The MITRE Fight Fraud Framework (F3) is a structured, analyst-built knowledge base of tactics, techniques, and sub-techniques used by fraud actors in cyber-based financial fraud incidents. Released in April 2026 by MITRE's Center for Threat-Informed Defense, it gives fraud and cybersecurity teams a common language to describe, detect, and prevent financial fraud.
The problem F3 solves is not technical: it is organisational. Banks, fintechs, and payment processors routinely split fraud prevention responsibilities across cybersecurity, fraud analysis, anti-money laundering (AML), and compliance teams. Each uses different terminology and different frameworks. A cyber incident that looks like a social engineering attack to the SOC looks like an account takeover to the fraud team and a suspicious transaction to AML. Without a shared taxonomy, these teams struggle to coordinate, and attackers exploit the gaps.
According to the 2026 NASDAQ Global Financial Crime Report, financial fraud losses were estimated at $579 billion in 2025. The latest FBI IC3 Report put losses impacting Americans alone at $17.6 billion. F3 exists to reduce this figure by enabling the "shift left" that fraud teams have been calling for: detecting and disrupting attacks before they reach the monetisation phase.
Key takeaways
- F3 is the first ATT&CK-aligned knowledge base focused specifically on cyber-based financial fraud.
- It was developed by MITRE's Center for Threat-Informed Defense with contributions from JPMorganChase, FS-ISAC, Lloyds Banking Group, CrowdStrike, and others.
- F3 covers 7 tactics and dozens of techniques and sub-techniques, with social engineering and phishing prominently featured.
- It is designed for fraud-fusion teams, bridging cybersecurity, fraud, and AML functions with shared terminology.
- For security awareness training programmes targeting financial services, F3 provides the most current and precise taxonomy of attack techniques employees need to recognise.
What does F3 cover, and how is it structured?
F3 is a behavioural model. Like MITRE ATT&CK, it structures adversary behaviour into three layers:
- Tactics: the fraud actor's goal at each stage (e.g., Reconnaissance, Initial Access)
- Techniques: how the actor achieves that goal (e.g., Phishing for Information)
- Sub-techniques: specific implementations (e.g., Vishing, Smishing, Quishing)
What are the 7 F3 tactics?
| Tactic | What the fraud actor is trying to do |
|---|---|
| Reconnaissance | Gather information to plan future fraud operations |
| Resource Development | Acquire infrastructure, accounts, or capabilities to support attacks |
| Initial Access | Gain a foothold in a target environment or account |
| Defense Evasion | Avoid detection during the operation |
| Positioning | Collect data, manipulate accounts, or prepare for execution |
| Execution | Run malicious code or initiate fraudulent transactions |
| Monetisation | Convert stolen assets into funds under the attacker's control |
Not every tactic appears in every fraud incident. An attacker who purchases access (Access Acquisition) may skip Reconnaissance and jump directly to Initial Access.
Which F3 techniques are most relevant to social engineering?
Phishing for Information, Impersonation, Phone Number Spoofing, MFA Takeover, and Account Takeover are the techniques most directly addressed by security awareness training. They represent the human-facing attack surface that no technical control eliminates on its own.
How is F3 different from MITRE ATT&CK?
F3 is built on the methodology of ATT&CK: same design philosophy, same empirical grounding in real-world incidents, same technique/sub-technique structure. But the two frameworks cover fundamentally different problem spaces.
| Dimension | MITRE ATT&CK | MITRE F3 |
|---|---|---|
| Primary scope | Cyber intrusions (IT/OT systems) | Cyber-based financial fraud incidents |
| Primary actor | Nation-state, cybercriminal groups | Fraud actors (often financially motivated) |
| Target | IT infrastructure, data | Financial accounts, transactions, funds |
| Outcome | Data breach, ransomware, espionage | Fraudulent transfers, account takeover, identity theft |
| End goal | Compromise, persistence, disruption | Monetisation |
| Primary user | SOC analysts, threat intelligence | Fraud-fusion teams, AML, compliance, SOC |
The key distinction is the Monetisation tactic, which does not exist in ATT&CK. F3 extends the attack lifecycle to capture how stolen data and access are converted into financial gain, the step that matters most to fraud prevention teams.
F3 also includes new content for behaviours with no ATT&CK equivalent, while referencing and refining existing ATT&CK techniques where they apply directly to financial fraud (e.g., credential stuffing, session cookie theft, adversary-in-the-middle).
The two frameworks are complementary, not competing. A financial institution's SOC can use ATT&CK to describe the technical intrusion and F3 to describe the fraud lifecycle that follows.
Why does F3 matter specifically for financial services?
Financial institutions are the initial release focus of F3, and for good reason. They operate under the most demanding fraud environment of any sector: regulated transaction monitoring, AML obligations, KYC requirements, and direct exposure to account takeover, wire fraud, and payment manipulation.
The techniques most prevalent in financial fraud (vishing, smishing, phone number spoofing, MFA fatigue, and impersonation) are all prominently mapped in F3. This makes F3 the most directly applicable framework for:
- Designing simulation programmes aligned to real attack paths, not hypothetical scenarios
- Training contact centre agents on the specific techniques used to bypass their identity verification processes
- Reporting fraud incidents using a consistent taxonomy that fraud, cyber, and compliance teams all understand
- Gap analysis: mapping existing controls to F3 techniques to identify which attack paths have no coverage
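One way to run the gap analysis from the last bullet above, as an added example (not code from MITRE or from this page's author). The control inventory, team names and the `gap_analysis` function are constructed for illustration; the technique names are those this page lists, not an export of the F3 matrix.

```python
# Added example: F3 coverage gap analysis over a constructed control inventory.
from collections import defaultdict

# Technique names as listed on this page (not an export of the F3 matrix).
F3_TECHNIQUES = (
    "Phishing for Information", "Access Acquisition", "Adversary-in-the-Middle",
    "Compromise Accounts", "Brute Force", "Steal Web Session Cookie",
    "Supply Chain Compromise", "Phone Number Spoofing",
    "Browser Session Hijacking", "MFA Takeover", "Account Takeover",
    "Impersonation",
)

# Constructed inventory: (control, owning team, technique labels it claims).
# "ATO" is a team-local shorthand, included to show how a label outside the
# shared taxonomy silently drops coverage.
CONTROLS = [
    ("Phishing simulation programme", "cyber",
     ["Phishing for Information", "Impersonation"]),
    ("Login rate limiting", "cyber", ["Brute Force", "Account Takeover"]),
    ("Transaction anomaly scoring", "fraud", ["ATO"]),
    ("Contact centre callback procedure", "fraud",
     ["Impersonation", "Phone Number Spoofing"]),
    ("Number-matching MFA prompts", "cyber", ["MFA Takeover"]),
]


def gap_analysis(controls, techniques=F3_TECHNIQUES):
    """Map controls to techniques; report gaps and labels outside the taxonomy."""
    known = set(techniques)
    coverage = defaultdict(list)      # technique -> [(control, team), ...]
    unknown = []                      # (control, label) pairs not in the taxonomy
    for control, team, labels in controls:
        for label in labels:
            if label in known:
                coverage[label].append((control, team))
            else:
                unknown.append((control, label))
    uncovered = [t for t in techniques if t not in coverage]
    # Covered by a single team only: a candidate for cross-team review.
    single_team = [t for t in techniques
                   if len({team for _, team in coverage.get(t, [])}) == 1]
    return {"uncovered": uncovered, "single_team": single_team, "unknown": unknown}


if __name__ == "__main__":
    report = gap_analysis(CONTROLS)
    for key in ("uncovered", "single_team", "unknown"):
        print(f"{key}: {report[key]}")
```

Because the fraud team's control is filed under "ATO" rather than "Account Takeover", the report shows Account Takeover as covered by one team only, which is the kind of terminology mismatch a shared taxonomy is meant to surface.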
The foreword to the F3 methodology document (contributed by the Head of Cybercrime and Fraud Intelligence at JPMorganChase) frames the challenge clearly: what starts as an isolated social engineering attempt can snowball into a large-scale fraud attack within hours when teams lack a common language to coordinate their response.
Other resources for Financial Services CISOs:
- Deepfake Fraud in Financial Services: What CISOs Need to Do Now
- Why Basic Phishing Training Won't Stop AI Social Engineering
- AI Vishing: Why Finance Teams Are the New Front Line
Explore each F3 technique in depth
The Arsen Team has produced dedicated resources for each of the social engineering-relevant F3 techniques covered in the initial release. Each resource includes the technique's F3 tactic classification, a practical explanation of how it works in financial fraud scenarios, key takeaways, and a FAQ section.
Explore them below:
- Phishing for Information: Multi-channel credential harvesting via email, SMS, voice, and QR code
- Access Acquisition: How fraud actors buy existing access instead of breaching systems themselves
- Adversary-in-the-Middle: Real-time session and credential interception that bypasses MFA
- Compromise Accounts: Hijacking email, corporate, cloud, and social media accounts for follow-on fraud
- Brute Force: Credential stuffing, spraying, and cracking techniques
- Steal Web Session Cookie: Harvesting browser session tokens to bypass authentication entirely
- Supply Chain Compromise: Attacking through trusted vendors rather than directly
- Phone Number Spoofing: Manipulating caller ID in vishing attacks against customers and bank staff
- Browser Session Hijacking: Injecting into live browser sessions to inherit authenticated access
- MFA Takeover: MFA fatigue attacks and technical MFA interception methods
- Account Takeover: Unauthorised access to financial accounts via credentials, API keys, and password reset abuse
- Impersonation: Account holder and official impersonation in vishing and in-person fraud
FAQ
The MITRE Fight Fraud Framework (F3) is a knowledge base of tactics, techniques, and sub-techniques used by fraud actors in cyber-based financial fraud. It was built by MITRE's Center for Threat-Informed Defense, with significant contributions from JPMorganChase, FS-ISAC, Lloyds Banking Group, CrowdStrike, Marsh, and other financial sector organisations. It was publicly released in April 2026.
ATT&CK covers cyber intrusions broadly: IT and OT environments, nation-state and criminal actors, data breaches and ransomware. F3 focuses specifically on cyber-based financial fraud: the techniques fraud actors use to obtain money, assets, or information from individuals and banking institutions. F3 adds a Monetisation tactic not present in ATT&CK and covers fraud-specific techniques like phone number spoofing, account takeover, and MFA fatigue.
Directly. F3 maps the specific techniques (phishing, vishing, smishing, impersonation, MFA fatigue, phone spoofing) that employees in financial services encounter most. Building simulation and training programmes around F3 techniques ensures training addresses real, documented attack paths rather than generic awareness.
The live F3 Matrix is available at ctid.mitre.org/fraud. The full design principles and methodology document was released by MITRE in April 2026 and is publicly available.