Glossary of Cyber Fraud
This glossary defines common fraud, abuse, and adversarial-behavior terms as they are used in real investigations.
Account Takeover (ATO)
When a hacker tries to execute an account takeover (ATO), their goal is to take control of your account and use it to steal information or for their own personal profit. In the context of this account takeover definition, the end objective is typically to benefit the hacker or their organization.
However, account takeover fraud can also be used to execute a vandalism scheme designed to hurt the reputation or the operational capacity of a company. Fortunately, there are several things you can do as part of an account takeover protection plan.
References
What Is Account Takeover (ATO)? Definition & Fraud Protection | Fortinet
Abuse
The misuse of infrastructure, services, or resources to host, distribute, or conduct harmful, deceptive, or disruptive activity. Abuse may be financial, operational, or legal in nature and does not always involve direct fraud. Abuse commonly includes:
Hosting objectionable or non-copyright-protected content (e.g., webpages, images, video) used to deceive, exploit, or harm others.
Sending abusive or unsolicited email (spam) from compromised or intentionally misused resources.
Malicious or disruptive network activity such as intrusion attempts, Distributed Denial of Service (DDoS) attacks, port scanning, or other forms of abusive traffic.
Copyright violations subject to takedown or removal requests under the Digital Millennium Copyright Act (DMCA).
Abuse is often an early indicator of adversarial activity and may precede more overt fraud or security incidents.
References
Report abuse of AWS resources | AWS re:Post
Adversary
Person, group, organization, or government that conducts or has the intent to conduct detrimental activities.
Bot
An Internet bot is a software application that runs automated tasks over the internet. Tasks run by bots are typically simple and performed at a much higher rate compared to human Internet activity.
Some bots are legitimate—for example, Googlebot is an application used by Google to crawl the Internet and index it for search. Other bots are malicious—for example, bots used to automatically scan websites for software vulnerabilities and execute simple attack patterns.
References
What are Bots | Bot Types & Mitigation Techniques | Imperva
Botnet
The term “botnet” refers to a collection of computers linked together to perform a specific task. Botnets themselves are not a threat to your network. For example, some botnets perform helpful tasks like managing chatrooms or keeping track of points during an online game. However, when botnets are misused for malicious purposes, they can be very dangerous. This is because a botnet can control your computer and also use it to carry out attacks.
A botnet is a network of computers infected by malware that are under the control of a single attacking party, known as the “bot-herder.” Each individual machine under the control of the bot-herder is known as a bot.
Brute Force Attack
A brute force attack can manifest itself in many different ways, but it primarily consists of an attacker configuring predetermined values, making requests to a server using those values, and then analyzing the response. For the sake of efficiency, an attacker may use a dictionary attack (with or without mutations) or a traditional brute-force attack (with given classes of characters, e.g., alphanumeric, special, case (in)sensitive). Considering a given method, the number of tries, the efficiency of the system that conducts the attack, and the estimated efficiency of the system that is attacked, the attacker is able to calculate approximately how long it will take to submit all chosen predetermined values.
References
Brute Force Attack | OWASP Foundation
Card Testing
Card testing fraud, a prevalent form of credit card fraud, is when fraudulent actors validate the usability of stolen credit card numbers. This fraud usually involves executing several low-value transactions on various websites. These small transactions are often unnoticed by cardholders and fraud detection systems, which tend to focus on larger, more irregular spending patterns. Those committing the fraud use these test transactions to verify the card is still active and has not been flagged or cancelled because of theft and to confirm the card has a sufficient credit limit for purchases.
References
What is card-testing fraud? | Stripe
Chargeback
A reversal of a payment initiated by a cardholder through their bank. Chargebacks are both a financial loss and a downstream signal of undetected fraud.
References
Understanding Chargebacks: Definition, Dispute Process & Examples
Compromised Credentials
Account compromise is when an unauthorized party gains access to a user’s account to steal personal information or for other malicious purposes. When an account is compromised, it means that the attacker has obtained the login credentials (such as username and password) or found a way to bypass the account's security measures. Attackers can compromise accounts using various methods, including phishing attacks, malware infections, weak passwords, or security vulnerabilities.
References
Account compromise definition – Glossary | NordVPN
Credential Stuffing
Credential stuffing is a subset of the brute force attack category. It is the automated injection of stolen username and password pairs (“credentials”) into website login forms in order to fraudulently gain access to user accounts.
References
Credential stuffing | OWASP Foundation
Enumeration
Enumeration is the process of scanning a target system, network, or application and collecting information about it along the way. This step is critical in the reconnaissance phase of ethical hacking or penetration testing, where the aim is to identify some of the weaknesses within the target.
References
Cyber Security - Types of Enumeration - GeeksforGeeks
False Positive
A false positive in cybersecurity is an event or activity that is incorrectly identified as malicious by a security system.
References
Implementer's Guide to Deception Technologies
Fraud
Fraud is any activity that relies on deception in order to achieve a gain. Fraud becomes a crime when it is a “knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment” (Black’s Law Dictionary). In other words, if you lie in order to deprive a person or organization of their money or property, you’re committing fraud.
Identity Theft
Identity theft commonly means that someone takes someone else’s personal information and then uses it for their own benefit, particularly without getting the individual’s permission.
References
What Is Identity Theft? How To Protect from Identity Theft Attacks? | Fortinet
Incident Response
Incident response, or IR, refers to the processes and systems an organization uses to discover and respond to cybersecurity threats and breaches. The goal of IR is to detect, investigate, and contain attacks within the organization. The lessons learned from IR activities are also used to inform downstream prevention and mitigation strategies, thereby enhancing an organization’s overall security posture.
References
What Is Incident Response? - Palo Alto Networks
Indicators of Compromise
Indicators of compromise (IOCs) refer to data that indicates a system may have been infiltrated by a cyber threat. They provide cybersecurity teams with crucial knowledge after a data breach or another breach in security.
Computer security incident response teams (CSIRTs) use IOCs for malware detection, to enhance sandbox security, and to verify the effectiveness of heuristic analysis. They are also used to detect and prevent attacks or to limit the damage done by stopping the attacks early on.
References
Indicators of Compromise (IOCs) | Fortinet
Insider Threat
An insider is any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems.
References
Defining Insider Threats | CISA
Mule Account
A mule account, often called a money mule account, is a bank account used, knowingly or unknowingly, to receive, transfer, or withdraw illegally obtained money on behalf of criminals. In the global financial crime ecosystem, mule accounts are a crucial layer of obfuscation.
References
What Is Mule Account – Detailed Explanation
Phishing
Phishing is a type of cyberattack that uses fraudulent emails, text messages, phone calls or websites to trick people into sharing sensitive data, downloading malware or otherwise exposing themselves to cybercrime.
Risk Signal
A Risk Signal is a cybersecurity concern that could leave a business at risk. It's an indication of a threat that has been derived from several sources. A company may have thousands of issues that expose them to a hacking event. However, many of these issues are of minor relevance. A Risk Signal consolidates a large volume of data into a single observation which we know indicates a company could be compromised.
References
What are Risk Signals? : Breach Check Knowledge Centre
Scam
A scam is a deceptive tactic used to trick people into giving up money, personal information, or access to their accounts—most commonly online through emails, texts, social media, or fake websites. Scammers often impersonate trusted individuals or organizations, using urgency, fear, or emotional manipulation to pressure victims into acting quickly without verifying the situation. With the rise of AI, scams have become more realistic and convincing, making it harder to detect them.
References
Online scams: how to spot and stop them. What is a scam?
Synthetic Identity
Synthetic identity theft is a form of fraud where an identity thief combines stolen information, such as a victim’s Social Security number, with other real or invented information, such as false names, dates of birth and addresses. The resulting fake identity is then used to commit acts of financial fraud.
References
What Is Synthetic Identity Theft? - Experian
Threat Actor
Threat actors, also known as cyberthreat actors or malicious actors, are individuals or groups that intentionally cause harm to digital devices or systems. Threat actors exploit vulnerabilities in computer systems, networks and software to perpetrate various cyberattacks, including phishing, ransomware and malware attacks.
Velocity
The speed or frequency of actions taken within a system. Abnormal velocity is a common indicator of automation or abuse.
References
BLA7:2025 Resource Quota Violation (RQV) | OWASP Foundation
Zero-Day Abuse
A zero-day attack exploits a software vulnerability that is unknown to the vendor and has no patch. The term "zero day" refers to the fact that the developer has zero days to fix the problem before the attack occurs. Attackers leverage this unknown weakness to compromise systems, often before the vendor or security community is even aware of its existence.
References
What Is a Zero-Day Attack? Risks, Examples, and Prevention - Palo Alto Networks