Blog

15 Common Types of Business Fraud

by | Jul 21, 2023 | Blog, Trust and Safety

Fraud is a constant thorn in the side of many enterprises. It affects not only their operations and their revenue. Fraud schemes compromise their employees and their customers.

We have seen multiple versions of these fraudulent activities in our analyst-led threat intelligence investigations. To proactively defend your platforms, people, and property – education is the first step.

Here are some of the most common fraudulent activities perpetrated against businesses.

Financial Fraud

 

1. Credit Card Fraud:

Credit card fraud involves hackers fraudulently acquiring people’s credit or debit card details in an attempt to steal money or make purchases. To obtain these details, internet fraudsters often use credit cards or bank loan deals to lure victims. For example, a victim might receive a message from “their bank” telling them they are eligible for a special loan deal or a vast amount of money has been made available to them as a loan. 

These scams continue to trick people despite widespread awareness that such offers are too good to be true for a reason. Unfortunately, there are multiple victims of this fraud – the consumer who may become the victim of theft, and the business who loses the faith of the consumer.

 

2. Chargeback Fraud:

Chargeback fraud, often called friendly fraud, is when bad actors fraudulently attempt to secure a refund using the chargeback process. Instead of contacting the merchant directly for a refund, they will dispute the transaction with their bank and this will begin the chargeback process.

Bad actors may also falsely complain that a product they ordered was never delivered or that it was delivered broken. Or they may allege that they never authorized a transaction or that the merchant failed to cancel a recurring transaction. This type of fraud directly impacts enterprises that must pay for costly customer support, inventory management, as well as financial institutions that are trying to err on the side of the customer being right.

Operational Control Fraud

 

 

3. SIM Swap Scam:

SIM swap scams are a type of account takeover fraud. Known also as SIM splitting, smishing, simjacking, SIM swapping, or a port-out scam – this operational control fraud is used to target users with weak multi-factor authentication. Typically the second factor is a text message or a call placed to a mobile device.

What happens is a bad actor uses a phone service provider’s power and control over devices on their network to seamlessly port a phone number to a new device containing a different SIM card. 

The scam begins with a bad actor gathering personal details about an individual. Then, they use social engineering to manipulate the mobile carrier and convince them to port the victim’s phone number to the fraudster’s SIM. Once the port has been completed, the victim’s phone will lose connection to their network. Next, the bad actor will use their newly established control to take phone calls and receive text messages on behalf of the victim. 

This is especially detrimental when they are intercepting passcodes and resets. It is part of a financial crime that can be used to transfer victims’ funds from bank accounts and more.

 

4. Identity Theft and Account Takeover:

Identity threat is a common type of fraud people unknowingly fall victim to. This happens when someone’s personal information is stolen by scammers so they can open a new bank account or apply for a loan or credit card.

This impacts both consumers and businesses as both become victims, but businesses will typically prevail upon “the customer” to “repay” the debts created, regardless of the creator of the debt.

A subtype of account takeovers is account farming, which involves the creation, development, and maturing of financial accounts. These account abusers may be focused on running disinformation campaigns or conducting social engineering.

 

5. Tech Support Fake Virus Warning Scams:

Fake virus warning scams are a type of tech support fraud that occurs when a scammer emails or calls a consumer with a “warning notice”. This scam is operational control and consumer manipulation. 

These tech support scams can also start by a pop up that indicates the computer has been compromised. Once the notice has been deployed and the consumer has requested support from the scammer, the scammer remotely instructs the consumer to download an actual virus or other type of malware. 

Confirming then that there is an issue, the fraudster indicates that resolution can only be possible once they agree to pay a fee. This type of fraud causes extra work on the part of businesses to communicate with consumers the ways and contact methods that they will use to engage their consumer. You’ve surely seen notices from your bank telling you that they will never ask you for your PIN.

Employee-Targeted Fraud

 

 

6. Phishing and Spoofing:

When email and online messaging services are used to mislead people into sharing sensitive information, such as personal data, login credentials, and financial information. 

One approach is when a hacker compromises a legitimate business website or creates a fake website. After acquiring a list of email addresses, they send out a campaign that dupes people into clicking on a malicious link. When that person is taken to the fake website they are prompted to insert their login credentials. This valid data is then used by the hacker to access the user’s real online accounts.

 

7. Work from Home Fraud:

Work from home fraud is a growing concern for many seeking employment. This type of fraud can take many forms, but one of the most prevalent ways that it occurs is when scammers target employment seekers and ask them to deposit funds for a job kit.

This kit is supposed to be useful for the work they are seeking. However, after the money is deposited, there will be no track of the employer. In this type of work from home fraud, they often target customer service support or call center positions.

Another type of work from home fraud is when fraudsters take personal information stolen from other people to apply for jobs at IT, programming, database, and software firms. These positions may have access to sensitive customer data along with financial and proprietary company info which suggests they could be intending to steal sensitive information as well as collect fraudulent paychecks.

These applicants may use a variety of techniques, including voice spoofing during an interview or online video call, to appear more genuine which can make them more difficult to detect.

 

8. Business Email Compromise (BEC):

BEC attacks have become increasingly common in recent years.  This type of attack targets businesses that frequently make wire payments, and involves compromising legitimate email accounts through social engineering techniques in order to submit unauthorized payments.

Consumer-Targeted Fraud

 

 

9. Online Shopping Fraud:

There are a lot of great deals that can be found when you shop online. However, there are also dangers that can be found when shopping online. 

Scammers will set up an online storefront and display quality or highly sought-after merchandise, and will list these products far below the normal asking rate, or will list them with steep discounts. Once an unknowing shopper makes a purchase from these kinds of retailers, they will either receive a fake, low-quality product, or nothing at all.

 

10. Rewards Point Fraud:

Credit card and retail companies are constantly looking for ways to increase the number of customers that sign up for and use their cards. One way they go about this is by providing rewards points that can be redeemed on various items or services. However, bad actors have taken note of this and utilize these reward points to get customer information and steal money or goods.

These scammers will target customers who have rewards points on their card, and call them claiming to be from the credit card company, informing them that they have rewards that they need to redeem before the points expire. The scammers will urge customers to redeem the points, and will ask them to provide their card details along with OTP. The scammers then collect this information, and use it to make fraudulent transactions.

 

11. Social Media Fraud:

As the number of people using social media grows, the amount of fraud committed through social media grows too. Cyberbullying is one of the most common and destructive types of social media fraud, affecting teenagers in particular. Through cyberbullying, fraudsters use social media sites to bully people and extort money from them. 

Some other ways fraud occurs through social media sites are:

  • Bulk fake account creation: This occurs when scammers create tools to create fake accounts in bulk that are usually sold for resale on the dark web or closed forums.
  • Token Abuse: App token abuse targeting social media companies using OAuth access.
  • Scaled Compromise: This occurs when scammers use scripted automated tools or malware to target social media companies and their entire user base. 
  • Hacked Accounts: This occurs when scammers hack into a user account and use the information obtained to trick friends of the user into giving them money. Often the scammer will  also use a link to get the friend’s information to hack into their account. 

 

 

12. Credential Stuffing from Data Breach:

Credential stuffing is a type of cyber attack where stolen usernames and passwords are used to gain access to accounts on other websites. Credential stuffing can occur after a data breach, where hackers obtain a large number of usernames and passwords. The hackers can then use automation tools to try these credentials on other websites. This type of attack is possible because many people use the same usernames and passwords for multiple accounts. 

Credential stuffing can be a serious problem for online retailers and other businesses. Hackers may use information gathered from one data breach to try to gain access to accounts on another site. They may also attempt to guess passwords and other profile credentials utilizing context clues found on public social media pages such as birthdays or anniversaries. This can lead to serious security problems for the companies involved and may even result in financial losses.

To protect against credential stuffing, companies should implement strong security measures such as two-factor authentication and frequent password changes. They should also monitor their systems closely for any suspicious activity.

 

13. Travel Scams:

When planning your next vacation, beware of scammers who may be lurking on social media sites. Travel scams often occur when scammers post enticing photos that trick even the savviest of travelers. The scammers post enticing photos for free trips or plane tickets, which lure people into clicking on them.

Once clicked, victims are either prompted to complete a survey that asks for personal information, or their computer is infected with malicious software. Scammers have also been selling phony COVID-19 travel insurance policies that claim to cover losses for any reason, at no extra cost.

Protect yourself from these scammers by being aware of their tactics and never clicking on links or giving out personal information unless you are absolutely sure it is safe to do so.

 

14. Money Mules:

When criminals need to launder money or product, they often recruit money mules to help. Money and product mules add layers of distance between crime victims and criminals, which makes it harder for law enforcement to accurately trace the money trail. Criminals may target unsuspecting individuals through job postings or online ads promising easy money. They may also approach people who have a history of financial problems or those who are in a vulnerable situation.

Once recruited, money mules may be asked to open bank accounts, receive and transfer money, or ship product. They may also be asked to provide personal information that can be used to commit identity theft. Money mules typically get a cut of the proceeds from the crime. However, they may also face legal penalties, including jail time.

3 Types of Money or Product Mules: 

  • Unwitting or Unknowing: Individuals unaware they are part of a larger scheme. 
  • Witting: Individuals who ignore obvious red flags or willingly act blind to their money or product movement activity.
  • Complicit: Individuals are aware of their role and activity participation.

 

 

 

15. Tax Scams:

Tax season is a time when many taxpayers eagerly await their tax refunds. Unfortunately, it is also a time when scammers attempt to take advantage of unsuspecting people with tax fraud scams. One common scam is sending fake refund notifications via SMS or email, claiming to be from the income tax department. These messages often contain requests for personal information such as login details for the IT Department website or bank account information.

By providing this sensitive information, scammers can gain access to people’s accounts and steal their hard-earned money. Taxpayers should be on the lookout for these scams and never provide personal information to anyone unless they are absolutely sure that it is safe to do so. If you have any doubts, it is always best to contact the relevant authorities directly to verify the authenticity of the message before taking any further action.

Conclusion

The hyper-scale nature of modern-day fraud makes fraud prevention difficult. While there are numerous technical solutions, most focus on one or two types of fraud and won’t be enough in the long run. Fraudsters can change their tactics quickly depending upon what they think will work best for them. So to prevent becoming a target, we need to continuously evolve to make it difficult and time-consuming to be a target, so the fraudster moves on. 

To really tackle these issues head on we need insight from managed intelligence providers who can help organizations and individuals make themselves harder targets so that criminals move on to another target.

About Nisos®

Nisos is The Managed Intelligence Company®. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.