This fourth episode covers one of the most diverse scams: those offering an online investment opportunity. Criminals use a wide variety of methods suiting their logistical capabilities and skills. Some investment scams start as romance scams before turning to “investment”. The unflatteringly named “Pig Butchering” scams are an example of this. Others use some kind of “impersonation” of an official-sounding organisation. Many investment scams start as an advertisement or "clickbait article" on social media, with claims that seem too good to be true, such as "Let me tell you how I earn 20,000 dollars per month." Some professionals believe social media scams and investment scams are synonymous.

This blog is part of a series that aims to provide tools to check your fraud detection capabilities for readiness against the most prolific fraud and scam types. From malware campaigns to scams, we'll analyze tactics, techniques, and procedures (TTPs), kill-chain mappings, and detection gaps.

Investment scams are highly diverse and often begin with one of these methods:

Scammers then guide the victim toward their true goal: a fake investment opportunity. This process can sometimes take weeks or even months. These "opportunities" typically involve:

Our research indicates that 12 percent of scams can be classified as investment fraud. However, a significant number of social media and romance scams may also have an investment scam component. With the right tools, anti-fraud teams should be able to pick up the tell-tale signs of these attacks.

The Fraud Kill-chain is a useful tool to identify detection opportunities and gaps. It allows anti-fraud teams to map capabilities to attacks and helps control various frauds and scams.
Many investment scams have few technical TTPs during the crucial phases of credential compromise, account access, and defense evasion. These phases typically offer the best opportunities for detection in online channels. Since these scams lack distinctive technical markers, behavioral models can be a highly effective alternative.
When criminals take control of an account, their behavior differs from the legitimate user’s. Behavioral biometrics can translate these behavioral TTPs (tactics, techniques, and procedures) into risk signals. It’s crucial to use multiple models to assess these signals:

By correlating Device Risk and Behavioral Risk, you can link “on-call” and “active RAT” signals with “behavioral risk”. Your capabilities should include visibility on both web and mobile channels, as scams often move from one to the other during the attempt.

As scammers rake in billions, anti-fraud teams should perform the following checks:

ThreatFabric helps banks and financial institutions worldwide perform these analyses. If you’re interested in a detection readiness workshop, we're here to assist.

The Problem
About the Fraud Kill Chain
Investment Scams vs Fraud Kill-Chain
Detection Gaps & Opportunities
Gap 1: Behavioral Biometrics
Gap 2: Multi-Channel and Correlation
Conclusion & Takeaways
Detection Readiness Workshop
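
The correlation of device risk ("on-call", "active RAT") with behavioral risk across web and mobile described above can be sketched as a small rule over session events. This is an added example, not ThreatFabric's code: the event fields, the 0-1 score scale, the 900-second window and the 0.7 threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events; field names, the 0-1 score scale and all values are
# assumptions for illustration, not a real product schema.
EVENTS = [
    {"customer": "c1", "channel": "mobile", "ts": 1000, "on_call": True,  "active_rat": False, "behavioral_risk": 0.2},
    {"customer": "c1", "channel": "web",    "ts": 1300, "on_call": False, "active_rat": True,  "behavioral_risk": 0.9},
    {"customer": "c2", "channel": "web",    "ts": 1000, "on_call": False, "active_rat": False, "behavioral_risk": 0.8},
    {"customer": "c3", "channel": "mobile", "ts": 1000, "on_call": True,  "active_rat": False, "behavioral_risk": 0.1},
    {"customer": "c3", "channel": "web",    "ts": 9000, "on_call": False, "active_rat": False, "behavioral_risk": 0.9},
]

DEVICE_SIGNALS = ("on_call", "active_rat")


def correlate(events, window=900, risk_threshold=0.7):
    """Return one alert per high-behavioral-risk event that coincides with a
    device-risk signal for the same customer, on any channel, within `window` seconds."""
    by_customer = defaultdict(list)
    for ev in events:
        by_customer[ev["customer"]].append(ev)

    alerts = []
    for customer, evs in by_customer.items():
        evs.sort(key=lambda e: e["ts"])
        for ev in evs:
            if ev["behavioral_risk"] < risk_threshold:
                continue
            # Collect device signals seen near this event, remembering the channel.
            hits = {
                (sig, other["channel"])
                for other in evs
                if abs(other["ts"] - ev["ts"]) <= window
                for sig in DEVICE_SIGNALS
                if other[sig]
            }
            if not hits:
                continue  # behavioral risk alone: left to the behavioral model's own policy
            alerts.append({
                "customer": customer,
                "ts": ev["ts"],
                "signals": sorted({sig for sig, _ in hits}),
                "cross_channel": any(ch != ev["channel"] for _, ch in hits),
            })
    return alerts
```

Only customer c1 alerts: the risky web session coincides with an active RAT on web and a phone call seen on mobile five minutes earlier, which a single-channel view would miss.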