July 30, 2024 - DataVisor

Fraud Rings: How They Work and Why Uncovering Them is a Challenge

Modern fraudsters often don’t act alone. They know it’s easier to scale their fraud attacks, target victims faster, and increase fraud profits by working with accomplices as part of a fraud ring.

Fraud rings today have evolved into sophisticated, well-coordinated, and in some cases global networks. These syndicates pose significant challenges for detection and prevention. Understanding how these rings operate is crucial to combating their illicit activities.

The key to unveiling these packs of fraudsters lies in identifying patterns and leveraging advanced detection techniques that disrupt their operations. In this blog post, we’ll explore:

  • How fraud rings function
  • The most prevalent crimes fraud rings commit
  • Telltale signs that indicate the presence of fraud rings
  • The best modern strategies to detect and dismantle fraud rings in 2024

How fraud rings operate in 2024

Members of fraud rings coordinate attacks and use sophisticated strategies and tools to carry them out. They can be as small as a few friends working together to commit scams. But modern fraud rings have become a large threat due to the sizes they can reach, which in some cases cross borders and even oceans.

The increased scale of these criminal groups leads to fraud losses on a much larger scale as well. In one recent case, a notable fraud ring from Southeast Asia executed one of the largest attacks on U.S. e-commerce platforms, getting away with a haul of goods valued at an estimated $660 million.

Fraud rings exploit vulnerabilities in institutions’ customer interfaces and fraud prevention platforms to withdraw funds, steal identities, and much more. They work like legitimate businesses with highly organized processes and roles. That structure enables them to operate efficiently and leave little trace of their activities.

Some fraud rings specialize in one attack type, for which they've built a highly successful set of scams. Others, including many larger fraud rings, will engage in multiple types of fraud. They can take advantage of less secure payment methods like checks to commit check fraud. They might steal personally identifiable information (PII) to create synthetic identities, then commit application fraud, account takeovers, and more.

Most common fraud ring-related crimes

Fraud rings can specialize in various types of attacks or commit multiple attacks at the same time. The crimes they commit include many of the most common and damaging frauds.

Identity theft

Fraudsters steal personal information to impersonate individuals and commit many types of bank frauds. This can involve taking out loans, opening credit accounts, or filing false tax returns in the victim’s name.

Check fraud

Fraud rings use stolen checks they’ve altered to withdraw funds illicitly. They may target specific banks with lax deposit policies, using money mules often termed “check walkers” to deposit the fraudulent checks. Then they quickly withdraw the funds before the fraud is detected, or move the funds around through paper hanging or check kiting.

Romance scams

These are perhaps the most well-known fraud ring activity, thanks to the infamous 419/Nigerian Prince scams. In romance scams, fraud rings follow the same idea: they target lonely victims through Facebook or other social media, create a fake backstory about who they are, and slowly convince the victim to give up more and more money, which the victim believes will help the fraudster get out of dangerous situations to visit them.

Card skimming

Fraudsters use devices attached to points of service to capture card details from unsuspecting victims. These details are then used to make unauthorized purchases or sold on the dark web. Fraud rings will work together to attach and operate these devices.

Phishing scams

Fraud rings mass-send deceptive emails or messages to trick individuals into revealing login credentials or financial details. This information is then used to commit fraud or sold to other criminals.

Loan stacking

Fraudsters falsify information to obtain multiple loans that they have no intention of repaying.

Bust-out fraud

Fraud rings use either stolen credentials or qualifying fraud ring members’ own information to obtain legitimate loans or lines of credit. They operate as seemingly normal customers, making payments and avoiding suspicious activity. Then, all at once, the fraudsters will coordinate mass withdrawals of loans and credit accounts and then disappear without a trace in a “bust-out” attack.

Cryptocurrency scams

Many cryptocurrency scams are continuations of popular fraud ring activities like romance scams, phishing scams, and account takeovers. Fraud rings can be especially effective when operating investment scams, pump and dumps, and fake wallet scams. They use their numbers to artificially inflate coin values, feign consumer trust in fraudulent crypto exchanges and services, and take advantage of the loosely regulated crypto market.

Why fraud rings are hard to detect

The defining feature of fraud rings is their scale. This not only amplifies the potential financial losses but also poses a significant threat to the reputation of the targeted organizations. Their methods constantly evolve: they shift tactics to avoid detection and employ a mix of stolen and fake identities for their activities.

Targeting high-risk payment methods

In one case, a fraud ring targeting a regional bank exploited its lax check deposit policy, altering stolen checks and using “mules” to deposit them. The quick withdrawal of funds before the fraud was detected showcases the operational sophistication of these rings. By the time the bank realized it was a victim of fraud, the perpetrators had already dispersed the funds and covered their tracks.

Hiding in plain sight

Fraud rings also employ advanced techniques to avoid detection, such as using virtual private networks (VPNs) to mask their IP addresses and employing various methods to spoof device identities. They may rotate their IP addresses frequently, making it difficult for detection systems to identify patterns. Additionally, fraudsters often use legitimate-looking but fake identities, making it challenging for systems to distinguish between genuine and fraudulent activities.

Needles in a haystack

The sheer volume of transactions processed by financial institutions (FIs) and e-commerce platforms makes it difficult to detect fraudulent activities amidst the noise of legitimate transactions. Fraud rings take advantage of this by conducting their activities in ways that blend in with normal transaction patterns. They may also use multiple accounts and devices to distribute their activities, further complicating detection efforts.

Patterns that reveal fraud rings

Fraud rings often aim either to strike quickly and disappear or to lie dormant while infiltrating an FI before busting out to commit mass fraud. But they are still fraudsters, and every fraudster will act suspiciously at some point.

Detecting the presence of those fraud rings involves identifying consistent patterns across fraudulent activities. A few areas of the data reveal these patterns.

Identity information

Fraudsters in general find ways to hide themselves from fraud detection tools by appearing as good users. But operating on a larger scale often means they are creating many fake profiles and attacking through various points.

Detecting patterns of identity that connect specific accounts is a highly effective way to unveil fraud rings. This identifiable information can include:

  • Geographic concentrations, e.g. mail thefts originating from specific neighborhoods.
  • Transaction histories, e.g. little to no transaction history before suspicious activity.
  • IP and device ID, which help device intelligence tools identify malware, bots, and cloners on a device.
  • Email domain, which can show mass creation of fake accounts when using the same root domain.
  • Employer, another key indicator if a group of accounts have the same one.
  • Income, which is often set at a specific amount to avoid fraud detection rules but can signify fraud ring activity when multiple accounts share the same amount.
  • VPNs and data centers, which fraudsters use to hide behind new accounts when their initial fake accounts are found and shut down.

Behavioral anomalies

Suspicious activity, especially when similar patterns happen across accounts, is a key way to connect fraud ring activity. Quick deposits and withdrawals of checks and rapid movement of funds are often red flags, as legitimate transactions typically do not exhibit such behavior.

Likewise, exclusively using mobile deposits can be a warning sign. Fraudsters may exploit vulnerabilities in mobile banking systems to deposit fraudulent checks without arousing suspicion.

Funds frequently transferred to similar beneficiaries indicate unusual account linkages and can help identify networks of fraudulent accounts.

At account creation, organizations should check where the applicant is located and compare the time of the application with the usual times customers apply for financial services. A mismatch can reveal fraud ring activity, as fraudsters operating internationally may apply at unusual times.

Ways to detect fraud ring activity

Detecting fraud ring activity requires sophisticated detection capabilities, including:

  1. Data orchestration – Integrating diverse data sources to gain a 360-degree view of customer activity. This involves collecting data from transactions, account activities, and behavioral patterns, then analyzing it in real time to identify suspicious activities.
  2. Feature engineering – Transforming raw data into risk indicators for fraud detection. This process includes consolidating various data sources into a standardized format and developing new fraud signals that can enhance detection capabilities.
  3. Device intelligence – Using device fingerprinting, risk assessment, and behavior analytics to identify fraud patterns. Device intelligence platforms collect signals from devices to generate unique device IDs, detect sophisticated attack techniques, and analyze behavior signals to identify fraudulent activities.
  4. Linkage analysis – Visualizing connections between fraudulent activities using a knowledge graph. This tool allows fraud teams to analyze data, identify various types of activities, and link multiple transactions to specific device IDs or IPs, providing a comprehensive view of the entire fraud ring.

Real-world examples

One leading ecommerce company faced a critical challenge when a well-orchestrated fraud ring infiltrated its platform. Initially focusing on account takeovers, the ring used dark web data to access dormant user accounts before mass registering fake accounts to facilitate larger-scale financial fraud. Once the ecommerce company detected these patterns, it pieced together the fraud ring’s activities and took action against associated accounts.

In another case, an FI successfully exposed a sophisticated fraud ring by spotting similarities in a slate of credit card applications. A social media influencer was orchestrating webinars where participants were instructed on deceptive practices aimed at securing credit lines. Analysis revealed that 80% of the applications declared a monthly income of $6,833 and all used the @outlook.com domain for email addresses. By identifying those patterns, the institution was able to prevent further fraud and protect its customers.
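The linkage analysis described earlier, applied to the kind of shared-attribute pattern in this case, as an added example (not DataVisor's code). It uses a union-find structure in place of a knowledge graph; the records are constructed, and the field names and the rule of linking on income and email domain together are assumptions.

```python
from collections import defaultdict

# Constructed sample applications (not real data); field names are assumptions.
APPS = [
    {"id": "A1", "device": "dev-01", "ip": "203.0.113.10", "email": "a1@example.net", "income": 5200},
    {"id": "A2", "device": "dev-01", "ip": "203.0.113.24", "email": "a2@example.org", "income": 4100},
    {"id": "A3", "device": "dev-07", "ip": "203.0.113.24", "email": "a3@outlook.com", "income": 6833},
    {"id": "A4", "device": "dev-09", "ip": "198.51.100.5", "email": "a4@outlook.com", "income": 6833},
    {"id": "A5", "device": "dev-11", "ip": "198.51.100.77", "email": "a5@outlook.com", "income": 7400},
    {"id": "A6", "device": "dev-12", "ip": "192.0.2.40", "email": "a6@example.com", "income": 6833},
]

def link_keys(app):
    """Yield the attribute values that can tie one application to another."""
    domain = app["email"].rsplit("@", 1)[-1].lower()
    yield ("device", app["device"])
    yield ("ip", app["ip"])  # shared NAT or carrier IPs can over-link; weight accordingly
    # A common mail domain or a repeated income is weak alone, so link on the pair.
    yield ("income+domain", (app["income"], domain))

def find_rings(apps, min_size=3):
    """Group applications connected through any chain of shared link keys."""
    parent = {a["id"]: a["id"] for a in apps}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_key = defaultdict(list)
    for a in apps:
        for key in link_keys(a):
            by_key[key].append(a["id"])
    shared = {k: ids for k, ids in by_key.items() if len(ids) > 1}
    for ids in shared.values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])

    rings = defaultdict(lambda: {"members": set(), "links": []})
    for a in apps:
        rings[find(a["id"])]["members"].add(a["id"])
    for key, ids in shared.items():
        rings[find(ids[0])]["links"].append(key[0])  # record why the ring is linked
    return [{"members": sorted(r["members"]), "links": sorted(r["links"])}
            for r in rings.values() if len(r["members"]) >= min_size]

if __name__ == "__main__":
    for ring in find_rings(APPS):
        print(ring)
```

No single attribute joins all four linked applications; the cluster only appears when device, IP and income-plus-domain links are followed transitively, while A5 and A6 each match on one weak attribute and stay unlinked.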

Fighting fraud rings with AI

Traditional fraud prevention models often fall short when confronting complex fraud schemes orchestrated by coordinated groups. This gap is where Unsupervised Machine Learning (UML) technology excels. UML doesn’t depend on pre-existing knowledge of fraud patterns. Rather, it utilizes advanced correlation analysis and graph processing techniques to reveal connections between fraudulent account behaviors.

It can also analyze vast amounts of data in real time, identifying patterns and anomalies before more fraud attacks take place. AI can also adapt to evolving fraud tactics, continuously learning and updating its models to stay ahead of fraudsters.

Of course, high-quality, comprehensive data is essential for AI and UML tools to reach their fullest potential. That’s why DataVisor emphasizes a 360-degree holistic view of customer activity. This customer-centric approach results in a centralized intelligence platform that harnesses predictive power and provides actionable insights.
