The MITRE Fight Fraud Framework (F3) is an analyst-developed, structured knowledge base that describes the tactics, techniques, and sub-techniques used by fraud actors in cyber-enabled financial fraud incidents. Published in April 2026 by MITRE’s Center for Threat-Informed Defense, F3 provides fraud and cybersecurity teams with a shared vocabulary for describing, identifying, and preventing financial fraud.
The challenge that F3 addresses is not purely technical. It is organisational. Banks, fintech companies, and payment processors often divide fraud prevention duties between cybersecurity, fraud analysis, anti-money laundering (AML), and compliance teams. These teams frequently rely on different terminology and separate frameworks. The same incident may be interpreted in different ways: the SOC may treat it as a social engineering attack, the fraud team may classify it as account takeover, and AML specialists may see it as a suspicious transaction. Without a unified taxonomy, coordination becomes difficult, and fraud actors can take advantage of the gaps between teams.
According to the 2026 NASDAQ Global Financial Crime Report, estimated financial fraud losses reached $579 billion in 2025. The most recent FBI IC3 Report stated that losses affecting Americans alone amounted to $17.6 billion. F3 was created to help reduce these losses by supporting the “shift left” approach that fraud teams have increasingly demanded. The goal is to detect and disrupt fraud activity before it reaches the monetisation stage.
What does F3 cover, and how is it structured?
F3 is a behavioural framework. Similar to MITRE ATT&CK, it organises adversary behaviour into three levels:
Tactics – the objective pursued by the fraud actor at a given stage, such as Reconnaissance or Initial Access.
Techniques – the method used to achieve that objective, such as Phishing for Information.
Sub-techniques – specific forms of implementation, such as Vishing, Smishing, or Quishing.
What are the 7 F3 tactics?
| Tactic | What the fraud actor is trying to do |
| Reconnaissance | Collect information needed to prepare future fraud activity |
| Resource Development | Obtain infrastructure, accounts, tools, or other capabilities that support the operation |
| Initial Access | Establish access to a target environment or account |
| Defense Evasion | Avoid detection while the operation is in progress |
| Positioning | Gather data, alter accounts, or prepare for later execution |
| Execution | Run malicious code or initiate fraudulent transactions |
| Monetisation | Turn stolen assets into funds controlled by the fraud actor |
Not every fraud case includes every tactic. For example, a fraud actor who buys access through Access Acquisition may bypass Reconnaissance and move directly to Initial Access.
Which F3 techniques are most relevant to social engineering?
Phishing for Information, Impersonation, Phone Number Spoofing, MFA Takeover, and Account Takeover are the F3 techniques most closely connected to security awareness training. These techniques represent the human-facing part of the attack surface. Technical controls alone cannot fully remove this risk.
How is F3 different from MITRE ATT&CK?
F3 follows the methodology behind ATT&CK. It uses the same general design principles, the same focus on real-world evidence, and the same technique and sub-technique structure. However, the two frameworks address different problem areas.
| Dimension | MITRE ATT&CK | MITRE F3 |
| Primary scope | Cyber intrusions into IT and OT systems | Cyber-based financial fraud incidents |
| Primary actor | Nation-state and cybercriminal groups | Fraud actors, often financially motivated |
| Target | IT infrastructure and data | Financial accounts, transactions, and funds |
| Outcome | Data breach, ransomware, espionage, or disruption | Fraudulent transfers, account takeover, or identity theft |
| End goal | Compromise, persistence, or disruption | Monetisation |
| Primary user | SOC analysts and threat intelligence teams | Fraud-fusion teams, AML, compliance, and SOC teams |
The main difference is the monetisation tactic, which is not part of ATT&CK. F3 expands the attack lifecycle by showing how stolen data, compromised accounts, and unauthorised access are turned into financial gain. This is the stage that matters most for fraud prevention teams.
F3 also adds content for behaviours that do not have a direct ATT&CK equivalent. At the same time, it references and refines relevant ATT&CK techniques where they apply to financial fraud, including credential stuffing, session cookie theft, and adversary-in-the-middle activity.
The two frameworks are complementary rather than competing. In a financial institution, a SOC can use ATT&CK to describe the technical intrusion and F3 to describe the fraud lifecycle that follows it.
Why does F3 matter specifically for financial services?
Financial institutions are the primary focus of the initial F3 release, and this focus is justified. The financial sector faces one of the most complex fraud environments. It must manage regulated transaction monitoring, AML obligations, KYC requirements, and direct exposure to account takeover, wire fraud, and payment manipulation.
The techniques that appear most often in financial fraud are clearly represented in F3. These include vishing, smishing, phone number spoofing, MFA fatigue, and impersonation. As a result, F3 is especially relevant for:
- Designing simulation programmes based on real attack paths rather than hypothetical scenarios
- Training contact centre agents to recognise the specific techniques used to bypass identity verification processes
- Reporting fraud incidents with a consistent taxonomy that fraud, cybersecurity, and compliance teams can all understand
- Performing gap analysis by mapping existing controls to F3 techniques and identifying attack paths that remain uncovered
The foreword to the F3 methodology document, contributed by the Head of Cybercrime and Fraud Intelligence at JPMorganChase, clearly explains the challenge. A single social engineering attempt can escalate into a large-scale fraud attack within hours when teams do not share a common language for response coordination.
To conclude: The MITRE Fight Fraud Framework (F3) is the first ATT&CK-aligned knowledge base created specifically for cyber-based financial fraud. Developed by MITRE’s Center for Threat-Informed Defense with contributions from JPMorganChase, FS-ISAC, Lloyds Banking Group, CrowdStrike, and other organisations, it gives fraud, cybersecurity, AML, compliance, and fraud-fusion teams a shared structure for understanding financial fraud activity. With seven tactics and dozens of techniques and sub-techniques, F3 places strong emphasis on phishing, social engineering, account takeover, and monetisation. For financial services organisations, it offers a practical and current taxonomy for building awareness training, improving incident reporting, mapping controls, and helping employees recognise the techniques used in real fraud operations.







