Fraud as a service

Remember the days of dodgy salesmen trying to peddle merchandise in your local pub? Whether it was home electronics or perfume - the price was always a steal, but the wares most likely were as well.

Nowadays, shifty salesmen have moved from pubs to cyberspace. Largely inhabiting deep web messaging apps such as Discord or Telegram, they still purport to offer bargain prices for branded goods and services. Only now, it’s not what they’re selling that’s stolen – it’s the means they’re using to pay for it.

Theft of sensitive data is nothing new – it’s how and where these data are handled that is changing. Historically, compromised details of accounts or credit cards, for example, were bought and sold on the dark web. With crackdowns on such platforms increasing, however, scammers are turning to everyday messaging and social media apps to exploit stolen data – largely by duping consumers into using these data for their own needs. This is known as fraud as a service, and it’s increasing in popularity among the cyber-criminal community.

The most recent example of fraud as a service in action is in the online food delivery sector. Consumers are drawn in by a message or advert offering food from their local restaurant or takeaway for a fraction of the price. For a meagre £20 – paid directly to this third-party – customers can order around £100 worth of food. What they don’t realise, however, is that someone else is unknowingly paying for this food. In other words, scammers use a stolen credit card to pay for the food, get it delivered to your door, and pocket your payment in the process. This is discussed in greater detail in an article by Tech Crunch here.

What’s particularly surprising is the means that scammers are using to reach consumers. While deep web messaging apps like Telegram continue to be popular (largely because they are not indexed by search engines, thus providing scammers with a greater degree of anonymity), mainstream social media platforms such as Facebook and Instagram are also used. In these cases, fraudsters pose as the restaurant or delivery app, promoting discounted meals or local offers.

More sophisticated scammers may even go so far as to create a fake, branded web page of the restaurant, which can then double as a useful means of gathering more stolen data.

While greater awareness of this activity and education on safe internet purchasing can help, it’s undeniable that the cost-of-living crisis will make heavily discounted services like this even more attractive to cash-strapped consumers. Furthermore, as the methods scammers use to obtain sensitive data become ever more complex, businesses are also under pressure to demonstrate their ability to keep information secure and encrypted.

The exploitation of consumer spending habits is nothing new, but social media and online messaging are making it much easier for fraudsters to reach a wider audience. I’ve talked about the food delivery industry here, but other industries that deliver products and services online should also be aware of this problem, and start taking steps to protect consumers from fraud, whether it’s perpetrated directly or indirectly.

It’s an often used saying but it remains relevant: if something looks too good to be true, then it probably is.