
Fraud Detection Workflows

Ten agent workflows for the Fraud team — automated phishing domain detection, account takeover prevention, synthetic identity detection, merchant fraud intelligence, card fraud network mapping, social engineering site monitoring, application fraud screening, first-party fraud detection, refund abuse intelligence, and fraud ring identification — providing comprehensive domain-level fraud signals.

1. Phishing Domain Detection

AI agent monitors newly registered domains for phishing indicators targeting the bank and its customers — detecting brand impersonation, lookalike domains, credential harvesting pages, and social engineering infrastructure before attacks launch.

Step 1: Scan for Brand Impersonation Domains
/login /about /contact /security Domain Ages Web Filtering Categories

PHISHING DOMAIN DETECTION — DAILY SCAN
════════════════════════════════════════════════════════════
BANK BRAND VARIANTS MONITORED: 2,400 permutations
NEW DOMAINS SCANNED: 147,000 registered in last 24 hours

PHISHING DOMAINS DETECTED:

firstnati0nal-secure.com (typosquat of firstnational.com)
  /login: Cloned bank login page — identical CSS/layout to legitimate site
  /about: Copied bank branding, logo, and trust badges
  /security: Fake "secure banking" badge with SSL certificate mismatch
  Domain Age: 6 hours | Web Filtering: Not yet categorized (too new)
  PHISHING CONFIDENCE: 99% — Active credential harvesting

firstnational-rewards.net
  /login: Fake rewards portal requesting full account credentials
  /about: Claims "official rewards partner" — no such program exists
  Domain Age: 2 days | Web Filtering: Categorized as "Financial Services"
  PHISHING CONFIDENCE: 97% — Credential + rewards phishing hybrid

fn-banking-update.com
  /security: "Urgent security update" page requesting card details
  Domain Age: 14 hours
  PHISHING CONFIDENCE: 98% — Urgency-based social engineering

Step 2: Initiate Takedown Actions
Phishing Signal
3 Active Phishing Campaigns Detected — All three domains feature cloned bank login pages with active credential harvesting capability. Domain ages (6 hours to 2 days) indicate coordinated campaign launch. Automated takedown requests submitted to registrars. Browser blocklist submissions filed with Google Safe Browsing and Microsoft SmartScreen.
ACTIVE THREAT — Takedown requests filed, customer advisory recommended
Step 3: Track Phishing Campaign Lifecycle
Phishing Campaign Timeline
2026-02-17 02:14 firstnati0nal-secure.com registered via privacy-shielded registrar
2026-02-17 04:22 Domain activated — cloned login page detected within 2 hours
2026-02-17 04:30 Automated alert generated — takedown request submitted
2026-02-17 06:15 SMS/email phishing campaign launched using this domain
2026-02-17 08:42 Domain suspended by registrar — total active time: 4.3 hours
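
A brand-variant check of the kind Step 1 describes can be sketched as follows. This is an added example, not the vendor's code: the homoglyph table, the 72-hour age window, the function names and the last three feed rows are assumptions made for illustration.

```python
import re

BRAND = "firstnational"                 # brand label from the sample report
ALLOWLIST = {"firstnational.com"}       # the bank's own domain
MAX_AGE_HOURS = 72                      # assumed "newly registered" window
# Digit-for-letter swaps often seen in typosquats (small assumed set).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_match(domain, brand=BRAND):
    """Classify the imitation: 'brand-token', 'homoglyph', 'typo' or None."""
    label = domain.lower().rsplit(".", 1)[0]          # drop the last label (TLD) only
    tokens = [t for t in re.split(r"[-.]", label) if t]
    if brand in tokens:
        return "brand-token"                          # brand plus a lure word
    folded = [t.translate(HOMOGLYPHS) for t in tokens]
    if brand in folded:
        return "homoglyph"                            # e.g. 0 standing in for o
    if any(edit_distance(t, brand) == 1 for t in folded):
        return "typo"                                 # one insert, delete or swap
    return None

def triage(feed):
    """Map each young, non-allowlisted domain in the feed to its match type."""
    return {
        d: brand_match(d)
        for d, age in feed
        if d.lower() not in ALLOWLIST and age <= MAX_AGE_HOURS and brand_match(d)
    }

# (domain, age in hours). The first three rows use the domains and ages from
# the sample report above; the last three rows are constructed for the example.
FEED = [
    ("firstnati0nal-secure.com", 6),
    ("firstnational-rewards.net", 48),
    ("fn-banking-update.com", 14),
    ("firstnatonal-login.example", 3),
    ("bakery-orders.example", 5),
    ("firstnational.com", 200000),
]

if __name__ == "__main__":
    for domain, kind in triage(FEED).items():
        print(f"{kind:12} {domain}")
```

fn-banking-update.com is not flagged: it abbreviates the brand, so string similarity alone misses it and it has to be caught from page content, as the /security finding in the report does.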

2. Account Takeover Prevention

AI agent detects account takeover infrastructure by monitoring dark web marketplace domains, credential dump sites, and social engineering toolkits that target banking customers, enabling proactive account protection.

Step 1: Monitor Credential Exposure Sources
/products /login /api /security Web Filtering Categories Domain Ages

ACCOUNT TAKEOVER INTELLIGENCE — WEEKLY REPORT
════════════════════════════════════════════════════════════
CREDENTIAL MARKETS MONITORED: 847 domains
BANK-SPECIFIC MENTIONS: 23 this week

ATO INFRASTRUCTURE DETECTED:

[redacted-market-1].onion — via clearnet proxy domain
  /products: Selling "verified bank accounts" — our brand listed
  Pricing: $200-$500 per account with balance guarantees
  Volume: ~340 of our customer accounts advertised

[phishing-kit-shop].com
  /products: Bank-specific phishing kit for sale — our login page cloned
  /api: API integration with Telegram bot for real-time credential relay
  Web Filtering: Malware/Phishing category

THREAT LEVEL: HIGH — Active ATO infrastructure targeting our customers

Step 2: Trigger Proactive Account Protection
ATO Signal
340 Customer Accounts at Risk — Marketplace analysis reveals 340 of our customer accounts listed for sale. Phishing kit specifically targeting our login page is actively being distributed. Recommend immediate: force password reset for affected accounts, enable mandatory 2FA, and deploy additional login monitoring rules.
ACTIVE THREAT — Force password resets on exposed accounts

3. Synthetic Identity Detection

AI agent identifies synthetic identities by cross-referencing application data with web presence indicators — detecting fabricated business entities, non-existent employers, and artificially constructed digital footprints used to establish fraudulent accounts.

Step 1: Verify Application Web References
/about /careers /contact /leadership Domain Ages OpenPageRank

SYNTHETIC IDENTITY SCREENING — NEW ACCOUNT APPLICATIONS
════════════════════════════════════════════════════════════
APPLICATIONS SCREENED: 1,247 this week
SYNTHETIC INDICATORS: Employer verification + address verification via web

SYNTHETIC IDENTITY FLAGS:

Application #APP-78421 — "John D. Mitchell"
  Claimed employer: innovatetech-solutions.com
  /about: Template website — stock photos, placeholder Lorem Ipsum text
  /careers: No job listings — applicant claims "Senior VP" role
  /contact: Google Voice number, no physical address
  /leadership: Page does not exist
  Domain Age: 23 days | PageRank: 0.1/10
  SYNTHETIC SCORE: 91/100 — Employer appears fabricated

Application #APP-78439 — "Sarah L. Johnson"
  Claimed employer: deloitte.com
  /careers: Legitimate Fortune 500 employer, verifiable
  /leadership: Organizational structure matches claimed department
  Domain Age: 10,847 days | PageRank: 8.4/10
  SYNTHETIC SCORE: 4/100 — Employer verified, legitimate application

Step 2: Assess Synthetic Identity Risk
Synthetic Signal
APP-78421 — Fabricated Employer Detected — innovatetech-solutions.com is a 23-day-old domain with template content, no employees listed, no career postings despite applicant claiming VP role. PageRank 0.1 indicates zero web credibility. Pattern matches synthetic identity infrastructure — domain created solely to support fraudulent application.
SYNTHETIC IDENTITY — Reject application, file fraud report

4. Merchant Fraud Intelligence

AI agent monitors merchant websites to detect fraud indicators — bust-out schemes, phantom merchants, card-testing storefronts, and laundering operations disguised as legitimate e-commerce businesses.

Step 1: Screen Merchant Web Presence
/products /pricing /about /contact IAB Categories Domain Ages

MERCHANT FRAUD SCREENING — ACQUIRING PORTFOLIO
════════════════════════════════════════════════════════════
MERCHANTS MONITORED: 12,400
NEW MERCHANT APPLICATIONS: 347 this week

SUSPICIOUS MERCHANTS FLAGGED:

luxuryelectronicshub.com
  /products: Items priced 80% below market — $200 iPhones, $300 MacBooks
  /about: "Established 2010" but domain age is 18 days
  /contact: No phone, no physical address, email only
  /pricing: All items same exact price point ($199.99) — card testing pattern
  IAB: Technology & Computing | Domain Age: 18 days
  MERCHANT RISK: CRITICAL — Card testing / bust-out indicators

greenvalleyorganic.shop
  /products: Detailed organic food catalog with sourcing information
  /about: Family farm story, photos of actual farm operations
  /contact: Full address, phone, email, social media presence
  Domain Age: 2,847 days | PageRank: 3.2/10
  MERCHANT RISK: LOW — Legitimate e-commerce business

Step 2: Detect Bust-Out Schemes
Merchant Signal
LuxuryElectronicsHub — Card Testing / Bust-Out — 18-day-old domain with impossibly low prices, uniform pricing ($199.99 for all items), and falsified business history. Pattern matches card-testing storefront: low-value authorization attempts to validate stolen card numbers before high-value fraud. Recommend immediate merchant account suspension.
BUST-OUT RISK — Suspend merchant account, review all transactions

5. Card Fraud Network Mapping

AI agent maps card fraud networks by analyzing merchant domains, payment processor connections, and transaction patterns to identify organized fraud rings operating across multiple compromised or colluding merchant accounts.

Step 1: Map Merchant Network Connections
/about /contact /legal /partners Domain Ages Countries

FRAUD NETWORK MAPPING — CARD FRAUD CLUSTER ANALYSIS
════════════════════════════════════════════════════════════
CLUSTER DETECTED: 18 merchant domains with shared infrastructure

SHARED INDICATORS:
  /contact: All 18 merchants — same registered agent in Florida
  /legal: Identical terms of service text across all domains
  /about: Same website template — only logos and product photos differ
  Domain Ages: All registered within 14-day window (Oct 2025)
  Countries: Domains hosted across 6 countries — evasion pattern

TRANSACTION PATTERNS:
  Combined volume: $4.2M in 90 days
  Chargeback rate: 18.4% (industry avg: 0.6%)
  Cross-merchant card overlap: 67% of cards used at 3+ merchants in cluster

FRAUD RING CONFIDENCE: 94%

Step 2: Quantify Network Fraud Impact
Network Signal
18-Merchant Fraud Ring — $4.2M Exposure — Shared registered agent, identical website templates, coordinated registration dates, and 67% card overlap across the network. Chargeback rate 30x above normal. Web analysis provides irrefutable network linkage evidence. Recommend simultaneous account suspension across all 18 merchants to prevent ring migration.
FRAUD RING — Suspend all 18 accounts simultaneously

6. Social Engineering Site Monitoring

AI agent detects social engineering infrastructure targeting bank customers — fake customer support sites, impersonation pages, tech support scam domains, and vishing operation web presences that facilitate voice and digital social engineering attacks.

Step 1: Identify Social Engineering Infrastructure
/support /contact /security /about Web Filtering Categories Domain Ages

SOCIAL ENGINEERING INFRASTRUCTURE SCAN
════════════════════════════════════════════════════════════

firstnational-helpdesk.com
  /support: Fake support portal — prompts users to call fraudulent number
  /contact: VoIP number routes to offshore call center
  /security: "Verify your identity" page harvests full account details
  Domain Age: 3 days | Web Filtering: Not yet categorized
  SOCIAL ENGINEERING: Active vishing infrastructure

bankingsupport-center.net
  /support: Generic bank support page — targets multiple bank brands
  /about: Claims "authorized banking support partner"
  /contact: Toll-free number with IVR mimicking bank phone tree
  Domain Age: 12 days
  SOCIAL ENGINEERING: Multi-brand vishing operation

Step 2: Alert Customer Protection
Social Engineering Signal
Active Vishing Campaign Detected — Fake helpdesk domain routes customers to offshore call center via VoIP. /support page collects account details before connecting to "support agent." Coordinated with SMS campaign directing customers to this domain. Recommend immediate customer advisory via SMS, email, and mobile app push notification.
ACTIVE CAMPAIGN — Issue customer fraud advisory immediately

7. Application Fraud Screening

AI agent screens loan and account applications for fraud by verifying employer claims, business existence, address legitimacy, and income source indicators through web presence analysis of entities referenced in applications.

Step 1: Verify Application Data Points via Web
/about /careers /contact /products Domain Ages OpenPageRank

APPLICATION FRAUD SCREENING — DAILY BATCH: 487 APPLICATIONS
════════════════════════════════════════════════════════════

FLAGGED: Mortgage Application #MTG-2026-4821
  Applicant claimed income: $285K/year | Employer: "Pinnacle Consulting Group"
  pinnacle-consulting-group.com
  /about: Single-page website with generic consulting language
  /careers: No listings — claims 200+ employees
  /contact: PO Box address, no physical office
  /products: Services described in one paragraph — no case studies
  Domain Age: 47 days | PageRank: 0.2/10
  FRAUD INDICATOR: Employer likely fabricated to inflate income

VERIFIED: Auto Loan Application #AUTO-2026-9931
  Applicant claimed employer: "Memorial Hospital System"
  memorialhospitalsystem.org
  /about: Major hospital system — 12 locations, 8,400 employees
  /careers: Active listings — applicant's claimed department exists
  Domain Age: 7,847 days | PageRank: 6.2/10
  VERIFIED: Employer legitimate, application data consistent

Step 2: Generate Fraud Screening Summary

Application Fraud Screening — Daily Summary

SCREENING RESULTS
────────────────────────────────────────
Applications screened: 487 | Verified: 441 (91%) | Flagged: 28 (6%) | Rejected: 18 (3%)

TOP FRAUD PATTERNS DETECTED
1. Fabricated employers (12 cases) — websites <60 days old, no web presence
2. Inflated income via shell businesses (4 cases) — Domain Age vs. claimed history
3. Address mismatches (8 cases) — /contact addresses don't match claimed locations
4. Unverifiable secondary income sources (4 cases) — domains parked or inactive
5. 91% of applications pass web verification — consistent with portfolio quality

8. First-Party Fraud Detection

AI agent identifies first-party fraud by monitoring borrower web activities post-origination — detecting asset concealment, lifestyle inconsistencies, undisclosed businesses, and false hardship claims that indicate intentional fraud versus genuine financial distress.

Step 1: Monitor Post-Origination Activity
/about /products /pricing /events IAB Categories Personas

FIRST-PARTY FRAUD DETECTION — HARDSHIP CLAIMS
════════════════════════════════════════════════════════════
HARDSHIP APPLICATIONS: 142 in last 30 days
WEB CROSS-REFERENCE: Applicant-linked domains analyzed

INCONSISTENCY DETECTED:

Borrower: "David R. Thompson" — Claims loss of income, requesting forbearance
  thompsonluxurycars.com (owned by borrower)
  /products: Active luxury car dealership — 47 vehicles listed ($2M+ inventory)
  /about: Borrower listed as owner — opened 6 months after loan origination
  /pricing: High-end vehicles $80K-$400K — undisclosed business income
  /events: Hosting "Grand Opening" event next week
  IAB: Automotive | PageRank: 2.8/10
  FIRST-PARTY FRAUD: Hardship claim contradicted by undisclosed business

Step 2: Assess Fraud vs. Genuine Hardship
First-Party Signal
Thompson — False Hardship Claim — Borrower claiming income loss while simultaneously operating a luxury car dealership with $2M+ inventory. Business opened after loan origination and was not disclosed. /events page shows expansion activity (grand opening) contradicting hardship narrative. Recommend deny forbearance, escalate to fraud investigation.
FALSE CLAIM — Deny forbearance, refer to fraud investigation

9. Refund Abuse Intelligence

AI agent detects refund abuse and friendly fraud by monitoring merchant dispute patterns, customer-linked web activities, and organized refund fraud communities that coordinate chargeback abuse against banking customers and merchants.

Step 1: Monitor Refund Fraud Communities
/about /products /blog /pricing Web Filtering Categories Personas

REFUND ABUSE INTELLIGENCE — COMMUNITY MONITORING
════════════════════════════════════════════════════════════

[refund-service-1].com
  /products: "Professional refund services" — guarantees refunds on any purchase
  /pricing: Charges 20-40% of refund amount as commission
  /about: Claims "100% success rate" on bank chargebacks
  /blog: Tutorials on "item not received" and "unauthorized transaction" claims
  Web Filtering: Fraud/Illegal activity
  THREAT: Professional refund abuse service targeting our cardholders

CUSTOMER LINK DETECTION:
  47 of our cardholders identified via cross-reference with known refund abuse forums
  Average chargeback frequency: 4.2x per quarter (norm: 0.1x)

Step 2: Flag Systematic Abusers
Refund Abuse Signal
47 Cardholders Linked to Refund Services — Web intelligence identifies professional refund abuse services actively coaching customers on successful chargeback techniques targeting our bank. 47 cardholders show chargeback rates 42x above normal and are linked to these communities. Estimated annual loss: $890K from this cohort alone.
ABUSE PATTERN — Flag accounts for enhanced dispute review

10. Fraud Ring Identification

AI agent identifies organized fraud rings by analyzing shared web infrastructure, coordinated domain registration patterns, common registration details, and network connections between apparently independent fraudulent entities.

Step 1: Detect Coordinated Fraud Infrastructure
/about /contact /legal /products Domain Ages Countries

FRAUD RING DETECTION — CROSS-CHANNEL ANALYSIS
════════════════════════════════════════════════════════════
ANALYSIS TYPE: Multi-domain network clustering
RING IDENTIFIED: 34 entities across 3 fraud types

CLUSTER A — MERCHANT FRAUD (18 domains):
  /contact: All share same registered agent in Miami, FL
  /legal: Identical ToS — copy/paste across all 18 sites
  Domain registration: All within 14-day window

CLUSTER B — APPLICATION FRAUD (9 domains):
  /about: Fabricated employers sharing same web template
  /careers: All list same "HR contact" email address
  Linked to 23 fraudulent loan applications

CLUSTER C — MONEY MULE OPERATIONS (7 domains):
  /products: "Work from home" job scam sites recruiting mules
  /about: Identical company descriptions with name substitutions

Cross-cluster links: Same registrant email connects all 3 clusters

Step 2: Map Complete Ring Structure
Ring Signal
34-Entity Fraud Ring — $7.8M Total Exposure — Web analysis reveals coordinated operation spanning merchant fraud ($4.2M), application fraud ($2.1M), and money mule recruitment ($1.5M). Single registrant email links all three clusters. Ring has been active for 4 months with escalating sophistication. Law enforcement referral package assembled.
ORGANIZED FRAUD — Refer to law enforcement, freeze all connected accounts
Step 3: Track Ring Evolution
Fraud Ring Evolution Timeline
2025-10-08 First merchant domains in Cluster A registered — initial infrastructure
2025-11-14 Cluster B employer domains created — application fraud campaign begins
2025-12-22 Cluster C money mule sites launched — laundering infrastructure ready
2026-01-15 Cross-cluster link detected — same registrant email connects all clusters
2026-02-12 Ring fully mapped — 34 entities, $7.8M exposure, law enforcement referral filed
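
The shared-infrastructure clustering described in workflows 5 and 10 can be sketched with a union-find over attribute values that domains have in common. This is an added example, not the vendor's code: the records, field names and the privacy-proxy address are constructed, and the ignore list is an assumption that keeps a shared privacy-proxy registrant from linking unrelated domains.

```python
from collections import defaultdict

PROXY = "privacy@proxy.example"      # constructed privacy-proxy address
IGNORED = {("email", PROXY)}         # values too common to count as a link

def rec(domain, **attrs):
    return {"domain": domain, **attrs}

# Constructed records; field names (agent, tos, hr, about, email) are assumptions.
RECORDS = [
    rec("shop-a.example", agent="agent-1", tos="tos-x", email="r1@ring.example"),
    rec("shop-b.example", agent="agent-1", tos="tos-x", email=PROXY),
    rec("employer-a.example", hr="hr@jobs.example", email="r1@ring.example"),
    rec("employer-b.example", hr="hr@jobs.example", email=PROXY),
    rec("mule-a.example", about="about-y", email="r1@ring.example"),
    rec("mule-b.example", about="about-y", email=PROXY),
    rec("bakery.example", agent="agent-9", tos="tos-z", email=PROXY),
]

def find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]    # path halving
        x = parent[x]
    return x

def rings(records, fields, min_size=2):
    """Group domains that share any non-ignored attribute value."""
    parent = {r["domain"]: r["domain"] for r in records}
    holders = defaultdict(list)          # (field, value) -> domains carrying it
    for r in records:
        for f in fields:
            key = (f, r.get(f))
            if key[1] and key not in IGNORED:
                holders[key].append(r["domain"])
    for domains in holders.values():     # union every holder of a shared value
        for other in domains[1:]:
            parent[find(parent, other)] = find(parent, domains[0])
    members, evidence = defaultdict(set), defaultdict(set)
    for d in parent:
        members[find(parent, d)].add(d)
    for key, domains in holders.items():
        if len(domains) > 1:             # keep only values that actually link
            evidence[find(parent, domains[0])].add(key)
    return sorted(
        (sorted(m), sorted(evidence[root]))
        for root, m in members.items() if len(m) >= min_size
    )

if __name__ == "__main__":
    for domains, links in rings(RECORDS, ("agent", "tos", "hr", "about", "email")):
        print(len(domains), "domains linked by", links)
```

Run without the `email` field, the same records fall into three separate two-domain clusters; the single shared registrant address is what merges them into one ring, mirroring the cross-cluster link in the report.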