MITRE Releases the Fight Fraud Framework — a Shared Language for Cyber and Fraud Teams
MITRE has launched the Fight Fraud Framework (F3), a free behavioural knowledge base that helps fraud investigators and cybersecurity analysts describe, detect, and disrupt fraud campaigns. It draws on real-world incidents and complements the MITRE ATT&CK framework.

MITRE Fight Fraud Framework F3 diagram showing fraud actor tactics and techniques across the full attack lifecycle from reconnaissance to monetization
US financial fraud losses reached $16.6 billion in 2024, up from $4.2 billion in 2020 — a fourfold increase in four years that reflects both the growing scale of fraud operations and the structural difficulty organisations face in countering them. A core part of that difficulty is organisational: fraud investigators and cybersecurity analysts have historically operated in separate teams, with different tools, different terminology and different mental models of how attacks unfold.
MITRE's newly released Fight Fraud Framework (F3) is a direct response to that gap. Published by MITRE's Centre for Threat-Informed Defence (CTID), F3 is a free, open, behaviour-based knowledge base that maps fraudster tactics, techniques and procedures (TTPs) derived from real-world incidents. The goal is to give both fraud and cyber teams a common structure for describing, detecting and disrupting fraud campaigns — from initial access through to financial impact.
How F3 Relates to MITRE ATT&CK
F3 was designed to complement rather than replace MITRE ATT&CK, the established knowledge base of adversary tactics and techniques used across the broader cybersecurity industry. Where a tactic or technique already exists in ATT&CK — such as Reconnaissance, Resource Development, Initial Access, Defence Evasion and Execution — F3 adopts it directly with definitions modified for fraud-specific outcomes. Fraud-specific techniques that fall outside ATT&CK receive F1XXX-series designations to maintain compatibility with the broader ATT&CK schema.
Two tactics in F3, however, do not exist in ATT&CK at all: Positioning and Monetization. Positioning covers the adversary's actions after gaining access — collecting data or preparing for execution. Monetisation refers to the conversion of stolen assets into usable funds or value. These additions capture what distinguishes fraud from other cyberattacks: success ultimately depends on moving and extracting financial value, not just gaining access.
Beyond Rule-Based Detection
Most organisations currently rely on rule-based fraud detection systems that apply predefined conditions to transaction data and trigger decisions to approve, decline or flag activity. F3 operates at a fundamentally different level. As the MITRE CTID Research Team explained: "F3 is a behaviour-based model that maps how fraud occurs. It codifies fraud actors' tactics and techniques across the full lifecycle, based on real-world incidents. In essence, F3 answers: 'What is the adversary trying to achieve at this stage, and how do they typically do it?' By doing so, it enables organisations to understand and describe complete fraud campaigns rather than isolated suspicious events."
The team notes that F3 can inform and improve rule design by grounding detection logic in observed fraud behaviours and attack sequences. F3 itself does not score transactions or make enforcement decisions — rules, heuristics, or machine learning models remain necessary to determine whether to allow, block or escalate activity.
A Practical Path for Organisations
MITRE's CTID team outlines a practical starting path for organisations beginning to adopt the framework: integrate fraud and cybersecurity teams through shared workflows and joint analysis; document incidents and trends using F3 as a standardised recording structure; and map F3 techniques to existing data sources to better identify and monitor adversary behaviours.
Four principles guided F3's construction. The effects of a technique must be observable during a fraud incident. Every incident must include at least one digital or technological method — such as phishing, malware or unauthorised access. Techniques must describe adversary behaviour, not entities or tools. And behaviours that appear in multiple concrete forms are captured as sub-techniques to maintain a consistent level of abstraction throughout the framework.
A Living, Open Framework
F3 is designed as a living framework, to be updated continuously as new fraud schemes emerge and adversaries adapt. MITRE plans to add data sources for detecting fraudster techniques and recommended mitigations as the framework grows. Organisations can review the framework, suggest edits, prioritise future content, and contribute new techniques or refinements at the F3 website. The framework is globally accessible, open and free for use by any organisation.
Layla Haddad
Cyber Policy & Digital Risk CorrespondentLayla Haddad covers cybersecurity regulations, data protection laws, and digital transformation initiatives across GCC and North Africa. She has worked closely with compliance teams, fintech startups, and government advisory groups. Her articles explore how cyber policy, AI governance, and privacy frameworks shape the region’s digital future.