MITRE releases a shared fraud-cyber framework built from real attack data

Financial fraud losses in the United States reached $16.6 billion in 2024, up from $4.2 billion in 2020. Behind those numbers is a structural problem: the two groups responsible for stopping fraud, fraud investigators on one side and cybersecurity analysts on the other, have historically operated separately, with different tools, different terminology, and different mental models of how attacks unfold.

The MITRE Fight Fraud Framework, known as F3, is a behavior-based model designed to give both teams a common structure for describing, detecting, and disrupting fraud campaigns.

MITRE Fight Fraud Framework

A model built from observed fraud behavior

F3 organizes fraudster behavior into tactics and techniques drawn from real-world incidents. The tactics cover the full attack lifecycle: Reconnaissance, Resource Development, Initial Access, Defense Evasion, Positioning, Execution, and Monetization.

Two of those tactics, Positioning and Monetization, do not appear in MITRE ATT&CK, the established framework for cyberattack behavior. Positioning covers the adversary’s actions in a selected environment after gaining access, including collecting data or preparing for execution. Monetization covers converting stolen assets into usable funds or value. These additions reflect the financial end goal that distinguishes fraud from other cyberattacks.

Where a tactic or technique already exists in ATT&CK, F3 uses it directly with definitions modified for fraud-specific outcomes. Fraud-specific techniques that fall outside ATT&CK receive F1XXX-series designations to maintain compatibility with the broader ATT&CK schema.

What sets F3 apart from rule-based detection

Organizations currently rely on rule-based fraud detection systems that apply predefined conditions to transaction data and trigger decisions to approve, decline, or flag activity. F3 operates at a different level.

Speaking to Help Net Security, the MITRE CTID Research Team described the distinction: “F3 is a behavior-based model that maps how fraud occurs. It codifies fraud actors’ tactics and techniques across the full lifecycle, based on real-world incidents. In essence, F3 answers: ‘What is the adversary trying to achieve at this stage, and how do they typically do it?’ By doing so, it enables organizations to understand and describe complete fraud campaigns rather than isolated suspicious events.”

The team notes that F3 can inform and improve rule design by grounding detection logic in observed fraud behaviors and attack sequences. F3 itself does not score transactions or make enforcement decisions. Rules, heuristics, or machine learning models remain necessary to determine whether to allow, block, or escalate activity.

Bringing fraud and cyber teams together

The MITRE Fight Fraud Framework gives fraud analysts a way to describe incidents using consistent behaviors, gives cyber teams a structure for detecting and validating adversary techniques, and gives security leaders a basis for assessing risk tied to how fraud actually unfolds.

The MITRE CTID Research Team outlines a practical path for organizations starting to use the framework: “Integrate fraud and cybersecurity teams. Bring fraud investigators and cyber analysts together through shared workflows, collaboration, and joint analysis to strengthen detection and response capabilities. Document incidents and trends using MITRE F3. Use the MITRE F3 framework to standardize how fraud scenarios, techniques, and patterns are recorded. Map F3 techniques to data sources. Align documented F3 techniques with your organization’s data sources to better identify and monitor adversary behaviors.”

Design principles behind F3

Four principles guided the framework's construction. First, a technique must produce effects that an institution can observe during the fraud incident. Second, every incident in F3 involves at least one digital or technological method, such as phishing, malware, or unauthorized access. Third, techniques describe adversary behavior as distinct, observable actions, not the entities or tools involved. Fourth, behaviors that appear in multiple concrete forms are captured as sub-techniques, which keeps the framework at a consistent level of abstraction.

These principles tie F3 to observable fraud behavior and keep it applicable to cyber threat intelligence, detection engineering, and security control design.

A living framework

F3 is designed to be updated continuously as new fraud schemes emerge and adversaries adapt their techniques. MITRE plans to add data sources for detecting fraudster techniques and recommended mitigations as the framework grows. Organizations can review the framework, suggest edits, prioritize future content, and contribute new techniques or refinements at the F3 website.
