Return fraud has risen in popularity as consumers have turned to online shopping amid the global pandemic. They will almost certainly spike as retailers rush to meet the crush of post-holiday demand.
We found a robust dialogue among scammers on dark web forums over retailers’ policies - what dollar amounts triggered fraud investigations, which companies are particularly willing to offer cash back, and how to avoid law enforcement. Some vendors sold online training manuals in return fraud techniques.
The simplest return fraud is the “Did Not Arrive” claim. Shoppers simply wait until a package arrives, bring it inside, and then call the seller and claim it never came. Yes, it’s a trick as old as e-commerce, and yes, retailers have developed security algorithms to fight it. But the COVID-19 has made this scheme easier because more people are asking for contactless deliveries. And even in the face of security measures, scammers have a number of ways to increase their chances of success: they use “aged” accounts with a long history of successful transactions, and they keep return requests to items that cost less than a few hundred dollars.
Social engineering is also an important technique. Imagine, for example, that a scammer ordered a new pair of pricy sneakers. They call the company and say it never arrived. For the retailer, it’s less expensive to replace an item rather than refund it, because the cost of the replacement is limited to what they pay. The scammer, however, doesn’t need two pairs of basketball shoes. How to convince the retailer to pony up cash instead? That’s where social engineering plays a role. A sob story might help - like telling the retailer that the shoes were supposed to be a gift and today is the day you were supposed to give it might work. And, the manuals recommend, scammers should remain polite but persistent, the better to make customer service representatives more willing to exercise discretion in the scammer’s favor.
These sorts of return frauds however, aren’t scalable. Sure, it’s possible to pull them off every once in a while, but pretty soon, accounts get flagged and retailers start applying more scrutiny. But just as the most successful businesses during the Gold Rush weren’t miners, but the people that sold the shovels, cybercriminals have a number of illicit service providers they can turn to for help.
One of the more inventive scams relies on dry ice. In this scenario, a fraudster asks to return an expensive item, like a large flat screen television. In reality, they want to keep the TV and send an empty box. The shipper, and the retailer know the weight of the television. Sending an empty box simply doesn’t work. The solution? A helpful scoop of dry ice that weighs exactly as much as the TV. It evaporates in transit, allowing the fraudster to claim that the TV must have been removed from the box while being shipped.
The dry ice scam, however, isn’t feasible for most people to pull off. But the dark web has people willing to do this on behalf of others. Alongside this scam are services that provide counterfeit shipping documents to further help fraudsters bolster their case.
Nearly every retailer that engages in ecommerce is likely a victim of refund scams. But the biggest victims fall in line with the company's online market share. Amazon leads the pack in dark web mentions of this topic, followed by Walmart and Apple. These three companies are discussed 55 percent of the time.
Apple, by the way, seems to be the most lucrative target. A successful return fraud for a new laptop could net $3,200. The company also seems to relax its policies around the launch of major products because volume is so high.
Ultimately, most of the return frauds rely on some form of social engineering, and these techniques exploit the human weaknesses of a company. The success of these scams shows that retail security teams can’t simply rely on technical measures to improve security. Dark web monitoring can uncover the strategies that scammers use to exploit a firm, and the extent to which anti-fraud measures are working.