Financial institutions have been significantly impacted by multi-million-dollar fraud losses, and a new driving force has been Fraud-as-a-Service, a secretive industry in which cybercriminals offer tools, services, and support to fraudsters in exchange for payment
Financial institutions have been impacted by high-dollar fraud losses, as highlighted in a recent industry report that indicated that 11% of middle-market banks and credit unions had experienced fraud losses exceeding $5 million last year, with mid-market banks accounting for the highest share of losses between $5 million and $10 million.
To combat these threats, most financial institutions are now utilizing AI and machine learning in their fraud detection efforts, with almost three-quarters of organizations currently using AI for financial-crime detection (74%) and for fraud detection (73%). Further, 69% of organization leaders said they believe AI will lead to more revenue (through improved customer interactions, less time spent investigating false positives, etc.) than losses (through fraud, breaches, etc.).
These findings reflect the proactive measures financial institutions are taking to mitigate fraud risks. However, despite advancements in fraud prevention through AI, fraudsters are adapting quickly, using new tools and services that make fraudulent activities even more commonplace. One of the key drivers behind this surge in fraud is the rise of Fraud-as-a-Service (FaaS), an underground industry in which cybercriminals offer tools, services, and support to fraudsters in exchange for payment. FaaS is structured like a legitimate business, offering 24/7 customer support, fraud tutorials, and even service guarantees.
The rise of FaaS
This organized approach allows even the most inexperienced individuals to now commit fraud and execute their operations on a massive scale, which in turn contributes to the increase in fraud and cyber-attacks. Some of these services include phishing kits, credit card fraud services, account takeover services, business email compromise kits, money laundering, and mule account services.
FaaS providers leverage multiple platforms to promote and sell their services. This multi-channel approach assists with the continuous evasion of law enforcement while reaching potential clients.
Indeed, experts warn that we are now living in the golden age of fraud, in which technological advancements and the ease of access to fraud services have created a perfect storm to benefit the next generation of criminals. Financial institutions and businesses are struggling to keep up with the rapidly evolving tactics used by fraudsters such as FaaS, even with the investment in AI fraud prevention tools. Further, the accessibility and scalability of FaaS has dramatically contributed to the global rise in fraud, now evolving into a business in which even inexperienced young individuals can easily purchase tools to launch their own fraud operations.
Historically, fraud was most commonly perpetrated by individuals between the ages of 36 and 40, with similar rates among those aged 41 to 46; however, in recent years, specifically after the global pandemic, a shifting trend has emerged as teenagers and young adults are increasingly driving cybercrime and fraud, including an increasing number of high-profile data breaches, financial crimes, and distributed denial-of-service (DDoS) attacks. Indeed, in 2022, 47% of cybercrime cases involved a suspect aged 21 or younger, compared to just 33% in 2018, according to the 2023 Internet Crime Report.
Most financial institutions are now utilizing AI and machine learning in their fraud detection efforts, with almost three-quarters of organizations currently using AI for financial-crime detection and for fraud detection.
For example, the teen hacking group Scattered Spider (aka Oktapus) is accused of orchestrating the high-profile breaches of MGM Resorts and Caesars Entertainment in late-2023 through the assistance of FaaS. Also in January 2024, “King Bob,” a 19-year-old hacker from Florida (Noah Michael Urban), was indicted for wire fraud, aggravated identity theft, and his role in an $800,000 SIM-swapping cryptocurrency scam.
What makes young fraudsters particularly dangerous is their mindset and motivations. Younger fraudsters often see it as a game or a challenge to test their hacking skills, and may commit fraud just to receive bragging rights or even as a social activity — done with groups forming on forums and Discord servers — to attack corporate greed. In this way, fraudulent acts become a source of excitement, in which the risks and adrenaline make it more appealing than traditional crimes.
This reckless and impulsive approach from young fraudsters make them more unpredictable and more likely to take bold risks that seasoned fraudsters might avoid; this, coupled with younger fraudsters’ willingness to experiment, exploit new vulnerabilities, and engage in highly disruptive cyberattacks creates a larger, more volatile threat.
The urgent need for action
Recognizing this growing issue with young fraudster and FaaS, the U.S. Department of Homeland Security’s Cyber Safety Review Board recommended that Congress explore funding juvenile cybercrime prevention programs. This recommendation was made after an investigation into Lapsus$, another hacking group comprised of seven individuals between the ages of 16 and 21 that was notorious for attacks on Microsoft, Nvidia, and Rockstar Games in 2021 and 2022. However, as of press time, no action has been taken on this recommendation.
Meanwhile, FaaS continues to thrive, providing young fraudsters with the tools to scale their operations, evade detection, and pose an even greater threat to organizations and individuals. If this growing trend is ignored, we will see an escalation in cybercrime that goes beyond financial fraud to full-scale digital disruption. Now, more than ever, decisive action is needed to combat this alarming rise in youth-driven fraud and cybercrime.
In August 2024, the United Kingdom’s National Crime Agency (NCA) successfully dismantled a FaaS known as Russian Coms, which had facilitated financial losses amounting to tens of millions of pounds globally — specifically, about 170,000 individuals across the UK were believed to have been victims of fraud orchestrated through the Russian Coms platform.
What makes young fraudsters particularly dangerous is their mindset and motivations because they often see it as a game or a challenge to test their hacking skills, and may commit fraud just to receive bragging rights or even as a social activity.
Russian Coms provided criminals with tools and kits to impersonate financial institutions, telecommunications companies, and even law enforcement agencies. Through advanced spoofing kits, fraudsters were able to gain the trust of their victims and manipulate them into transferring money or handing over sensitive financial information. Between 2021 and 2024, more than 1.3 million fraudulent calls were made by Russian Coms users, targeting 500,000 unique phone numbers in the UK alone. Victims who reported their cases to UK authorities suffered average losses of £9,400 ($11,646.60 USD).
The takedown of Russian Coms led to a series fraudster being arrested — all between the ages of 17 and 28. UK Law enforcement officials have raised concerns about the growing number of young fraudsters lured into cybercrime under the illusion of easy money and anonymity. As Adrian Searle, director of the National Economic Crime Centre, warned, many FaaS platforms store detailed user data, making it possible for authorities to track and arrest those involved. Fraud now accounts for 40% of all crime against individuals in England and Wales, with more than 80% of those cases being linked to FaaS platforms.
The Russian Coms case highlights a disturbing reality, that the United States isn’t facing, which is that technology-enabled fraud is becoming more accessible, scalable, and appealing to younger individuals. The ease of access to FaaS tools, often promoted through social media, has enabled a new and more dangerous generation of cybercriminal to participate in sophisticated fraud schemes with minimal technical expertise.
Conclusion
The rise of FaaS is leading the world into an era in which fraud tools are more accessible, scalable, and lucrative than ever before — a Golden Age of Fraud defined not only by the volume of financial crimes but also by the alarming shift in demographics. Today, young, inexperienced criminals now have access to sophisticated fraud tools with minimal effort, and cases like Russian Coms demonstrate how fraud has evolved into a well-structured business model, exploiting technology and social media to attract new recruits.
Despite financial institutions investing heavily in AI-driven fraud prevention, fraudsters are adapting quicker and leveraging these FaaS platforms to beat fraud prevention measures. Without immediate and decisive action from policymakers, law enforcement, and fraud experts, this trend will continue to escalate, leading to greater financial losses and an increasingly unstable digital landscape.
You can learn more about how organizations can better detect and prevent fraud here
