Artificial intelligence and crypto are making life easier for cybercriminals targeting your assets. But while their tactics evolve, the underlying principles stay the same – and can be used against them.
The Scam Kill Chain is a framework developed by Helsinki-based cybersecurity firm F-Secure to map out how scammers think, operate, and adapt. Designed to keep pace with shifting tactics, it provides a structured view of the methods behind online fraud.
It outlines the eight stages of a scam, beginning with reconnaissance – a fact-finding mission – and ending with monetization, the extraction of funds from the victim.
Each stage includes the tactics that scammers rely on: from setting up fake websites and profiles to contacting victims and keeping them engaged.
The term “kill chain” originated in the military, where it described the structure of an attack, before being adapted for cybersecurity by US defense contractor Lockheed Martin as the “Cyber Kill Chain,” a model outlining how perpetrators carry out cyberattacks.
While common in enterprise cybersecurity, the creators of the Scam Kill Chain saw a need for a similar “playbook” to protect consumers. The document goes beyond surface-level trends like deepfakes or celebrity scams and looks at the deeper technical patterns.
“While the surface of the scam changes, underlying technicalities are much more unchanging,” said Laura Kankaala, threat intelligence lead at F-Secure.
By understanding the structure behind scams, rather than just reacting to surface-level tactics, cybersecurity professionals and technology developers can build targeted protections that address the core mechanics of fraud.
The eight stages of a scam
Every scam begins with Reconnaissance, where the scammer collects information to be used in later stages of the scheme. This may involve manually harvesting personal details like names, addresses, and interests from social media or using automated tools to collect data at scale.
Scammers may also turn to phishing via text messages or phone calls or buy personal information from illegal marketplaces on the internet.
“Typically, scammers might not initially know a lot about the people they're targeting. They are just trying to find them through specific channels – social media ads, creating fake profiles, on dating apps – and then swiping right until someone swipes right back, and then you have the discussion with them,” Kankaala said.
The Development stage is crucial for cybercriminals as it lays the foundation for the rest of the scam, meaning that a mistake here could ruin the entire operation. This is where scam content, such as phishing websites or malware, are created.
According to Kankaala, “Development can make a key difference with how the rest of the scam plays out. Poorly planned and prepared scam will be detected and fall short – never leading to the next steps of the kill chain.”
Next comes the Contact stage, where scammers use manipulative techniques – from interactive approaches like phone calls to non-interactive ones like online ads – to provoke a response and prompt victims to reveal sensitive information.
More elaborate scam operations often cast a wider net by contacting a large group of people and then selecting those most likely to fall for the scheme.
According to the framework, for the scam to progress, the initial contact must be prolonged by “any means necessary." This is called the Persistence stage, in which cybercriminals seek to build trust with their victims. Tactics used in this stage include convincing victims to make small payments under the false belief of earning rewards or shifting conversations to different platforms to avoid detection.
In the Access stage, scammers will attempt to get access to the victim’s devices and social media accounts with the goal of stealing private information. Scammers are typically interested in data they can use directly or sell, rent, or ransom later. This could include credit card details and cryptocurrency wallets.
However, that alone isn’t enough, and the scam moves to the Exfiltrate stage. This is when stolen data is transferred and saved on the scammer’s hosted service, which can be done either manually or automatically.
In the Lateral Movement stage, cybercriminals use the victim’s environment to reach new targets. This can involve hijacked social media accounts or posting messages in forums and group chats used by the victim – helping scammers expand their reach and, in turn, their potential profit.
Monetization is the final stage in the Scam Kill Chain, where scammers cash in while avoiding detection. Rather than traceable transfers, they often use cryptocurrency or digital assets like premium memberships on platforms such as Steam.
The crypto “backbone” of cybercrime
With cybercrime already a trillion-dollar business, new technologies like cryptocurrency and AI are accelerating its growth.
“Cryptocurrency has really become a backbone of crime,” Kankaala said. It allows scammers to sidestep traditional fraud checks and move stolen funds through decentralized systems – while also fueling black markets for stolen data and malware.
AI is also reshaping how scams look and feel, particularly in the Development and Contact phases. Scammers now use it to create fake identities, generate convincing content, and deploy deepfakes in real-time calls.
“AI is destroying the pillars of trust that we used to have on the internet,” Kankaala warned.
Some scams are highly opportunistic, but others are deeply personal. Scammers may spend time profiling individuals to assess their financial status or emotional vulnerability.
“People are more likely to fall victim to something that they feel familiar with,” she said.
Many of these operations are no longer run by lone actors. Organized crime groups now operate scam centers like businesses – blending cybercrime with human trafficking, money laundering, and gang activity.
“Cybercrime and scams of today are becoming increasingly more organized,” Kankaala said. The solution, she added, lies in combining education, stronger technology, and broader collaboration across industries.
“Sometimes we might lose a lot of money, but money can be recovered. However, we also lose trust in other people. Trust in technology. Losing faith in that cannot necessarily be recovered that easily,” she said.
Your email address will not be published. Required fields are markedmarked