Although we tend to view fraud as one general activity, it’s a bit more complicated than that. Whether the endgame is stealing private information, money, or both, bad actors aren’t bound by a one-size-fits-all approach. They’re continually innovating ways to get what they want. Aided by technology, today’s fraudsters are more active — and more resourceful — than ever. And as fraud continues to become increasingly sophisticated, companies will need to develop better strategies to identify and stop the various types of fraud.
It’s especially important for businesses and financial institutions to understand how different kinds of fraud manifest in ordinary interactions. Having deep knowledge about fraud types and their potential impact will help institutions strengthen their security monitoring processes during onboarding and beyond. The ideal goal is to outsmart the fraudsters before they ever have a chance to strike.
In this guide, we’ll review the three main types of fraud — first-, second-, and third-party — and offer examples of each.
When we talk about how fraud happens, the terms we use to describe it can help us understand the means by which the fraud is carried out, as well as its impact, scale, and depth of planning. Here are some common terms that we use when we talk about fraud, and their definitions:
In this type of fraud, an individual misrepresents their own identity and/or financial situation for personal gain. Here are a few common examples of first-party fraud:
An individual makes purchases with a credit card and then disputes the charges through the issuing bank. Sometimes, the individual may knowingly dispute a charge for something they purchased so that they can keep the product or receive the service and still get their money back. Other times, the individual may not recognize a charge on their statement when, in fact, someone else in their household made the purchase without their knowledge. According to a study by Sift, 26% of US consumers admitted to committing friendly or chargeback fraud. The numbers are higher for younger demographics, with 42% of Gen Z respondents reportedly committing this type of fraud.
First-party synthetic fraud is when a fraudster combines made-up credentials, such as a fake social security number (SSN), with their real name and date of birth (DOB) to manipulate their identity. The goal is to misrepresent their own personal finances and credit history.
For example, a person with a poor credit score might use their own name and address along with someone else’s SSN to open a credit card account. A study conducted by The Carnegie Mellon CyLab Security and Privacy Institute reported that the SSNs of children are 51 times more likely to be used in synthetic fraud. This spells trouble not only for the financial institutions that lose money to the fraudsters, but also for the individuals who will have to clean up the lingering mess of identity theft for years to come.
A fraudster might commit first-party check fraud using a valid check in their own name. They can do this by exploiting a financial institution’s “float” rates: After depositing a check, the fraudster makes quick withdrawals and takes off with the funds before the check has cleared.
While check fraud can be a form of first-party fraud, it is more commonly experienced as second- or third-party fraud. Between 2022 and 2023, authorities witnessed a 500% increase in sales of stolen checks on messaging apps. Black market activity involving the circulation of stolen checks has contributed to the $26.6 billion in total check fraud losses recorded in Nasdaq’s 2024 Global Financial Crime Report.
Also known as identity manipulation, second-party fraud involves one person exerting psychological control over another in order to commit fraud. Here are three common ways this can happen:
Working with a money laundering ring, a fraudster coerces a person into using their own PII (personally identifiable information) to apply for credit or transfer funds on behalf of the fraud operation. From there, the person becomes the fraud ring’s mule, transferring funds that have been acquired illegally.
While some mules are willing accomplices, many others have no idea they’re participating in a criminal enterprise. That’s because fraudsters will often target students and job seekers who are looking for stay-at-home income and have little reason to suspect they are actually participating in a calculated scheme.
In a romance scam, also known as catfishing, the fraudster assumes a fake online identity and ingratiates themself with an unsuspecting target. Pretending to care for their victim, the fraudster wins their trust by expressing love or even proposing marriage. Then, they manipulate the victim into giving them money, usually by concocting some hard-luck story. The FTC warns that romance scam artists like to troll online dating and social media sites in search of their next mark. In 2023, consumers lost nearly $1.2 billion to romance scams, with a median loss higher than that of any other imposter scam.
Third-party fraud refers to financial crimes that are committed while using someone else’s identity. The victim’s identity is appropriated, in part or in whole, through a number of methods, including:
APP fraud is when someone is tricked into authorizing a payment to an account controlled by a criminal. This type of fraud is particularly prevalent and difficult to control because it involves an instantaneous payment. APP fraud often happens alongside social engineering scams designed to fool the target.
With digital payments continuing to grow in use, APP fraud is also becoming more widespread. According to Alloy’s 2024 State of Fraud Benchmark Report, 22% of banks and fintechs see APP fraud as the most prevalent — and costly — type of fraud they experience.
A fraudster impersonates a legitimate party and reaches out to a target through everyday social interaction. Examples include:
A “phishing” email sent by a fraudster pretending to be a legitimate charity asking for a donation
A “smishing” text message sent by a fraudster pretending to be the person’s bank and requesting they reset their passcode
A “vishing” phone call initiated by a fraudster pretending to be from the IRS
By earning the target’s trust, the fraudster is able to convince them to do their bidding, whether that means divulging PII, sharing an OTP (one-time password or pin), offering their credit card number, or wiring money to a mysterious account number.
One of the largest-ever social engineering scams was organized by a Lithuanian national, Evaldas Rimsauskas, whose team of fraudsters formed a fake company and sent phishing emails to employees at Google and Facebook. Rimsauskas and his associates scammed the tech titans out of more than $100 million before finally being caught.
Similar to first-party synthetic fraud, this type of fraud involves a person using a made-up identity. In the third-party context, however, the fraudster’s entire identity — name, DOB, and SSN — is fabricated, and the fraudster is often involved in high-stakes organized crime.
One of the most common types of third-party fraud is an account takeover attack. In this type of fraud, a bad actor is able to wrest control of a target’s online accounts, often by stealing their credentials. The cybercriminal might then withdraw money from the target’s bank account, open a new account in the target’s name, commit credit card fraud, or even impersonate the target to redirect unemployment benefits. In a survey conducted in 2020, 38% of the respondents said they had been the victim of an account takeover within the past two years.
Pig butchering scams get their crude name from the way fraudsters "fatten up" their victims with false promises before ruthlessly scamming them out of their money. Through a drawn-out process of social engineering and manipulation, the scammer builds trust with the victim and convinces them to send funds — usually in the form of cryptocurrency. Pig butcherers commit this type of investment fraud scheme on social media platforms like Instagram, where they troll hashtags to identify individuals or businesses with exploitable intents, such as those looking to make investments, sell goods, find art buyers, or acquire donations. The prevalence of these costly schemes has increased pressure to implement Know Your Customer (KYC) regulations in the cryptocurrency space.
The most well-known type of third-party fraud, identity theft, occurs when a fraudster steals another person’s identity for personal gain. This includes opening new accounts in the target’s name without their knowledge. The identity thief will often steal someone’s financial information, especially their credit card account data, and then use it to purchase expensive goods, such as a TV or a computer. While identity thieves have been known to pick through someone’s trash in search of receipts, paid bills, and business mail, most fraud related to identity theft is committed digitally.
One of the most common types of fraud involves impersonating a false business identity. In 2023, $752 million was reportedly lost due to identity fraud that involved impersonating businesses.
There are many different kinds of fraud. And when you couple technological innovation, the fluid nature of fraud, and the dark side of human ingenuity, it’s impossible to overlook the fact that new types and examples of fraud will keep emerging. For now, here are some other fraud types we have our eyes on:
P2P payments platforms like Cash App, Zelle, and Venmo make it easier than ever before to transfer money to small businesses or your friends and family, but they’ve also introduced new avenues for bad actors to defraud individuals and financial institutions. One popular tactic for P2P payment fraud is when fraudsters posing as legitimate businesses request payment for a product or service through a P2P payment platform. Once they receive the money, they disappear without providing the goods or services. P2P payments accounts are also just as vulnerable to account takeovers as regular bank accounts. As P2P payments fraud becomes more common, it is a growing area of focus for regulators and financial institutions alike.
This type of fraud takes advantage of special referral incentives that brands use to win more customers. Posing as a legitimate customer, the scammer uses a financial institution’s referral program to receive or share rewards under false pretenses. There are four kinds of referral fraud: self-referral, exploitation, account cycling, and broadcasting.
Also known as insider fraud, this type of fraud is committed by a financial institution’s own employees. These employees are likely to be under considerable pressure and susceptible to fraudulent activities. Three factors, commonly referred to as the Fraud Triangle, can explain the psychology behind internal fraud: an employee is highly motivated by the promise of personal gain, sees a convenient opportunity and is able to rationalize their deceitful behavior. Although internal fraud is perpetrated by a relatively low percentage of employees, its impact can be severe, sometimes tracing back to amateur fraud rings.
This type of fraud involves an innocent shopper, a retailer, and a fraudster. The fraudster sets up operations on a website that allows third-party sellers, such as Amazon or eBay. An interested shopper places an order and presents their credit card information, believing that the operation is a legitimate digital store. The fraudster — who has no merchandise of their own — buys the item from a legitimate retailer using a stolen credit card and has it shipped to the shopper. When the item arrives, the shopper doesn’t think to question the purchase. They also have no clue their personal information is now part of an ongoing scam. Meanwhile, the owner of the first stolen credit card files a chargeback claim with the legitimate retailer after they spot fraudulent charges on their statement. The cycle then continues.
Phishing scams and other types of fraud on this list are still in vogue. But fortunately, as fraud has increased, so has law enforcement’s ability to seek justice. In February 2024, the UK’s National Crime Agency (NCA) partnered with the Federal Bureau of Investigation (FBI) as part of “Operation Cronos” to take out LockBit, a cybercrime organization responsible for 25% of ransomware attacks in the year prior. The operation has been called one of the most “significant disruptions” for fraudsters to date.
Educational campaigns, community outreach, government agencies offering legal advice, and even true crime shows have all helped consumers become savvier about fraud. Fed-up victims have even teamed up with authorities to help catch the fraudsters in some instances.
Today’s financial institutions need better strategies for fraud-proofing their operations. It’s not enough to know your customer; you also have to know your fraudster and anticipate their methods. The first step is to learn how to identify which type of fraud you might be facing. The second is understanding how to prevent it. You want to outwit the con artists and criminals before they act.