There’s a reason names like Jamtara and Nuh in India, Sihanoukville in Cambodia, and various cities in Nigeria have become infamous. The sheer scale of damage these networks of cybercrime have systematically inflicted is staggering. Their almost military precision and industrialization of fraud have led to the alarming rise of "Fraud as a Service" (FaaS).

This model, similar to legitimate software-as-a-service (SaaS) platforms, allows cybercriminals to purchase and deploy fraudulent tools (or entire toolkits!) with ease.

As this underground economy grows, understanding FaaS is crucial for businesses looking to protect themselves from ever-increasing cyber threats.

What is Fraud as a Service?

Fraud as a Service (FaaS) is basically cybercrime turned into a business. It works like an underground marketplace where criminals sell tools and services to help others commit fraud—even people with little to no technical skills. These "services" include phishing kits, malware, stolen identities, and credit card details, often sold on the dark web or hidden online forums.

Think of it like a scam call center, but on a massive scale. Picture a room with 100 people, each given a list of personal details—names, phone numbers, bank info. Their job? Call thousands of people, pretending to be from a bank or government agency, and trick them into handing over money or sensitive data. And just like a real business, these fraud networks offer customer support, software updates, and even “refund policies” if their scam tools don’t work.

Here is a look inside a "scamming" call center: 

‍

‍

Why is 'Fraud as a Service' dangerous?

The commercialization of cybercrime has made fraud more accessible, scalable, and lucrative than ever before. What was once the domain of skilled hackers is now a fully operational underground industry, offering fraud tools and services to anyone willing to pay. This shift has led to a surge in cybercrime, affecting individuals, businesses, and entire industries.

Lower barrier to entry

Fraud as a Service (FaaS) thrives on intelligence sharing. Fraudsters exchange exploit guides, scam scripts, and security loopholes in dark web forums and encrypted chat groups.

Pre-packaged fraud kits—complete with malware, phishing templates, and automated attack tools—are readily available. With little more than a computer and an internet connection, even those with no technical expertise can execute sophisticated fraud schemes. As internet access expands into the most remote regions, the global pool of cybercriminals only grows larger.

Fraud at scale

The biggest threat of FaaS isn’t just accessibility—it’s scale. Cybercriminals no longer target a handful of victims; they deploy scams across thousands, even millions, at once. Automated tools allow fraudsters to overwhelm security systems, hitting multiple industries simultaneously.

Financial institutions bear the brunt of these attacks, but they are not the only targets. eCommerce platforms, ride-hailing services, and food delivery apps are also suffering, with promo abuse, account takeovers, and synthetic identity fraud bleeding companies dry.

Economies of scale at play

By making fraud cheap to execute and easy to scale, FaaS has turned cybercrime into a high-reward, low-risk business. Criminals operate with near impunity, raking in profits while businesses struggle to keep up.

The result is an arms race. Companies invest millions in security, while fraudsters continue to refine their tactics. As long as FaaS exists, cybercrime will remain a growing and evolving threat, eroding trust in digital systems and financial institutions worldwide.

FaaS: Methods of operations

FaaS has evolved into a complex industry with various business models. Let's explore some of the most common ones:

• Product-based: This is the most traditional model where FaaS providers develop and sell tools, malware, or exploit kits. These products are often categorized by their functionality, such as phishing kits, carding tools, or ransomware. These tools allow fraudsters to conduct mass phishing attacks, create websites that send bulk emails to victims or even scraping and harvesting personal information at scale.

Cybersecurity firm Resecurity reported the sale of hundreds of stolen digital identities of Singaporeans on the Dark Web with prices starting at $8.

‍

• Rental Services: Instead of outright selling, FaaS providers offer their tools on a rental basis. This model is often used for more sophisticated tools or access to botnets.
• Affiliate Marketing: In this model, FaaS providers recruit affiliates to promote their services. Affiliates earn a commission for each customer they bring in.
• Subscription-based: Similar to legitimate SaaS platforms, FaaS providers offer subscription packages with varying levels of access and support.
• Custom Development: High-end FaaS providers offer custom-built tools tailored to specific client needs, often targeting high-value targets.

Key players in the FaaS ecosystem

• FaaS Providers – The masterminds behind the operation. They create and sell scam tools like phishing kits, malware, fake banking websites, and even AI-powered deepfake technology.
• Carders – Use stolen credit card details to make fraudulent purchases or resell them in bulk to other criminals.
• Money Mules – Help move stolen money around by withdrawing cash, transferring funds, or using crypto to cover tracks.
• Botnet Operators – Rent out networks of infected devices for large-scale attacks, spam campaigns, or fake website traffic.
• Hacktivists – May use FaaS tools to push political or social agendas through hacking campaigns.
• Cyber Espionage Groups – Use FaaS services to steal sensitive information, often for governments or corporations.

The tools that power FaaS

• APK Malware Kits – Ready-made Android malware that lets fraudsters take control of victims' phones, steal banking details, or intercept OTPs

• Bulk SIM Cards & Devices – Used to create fake identities, register fraudulent accounts, and bypass security measures like OTP verification.
• Sophisticated Dashboards – Fraudsters don’t work blindly—they have dashboards that track stolen data, active scams, and real-time victim interactions, making it easy to manage large-scale fraud.
• AI Chatbots & Deepfake Tools – Automate scams with lifelike voices and videos, fooling victims into believing they are speaking to real officials.
• Dark Web Marketplaces – Where everything from stolen bank credentials to hacking tools is bought and sold, often with ratings and reviews like a legitimate business.

This division of labor and advanced tooling has made cybercrime more scalable than ever, allowing even small-time criminals to operate like professionals.

FaaS operates on a business model similar to that of SaaS companies:

• Subscription Models: Fraudsters can subscribe to different levels of service, from basic packages that offer simple tools to premium packages that include advanced capabilities and ongoing support.
• Customization: FaaS providers often offer customization options, allowing fraudsters to tailor their attacks to specific targets. This makes each attack unique, which, in turn, makes detection and prevention more difficult.
• Support and Updates: Just like legitimate SaaS providers, FaaS vendors offer ongoing support and regular updates to their tools, ensuring that their customers can continue to evade detection by security systems.

Bureau: Offering 'Fraud Prevention as a Service'

As fraudsters become more sophisticated, the need for advanced fraud prevention solutions has never been greater. Bureau steps up to this challenge by offering Fraud Prevention as a Service (FPaaS), designed to combat the ever-evolving threats posed by FaaS.

Bureau’s FPaaS leverages cutting-edge technology, including device intelligence, behavioral biometrics, and alternate data sources, to identify and neutralize fraudulent activities before they can cause harm.

Our solutions are designed to be adaptive, learning from each interaction to improve detection accuracy continuously. By analyzing a combination of hardware, software, and network data, Bureau can spot anomalies that signal potential fraud, ensuring that genuine users are protected while fraudulent activities are stopped in their tracks.

‍