Fraud investigations and cyber investigations have been describing the same incidents in different languages for years. One team sees account activity, payout attempts, or customer impact. The other sees phishing, device abuse, credential misuse, session hijacking, or malicious infrastructure. By the time those views come together, the incident is much further along.
MITRE F3 addresses that operating reality. MITRE’s project materials describe fraud and cyber teams as observing different parts of the same incident and present F3 as a shared behavioral model for relating events, aligning investigations, and disrupting fraud outcomes. It reflects how these incidents unfold across systems, teams, and business processes.
Viewpoints of a fraud incident
F3 treats fraud activity as attacker behavior that can be tracked across a full sequence. It creates a more practical way to connect technical signals to financial outcomes.
F3 is a behavior-based model of fraud actor tactics and techniques built from observed fraud incidents. The project page says the goal is to help organizations align fraud and cyber operations, map observations to attacker behavior, and prioritize actions that prevent and disrupt future fraud. Taxonomy can seem abstract, but this gives teams a clearer way to connect investigations and reduce fragmentation.
That changes how teams work. A suspicious login, a spoofed site, a manipulated session, unusual account behavior, and a payout attempt no longer need to sit in separate queues with separate owners. They can be understood as parts of the same sequence.
Why Now?
MITRE’s Center for Threat-Informed Defense started the Fight Financial Fraud project in 2025 to refine ATT&CK where it already applied to fraud activity and add new content where coverage was missing. Existing models were useful, but they were not giving fraud and cyber teams enough structure for the incidents they were handling.
The timing lines up with the scale and shape of current fraud activity. The FBI said this month that cyber-enabled crimes drove nearly $21 billion in reported losses in 2025. The FTC said consumers reported $15.9 billion in fraud losses last year, and it separately highlighted $470 million in 2024 losses from scams that started with text messages. The common thread is not just volume. It is how often fraud now begins with digital manipulation long before the financial event becomes visible.
The organizations involved reinforce the point. MITRE CTID lists participants including major financial institutions and industry groups alongside security vendors. That level of participation suggests large institutions were already dealing with cyber-enabled fraud patterns that cut across fraud operations, cybersecurity, and business controls.
Key Takeaways
- Fraud now crosses cyber, payments, and operations.
- Many incidents begin with cyber-driven activity.
- Fraud teams often see the impact later.
- Teams still work from fragmented evidence.
- F3 helps connect one incident end to end.
The Operating Environment Question
A shared model helps teams interpret and communicate what they are seeing. Investigating suspicious sites, validating digital activity, reviewing malicious content, handling sensitive evidence, and coordinating across teams all carry risk when that work happens on exposed endpoints or in the wrong environment. Once teams can connect the behavior chain, they still need a safe, governed place to do the investigation.
F3 brings the behavior chain into view. The next challenge is giving teams a safe place to investigate and act on it.
What’s Next
Part 2 in our series looks at how fraud moves from setup to execution to payout. That is where the framework starts to become especially helpful for teams trying to interrupt activity before the damage is done.