Phishing and other forms of email fraud have been industrialized and now rely on a coordinated, scalable operating model that supports everything from credential compromise and account takeover
to more efficient cash-out, according to a new report from AppGate: "The Industrialization of Digital Fraud—From Social Exposure to Cash-Out."
“Fraud is no longer a series of isolated events—it is an industrialized system operating across the entire digital journey,” says Mike Lopez, senior vice president of fraud
solutions at 360 Fraud Protection by AppGate.
The study is designed to give fraud, risk and security leaders “a common language—and a measurable framework—to align
defenses with how attackers actually operate, reducing losses without adding unnecessary customer friction.”
There is a certain urgency to this. As Alloy has reported, every $1 in direct
fraud loss creates $5.16 in total impact for lending institutions, including recovery, chargebacks, churn and operational costs.
The report notes that siloed, point-based defenses are largely
ineffective against attackers operating in what it calls “the full fraud chain.”
In addition, it reports that the “expansion of digital payments and real-time rails
increases the attack surface and accelerates the 'deception → ATO → cash-out' cycle.”
The study adds that “tolerance for friction is
falling: customers expect smooth experiences, and institutions must defend without degrading conversion or increasing false positives.”
The challenge? “In this
environment, the market is shifting toward passive verification (signals, behavior, machine learning) to preserve the user experience, reserving friction for critical moments... or high-fraud
probability). The practical consequence is an architectural shift: controls designed to make real-time decisions on sessions and transactions, not just to block campaigns.”
But
here’s one warning: If your architecture depends on “a single checkpoint (login or the email channel), attackers bypass it by shifting to SMS/QR/social; containment must exist
post-click/post-scan.”
Within the report, the company’s 360 Fraud Protection introduces the Fraud Industrialization Stack, a new framework that organizes fraud into four
interconnected layers:
External exposure: social impersonation, phishing, brand abuse and scam infrastructure.
Identity capture: the increasing risks of credential theft, social engineering, and account compromise.
Account and session control: resulting in takeover, device abuse, and transaction manipulation.
Cash-Out: monetization through “fraud payments, mule networks, and high-velocity extraction.”
The report draws on intelligence from AppGate’s
Guardian Fusion Center, the Anti-Phishing Working Group (APWG), Verizon’s Data Breach Investigations Report, Microsoft’s Digital Defense Report, Juniper Research and Alloy.