Fraud specialists have created a taxonomy of tactics used by fraudsters to make it easier to communicate about and understand how criminals steal money from banks and retailers.
The two new taxonomies, one from the banking industry and the other from retail, were announced recently during the RSAC Conference in San Francisco.
Experts from Barclays and Threat Fabric, as well as the National Retail Federation (NRF) and Target, introduced their respective efforts to develop so-called fraud "kill chains" to map and understand the structure of economic crimes.
The cyber kill chain
The concept of a fraud kill chain is adapted from the military concept of a kill chain, a deconstruction of an attack. Lockheed Martin applied the term to cybersecurity in 2011, and experts have since tweaked it.
A cybersecurity kill chain is a security defense model used to identify and stop sophisticated cyberattacks before they affect an organization. It breaks down the multiple stages of an attack, allowing security teams to recognize, intercept or prevent them. This approach aims to bolster defenses against threats such as malware, ransomware and phishing.
The traditional Lockheed Martin cyber kill chain model describes seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and action. Some experts advocate for an eighth stage: monetization, focusing specifically on the attacker's financial gain.
While influential, the traditional model has been critiqued for its primary focus on malware and perimeter security, its linear structure, which attackers don't always follow, and its limitations against insider threats and newer attack techniques.
Alternatives to the cyber kill chain include MITRE ATT&CK, which details tactics and techniques in a non-linear structure, and the unified kill chain, which combines elements of both. Organizations often use tools like SIEM (Security Information and Event Management) and XDR (Extended Detection and Response), along with threat intelligence, to detect and stop attacks across these stages.
Why fraud needs a kill chain
Recognizing the success of these structured approaches in cyber defense, speakers argued that a similar framework is needed for fraud, particularly as economic crime attacks become more complex and intertwined with cyber tactics.
Senan Moloney, global head of cybercrime and cyber fraud fusion at Barclays, highlighted the need for the fraud kill chain by using an example of a class of fraud that has started to plague banks and retailers recently:
About eight months ago, Barclays started to notice an uptick in fraud exploiting near-field communication (NFC), the technology that enables tap-to-pay using cards, phones, smart watches and other devices. The bank brought in fraud prevention company Threat Fabric and its vice president of fraud engineering, Edward Driehuis, to investigate.
The two companies initially focused strictly on how the NFC relay attacks themselves worked, gathering information and intelligence from other financial institutions, but they quickly realized that the tactic was just one in a larger chain of events leading to the new fraud methods.
"One of the things that was missing was a structured, consistent way to share that intelligence and use all of the snippets piece-by-piece, sequentially, to understand the chain of the entire economic crime attack," Moloney said. "Being from a cyber background, we immediately thought that, if this was in the cyber world, we would immediately leverage the cyber kill chain."
Fraud often blends online and physical elements and involves sophisticated social engineering, which can make it difficult for different teams within organizations to communicate about the schemes effectively.
"When talking to fraud teams or financial crime teams using phrases like 'lateral movement,' 'privilege escalation,' 'command and control,' it doesn't really mean a lot," Driehuis said, referring to common technical jargon used in the world of cybersecurity.
The fraud kill chain models discussed aim to break down attack types into smaller chunks that are easier to understand and discuss. Each of these chunks is a TTP: a tactic, technique or procedure. This model enabled Barclays to map and identify mitigation gaps and opportunities.
The fraud kill chain
The model from Barclays and Threat Fabric outlines 10 phases and is used to map attacks like digital wallet and NFC relay fraud: Reconnaissance, resource development, psychological manipulation, faux communications, credential compromise, account access, authorization compromise, fraud event, monetization and money laundering.
In a separate presentation, NRF and Target presented a retail fraud taxonomy that includes four categories: Pre-compromise, initial access, control and monetization.
Evan Gaustad, senior director of threat detection, fraud and abuse at Target, emphasized the value of a common vocabulary, noting that detailed schemes like gift card tampering involve multiple distinct roles and steps.
Gaustad recalled meetings with other retailers and the Department of Homeland Security, in which the parties tried to talk about whether the person in security footage was a gift card tamperer. That question is complicated, because gift card tampering involves multiple steps: Taking gift cards from stores, sending them to a central location, getting the access codes off the cards, repackaging them, and placing them back on store shelves.
"So, it's not one tamperer," Gaustad said. "There's actually like five different jobs in this scheme."
Both presentations also highlighted that many fraud attacks now involve exploiting human vulnerabilities, a factor not always covered in traditional cyber frameworks focused on technical exploits.
For example, a common digital wallet attack uses smishing or fake web shops to lure victims into giving up their card details and one-time passwords, which fraudsters then use to provision the cards onto their own devices in real time. NFC relay, or "ghost tap," attacks enable fraudsters to make physical payments with a provisioned card from a distance by relaying the NFC signal.
Takeaways
A key takeaway from both presentations was the importance of "shifting left," or moving prevention and disruption efforts to earlier stages of the attack chain, rather than relying solely on downstream transaction monitoring.
This requires enhanced visibility and collaboration across different internal teams (threat intelligence, online fraud detection, fraud risk, AML). Furthermore, collaboration with external entities like telecommunications companies, social media platforms, big tech, and law enforcement is crucial, as fraudsters often leverage their services.
Specific mitigation strategies the presenters discussed included improving digital wallet provisioning journeys (e.g., only adding cards to digital wallets from banking apps rather than by inputting the card numbers and information through the digital wallet app), avoiding reliance on SMS for one-time passwords and enhancing data feeds for better detection rules based on factors like geographical location for point-of-service transactions.
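A location-based detection rule of the kind described above could look like the following sketch, which is an added example and not code from the presenters or their organizations. The event schema, the thresholds and the sample feed are assumptions constructed for illustration: a tap is flagged when it is too far from the cardholder's last banking-app login to be real travel, or when it uses a wallet token provisioned within the last day.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds, for illustration only; tune them against real traffic.
NEW_TOKEN_WINDOW = timedelta(hours=24)  # wallet token counts as "new"
MAX_PLAUSIBLE_KMH = 900.0               # faster than this is not real travel
MIN_DISTANCE_KM = 50.0                  # ignore local movement and geo noise

# Constructed sample feed (hypothetical schema): kind, card, device, ts, lat, lon.
SAMPLE_EVENTS = [
    ("app_login", "card-A", "phone-1", "2025-05-01T09:00:00", 51.5074, -0.1278),
    ("provision", "card-A", "phone-9", "2025-05-01T09:20:00", 51.5074, -0.1278),
    ("pos_tap",   "card-A", "phone-9", "2025-05-01T10:05:00", 40.4168, -3.7038),
    ("app_login", "card-B", "phone-2", "2025-05-01T08:00:00", 53.4808, -2.2426),
    ("pos_tap",   "card-B", "phone-2", "2025-05-01T08:30:00", 53.4830, -2.2400),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def flag_taps(events):
    """Return [(card, device, reasons)] for POS taps that look relayed."""
    alerts, last_login, provisioned = [], {}, {}
    for kind, card, device, ts, lat, lon in sorted(events, key=lambda e: e[3]):
        when = datetime.fromisoformat(ts)
        if kind == "provision":
            provisioned[(card, device)] = when
        elif kind == "app_login":
            last_login[card] = (when, lat, lon)  # where the cardholder really is
        elif kind == "pos_tap":
            reasons = []
            if card in last_login:
                seen, slat, slon = last_login[card]
                km = haversine_km(slat, slon, lat, lon)
                hours = max((when - seen).total_seconds() / 3600, 1 / 60)
                if km > MIN_DISTANCE_KM and km / hours > MAX_PLAUSIBLE_KMH:
                    reasons.append("impossible_travel")
            token_age = when - provisioned.get((card, device), datetime.min)
            if token_age <= NEW_TOKEN_WINDOW:
                reasons.append("new_wallet_token")
            if reasons:
                alerts.append((card, device, reasons))
    return alerts
```

Both signals depend on the data feeds carrying terminal coordinates and wallet provisioning timestamps, which is the feed enhancement the presenters called for.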
Both initiatives are intended to be collaborative and open to the industry. The Barclays and Threat Fabric team has launched a website,
"You will see that on that website, there is no branding of Barclays or Threat Fabric or anybody else," Moloney said. "That's the way we want to keep it."
The taxonomy from NRF and Target is available publicly on
The presentations underscored that while progress is being made in understanding and combating fraud, significant work remains, and widespread adoption of common frameworks and increased collaboration are essential to keep pace with evolving threats.