords
- Don’t authorize payments without an AVS/CVV match
- Watch out for common fraud indicators (or use a tool that does this automatically) and manually review flagged orders before processing
- Keep your shopping cart software (and other programs that handle sensitive processes) updated and patched regularly
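The AVS/CVV gate and the flag-for-manual-review step from the list above, written out as an added example (not code from the original article). It assumes typical processor result codes (Y for a full AVS match, A/Z for a partial match, M for a CVV match; verify against your own gateway's documentation) and a few illustrative indicators (billing/shipping country mismatch, high order value, card velocity) chosen as assumptions.

```python
from dataclasses import dataclass

# Assumed processor result codes; real gateways document their own sets.
AVS_FULL_MATCH = {"Y"}      # street address and postal code both matched
AVS_PARTIAL = {"A", "Z"}    # only the address (A) or only the postal code (Z) matched
CVV_MATCH = {"M"}           # CVV/CVC matched


@dataclass
class Order:
    order_id: str
    amount: float
    avs_code: str
    cvv_code: str
    billing_country: str
    shipping_country: str
    recent_orders_same_card: int  # orders seen on this card in the last hour (constructed)


def fraud_indicators(order: Order, amount_threshold: float = 500.0) -> list[str]:
    """Return the illustrative indicators an order trips; any hit means manual review."""
    flags = []
    if order.avs_code in AVS_PARTIAL:
        flags.append("avs_partial_match")
    if order.billing_country != order.shipping_country:
        flags.append("billing_shipping_country_mismatch")
    if order.amount >= amount_threshold:
        flags.append("high_value_order")
    if order.recent_orders_same_card >= 3:
        flags.append("card_velocity")
    return flags


def authorization_decision(order: Order) -> tuple[str, list[str]]:
    """Decide approve / review / decline before the payment is captured.

    No CVV match, or no AVS match at all, is a hard decline; a full match with
    no indicators is approved automatically; everything else goes to review.
    """
    if order.cvv_code not in CVV_MATCH or order.avs_code not in (AVS_FULL_MATCH | AVS_PARTIAL):
        return "decline", ["avs_or_cvv_no_match"]
    flags = fraud_indicators(order)
    return ("review", flags) if flags else ("approve", [])


if __name__ == "__main__":
    # Constructed sample orders: a clean one, a no-match, and a suspicious one.
    for o in (Order("o1", 80.0, "Y", "M", "US", "US", 0),
              Order("o2", 80.0, "N", "M", "US", "US", 0),
              Order("o3", 900.0, "Z", "M", "US", "CA", 4)):
        print(o.order_id, *authorization_decision(o))
```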
Once a fraudulent transaction is processed, the real cardholder is sure to file a chargeback once they realize what has happened. When fraud has truly occurred, the merchant has no standing to fight the chargeback and represent the transaction. The only way to avoid the chargeback and prevent the increase to your chargeback ratio is to prevent fraud from happening in the first place.
FaaS is yet another evolution in the ever-growing problem of ecommerce fraud. Every time merchants and cybersecurity firms learn how to patch up a vulnerability or identify a new fraud scheme, the fraudsters set to work figuring out how to circumvent the most up-to-date defenses or trip up consumers who have wised up to the latest phishing scheme.
Fraud prevention is one of the cornerstones of any strong chargeback defense strategy. While many chargebacks are themselves fraudulent in nature and can be fought and beaten with the right evidence, true fraud chargebacks have a legitimate basis and merchants have to take a proactive stance toward warding them off. Reputable chargeback management firms will always work with merchants to evaluate their fraud risk profile and come up with recommendations for tools, prevention practices, and other solutions that can help them avoid becoming victims of run-of-the-mill fraudsters, sophisticated FaaS syndicates, and everything in between.