Fraudsters and fraud prevention professionals live in opposite worlds: one is building defenses, the other is breaking them down. But if you dropped a fraud prevention expert into the shoes of a fraud ring member, their workday might feel surprisingly familiar. These rings are structured, organized and efficient. They have hierarchies, defined roles and clear objectives — much like the businesses they attack. 

That level of organization is why account takeover (ATO) attacks are surging, with losses climbing 24% year-over-year. Fraud-as-a-service has become a booming industry, growing at a pace most mainstream businesses would envy. Together, it all makes fraud rings less of a fleeting threat, and more like a strategic competitor. To beat them, fraud leaders need to understand how fraud rings work, the roles that make attacks possible and the playbooks that keep them running. 

Meet the team behind an ATO attack

Within their businesses-like structure, fraud rings’ success depends on clearly defined responsibilities. Each role plays a critical part in moving an attack from planning to profit. Here are some of the jobs fraud rings are filling, and how they work together to bring attack plans to life: 

The scouts 

Scouts perform reconnaissance on target businesses and accounts to kick off attacks. Their job is to acquire or test stolen credentials and probe defenses to find weaknesses. These fraudsters identify thresholds for bypassing controls like MFA or biometrics, laying the groundwork for the rest of the operation.  

The execution experts 

Once credentials are verified and a path through step-up defenses is identified, execution experts take over. These specialists use the intel gathered by scouts to manually access accounts and begin altering information (or tailor bot scripts to do the job for them). Their goal is to cement control over accounts — logging in repeatedly, resetting passwords or biometrics, and changing profile information to establish trust and entrench themselves as the account’s “owner”. They transform stolen credentials into fully compromised, fraudster-controlled accounts. 

The monetization specialists 

These fraudsters are responsible for turning compromised accounts into revenue. They execute transactions that funnel funds through compromised accounts to other ring members, using either stolen payment cards or saved payment methods on compromised accounts. Their work converts stolen credentials into real financial gain, making them the final step in monetizing attacks. 

The commercialization team 

Here, everything is documented — from scouts’ findings to execution experts’ tactics — and packaged into detailed playbooks that lay out every step needed to execute attacks. These guides are sold on the dark web to other rings or lone actors, fueling the fraud-as-a-service economy. They also manage forums where buyers can get support, ensuring attacks can be replicated at scale. 

Putting rings out of business 

Fraud rings aren’t posting on online job boards, but they are scaling their operations massively in other ways. There’s no interview process or HR paperwork; these rings can bring in new members, scam unsuspecting consumers into joining their operations or create hyper-sophisticated bot scripts with ease.  
 
For fraud teams, understanding the structure of ATO attacks is the first step toward dismantling them — and the foundation for building defenses that can stop fraud rings before they strike. To see what they look like in action, download our latest report.