How Organized Fraudsters Run Their Operations Like a Business (And How Fraud Fighters Can Use That Against Them)

What do you picture when you think about a fraudster? Maybe it’s someone wearing a hoodie, sitting alone in a basement in front of a computer. Maybe it’s a lone wolf forging checks or calling people on the phone, pretending to be their bank, and asking for their credentials. While these types of fraudsters certainly exist, fraud isn’t always such a lonely profession. Oftentimes, fraudsters work together, or even hire employees to help them expand their operations.

In a lot of ways, organized fraudsters treat their operation like a business. They think about return on investment, they hire help, they invest in technology and tools to expand their practice, and so on. Organized fraud is also where even simple policy abuses can scale enough to have a serious impact on a platform’s margins.

Fraudsters are powerful in numbers, but they’re also motivated by fast, easy money—the most bang for the least buck. As a fraud fighter, you can use this profit-driven business mentality against them.

Using promotion abuse as a case study

At its core, promo abuse happens when someone uses a platform’s promotional campaign in a way that goes against that platform’s terms & conditions and the intentions of the campaign. For example, if a platform runs a campaign that offers 40% to new users, and someone signs up and claims that discount, once, that’s great! That’s how the promotion was intended to be used. But if that same user made additional accounts to claim that discount again and again, that’s abuse.

Promo abuse works well as an example of the business-like operation of some fraud schemes because it’s the type of fraud action that only makes money when it’s done at scale—and that’s exactly how fraudsters do it.

Investment: what it takes to run a promo abuse scheme

What does it take to get this kind of thing off the ground? Not much. A fraudster’s initial investment is small: a device, maybe some app tampering or cloning tools, a couple dozen email addresses, and time on their hands. No expensive equipment or in-depth technical knowledge is necessary.

From an ROI standpoint, promo abuse is an attractive fraud lever to pull: it has a low investment floor and a high profit ceiling. But how do promo abusers make that profit? How do you turn 300 user accounts with a $10 ride credit waiting for them into cash that you can move and spend elsewhere?

Reselling: how do they turn promo abuse into profit?

Okay, so you have hundreds of accounts with new user promotions and other claimable promo campaigns ready to go. As an individual, though, there’s only so far free rides or discount food deliveries can take you. You need a way to turn these hundreds of discounts into actual profits. That’s where reselling comes into play.

Say that a ride-share platform runs a new user promotion for 50% off a user’s first ride. A promo abuser might make hundreds of accounts that are all eligible for that 50%, and then they’ll go to the Internet (Telegram channels, Reddit threads, Discord servers, and hacker forum posts are all popular destinations) and resell that same ride to someone else for only 30% off. It’s still a pretty good bargain for their customer, but the fraudster also gets to pocket that 20% difference.

This same reselling scheme exists on the food delivery side, where vendors call it a “B4U” or “buy for you” service, so called because the fraudster orders the food for you using one of their many accounts.

In a webinar with the Merchant Risk Council, Jaanus of food delivery platform Bolt pointed out that, for food and grocery delivery, product discounts are also a factor.

“The food [delivery] example where you get 30 percent off. That means that you're actually getting the products at a discount. If you order something which has a higher resale value, like alcohol, for example, you can easily resell it, so they have a very big motivation to do it over and over again.”

Scale: fraud farms and multi-accounting

Now that we understand how they make any money, how do they make a lot of money? Enough money to make the whole process worth it? After all, it takes time and effort to make hundreds of email accounts, and then hundreds of accounts based on those email addresses, switching between devices or operating anti-fingerprinting tools to access them.

The answer is in the scale of the operation. The more accounts a fraudster can create, the more promotions they can claim, the more resales they can make, the wider their profit margin gets. Here, we see that a business-like attitude emerges again with the principle of expansion. Once a fraudster has a decent customer base going for their promo abuse scheme, they might invest in additional devices to control even more accounts, and employees to control those devices.

This can turn into what we call a “fraud farm,” or a location where multiple fraudsters work on dozens or more devices to control hundreds or even thousands of accounts. These fraud farms aren’t always for just promo abuse—refund abuse schemes, “click farming,” collusion on iGaming platforms, and phishing operations are some other uses for fraud farming. If their profits expand enough, fraudsters might even branch out to commit other abuses in addition to stealing promotion credits.

Effective fraud fighting ruins a fraudster’s ROI

Organized fraudsters are running their operations like a business, but how does that knowledge help fraud fighters? It comes down to return on investment—ROI.

As a fraud prevention professional, there are a few things you can do to make life harder (and more expensive) for organized fraudsters. For example, more thorough user verification at onboarding can tip the scales by requiring more resources than each fake account is worth: aged email accounts and new phone numbers are harder to get than new email addresses alone, and that eats into a fraudster’s time and resources.

Unfortunately, more stringent verification can be a headache for good users, too, by increasing friction. Because the whole point of marketing tactics like promo campaigns is to invite people in, it isn’t always the best strategy to fight abuse by putting up more obstacles. 

This is why passive signals can be particularly powerful for throwing off a fraudster’s ROI and protecting a platform. For instance, device fingerprinting is a passive signal that can recognize when the same device comes back to create or login to another account—activities that can indicate fraud. Fraudsters know about device fingerprinting and will try to get around by factory resetting devices or using app tampering tools, but combining device signals with other passive signals, like location intelligence, can make device fingerprinting more tamper-resistant.

They wouldn’t profit this way, though, so the average fraudster is much more likely to go find a less secure app to exploit than to buy hundreds of phones.

As Kyle Griffin, Senior Account Executive at Incognia, put it in the MRC webinar:

“I think a lot of this comes down to the strength of your ability to re-identify a device and an account, because if you can confidently say, ‘Hey, I recognize who this person is, we've seen them before. They've already used this promotional coupon,’ or whatever it is, then you can take the appropriate action to stop this from happening.”

It can be easy to dismiss fraudsters because of the nature of the job they do, but it’s important to remember that many fraudsters do treat what they do as a job. When we remember that fraudsters are operating off some of the same business principles that drive our own leadership teams, we gain valuable insights into ways to de-incentivize fraud and abuse.