How Scams Really Work: Breaking Down a Complex System into Something We Can Fix

By AJ Nash, Unspoken Security | January 26, 2026

In 2024, consumers reported losing $12.5B through fraud, which was a 25% increase in just one calendar year. $12,500,000,000 in annual losses. And that is just what was reported.

What makes that figure so troubling, aside from the staggering number of zeroes, is that the total number of fraud reports stayed virtually flat across that one-year span. So, while the number of fraud incidents didn’t grow, the average cost per incident did, primarily because more fraud attempts were successful. In 2023, 27% of people who reported fraud said they lost money. In 2024, that figure jumped to 38%.

Investment scams increased by 24%, creating $5.7B in financial losses, alongside $2.95B in financial harm caused by imposter scams. This data tells us that scammers are getting better at their jobs, growing the complexity, diversity, and ultimately effectiveness of their financial fraud crimes. To combat this growing threat, we first need to understand how the whole operation works, so let’s dig in.

Scams Are Not Random Acts - They’re Industrial Operations

The security industry, for the most part, treats scams like individual bad actors and actions instead of thinking systemically. We see a phishing email here, a fake investment scam site there, and a romance scammer somewhere else, instead of seeing these incidents as part of an industrialized criminal ecosystem. Fraud rings operate like legitimate SaaS companies, complete with subscription pricing, customer support, and feature roadmaps. Phishing-as-a-Service (PhaaS) platforms empower someone with little to no technical skills to launch sophisticated campaigns for as little as $50 a month, which seems like a bargain compared to the financial gains the fraudsters are getting. Who says crime doesn’t pay?

Criminals have essentially democratized fraud, removing the barriers to entry that used to require real hacking expertise. A lot of industries could learn from that kind of business acumen. As a result, in the 12 months ending in August 2025, cybercrime domains used in attacks increased by 126%, with nearly 20 million unique domains weaponized against victims. That kind of growth and volume is unlikely to come from disorganized, dispersed, and disparate criminals. This is what the organized part of organized crime looks like.

Understanding the Scam Supply Chain

Before we can attempt to fix a problem, we must understand that the modern scam supply chain is an ecosystem of distinct components, each presenting opportunities for disruption.

  • Infrastructure acquisition is the foundation. Criminals need domains, hosting accounts, and network resources to run their operations. They acquire these cheaply and at scale, often exploiting legitimate services that don’t ask enough hard questions. Evidence of this can be seen in a November 2025 analysis, which found that over 7.3 million domains used in cyberattacks were registered in bulk, a 177% increase from the prior year.

  • Tooling and templates increase efficiency and effectiveness. Modular attack kits include plug-and-play phishing templates, synthetic identity generators, and even deepfake toolkits. In September 2025, Microsoft seized 338 websites linked to a Phishing-as-a-Service operation whose customers could send up to 9,000 phishing emails per day. These kits make it trivially easy for criminal customers to launch attacks without building anything themselves.

  • Contact and manipulation are where criminals engage victims. While email continues to be the most common contact method, phone calls and text messages also feature prominently. Criminals use time-tested techniques of urgency and authority that continue to be effective regardless of the delivery mechanism.

  • Money movement closes the loop. The most recent annual data shows consumers lost more money through bank transfers and cryptocurrency than all other payment methods combined. Nearly two million money mule accounts were reported across financial institutions globally, serving as conduits to launder stolen funds. Once the money moves through these networks, recovery becomes nearly impossible.

Disrupting the Machine

Now that we’ve presented most of the doom and gloom around fraud, here is some good news. If scams operate as interconnected supply chains, then they are susceptible to the same vulnerability as all interconnected systems: if we can disrupt the right individual links – in this case, the infrastructure and accessible resources criminals depend on – we can degrade the entire system.

When registrars and hosting providers increase friction - whether through better verification, faster takedowns, or information sharing - they raise the cost of doing business for criminals. But this is only successful if the time gap between detection and disruption is very small, because research shows that 95% of phishing site visits occur within the first 20 hours of detection, and every hour a malicious site stays alive, it generates more victims. Organizations that detect and disrupt threats within minutes – instead of days – can fundamentally change the economics of scam operations.

Disrupting the platforms that criminals created to lower barriers to entry is another way to significantly degrade the criminal ecosystem. When law enforcement and private sector partners take down PhaaS operations, they don’t just eliminate one threat; they force every criminal customer who relied on that service to find alternatives, buy new tools, and rebuild their processes. Criminals (like their legitimate counterparts) lament increases in friction and cost. So, if these disruptions happen consistently, the economics of operating a scam platform can begin to look a lot less attractive.

Lastly, financial disruption hits criminals where it hurts most: their revenue stream. When payment networks, cryptocurrency exchanges, and financial institutions freeze accounts and block transactions, they prevent funds from leaving the system before recovery becomes impossible. For criminals, who are primarily (if not entirely) motivated by money, this makes the prospect of launching a criminal fraud enterprise much less desirable. Criminals, again mirroring their legitimate counterparts, want to maximize profits while minimizing friction and risk. Any disruption in cash flow can dramatically alter our adversaries’ math.

Moving Left of the Boom

In the Intelligence Community, we talk about operating “left of boom,” which means acting before an attack rather than responding to the aftermath. We need to apply the same principle to fraud, because waiting until a victim reports a scam means the damage is already done.

Organizations making the most progress against fraud are those that understand they’re fighting a system, not isolated incidents. As a result of that understanding, they build automated detection that identifies threats before victims click, develop relationships with infrastructure providers that enable rapid takedowns, and share intelligence across sectors so that a threat identified in one place is a threat that can be blocked in all places.

While this may sound simple, it isn’t. Criminals are sophisticated, well-funded, and constantly adapting. We see them leveraging AI to generate more convincing phishing emails, using deepfakes to impersonate executives in wire fraud schemes, and exploiting cryptocurrency to move money faster than traditional recovery mechanisms can respond. No doubt, these are some of the best early adopters of technology in the world! But, by understanding how the scam ecosystem works - the infrastructure, tooling, contact methods, and money movement - we can start identifying the intervention points that will likely have the greatest impact.

The pattern of continued growth in financial losses due to fraud year-over-year is not a foregone conclusion. But, to reverse that trend, we need to start thinking about scams not as many individual events, but as a system that – when understood – can be disrupted.


