The most frequent fraud types you'll encounter as a fraud analyst - identity theft, payment fraud, account takeover, and business fraud
Common Fraud Types: A Tour of the Landscape
1. The Story
Monday, 9:04 AM. James Chen stares at his case queue. It's his first week as a fraud analyst at a regional bank, and his supervisor just assigned him 47 cases to review.
The first case: a customer claims someone opened a credit card in her name. She's never heard of the account.
The second: a wire transfer to an overseas supplier that the business owner now says he never authorized.
The third: a retiree who wired $40,000 to someone she met online. She believed he was a US Army surgeon stuck overseas. He wasn't.
The fourth: twelve new accounts opened yesterday, all from the same device, all applying for credit cards.
The fifth: a merchant processed $200,000 in transactions last week after months of doing $3,000 a month. Chargebacks are starting to roll in.
James leans back in his chair. He's trained on fraud. He knows the basics. But every case looks completely different. A stolen identity. A hacked email. A romance con. A bot attack. A bust-out scheme.
How do all these fit together? Is there a pattern?
His supervisor walks by. "Overwhelmed?"
"They're all so different," James says.
She nods. "That's the job. Fraud is one word for a hundred different crimes. The faster you learn the landscape, the faster you'll know which questions to ask."
This story is fictional, but the patterns are real.
2. Why This Matters
In Fraud 101, you learned what fraud is: intentional deception for gain. You learned the difference between third-party and first-party fraud, and you saw how fraudsters range from opportunists to organized rings.
Now you need to understand what fraud looks like in practice. Not one type, but the full landscape.
Why does this matter?
Triage. When you're staring at a queue of cases, you need to recognize what you're looking at. A romance scam investigation requires different questions than a card-testing ring. Knowing the fraud type tells you where to look.
Patterns. Fraud types cluster. If you're seeing synthetic identity fraud at account opening, you might soon see bust-out fraud on those accounts. Understanding relationships between fraud types helps you anticipate what's coming.
3. The Fraud Landscape
Fraud types can be organized many ways. Here's one that works: group them by what the attacker is after and how they get it.
Payment Fraud
These attacks target the payment itself. Someone steals payment credentials and uses them.
Payment card fraud is the classic. Criminals obtain card numbers through data breaches, skimming devices (hardware that copies cards at ATMs or gas pumps), phishing, or dark web purchases. Then they use them.
Two flavors:
- Card-not-present (CNP): Online or phone transactions where the physical card isn't needed. Most e-commerce fraud is CNP.
- Card-present: Using counterfeit cards (cloned from stolen data) or stolen physical cards at retail locations.
You already learned about card testing in Fraud 101. That's often the first step: validate which stolen cards work, then use them for bigger purchases or sell them.
Check and ACH fraud is older but still common, especially in business contexts. Check washing alters legitimate checks (changing the payee or amount). Counterfeit checks use stolen account information. Check kiting exploits the float time between banks. ACH fraud involves unauthorized electronic debits from accounts.
Wire fraud targets high-value transfers. A single fraudulent wire can move millions. Criminals often use business email compromise (covered below) to redirect legitimate wires to accounts they control.
Identity Fraud
These attacks exploit identity itself. The attacker either steals an existing identity or creates a fake one.
Account takeover (ATO) means gaining control of someone else's existing account. Attackers use credential stuffing (testing leaked username/password combinations from data breaches), phishing (tricking users into entering credentials on fake sites), SIM swapping (convincing phone carriers to transfer a victim's number), or infostealer malware (software that captures credentials from infected devices).
Once inside, they change account details, make purchases, steal stored value, or use the account as a launching point for further attacks.
The Account Takeover module covers this in depth.
Synthetic identity fraud is different. Instead of stealing a real person's identity, criminals create a fake one. They combine real data (often Social Security numbers from children, elderly, or deceased individuals) with fabricated names and addresses.
These fake identities are "credit farmed" over months or years. Open a secured credit card. Make small payments on time. Build credit history. Eventually, the synthetic identity has enough credit to take out loans or open credit lines. Then the fraudster maxes everything out and disappears. This is called a bust-out.
Synthetic fraud is hard to detect because there's no real victim to report it. The SSN might belong to a child, a recently deceased person, or an elderly individual who rarely monitors their accounts. But the name, address, and other details are fabricated. Since credit bureaus don't verify that SSNs match real identities, the combination creates a new "person" in the system. The real SSN holder has no idea. The fabricated person doesn't exist to complain.
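Because no victim reports a synthetic identity, the bust-out usually has to be spotted from the account's own history. The sketch below is an added example, not part of the original module: it flags a long run of low-balance, on-time months followed by a sudden near-limit balance. The thresholds, field names, and sample histories are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Illustrative thresholds (assumptions, to be tuned on real portfolio data).
FARMING_MONTHS = 6        # length of the quiet "credit farming" run
LOW_UTILIZATION = 0.30    # average balance/limit during that run
SPIKE_UTILIZATION = 0.90  # balance/limit when the line is maxed out

@dataclass
class Statement:
    month: str            # "YYYY-MM"
    balance: float
    credit_limit: float
    paid_on_time: bool

def utilization(s):
    return s.balance / s.credit_limit if s.credit_limit > 0 else 0.0

def bust_out_month(history):
    """Return the first month showing the bust-out shape, else None."""
    for i in range(FARMING_MONTHS, len(history)):
        run, current = history[i - FARMING_MONTHS:i], history[i]
        avg_util = sum(utilization(s) for s in run) / len(run)
        farmed = all(s.paid_on_time for s in run) and avg_util <= LOW_UTILIZATION
        if farmed and utilization(current) >= SPIKE_UTILIZATION:
            return current.month
    return None

# Constructed sample histories (not real account data).
def _months(rows):
    return [Statement(f"2024-{m:02d}", bal, lim, ok)
            for m, (bal, lim, ok) in enumerate(rows, start=1)]

# Small on-time balances, a limit increase, then the line is maxed out.
SYNTHETIC = _months([(120, 1000, True)] * 4 + [(300, 5000, True)] * 4
                    + [(4900, 5000, False)])
# A customer who always carries a high balance: no quiet run, so no flag.
REVOLVER = _months([(2600, 5000, True)] * 8 + [(4800, 5000, True)])
# A customer whose usage never spikes.
STEADY = _months([(400, 5000, True)] * 9)

if __name__ == "__main__":
    for name, hist in [("synthetic", SYNTHETIC), ("revolver", REVOLVER),
                       ("steady", STEADY)]:
        print(name, bust_out_month(hist))
```

A hit is a reason to open a review, not a verdict: a legitimate customer who makes one large purchase after months of light use produces the same shape.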
New account fraud uses stolen or synthetic identities to open accounts. The account itself is the target: access credit products, launder money, exploit sign-up bonuses, or establish infrastructure for future attacks.
Social Engineering
These attacks target human psychology rather than systems. The attacker manipulates the victim into taking action.
Business email compromise (BEC) targets organizations. Attackers compromise or spoof executive email accounts, then request urgent wire transfers, invoice payments, or sensitive data. The attacker often researches the company first, learning names, relationships, and processes to make the request believable.
Variations include vendor impersonation (fake invoices from spoofed supplier accounts) and payroll diversion (redirecting employee direct deposits).
The Email Security module covers BEC investigation in detail.
Romance scams build fake relationships over weeks or months. The scammer might pose as an attractive professional, a military officer stationed overseas, a successful entrepreneur, or any persona designed to appeal to the target. Stolen photos are common. Once emotional connection is established, the requests start. Money for an emergency. Help with a business opportunity. Funds to finally meet in person.
Victims often send money multiple times before realizing the relationship was fabricated.
Pig butchering combines romance and investment fraud. The scammer builds a relationship, then introduces a "great investment opportunity." This might be a fake cryptocurrency exchange, a fraudulent forex trading platform, or another investment scheme. Victims are encouraged to invest more and more. The platform shows impressive fake returns. When the victim tries to withdraw, the money is gone.
The name comes from the Chinese term for the scam: fatten the pig before slaughter.
Impersonation scams have the attacker pose as someone with authority. Government agencies demanding immediate tax payment. Tech support calling about a virus on your computer. A grandchild in trouble needing bail money. The hook varies, but the pattern is consistent: create urgency, establish authority, extract money or access.
Advance fee fraud promises a large payout after a small upfront payment. Lottery winnings, inheritance from a distant relative, business opportunity. The victim pays "fees" and "taxes" that escalate until they stop paying or run out of money.
Authorized Push Payment Fraud
This category deserves its own section because it's growing fast and works differently.
In authorized push payment (APP) fraud, the victim sends money voluntarily. They initiate the transfer themselves. They're deceived about who they're sending to or why, but technically, they authorized the transaction.
This makes recovery difficult. The victim can't claim "I didn't authorize this" because they did. They clicked send.
APP fraud includes:
- Invoice redirection (attacker intercepts legitimate invoices and changes payment details)
- Purchase scams (fake sellers who take payment and never ship)
- Impersonation (someone posing as your bank telling you to move money to a "safe account")
The line between APP fraud and traditional scams is blurry. What matters is understanding that the victim's own authorization is what moves the money.
Policy Abuse
These attacks exploit business policies rather than stealing identities or payments. Often committed by actual customers.
Refund and return abuse games return policies. Wardrobing means buying clothes, wearing them with tags tucked in, then returning them. Empty box returns claim refunds for items never actually sent back. Item-not-received (INR) claims say a delivered package never arrived.
Some of this is first-party fraud (the customer is lying). Some is organized (rings that systematically exploit return systems). The line between "policy abuse" and "fraud" can be legally fuzzy, but the losses are real.
Promo and loyalty abuse exploits marketing programs. Creating multiple accounts to claim sign-up bonuses repeatedly. Fake referral schemes. Exploiting coupon stacking or earning rules. Stealing accumulated points through account takeover.
Platform and Marketplace Fraud
Two-sided marketplaces create unique fraud opportunities because attackers can play either side.
Seller-side fraud: Fake listings for products that don't exist. Counterfeit goods sold as authentic. Taking payment and never shipping.
Buyer-side fraud: False claims that items weren't received. Returning different or damaged items. Chargeback abuse after receiving goods.
Triangulation fraud: A three-party scheme that deserves its own category. A fraudster sets up a storefront (often on a marketplace) selling popular items at attractive prices. When you order, they take your payment, then purchase the item from a legitimate retailer using a stolen credit card, shipping directly to you. You receive a real product. The fraudster keeps your money. The stolen card's owner eventually disputes the charge. The legitimate retailer eats the loss. Everyone except the fraudster is a victim. (For a deep dive into how this works in practice, see Nina Kollars' DEFCON talk Confessions of a Nespresso Money Mule.)
Collusion: Both buyer and seller are in on it. Fake transactions to launder money through the platform. Fake reviews for payment. Commission fraud in gig economy platforms.
Institutional Fraud
These target government programs and large institutions.
Insurance fraud ranges from individual exaggeration (soft fraud: claiming your slightly damaged car was totaled) to organized rings staging accidents (hard fraud). Healthcare fraud involves providers billing for services not rendered or upcoding procedures.
Tax and benefits fraud exploits government programs. Fraudulent unemployment claims filed with stolen identities spiked during pandemic relief programs. Tax refund fraud uses stolen SSNs to file fake returns and collect refunds. Benefits fraud targets food assistance, housing programs, and other social services.
API Abuse and Business Logic Attacks
These attacks exploit how software systems work rather than stealing credentials or tricking humans.
Business logic attacks find flaws in how applications handle transactions. A pricing bug that lets you buy a $500 item for $5. A coupon system that allows unlimited stacking. A referral program that pays out before verifying the referral was real. These aren't security vulnerabilities in the traditional sense. The code works exactly as written. It's just written wrong.
API abuse targets the interfaces applications use to communicate. Attackers might manipulate API requests to bypass validation, access data they shouldn't see, or automate attacks at scale. Rate limiting bypass, parameter tampering, and authentication flaws all fall here.
The API Abuse module covers these attacks in depth.
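The coupon-stacking flaw mentioned above, shown as flawed checkout logic beside a hardened version. This is an added example, not code from the original module; the coupon codes, amounts, stacking rule, and 50% price floor are all constructed assumptions.

```python
from decimal import Decimal

# Constructed coupon table; codes, amounts and the floor are made up.
COUPONS = {
    "WELCOME10": {"percent": Decimal("10"), "stackable": False},
    "SPRING15": {"percent": Decimal("15"), "stackable": False},
    "SHIP5": {"flat": Decimal("5.00"), "stackable": True},
}
MIN_PAYABLE_FRACTION = Decimal("0.50")  # never discount below 50% of subtotal

def _discount(code, amount):
    rule = COUPONS[code]
    if "percent" in rule:
        return (amount * rule["percent"] / 100).quantize(Decimal("0.01"))
    return rule["flat"]

def total_naive(subtotal, codes):
    """Flawed logic: every submitted code is applied, repeats included."""
    total = subtotal
    for code in codes:
        if code in COUPONS:
            total -= _discount(code, total)
    return total

def total_hardened(subtotal, codes):
    """Each code once, one non-stackable code at most, plus a price floor."""
    total, exclusive_used, rejected = subtotal, False, []
    for code in dict.fromkeys(codes):          # drop repeats, keep order
        rule = COUPONS.get(code)
        if rule is None or (exclusive_used and not rule["stackable"]):
            rejected.append(code)
            continue
        exclusive_used = exclusive_used or not rule["stackable"]
        total -= _discount(code, total)
    return max(total, subtotal * MIN_PAYABLE_FRACTION), rejected

# Constructed request: one code repeated 40 times plus two others.
SUBTOTAL = Decimal("500.00")
SUBMITTED = ["WELCOME10"] * 40 + ["SPRING15", "SHIP5"]

if __name__ == "__main__":
    print("naive:   ", total_naive(SUBTOTAL, SUBMITTED))
    print("hardened:", total_hardened(SUBTOTAL, SUBMITTED))
```

The naive function never errors or crashes on this input, which is why the loss surfaces in order data rather than in application logs; the rejected list from the hardened version gives analysts something to alert on.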
Cryptocurrency Fraud
Crypto creates unique fraud opportunities because transactions are irreversible and often pseudonymous.
Crypto scams include fake investment platforms, rug pulls (developers abandoning projects after collecting funds), pump-and-dump schemes, and fraudulent ICOs or token launches. Pig butchering scams (covered above) often use fake crypto exchanges as their endgame.
Crypto theft involves stealing cryptocurrency through wallet compromises, phishing for seed phrases, SIM swaps to bypass exchange 2FA, or exploiting smart contract vulnerabilities.
Crypto laundering uses mixing services, chain-hopping (moving between different blockchains), and decentralized exchanges to obscure the trail of stolen funds.
Agentic and AI-Driven Fraud
The newest category. As AI systems become more capable, they're being weaponized for fraud.
AI-generated content includes deepfake videos and audio for impersonation, AI-written phishing emails that can be personally tailored to each target, and synthetic identities with AI-generated faces that pass photo verification.
Automated fraud at scale uses AI to run thousands of simultaneous social engineering conversations, adapt to victim responses in real-time, and coordinate attacks across multiple channels (email, phone, text) with perfect consistency.
Agentic fraud systems are autonomous AI agents that can plan and execute entire fraud campaigns with minimal human oversight. They might research targets, craft personalized approaches, adapt to defenses, and cash out proceeds. This is the emerging frontier.
The Agentic Fraud module explores these threats.
4. How These Connect
Fraud types don't exist in isolation. They feed each other.
A data breach produces stolen credentials. Those credentials enable account takeover. Taken-over accounts are used for payment fraud. Payment fraud generates dirty money. Dirty money flows through money mules. Mules are recruited through job scams.
Synthetic identities open bank accounts. Those accounts receive funds from BEC attacks. The funds are wired overseas before anyone notices.
Understanding these connections helps you investigate. When you see one fraud type, ask: what came before this? What might come next?
5. Key Takeaways
- Fraud is a landscape, not a single crime. Payment fraud, identity fraud, social engineering, policy abuse, and platform fraud each require different investigation approaches.
- Know your fraud type to know your questions. A romance scam victim needs different help than a card-testing target.
- Fraud types feed each other. Data breaches enable ATO. ATO enables payment fraud. Payment fraud funds criminal organizations.
- This is your map. Each major fraud type gets deeper coverage in specialized modules.
Next up: SQL Crash Course gives you the technical skills to query transaction data and find fraud patterns.
6. Key Terms
| Term | Definition |
|---|---|
| Card-not-present (CNP) | Transactions where the physical card isn't present (online, phone orders) |
| Skimming | Using hidden devices to copy card data from ATMs or payment terminals |
| Credential stuffing | Automated testing of leaked username/password pairs across websites |
| SIM swapping | Convincing a phone carrier to transfer a victim's number to attacker's SIM |
| Infostealer malware | Software that captures credentials and data from infected devices |
| Synthetic identity | Fake identity combining real data (often stolen SSNs) with fabricated information |
| Check washing | Altering legitimate checks to change payee or amount |
| Authorized push payment (APP) | Fraud where the victim voluntarily sends money after being deceived |
| Wardrobing | Buying items, using them briefly, and returning them |
| Pig butchering | Long-term scam combining romance fraud with fake investment schemes |
| Triangulation fraud | Seller fulfills orders using stolen payment cards, keeping the buyer's payment |
| Business logic attack | Exploiting flaws in how applications process transactions (not security bugs, but design flaws) |
| Rug pull | Crypto scam where developers abandon a project after collecting investor funds |
| Deepfake | AI-generated synthetic video or audio used for impersonation |
Generated with AI assistance. Reviewed by humans for accuracy.