Fraud as a Service - What it is, how it works, and how to spot it

Fraud as a Service (FaaS)

What it is

Fraud as a Service is the crimeware gig economy. Instead of building scams from scratch, criminals rent or buy ready-made tools - phishing kits, malware droppers, spoofed sites, call-center scripts, money-mule networks - often with dashboards, tutorials, and “customer support.” The result: faster, cheaper, and more professional scams at scale.

How it works 

  • Plug-and-play kits - hosted pages, email templates, and automation to harvest credentials or payments

  • Subscription or revenue share - pay monthly or split profits with the kit author

  • Bundled services - bulletproof hosting, SMS/email blasting, laundering paths, fake KYC docs

  • Support channels - forums and chat rooms that fix errors and share updates

What you might see

  • Waves of look-alike phishing sites spinning up daily

  • The same email template with different brands swapped in

  • “Callback” scams with scripted agents and ticket numbers

  • Reused payment wallets, phone numbers, or inboxes across campaigns
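
The reuse in the list above is what lets defenders tie separate reports back to one kit. The sketch below is an added example, not code from this page: it groups constructed sample reports that share a phone number, inbox, wallet, or brand-swapped template. The report data, the simplified regex patterns, and the function names are assumptions for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample reports (not real data): (id, impersonated brand, message body).
REPORTS = [
    ("r1", "Acme Bank", "Your Acme Bank account is locked. Call +1 (555) 010-0199 or email help@secure-desk.example."),
    ("r2", "ParcelCo", "Your ParcelCo account is locked. Call +1 555 010 0199 or email help@secure-desk.example."),
    ("r3", "StreamFlix", "StreamFlix renewal failed. Send payment to bc1qconstructedsamplewalletaddrxyz today."),
    ("r4", "Acme Bank", "Invoice overdue, pay to bc1qconstructedsamplewalletaddrxyz or reply to billing@other.example."),
    ("r5", "ShopMart", "ShopMart survey: win a gift card, visit our site."),
]

# Simplified patterns (assumptions); tune them to the indicators you actually collect.
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)")
WALLET = re.compile(r"\bbc1[a-z0-9]{20,}\b")

def indicators(brand, body):
    """Return normalised indicators for one report, including a template fingerprint."""
    found = {"email:" + m.lower() for m in EMAIL.findall(body)}
    found |= {"phone:" + re.sub(r"\D", "", m) for m in PHONE.findall(body)}
    found |= {"wallet:" + m for m in WALLET.findall(body)}
    # Mask the brand and every indicator so brand-swapped copies hash the same.
    skeleton = body.replace(brand, "<brand>")
    for rx in (EMAIL, WALLET, PHONE):
        skeleton = rx.sub("<ioc>", skeleton)
    skeleton = " ".join(skeleton.lower().split())
    found.add("tmpl:" + hashlib.sha256(skeleton.encode()).hexdigest()[:12])
    return found

def cluster(reports):
    """Group report ids that share any indicator (union-find)."""
    parent = {rid: rid for rid, _, _ in reports}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    first_seen = {}
    for rid, brand, body in reports:
        for ind in indicators(brand, body):
            # Link this report to the first report that carried the same indicator.
            parent[find(rid)] = find(first_seen.setdefault(ind, rid))
    groups = defaultdict(list)
    for rid in parent:
        groups[find(rid)].append(rid)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    print(cluster(REPORTS))
```

Reports r1 and r4 impersonate the same brand but land in different groups, because the brand name is masked rather than treated as an indicator.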

If you were targeted

  • Don’t pay or reply. Save evidence - screenshots, email headers, URLs.

  • If you entered credentials or paid, freeze cards, change passwords, and enable MFA from a clean device.

  • Report to the platform, your bank, and local cybercrime channels so takedowns move faster.

Reduce the risk

  • MFA everywhere - stolen passwords are worth less.

  • Use a password manager and unique passwords.

  • Verify money or account changes out of band - call a known number, not the one in the email.

  • For organizations: enforce DMARC/DKIM/SPF, monitor for look-alike domains, set up quick takedown and blocklists, and train staff to spot urgent payment fraud.
