Demystifying the Fraud Economy
Fraud-as-a-Service, or FaaS, operates like any legitimate subscription business, but its products are illegal. It's an underground marketplace where developers package and sell tools, services, and data to help others commit fraud, even those with minimal
technical skill. These platforms, often found on the dark web or private messaging groups, offer everything from phishing kits and malware to stolen credit card numbers and fake identity documents. This model turns complex cyberattacks into a simple purchase, dramatically lowering the barrier to entry and allowing criminal activity to scale at an alarming rate. For a monthly fee, anyone can get into the fraud business, no coding required.
The Anatomy of a Subscription Scam
One of the most common schemes enabled by this illicit economy is the subscription scam. These scams trick you into recurring payments through deceptive means. It might start with a tempting "free trial" for a product where shipping fees hide an auto-renewing membership, or a low-cost item that enrolls you in a pricey plan. In India, this even extends to fraudulent UPI mandates disguised as electricity bills or KYC update fees, sent randomly in the hope someone approves them in a hurry. The core of the scam is the misleading consent and a cancellation process that is often intentionally difficult, ensuring the charges continue long before the victim notices.
The Plug-and-Play Promise of FaaS Tools
FaaS providers market their products with the promise of easy profits. For subscription scams, they offer specialized toolkits. A common product is a 'phishing kit', sometimes called a 'SCAMA', which includes pre-built fake login pages for banks, e-commerce sites, or streaming services. These kits can cost anywhere from a few hundred to several thousand rupees a month. The allure is simple: the fraudster doesn't need to build a fake website or understand how to process stolen data. The kit does it all, from capturing user credentials and payment details to routing them back to the criminal. The marketing pitch is one of plug-and-play criminality, promising a high return for a small investment.
The Great Unproven: A Problem of Attribution
Here's the central issue the FaaS industry can't solve: proving that a specific tool actually works as advertised. While sellers boast about their software's effectiveness, it's nearly impossible to verify these claims due to the fundamental challenge of 'cyber attribution'. Investigators and even other criminals find it extremely difficult to trace an attack back to its true source, let alone a single piece of software. Attackers use a host of techniques to cover their tracks, such as routing traffic through compromised computers (botnets), using anonymizing services, and planting 'false flags' to mislead anyone watching. Since many criminals use shared infrastructure and multiple tools at once, singling out one FaaS product as the key to a scam's success is a speculative exercise at best.
Where the Real, Verifiable Threat Lies
While the effectiveness of any single tool is debatable, the collective danger of the FaaS ecosystem is undeniable. The real threat isn't necessarily sophistication, but accessibility and volume. By making fraud tools cheap and easy to use, FaaS has flooded the digital space with low-level attackers. This directly contributes to the rising tide of digital fraud in India, which in 2025 saw a suspected fraud rate of 7.1%, nearly double the global average of 3.8%. Furthermore, recent data shows fraudsters in India are shifting tactics from creating new fake accounts to targeting existing ones through account takeover attacks. FaaS tools that automate credential theft and login attempts directly fuel this trend, amplifying the risk for every digital citizen.
















