Establishing and Executing on a Fraud Intelligence Cycle


Digital fraud may be making a comeback, but intelligence services like ZeroFox are giving enterprise security teams the insights they need to fight back and prevent scammers from successfully targeting their employees and customers. Fraud intelligence is threat intelligence specifically geared towards detecting fraudsters and preventing fraud. But as many security practitioners know, cyber threats nearly always include some element of fraud, leading to significant overlap between “threat intelligence” and “fraud intelligence.”

In this blog post, we explore the importance of fraud intelligence and reveal how ZeroFox executes on the fraud intelligence cycle to identify and defend against digital fraudsters.

What is Fraud Intelligence?

Fraud intelligence is a strategically driven process of collecting and analyzing threat data from a variety of sources to:

    As with other types of threat intelligence, fraud intelligence must be evidence-based, actionable, relevant to each organization’s unique circumstances and characteristics, and helpful in improving its security posture and outcomes.

    What is Fraud?

    The United States criminal code defines fraud as an intentional act of deception for the purpose of financial or personal gain, or to knowingly deprive someone else of a legal right. Under this definition, any form of cyber crime or online scam that employs deceptive tactics in an attempt to steal data or wrongfully appropriate financial resources would qualify as fraud, including (but not limited to):

    An effective fraud intelligence program works by monitoring the public attack surface for indicators of these and other forms of digital fraud, processing the collected data into finished intelligence, and delivering actionable reports that can be leveraged to effectively counteract digital fraudsters.

    What are the Benefits of Fraud Intelligence?

    Preventing Data Theft

    Threat actors targeting enterprise organizations often attempt to steal data, especially personally identifying information (PII) and financial data that may be used to commit credit card fraud or identity theft. Techniques like email spoofing and executive impersonations may be used to manipulate employees into disclosing their access credentials for a secure enterprise database.

    Fraud intelligence helps security teams identify, detect, and dismantle fraudulent infrastructure, including spoofed domains, spoofed email addresses, and fake social profiles, before they can be used to commit data theft.

    Avoiding Financial Losses

    Digital fraudsters are increasingly succeeding at business email compromise and CEO impersonation attacks that manipulate employees of the targeted business into completing one or more fraudulent financial transactions, sometimes valued in the millions of dollars.

    Fraud intelligence helps security teams anticipate these attacks and avoid the pain of financial losses resulting from digital fraud.

    Mitigating Reputation Risk

    Enterprise organizations can see their public reputations harmed when they fall victim to a digital fraud attack that results in data theft or financial losses. By helping to prevent these attacks, fraud intelligence lets enterprises maintain consumer trust and uphold their positive reputations for effectively safeguarding customer data.

    What is the Fraud Intelligence Cycle?

    The fraud intelligence cycle is an adaptation of the traditional intelligence cycle (sometimes known as the “intelligence process”) used by military intelligence agencies and law enforcement professionals to gather information and process it into relevant, actionable intelligence.

    But while the traditional intelligence cycle is focused on developing intelligence about wanted criminals or military adversaries, the fraud intelligence cycle focuses on developing intelligence about digital fraudsters specifically.

    The ZeroFox fraud intelligence cycle involves five distinct steps:

      Each step in the cycle feeds into the next, with the final output being actionable fraud intelligence that informs strategic decision-making and helps SecOps teams fight back against digital fraud.

      Executing on the Fraud Intelligence Cycle

      Before we get into the details, it’s worth mentioning that our model of the fraud intelligence cycle doesn’t quite reflect the full complexity of real-world operations.

      For example, the concept of a fraud intelligence cycle suggests that we must execute all five phases in sequence before repeating the first phase again. In reality, we’re executing on every stage of the fraud intelligence cycle simultaneously to ensure a continuous flow of actionable insights for the organizations that depend on us. Still, our model illustrates how we gather threat data and transform it into relevant and actionable intelligence.

      Planning and Direction

      In the first phase, our most important tasks are to:

        If we were managing the fraud intelligence cycle for a financial services company (“Company A”), we might start with an intelligence objective like “Help Company A prevent digital fraudsters from successfully targeting its employees and customers with scams”. This objective would generally align with the unique needs and circumstances of Finserv companies operating today.

        From there, we can define a set of intelligence requirements to help us achieve our objective. 

        Let’s start with three:

        • IR1: What are the identities of any digital fraudsters targeting Company A’s industry or other companies that are similar to Company A?
        • IR2: What TTPs are being used by digital fraudsters to target Company A’s employees and customers?
        • IR3: What indicators can we detect that a digital fraudster is attempting to scam Company A’s employees or customers?

        AI-Driven Data Collection and Analysis

        In this stage, the AI-powered platform is used to collect and analyze text, images, and video at scale from throughout the public attack surface, including the surface, deep and dark web, social media, eCommerce marketplaces, third-party app stores, email inboxes, business collaboration tools, and more.

        AI-powered analysis allows us to generate fraud intelligence at scale that can help address our customers' most important intelligence requirements:

        • IR1: ZeroFox AI discovers a conversation in a deep web hacker forum where a Korean-speaking threat group discusses a planned fraud attack against Company A and other same-sized Finserv companies.
        • IR2: ZeroFox AI scans a dark web marketplace and discovers for sale a phishing kit that would help digital fraudsters carry out scams against Company A.
        • IR3: ZeroFox AI detects a newly registered domain that appears to be impersonating Company A, including unauthorized use of its brand assets.

        Human Analysis, Production, and Reporting

        Once we’ve collected and analyzed threat data using AI, it’s time for our team of human threat intelligence experts to go to work.

        ZeroFox’s global team of world-class researchers, analysts, and threat experts works around the clock to evaluate and verify fraud data collected by AI, triage and prioritize the most important findings, alert our customers to potential attacks in progress, and produce finished intelligence reports with actionable recommendations for preventing fraud. 

        ZeroFox Dark Ops, a dedicated team of operatives embedded in digital adversary communities, can gather supplementary intelligence and corroborate and verify AI findings.

        A finished intelligence report that addresses our intelligence requirements might read:

        • IR1: A threat group is engaged in orchestrated attempts to defraud the employees and customers of Company A.

        Recommendation: Scan networks for known Indicators of Compromise (IoCs).

        • IR2: This group may be using a domain spoofing kit to impersonate Company A’s website and target its employees or customers with spam.

        Recommendation: Educate employees about domain spoofing risks. Update website UI to render domain spoofing kit obsolete. Introduce multi-factor authentication.

        • IR3: A fraudulent domain has been detected in the deep web that is impersonating Company A’s website and making unauthorized use of its brand assets.

        Recommendation: Request a takedown of the fraudulent domain.

        Fraud Intelligence Distribution

        The fourth phase is the distribution phase. Here, we need to get actionable and relevant fraud intelligence into the hands of people who need it.

        Here’s how we do it:

        • Continuous Analysis - ZeroFox customers receive a continuous feed of curated fraud intelligence, enriched with priority alerts and recommendations from our expert analysts.
        • Strategic Finished Intelligence - ZeroFox regularly publishes strategic intelligence reports that cover a variety of digital adversaries and threats across industries. Readers can sort reports to zero in on the most contextually relevant strategic reports.
        • Weekly Threat Intelligence Reports - ZeroFox publishes weekly threat intelligence reports that summarize our most recent findings and provide actionable recommendations to help security teams bolster their security posture.
        • Quarterly Threat Landscape Reports - ZeroFox publishes a quarterly threat landscape report that details emerging digital threats and delivers actionable recommendations for dealing with them.

        Evaluation and Feedback

        Continuous improvement is embedded through the process of collecting feedback and evaluating our results. 

        As we continue to analyze threat data and make predictions that help our customers prevent fraud, our AI becomes increasingly sophisticated at detecting and identifying digital criminals and their fraudulent infrastructure across the public attack surface.

        And as the threat landscape continues to shift, ZeroFox can adjust its intelligence requirements and continue leveraging artificial intelligence and machine learning to generate relevant and actionable intelligence for our community.

        Fight Back and Get Results with ZeroFox Fraud Intelligence

        ZeroFox provides protection, threat intelligence, and disruption to dismantle external threats to brands, people, assets, and data across the public attack surface in one comprehensive platform.

        ZeroFox leverages artificial intelligence and machine learning technologies to execute on the fraud intelligence cycle at scale, empowering our customers with actionable recommendations to prevent and mitigate digital fraud.

        Ready to learn more?

        Download our free threat report InfoSec Guide: Addressing the Rise in Phishing and Financial Fraud to learn why threat activity in Finserv is growing 48% YoY and how fraud intelligence can help security teams protect their organizations from fraudsters.
