Threats Without Borders - Issue 237
Cybercrime Investigation Newsletter, Week ending June 1, 2025
I previously published a version of this, but after a recent conversation about the topic, I decided to pull it out of the closet and pin it to the soapbox again.
A commonly posed question is “Why is there so much cyber fraud?” My quick answer is some version of "because it's so easy". My longer explanation rests on two criminological theories: the Fraud Triangle and the Routine Activity Theory. Many other theories apply, but I think these two carry the most weight and make the most sense to me.
The Fraud Triangle is a framework that has been widely used since criminologist Donald Cressey first proposed it in the mid-1950s. It has become the de facto theory guiding those in the fields of forensic accounting and fraud prevention.
1) Pressure: Also known as incentive, this refers to the personal pressures individuals face that push them to commit fraud. These pressures can be financial, mental, or physical, though they are often financial. Individuals experiencing intense pressure may become more susceptible to engaging in unethical behaviors as a means of alleviating the strain.
2) Opportunity: This is the essential element. The individual under strain must have the chance to commit fraud. Organizations with lax security measures and weak internal controls enable unethical employees to act on their desires. Organizations with more opportunities for fraud face a higher risk of fraudulent activity. It’s a straightforward equation. (I’m looking at you, volunteer-based community organizations).
3) Rationalization: This is how a person under pressure and with the opportunity internally justifies their behavior. They convince themselves that their actions are acceptable. Rationalization is a psychological mechanism that allows individuals to commit a crime and then overcome feelings of guilt. It is also a common pressure point exploited by criminal investigators during interviews with fraud suspects.
The Fraud Triangle, as designed by Cressey, states that for fraud to occur, all three elements of the triangle must be present. The individual must be under some form of pressure, have the opportunity to commit the crime, and be able to justify the act (at least in their mind).
Now, we know there are exceptions in which only some, or none, of these elements are present and the person still commits, or attempts, fraud. But the theory holds in most cases.
The second criminological theory at play is the Routine Activity Theory, proposed by criminologists Lawrence Cohen and Marcus Felson in 1979. They hold that crime occurs when three elements converge: a Motivated Offender, a Suitable Target (a willing, or at least unaware, victim), and the absence of a Capable Guardian.
The criminologists asserted that crime occurs when a motivated offender encounters a suitable target at the same time and place that lacks a capable guardian. Crime will not happen if any one of these elements is absent from the setting. On the Internet, there is no shortage of motivated offenders, and willing, or at least unaware, victims are abundant. The defining factor in determining whether cyber fraud occurs is the presence of a capable guardian. Who, or what, fulfills that role on the Internet?
Of course, in the realm of Internet-facilitated fraud, time and place are fluid. The suitable target and motivated offender can each be located anywhere in the world and still meet at the same time and place. Chances are, there will not be a capable guardian present.
Combining those two theories: An individual must confront external forces that apply financial, mental, or physical pressure. They must encounter another person or business entity that is willing or, at the very least, unknowingly presenting themselves as a victim. The location where the offender and victim meet lacks security controls to intervene and halt the actions. Lastly, the offender must rationalize their actions to alleviate their conscience.
And the Internet is the great facilitator.
The News…
LexisNexis Risk Solutions has disclosed a data breach affecting over 364,000 people, with hackers obtaining sensitive personal data from a third-party platform used for software development. The stolen data varies, but includes names, dates of birth, phone numbers, postal and email addresses, Social Security numbers, and driver license numbers. https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/782e2159-f2d4-4394-8d03-51bf08a6b3e5.html
Apple claims to have blocked $2 billion in fraudulent transactions on its App Store in 2024, with a total of $9 billion in fraudulent activity over the past five years. They also claim to have identified nearly 4.7 million stolen credit cards last year. I suppose we know where the bad guys are shopping, or at least attempting to shop. https://therecord.media/apple-billions-app-store-fraud
Analysis of the 2024 Internet Crime Report published by the Internet Crime Complaint Center (IC3) continues; Incogni’s research team found that 72% of crimes targeting older adults were facilitated by the online availability of personal data, resulting in $4.2B in losses. This blog post includes some great graphics. https://blog.incogni.com/personal-data-exposure-implicated-in-72-of-elder-fraud-cases/
The FBI is releasing indicators of compromise associated with Funnull Technology Inc., a Philippines-based company facilitating cryptocurrency investment fraud scams. Funnull provides computer infrastructure for these scams, which involve perpetrators deceiving victims into investing in virtual currency. https://www.ic3.gov/CSA/2025/250529.pdf
New York tax preparer sentenced to four years in prison for orchestrating a $145 million tax fraud scheme that included him filing “tens of thousands” of fraudulent tax returns. https://www.justice.gov/usao-sdny/pr/bronx-tax-preparer-sentenced-prison-filing-tens-thousands-false-tax-returns-causing
The US banking industry, represented by five major associations, is lobbying the Securities and Exchange Commission (SEC) to repeal a cyber incident reporting rule adopted in July 2023. The rule requires public companies to disclose material cybersecurity incidents within four business days, which the associations argue adds complexity and strains their resources. They claim the rule introduces confusing compliance requirements and creates additional risk, with some ransomware groups leveraging unfulfilled SEC disclosure requirements to extort victims. The associations are requesting the SEC to repeal the rule or remove certain disclosure requirements. https://www.infosecurity-magazine.com/news/us-banks-sec-repeal-cyber/
Tom Uren believes the information revealed during the Danabot takedown proves conclusively that the lines between Russia’s criminals and government-sponsored spies are blurred. https://www.lawfaremedia.org/article/russia%27s-cybercriminals-and-spies-are-officially-in-cahoots
Someone is claiming to possess 428 million unique TikTok user records, including email addresses, mobile phone numbers, and internal account flags. The actor alleges that the data was extracted through a vulnerability in TikTok's internal API, which was exploited before it was patched. The hacker claims to offer mobile phone numbers, TikTok user IDs, usernames, and account flags such as private_account, secret, verified, and ttSeller status. TikTok is investigating the alleged breach. https://hackread.com/threat-actor-tiktok-breach-428-million-records-sale/
DFIR
Dr. Brian Carrier addresses the following questions: What SOC investigations are, why clues are important to them, why clues are challenging for SOCs to handle at scale, and how SOCs can investigate clues effectively at scale. https://www.cybertriage.com/blog/soc-investigations-2025-clues-are-key/
Forbes Magazine tells you what makes a digital forensics expert qualified. Maybe. https://www.forbes.com/sites/larsdaniel/2025/05/12/how-to-tell-if-a-digital-forensics-expert-is-qualified/
Cool Job
Director of Security Operations, Rockstar Games. https://job-boards.greenhouse.io/rockstargames/jobs/6232008003
Cool Tool
Open URL blacklist feed https://urlabuse.com/doc
Truth.
Reader Mail
Matt, my company is now blocking the newsletter. I’m not sure what changed, but the emails don’t come through and I get the no-no pop-up when I try to visit the website. I signed up with a personal email account. Ken
Yes, your organization probably enabled some type of content filtering or is blocking newsletters altogether. Hopefully, you didn’t register with a Yahoo email address, as they aren’t very good at delivering it either. Consider using the Substack app.
feedback: matt[@]threatswithoutborders[.]com
Irrelevant
If you’re currently in college for Computer Science, you still have time to switch your major to Animal and Plant Science, or even Art History. According to an analysis by the Federal Reserve Bank of New York, many non-STEM majors, such as nutrition, art history, and philosophy, have lower unemployment rates than STEM majors like computer science, chemistry, and physics. https://www.newyorkfed.org/research/college-labor-market#--:explore:outcomes-by-major
Sign Off
I appreciate all of you who came back to read another issue.
See you next week.
Matt
“A fool is known by his speech; and a wise man by silence.” - someone who doesn’t write a newsletter on the Internet.
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter is intended for everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space reflects my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.