Behind Enemy Lines: F-Secure Reveals How Scammers Operate with New Scam Kill Chain

Image

Go inside the mind of a cyber criminal with F-Secure’s Scam Kill Chain framework : a new in-depth look at the playbook used by scammers around the world. Global cyber security leader F-Secure’s threat intelligence experts break down exactly how these digital con artists choose, approach, and ultimately attack their victims – information that only strengthens the fight against fraud for everyone.

“We’re essentially shining a huge spotlight on cyber criminals who have been operating in the shadows,” said Laura Kankaala, Head of Threat Intelligence at F-Secure. “While there’s no way to completely prevent this, the Scam Kill Chain is our best defense. We have to be one step ahead of how  these scammers operate, so we as an industry can help prevent the crimes from happening in the first place.”

With the borderless nature of the internet, cyber crime is thriving, and consumers are losing more than $1 trillion per year to scams on average. It’s the single biggest threat facing consumers today. And while some efforts have been made in the industry to make sense of the scam ecosystem, they’re often disjointed. There hasn’t been any comprehensive framework detailing the full range of techniques scammers use – until now.

Introducing the F-Secure Scam Kill Chain

Every scam is made up of a series of tactics, known as F‑Secure’s Scam Kill Chain . Originating from the military, the term “Kill Chain” has been historically applied to cyber security. Now, given the threat level scams pose to consumer safety, it’s only fitting to extend it to cover scams targeting consumers too.

The framework is broken down methodically into eight stages:

  1. Reconnaissance

  2. Development

  3. Contact

  4. Persistence

  5. Access

  6. Exfiltrate

  7. Lateral Movement

  8. Monetization

Stage 1: Reconnaissance

In the Reconnaissance tactic, the scammer gathers information about potential victims that they can use in the following tactics of the scam. Reconnaissance consists of both identifying potential victims as well as subsequently gathering their information for future use. The “attack surface” of a scam are the consumers who will be targeted by the scam.

The goal of the scammer is to identify as many victims as possible or a more targeted group of victims and gather as much information about them. The scammer may use several techniques for this purpose such as manually hunting for victim details from social media (name, address, interests, etc.), performing automatic data collection, phishing for information via SMS and phone calls, or purchasing personal data of victims from closed sources (i.e. illegal market­places or the “dark web”) on the internet.

Stage 2: Development

For a scam to be successful, the scammer must carry out several steps, each building on the success of the last. In the Development tactic, the scammer establishes resources that eventually form the foundation of their entire scam.

These resources are used to support operations in later tactics of the F‑Secure Scam Kill Chain and include “creating, purchasing, or compromising/stealing resources that can be used to support targeting”. Such resources may include both physical (computing resources, human scammers, etc.) and virtual (web­sites, social media accounts, malware, etc.) infra­structure that is later used to scam victims.

Stage 3: Contact

Once potential victims are identified and their information is gathered, the scammer must leverage this information and contact them. In the Contact tactic, the scammer may use several manipulative techniques, including either interactive contact (phone call), non-inter­active contact (online advertisements), or a mixture of both.

Popular channels used by scammers include email, SMS, posts and direct messages on social media, etc. In some cases, the victims themselves may even contact the scammers (albeit inadvertently) for example by searching for pirated soft­ware on the internet. The ultimate goal of the Contact tactic is to initiate a response, either by sending a URL leading to a malicious site or getting the victim to provide them with private and sensitive information.

Stage 4: Persistence

As a scam progresses, the chances of it being discovered increase. At this stage, the scammer has invested effort in building and commencing the scam. The scammer now needs to prolong the scam by any means possible, in order to get to the monetization tactic. We call this the Persistence tactic.

The scammer may apply several techniques to do this, but one of the focus areas is cultivating trust. This could mean lying about the intent of the scam, lulling the victims into a false belief of earning benefits by making small payments, or moving conversations to different message platforms to avoid detection.

Stage 5: Access

In this tactic, the scammer attempts to access the victims’ devices (lap­tops or mobiles, for example). The goal is to steal a variety of private information with or without getting a foot­hold on the device. Scammers are typically interested in victim data that can be consumed directly or sold, rented, or ransomed later. This could include personally identifiable information, credit card details, bank account details, etc.

The victims’ information may be accessed in several ways, either by theft, being shared directly by the victims, or accessed using malware. Although similar to the Contact tactic, it differs as the goal of the Access tactic is to actively access and control the victims’ information.

Stage 6: Exfiltrate

Just having access to the data isn’t enough, as this could be denied or revoked at any time. Now, the scammer must take possession of it. This happens in the Exfiltrate tactic, where the scammer takes possession of the stolen data either by sending it out from the device from which it was captured, or by saving the data entered by the victims on the scammer’s hosted service.

Some exfiltration techniques may warrant an interaction with victims, where­as others can be conducted without the victims being aware of data theft. Some techniques might be automated, whereas some are manual.

Stage 7: Lateral Movement

Typically, the success of a scam increases in line with the number of victims it gathers, and scammers tend to act on this philosophy to increase their profits. In the Lateral Movement tactic, the scammer will attempt to spread the scam to as many people as possible using the initial victims’ current environments.

This can happen in several ways, for example the scammer may abuse the initial victims’ social media accounts to spread the scam to other contacts, post scam messages on the first victims’ groups or forums, leverage one social media account to get access to another, etc. An added benefit of this proliferation is that it allows the scammer to hide their tracks, as it becomes harder for sub­sequent victims to identify the true perpetrator.

Stage 8: Monetization

The last and most crucial step in the F‑Secure Scam Kill Chain is the Monetization tactic. Scamming is a business, making a profit is at the heart of almost every scammer’s motive, and all previous tactics lead up to this point. However, the scammer must take steps to avoid being detected.

For example, direct money transfers might be traceable, and as the scammer and the victims may be in different geographies, dealing in cash might be infeasible and attract unwanted attention. So, a scammer’s currency and means of monetization can be multi­fold, including actual money, cryptocurrency leading to a plethora of investment schemes, sales of valuable data, identity of another person, benefits of utilizing premium member­ship of services with­out paying, gift cards etc.

By sharing the Scam Kill Chain widely, F-Secure is helping the anti-scam industry in their fight against digital fraud — detailed research is the best way to develop effective defenses against scams. Click here  to view the entire Scam Kill Chain framework.

F-Secure: The Solution

F-Secure’s cutting-edge scam protection solutions identify and block digital threats as soon as they appear. Their flagship app Total  gives millions of users comprehensive online security with a single subscription. This includes VPN, password management, ID monitoring, antivirus, Wi-Fi protection, and much more.

F-Secure’s anti-scam technology also features AI-driven tools like Shopping Protection, SMS Scam Protection, and Banking Protection. It’s no surprise that over 200 telecom providers, banks, insurance companies, and other key players in digital security partner with F-Secure  to integrate its features into their apps, providing their customers with a complete, all-in-one security solution.

About F‑Secure

F‑Secure makes every digital moment more secure, for everyone. We deliver brilliantly simple, frictionless security experiences that make life easier for the tens of millions of people we protect and for our more than 200 service provider partners. For over 35 years, we’ve led the cyber security industry, inspired by a pioneering spirit born out of a shared commitment to do better by working together.

Jan 30, 2025
10 minute read
Category
Scam Trends Topic - Scam Detection Industry - Big Tech / Social Media
Written by
Global Anti-Scam Alliance (GASA)
Global Anti-Scam Alliance (GASA)
Share article

Latest blogs & research

GASA Mexico Shares Scam Prevention Tips During the 2026 FIFA World Cup

GASA Mexico shares practical advice for football fans on avoiding ticketing, travel, phishing and payment scams during the 2026 FIFA World Cup.

Best Practices Video Region - Latin America Industry - Consumer Protection & Authorities

Watch the Global Anti-Scam Summit Europe 2026 Session Recordings

Watch keynotes, panels, workshops, working group sessions and Scam Fighter Awards recordings from the Global Anti-Scam Summit Europe 2026 in Lisbon.

Best Practices Region - Europe Topic - Fraud Prevention Topic - Data Sharing

Public-Private Partnerships in Action: Key Takeaways From the Global Anti-Scam Summit Europe 2026

Key takeaways from the Global Anti-Scam Summit Europe 2026 on how public-private partnerships can strengthen scam prevention, intelligence sharing, regulation and victim protection.

Best Practices Region - Europe Region - Global Video
nomorobo joins scam.org

Nomorobo Joins Scam.org to Shield Consumers from Fraudulent Calls and Texts

Nomorobo has joined Scam.org as a member partner, bringing call and text blocking technology into the platform to help consumers protect themselves from fraudulent communications.

News Topic - Scam Awareness Region - Global Region - North America

Scams Continue to Rise in Germany: Two in Three Adults Encountered a Scam in the Past Year

The Global Anti-Scam Alliance (GASA), in collaboration with Worldline, has released the State of Scams Germany 2026 Report.

Report Topic - Scam Reporting Scam Trends Topic - Fraud Research
gasa webinar

Anatomy of an Investment/Crypto Scam

On 21 May, the Global Anti-Scam Alliance (GASA) hosted a webinar bringing together leading voices from the crypto industry, law enforcement, compliance, and civil society.

Region - Europe Video Topic - Fraud Policy Event - GASA Meet-Ups

ICC and GASA Publish Best Practices Framework for Combating Scam Advertising

ICC and GASA have published a best practices framework for combating scam advertising, focusing on risk-based verification, transparency, reporting and collaboration.

Best Practices Region - Global Topic - Fraud Policy Industry - Financial Authorities

Scams Surge Across the U.S.: 82% of Adults Targeted as Engagement and Losses Continue to Rise

The Global Anti-Scam Alliance (GASA), in collaboration with Iris® Powered by Generali, has released the State of Scams USA 2026 Report.

Research News Scam Trends Region - North America