Why Scamming Can’t Be Stopped—But It Can Be Managed


With crime-as-a-service lowering the barrier to entry and prosecution lagging behind, enterprise security teams must rethink their strategies to detect and disrupt scams at scale.

Scams are no longer mere annoyances that trick individuals without harming the wider economy. They have become big business, with Arkose Labs suggesting they could cost the global economy $1.03 trillion in 2024.

The reason for this growth is complex but not complicated. Crime pays consistently more than legitimate work, and scamming is easy with the rise of crime-as-a-service (CaaS). Moral humans are easily fooled by immoral humans, and the prosecution of cybercriminals is difficult given the global nature of the crime and the fractured nature of geopolitics.

The result is a huge threat ecosphere populated by both technically capable and technically naïve individuals (fed by CaaS), and major crime groups. Prosecutions are important, but unable to diminish the overall growth. The current defenses are to recognize a scam in progress and block it, and to disrupt the ecosphere of the major groups.

An example of the latter can be seen in Microsoft’s Arkose-assisted disruption of Storm-1152, a Vietnam-based cybercrime group. Storm-1152 had created 750 million fraudulent Microsoft accounts; and other groups (including Octo Tempest, Storm-0252, and Storm-0455) were using these accounts for ransomware, data theft and extortion.

Microsoft’s Digital Crime Unit succeeded in shutting down Storm-1152’s websites in December 2023, and followed up with a second lawsuit in July 2024 to shut down new infrastructure being built by the group. Storm-1152 was a cog in the CaaS marketplace supporting criminal activity with the proceeds of scamming. Other aspects of CaaS support individual scammers.

Veiled Marble, for example (belonging to the CaaS subset of phishing-as-a-service), provides a service for $400 per month. According to Arkose researchers (PDF), this kit enables scammers to “launch convincing reverse-proxy phishing attacks that compromise MFA by stealing session cookies through fake interactions with actual company websites.”
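The reverse-proxy phishing described above relays the genuine site to the victim and harvests the resulting session; the relying-party check below, written here as an added illustration (not code from the article, Arkose, or any kit), shows why an origin-bound second factor such as WebAuthn survives that relay. The origin `https://login.example.com`, the challenge handling and the lookalike domain are constructed assumptions.

```python
import base64
import hashlib  # kept for readers extending this to verify the authenticator signature
import json
import secrets

# Constructed assumption: the genuine site's origin, as registered with the relying party.
RP_ORIGIN = "https://login.example.com"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_client_data(origin_seen_by_browser: str, challenge: bytes) -> str:
    """Build the clientDataJSON a browser produces for navigator.credentials.get().
    The browser, not the page, writes the `origin` field, so a proxy cannot edit it."""
    return b64url_encode(json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin_seen_by_browser,
    }).encode())


def verify_assertion_client_data(client_data_b64: str, expected_challenge: bytes,
                                 rp_origin: str = RP_ORIGIN) -> bool:
    """Relying-party checks on clientDataJSON: ceremony type, fresh challenge, and origin.
    The origin check is what defeats a reverse-proxy phishing page on a lookalike domain."""
    data = json.loads(b64url_decode(client_data_b64))
    if data.get("type") != "webauthn.get":
        return False
    if not secrets.compare_digest(b64url_decode(data.get("challenge", "")), expected_challenge):
        return False
    return data.get("origin") == rp_origin


def simulate_login(origin_seen_by_browser: str) -> bool:
    """Constructed scenario: the genuine site issues a challenge; a proxy may relay it
    unchanged, but the victim's browser is on the proxy's domain and reports that origin."""
    challenge = secrets.token_bytes(32)
    client_data = make_client_data(origin_seen_by_browser, challenge)
    return verify_assertion_client_data(client_data, challenge)


if __name__ == "__main__":
    print("direct login accepted:", simulate_login("https://login.example.com"))
    print("proxied login accepted:", simulate_login("https://login.example-com.invalid"))
```

A cookie-based session established after a password-plus-OTP login carries no such origin binding, which is why the kit's cookie theft works against OTP MFA but not against an origin-bound factor.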

Greasy Opal is another CaaS service (reportedly also used by Storm-1152). “Groups like these,” say the researchers, “provide AI-built bots and tools with machine learning algorithms for CAPTCHA solving at scale.”

The combination of sophisticated tools and the profitability of crime are major factors in the growth of scamming. El Salvador provides an example. Scammers in El Salvador might make 20x more by attacking gaming companies than by working as a software developer. With assistance from CaaS, they can do both jobs.

El Salvador offers further insights into the potential trajectory of scamming. Bitcoin became an official currency in 2021, making it easier for scammers to hide their proceeds – the acceptance of cryptocurrencies around the world is growing and facilitating a growth in scamming.

Arkose detected an increase in the volume of fraudulent traffic in El Salvador during Q4 of 2024. “Substantial shifts like this can sometimes be connected to pressures on a local level,” suggest the researchers. “For example, if a government is cracking down on cartel activity and crime on the streets, bad actors will pivot to online fraud, which has less harsh penalties if caught and is physically safer for the scammer.”

The combination of such factors is not limited to El Salvador. Governments are under constant pressure to tackle crime on the streets. Scamming, supported by CaaS, is easy and profitable – and safer.

Social engineering skills are becoming more important to rank-and-file scammers than any deep technical skill – and easier to acquire. Social engineering is part of everyone’s psyche. We use it every day to get what we want in life, from social relationships to success at work. It is something that needs to be honed rather than learned from scratch. Successful scammers have done this.

Pig butchering is an excellent example. While AI technology can be used in the initial stage of locating and profiling individual targets, the progress of the attack is almost entirely via social engineering. The target is selected and approached. It is especially suited to romance scams since victims using a dating site are literally asking to be approached.

Once a connection is established, the scam involves slowly building trust until something like a small investment opportunity can be introduced. If the target takes the bait, the opportunity can be gently increased by encouraging larger investments. The social engineering element may be demonstrated by showing the target small initial returns for encouragement, and by knowing when to withdraw. The aim for the attacker is to extract as much money as possible until either the victim recognizes the scam or has no money left. This is pure social engineering skill.

It’s not clear whether scamming is a cause or effect of the shifting sands of cybercrime. A decade ago, we thought of techno geniuses breaking into computer systems, or organized hacking groups or nation-state hackers. These still exist, of course, but we have seen the evolution of a second group of criminals – the scammers. Bridging the gap is the continuously evolving and expanding crime-as-a-service grouping, with the technical geniuses developing tools to assist scammers – but then diverting the proceeds of scamming to assist the hacking groups.

There is little chance that we can stop the growth of scammers, but a greater chance that we can manage it, by detection and blocking before it causes its harm.
