The Fraudster's Playbook: How Fraudsters Defraud Your Platform
At a fraud prevention job, you’re following a set of policies and procedures put in place to make your job easier and more efficient—but have you ever wondered if fraudsters do the same? Fraud is the end goal, not the first step. In this post, we’ll dive deeper into how fraudsters get started on a target platform, and what you can do to help stop it.
By the time you encounter a fraudster, they’ve already gone through a full range of steps that might be invisible to you as a fraud prevention expert. All you see is the end result: a policy violation that needs to be addressed. But how do fraudsters get started? How do they gain access to your platform? How do you ensure that the fraudster you’ve just banned doesn’t come back again?
In this post, we’ll be diving into the playbook fraudsters use to infiltrate and exploit a platform for their own gain. Understanding how fraudsters move throughout their entire journey can give you the insights you need to block fraud out closer to the source—before it has a more significant impact on your app.
Key Takeaways
- Career fraudsters calculate their ROI, keep up to date with anti-fraud tools, and collaborate with other fraudsters to share resources, tools, and information
- Fraudsters start with creating a pool of fake accounts, then move on to schemes like promo abuse, social engineering, or collusion
- Keeping up to date with the latest anti-fraud tools, including advanced device fingerprinting to stop multi-accounting, can help you stay a step ahead of bad actors
Understanding the career fraudster mindset
Bad actors do what they do for a reason. If we can understand their reasoning, we can gain unique insights into how fraudsters operate, why, and how we can use their motivations against them.
With this in mind, there are a few safe assumptions we can make about the practices of “career fraudsters” (people who defraud platforms systematically).
Fraudsters calculate their return-on-investment
Personal gain—usually personal financial gain—is the “why” behind every dedicated fraudster.
Fraudsters are constantly calculating their ROI and looking for ways to optimize it. That might mean investing in automation tools, subscribing to Fraud-as-a-Service products built by other fraudsters, or scaling up their operations.
The most important thing to realize about fraudster ROI is this: Fraudsters’ concern over ROI can be used to drive them away from your platform.
If defrauding your platform is doable, but costs the fraudster too much money, time, or work, they’re much more likely to take their game elsewhere.
That means that one of our goals as fraud fighters is to make fraud as expensive as possible for fraudsters.
Fraudsters keep track of tools used by fraud fighters
In the same way that we’re always gathering intelligence about the latest FaaS tools and fraudster tactics, so too are fraudsters paying attention to what we’re doing on the anti-fraud side.
Many fraudsters have advanced knowledge of which tools and signals anti-fraud software uses to identify them, and they change their tactics accordingly. This is why constant solutions testing and evaluation is so critical to staying a step ahead of the opposition—along with continuous innovation.
Fraudsters collaborate with each other
It may come as a surprise, but the fraudster side is actually more collaborative than the anti-fraud side. Fraudsters share tools, methods, workflows, tips, and other valuable resources in Telegram channels, on hacker forums, on the darknet, and elsewhere.
This means that a small exploit doesn’t usually stay small for long—it’s only a matter of time before the information spreads, and losses can accelerate exponentially.
The fraudster’s journey through your platform
With the above assumptions in mind, we can look at an example path a fraudster might take to start defrauding a platform, whether that be a marketplace, a gig economy app, or another type of platform.
Phase 1: Multi-accounting with emulators and app cloners
Multi-accounting is the gas that drives the mobile fraud engine. Without having multiple accounts, fraudsters can’t evade bans, and they can’t scale up their operation to a profitable level. Many platforms have some form of device ID in place to try and prevent ban evasion or other types of account creation fraud.
Unfortunately, legacy device ID solutions haven’t been a challenge for fraudsters in years.
Nowadays fraudsters know that it’s usually possible to evade a device ID with something as simple as reinstalling the app or factory resetting the device.
While this method of getting around device ID is easy and possible, it’s also time-consuming. Career fraudsters often use a combination of app cloners and emulators to help them grow and manage their bank of fake accounts as quickly as possible.
In the clip below, Incognia’s Global Head of Industry for Ride-Hailing and Food Delivery, Eduardo Pires, explains how using these tools in combination can be a massive productivity booster for fraudsters:
Phase 2: Promo abuse, collusion, and other types of fraud
With a healthy bank of fake accounts to choose from, the fraudster’s next step is to start using those accounts to commit the fraud and policy abuses that actually make them money.
Promo abuse, refund abuse, and collusion are some of the policy violations we see most commonly, but they’re far from the only ones.
Here’s a brief review of how each type of abuse might monetize:
- Promo abuse—a fraudster uses multiple accounts to fraudulently claim single use promo codes or offers multiple times. They make money by buying discounted products and reselling them, or by reselling the service itself for less than its standard price.
- Refund abuse—a fraudster pays for and receives a product or service, but then falsely claims problems with their order with the goal of getting a refund. The fraudster switches between accounts frequently to avoid getting caught for making systematic refund requests.
- Collusion—In food delivery and ride-hailing, we’ve seen fraudsters use both a driver-side account and a customer-side account to order services from themselves, which they then pay for with stolen credit cards. In effect, they use both sides of the platform to “cash out” stolen funds.
These are far from the only ways that fraudsters make money defrauding a platform, but these examples hopefully give you an idea of how fraudsters might create a money-making scheme at your platform’s expense.
Phase 3: Ban evasion
Sometimes, fraudsters get caught. If you catch someone breaking your platform’s policies and causing losses, your next step might be to ban that user to protect the integrity of your platform.
That’s a good step, but it only works if the ban actually sticks.
If your red-handed fraudster has a bank of backup accounts waiting for them, your single account ban is only a speeding ticket. They can log in on a different account and get right back to defrauding you, wasting your fraud team’s time and money.
The account creation to fraud to ban evasion cycle will last indefinitely unless you find a way to detect and block repeat fraudsters persistently.
How to future-proof against fraud
The most powerful tool someone who commits mobile fraud has is their ability to hide their identity. If a platform can’t tell that Fraudster A is actually the same person as User B, that fraudster can keep their schemes going indefinitely.
Fraudsters are also constantly innovating new ways to get around fraud detection systems—as we mentioned above, they keep up-to-date with tools fraud fighters are using.
One of the best ways to future-proof your fraud strategy right now is to rely on a multi-layered solution.
If one signal is vulnerable, the other signals in the stack can fill in those gaps and still persistently stop the fraud attempt.
In Incognia’s case, we use a combination of device intelligence, tamper detection, and precise location to help us create a risk assessment for onboardings and logins. Each signal plays a role in interrupting a part of the fraudster playbook.
For example:
- Device intelligence — allows us to identify the same devices when they come back to a platform, helping stop multi-accounting and ban evasion
- Tamper detection — allows us to detect emulators, app tampering tools, app cloners, and other tools highly associated with fraud
- Precise location — acts as a supporting signal that allows us to persistently ID a user, even if they switch devices or obfuscate their device ID
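The layered idea above can be sketched as a small rule that combines the three signals for an onboarding or login event. This is an added example, not Incognia's code or API: the event fields, the threshold, the decision rule and the sample data are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: prior sessions (account, device_id, location_cell) and bans.
HISTORY = [
    ("acct_1", "dev_A", "cell_17"),
    ("acct_2", "dev_A", "cell_17"),
    ("acct_3", "dev_B", "cell_42"),
]
BANNED = {"acct_1"}
MAX_ACCOUNTS_PER_DEVICE = 2  # hypothetical policy threshold


def build_index(history, banned):
    """Index accounts per device, plus devices and cells tied to banned accounts."""
    accounts_by_device = defaultdict(set)
    banned_devices, banned_cells = set(), set()
    for account, device, cell in history:
        accounts_by_device[device].add(account)
        if account in banned:
            banned_devices.add(device)
            banned_cells.add(cell)
    return accounts_by_device, banned_devices, banned_cells


def assess(event, history=HISTORY, banned=BANNED):
    """Return (decision, reasons) for an onboarding or login event."""
    accounts_by_device, banned_devices, banned_cells = build_index(history, banned)
    reasons = []
    if event["device_id"] in banned_devices:
        reasons.append("device_seen_on_banned_account")
    others = accounts_by_device[event["device_id"]] - {event["account"]}
    if len(others) >= MAX_ACCOUNTS_PER_DEVICE:
        reasons.append("multi_accounting")
    if event["tampered"]:  # emulator, app cloner or tampering tool detected
        reasons.append("tamper_detected")
    if event["cell"] in banned_cells:
        reasons.append("location_matches_banned_account")
    # A strong device link blocks alone; weaker signals must corroborate each other.
    if "device_seen_on_banned_account" in reasons or len(reasons) >= 2:
        return "block", reasons
    return ("review" if reasons else "allow"), reasons
```

A fresh device ID with a tamper flag and a location shared with a banned account is blocked even though a device-ID-only check would pass it, while a location match on its own only goes to review.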
There’s no such thing as a set-it-and-forget-it solution in fraud prevention. The unofficial fourth phase of the fraudster’s playbook is innovating, evolving, and adapting.
That’s why, as fraud fighters, it’s crucial for us to stay on the cutting edge. We aren’t just solving for today’s fraud problems—we’re solving for tomorrow’s, too.