Fraud-as-a-Service (FaaS): The Underground Industry Powering Modern Scams
Fraud is no longer the work of lone hackers. Today, entire fraud operations can be purchased online through underground markets that sell phishing kits, stolen identities and money-laundering networks. This emerging model, known as Fraud-as-a-Service, has transformed cybercrime into a global industry.
For a long time, fraud was commonly associated with highly skilled hackers who possessed deep technical knowledge and operated independently. That image still exists in popular culture, but the structure of modern fraud has changed dramatically. Increasingly, large-scale scams are not executed by lone experts but by individuals who purchase ready-made fraud infrastructure from specialised vendors operating within underground digital markets.
This shift has given rise to what investigators now describe as Fraud-as-a-Service (FaaS). Much like legitimate Software-as-a-Service platforms allow businesses to subscribe to cloud-based tools instead of building systems themselves, Fraud-as-a-Service allows criminals to purchase the technical capabilities required to execute scams without possessing the underlying expertise. In this model, fraud becomes an organised ecosystem where tools, stolen data, operational guidance and laundering networks are sold to customers seeking to run fraud schemes at scale.
The result is the industrialisation of fraud, where cybercrime increasingly resembles a structured digital economy rather than isolated criminal acts.
The Underground Markets That Enable Fraud
The Fraud-as-a-Service ecosystem operates primarily through encrypted communication platforms such as Telegram, Discord, and specialised dark-web marketplaces accessible via anonymising networks like Tor. Within these environments, vendors advertise services and tools that can be used to conduct financial fraud, identity theft, phishing campaigns and account takeovers.
One of the most common commodities sold within these markets is stolen identity data, often referred to as “fullz.” A fullz dataset typically contains a victim’s full name, identity number, physical address, contact details, employment information and sometimes banking credentials. Such data frequently originates from large-scale breaches affecting financial institutions, retailers, telecommunications providers or government databases.
Once identity data is obtained, fraudsters can combine it with other tools purchased through underground markets to launch sophisticated scams. According to cybersecurity researchers, identity datasets are often bundled with tutorials explaining how to exploit them for specific fraud schemes, such as account takeover, credit application fraud or SIM-swap attacks (Europol, 2022).
Fraud Toolkits: The Infrastructure Behind Modern Scams
Fraud-as-a-Service vendors frequently sell complete operational toolkits designed to simplify the execution of scams. These toolkits often include phishing kits, automated messaging tools, spoofing services and credential harvesting platforms.
A phishing kit, for example, is a pre-built package that contains cloned versions of legitimate websites such as banking portals, payment platforms or delivery services. When victims access these pages, they appear identical to the real platforms they trust. Any login credentials entered are captured and transmitted directly to the fraudster’s command interface.
These kits often include administrative dashboards where attackers can monitor incoming credentials in real time. Some systems even provide built-in filters that highlight accounts belonging to high-value targets, allowing criminals to prioritise victims with larger balances or higher credit limits.
In addition to phishing infrastructure, fraud marketplaces also offer SMS spoofing services, allowing criminals to send messages that appear to originate from legitimate organisations such as banks or courier companies. Because these messages often appear within the same conversation threads as legitimate communications from the institution, victims may not realise they are interacting with a fraudulent message.
Another widely used tool is the OTP interception system, sometimes referred to as an OTP bot. These automated systems call victims while impersonating bank security departments. When the victim receives a one-time password from their bank, the automated caller convinces them to read the code aloud under the pretext of verifying suspicious activity. Once the code is obtained, the fraudster can authorise transactions or change account settings.
The Operational Flow of a Fraud-as-a-Service Scam
Although fraud operations can vary significantly depending on the scheme, many follow a structured sequence.
The process often begins with the acquisition of identity data from underground markets. Fraudsters then deploy phishing campaigns targeting individuals within those datasets. Messages designed to create urgency are distributed through SMS, email or messaging platforms. These messages may warn of suspicious bank activity, unpaid deliveries or expiring accounts.
Victims who click the link are redirected to a cloned website where they unknowingly provide their login credentials. Once those credentials are captured, the attacker attempts to access the victim’s account. If a one-time password is required, the fraudster deploys the OTP interception system described earlier.
Once access to the account is obtained, the attacker initiates transfers or purchases. However, stolen funds cannot remain within the attacker’s possession without raising suspicion. The funds must therefore be quickly moved through intermediary accounts.
The Mule Economy
This is where mule networks become essential. Mule accounts are bank accounts controlled by individuals who agree to receive and transfer stolen funds in exchange for a commission.
Recruitment of mule accounts has become increasingly common in South Africa. Advertisements offering “easy money” in exchange for the use of bank accounts circulate widely on social media platforms. Individuals who respond to these advertisements may be instructed to open new accounts or provide access to existing ones.
Once funds are transferred into these accounts, they are rapidly withdrawn or transferred through multiple transactions designed to obscure the financial trail. In many cases, funds are moved into cryptocurrency exchanges, gambling platforms or international transfer services before investigators can intervene.
From a legal perspective, this activity carries serious consequences. Under the Prevention of Organised Crime Act (POCA), knowingly handling the proceeds of unlawful activity constitutes money laundering, and individuals involved in such schemes can face criminal prosecution (Republic of South Africa, 1998).
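For transaction-monitoring teams, the rapid pass-through behaviour described above can be expressed as a simple detection rule. The following is an added example, not part of the original article: the ledger is constructed sample data, and the function name, account labels and all thresholds are illustrative assumptions rather than values from any bank or regulator.

```python
from datetime import datetime, timedelta

# Constructed sample ledger: (account, ISO timestamp, signed amount in rand).
# Positive = credit into the account, negative = debit out of it.
SAMPLE_LEDGER = [
    ("ACC-A", "2024-03-01T09:00:00", 48000.00),   # large inbound credit
    ("ACC-A", "2024-03-01T09:12:00", -15000.00),  # drained in pieces
    ("ACC-A", "2024-03-01T09:20:00", -16000.00),
    ("ACC-A", "2024-03-01T09:41:00", -16500.00),
    ("ACC-B", "2024-03-01T08:00:00", 30000.00),   # salary-like credit
    ("ACC-B", "2024-03-03T17:30:00", -1200.00),   # ordinary spending
    ("ACC-B", "2024-03-09T11:00:00", -4500.00),
    ("ACC-C", "2024-03-02T10:00:00", 20000.00),   # one transfer out, e.g. rent
    ("ACC-C", "2024-03-02T10:30:00", -19000.00),
]


def find_pass_through(ledger, window=timedelta(hours=2),
                      min_credit=10000.0, min_ratio=0.9, min_debits=2):
    """Return alerts for credits that are mostly moved out again within
    `window` through several debits. All thresholds are illustrative."""
    by_account = {}
    for account, ts, amount in ledger:
        by_account.setdefault(account, []).append(
            (datetime.fromisoformat(ts), amount))

    alerts = []
    for account, txns in sorted(by_account.items()):
        txns.sort()
        for credit_time, credit in txns:
            if credit < min_credit:
                continue
            # Debits that follow this credit inside the window.
            debits = [-amt for t, amt in txns
                      if amt < 0 and credit_time < t <= credit_time + window]
            ratio = sum(debits) / credit
            if len(debits) >= min_debits and ratio >= min_ratio:
                alerts.append({"account": account,
                               "credit_time": credit_time.isoformat(),
                               "credit": credit,
                               "debits": len(debits),
                               "ratio_out": round(ratio, 3)})
    return alerts


if __name__ == "__main__":
    for alert in find_pass_through(SAMPLE_LEDGER):
        print(alert)
```

On the sample data only ACC-A is flagged; ACC-C moves most of its credit out quickly but in a single debit, so a production rule would typically combine this signal with others such as account age and counterparty history.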
Fraud as a Global Supply Chain
One of the defining characteristics of the Fraud-as-a-Service ecosystem is the division of labour among participants.
Rather than a single criminal performing every step of the fraud, different actors specialise in specific roles. Some groups focus on stealing identity databases through hacking or insider access. Others specialise in building phishing infrastructure or developing malware. Separate actors recruit mule networks, while others focus exclusively on laundering stolen funds.
This structure allows fraud operations to scale rapidly and operate across international borders. According to Europol, cybercrime groups increasingly resemble organised business structures where participants collaborate through digital marketplaces rather than traditional criminal hierarchies (Europol, 2022).
The South African Context
South Africa’s rapidly expanding digital economy has created both opportunities and vulnerabilities. The widespread adoption of online banking, mobile payments and digital identity verification systems has increased the potential attack surface for fraudsters.
According to the South African Banking Risk Information Centre (SABRIC), digital banking fraud and card-not-present fraud have increased significantly in recent years as criminals adapt to evolving financial systems (SABRIC, 2023). Many of these incidents involve social engineering tactics combined with technical tools sourced from international fraud marketplaces.
Investigations by the Hawks and the South African Police Service have revealed that fraud syndicates operating locally often rely on infrastructure developed and distributed through global cybercrime communities.
The Psychology Behind Successful Fraud
Despite the technological sophistication of Fraud-as-a-Service infrastructure, many scams still rely on basic psychological manipulation.
Fraudsters frequently create urgency and fear to pressure victims into acting quickly. Messages warning that an account will be frozen, a payment is overdue or a delivery cannot proceed are designed to trigger emotional reactions that override careful evaluation.
Understanding these behavioural tactics is critical in reducing fraud risk. Research in behavioural economics suggests that individuals under time pressure are significantly more likely to make decisions without verifying information, making them more vulnerable to social engineering attacks (Cialdini, 2009).
What Consumers Can Do
Although the scale of the fraud ecosystem may appear overwhelming, simple precautions remain highly effective.
Consumers should never share passwords or one-time passwords with anyone claiming to represent a financial institution. Unsolicited messages requesting login verification or urgent payments should be treated with suspicion, particularly when they contain links directing users to external websites.
When in doubt, contacting the institution directly through official channels remains the safest course of action.
What Organisations Should Be Thinking About
For organisations, the rise of Fraud-as-a-Service represents a structural shift in the fraud landscape. Companies are no longer defending themselves against isolated attackers but against organised networks equipped with specialised tools and shared infrastructure.
Effective fraud risk management increasingly requires proactive strategy rather than reactive investigation. This includes stronger identity verification processes, enhanced transaction monitoring, intelligence sharing across industries and the continuous assessment of emerging fraud threats.
At MK Fraud Insights, we work with organisations to help them understand these evolving fraud ecosystems and assess whether their current controls are equipped to respond effectively. Through fraud readiness assessments, fraud strategy development and operational advisory, our goal is to help organisations move beyond reactive fraud detection toward more resilient fraud prevention frameworks.
Understanding the Fraud Economy
Fraud has evolved into a complex digital industry where tools, services and stolen data are traded openly within criminal marketplaces. The scams encountered daily by consumers are often only the visible surface of a much larger system operating behind the scenes.
Understanding how this system functions is a crucial step in disrupting it, because modern fraud is rarely random. It is part of a global criminal economy.
References
Cialdini, R. B. (2009). Influence: Science and practice (5th ed.). Pearson.
Europol. (2022). Internet organised crime threat assessment (IOCTA). Europol.
Republic of South Africa. (1998). Prevention of Organised Crime Act 121 of 1998.
South African Banking Risk Information Centre. (2023). Annual crime statistics.
Verizon. (2024). Data breach investigations report. Verizon Enterprise.