Stealing from an eCommerce retailer is tricky business. It’s not like walking into a store and walking out with a backpack full of stuff. In the case of an online shop, each transaction provides merchants with multiple data points, and if those don’t make sense, then services like Riskified decline the transaction. And so, for fraudsters who want to make good on the “investment” they made in stolen credit cards, creativity is required. Like a raptor testing the fence for weak points, fraudsters try a huge variety of tactics to find a way to get through merchants’ defenses.
They’re a clever bunch, and staying ahead of them requires quickly learning their approaches. It’s far from a comprehensive list, but here are three of the more creative fraud attacks we saw in the last year.
Come fly with me
This isn’t quite as whimsical and charming as the Frank Sinatra song, but it is an excellent illustration of how fraudsters think. One of the really important points to keep in mind when thinking about indicators of fraud is that price is no object. Anything more than the price paid for the card is profit, and fraudsters have no incentive to minimize costs for a person they’re already defrauding. Because of that, they’ll happily spend far more than an item is worth if it increases their chances that a purchase will go through.
Here’s how that works in travel. A fraudster has a bunch of stolen cards and wants to turn those cards into profit. The fraudster creates a website for a travel agency and then visits an online travel forum and says “limited time only! Half price tickets to anywhere you need to go!” Sounds great, right? A shopper – let’s say Sue Smith – takes the fraudster up on the offer. Sue wants a flight to Paris.
Here’s where it starts to get really interesting. Our fraudster reaches for John Doe’s stolen card. The fraudster is going to use that card to buy and resell Sue Smith’s ticket. Our fraudster checks social media and sees that John Doe is married with two kids. Perfect. Our fraudster visits a travel agency and places an order for five seats on a flight to Paris. John Doe, his wife, their kids and Sue Smith. That’s the price of five tickets to sell one of them at half price. But that’s nothing but profit for our fraudster. Sue Smith gets her half-price ticket. John Doe files a chargeback for a trip to Paris that he never knew about. And the travel agency is out the cost of five tickets.
What should the travel agency have done? It’s not easy to do, but the key is to avoid letting good indicators blind you to the bad. In physical goods we call this the “mixed cart” problem. Fraudsters buy a bunch of previously purchased goods and then add an unexpected big ticket item. The key is to avoid rubber stamping a purchase because parts of it look familiar and, instead, review it holistically. “Holistically.” You’ll hear that again in this post.
Meet the mules
What’s the worst summer job you ever had? Babysitter? Flipping burgers? How about being an unwitting accomplice of fraudsters? Probably not.
One of the ways in which eCommerce fraud is different from physical fraud is that sometimes completing the purchase is the easy part, while receiving the goods is tough. Riskified makes note of addresses that have been associated with chargebacks, and we keep track of “reshippers” (we’ve talked about those before). To get past both of those, fraudsters will “hire” people as “shipping associates” to do their dirty work. The fraudster posts job descriptions online looking for a motivated employee to receive and resend products for a pretty decent hourly wage. Little did he or she know that those goods were stolen.
We don’t know of anyone ever getting in trouble for this work, but it probably doesn’t do much to bolster the old resume. It is, however, a great example of the ingenuity of fraudsters in completing their purchases. The “mules” are likely to be new shoppers, which makes detection particularly tricky. Furthermore, contrary to established reshippers whose addresses are usually tagged, these addresses don’t have a track record which will draw attention to them during the fraud review process.
So what’s the solution? Look at the order holistically. I know. I know. But that’s the best way to avoid this type of problem. Does the order fit with what you know about that customer? Is it logical that a shopper would have an expensive order sent to a previously unseen name and address? Does this pattern match with what was done before? Looking at the full story of the order helps Riskified tell which orders are gifts and which orders are en route to a fraudster.
Wanna get away? And also some free stuff?>
This is another way to get around the problem we just covered where receiving and reselling can be the tricky bit. In this case, however, the fraudsters don’t rely on another person to do their dirty work; they make a trip out of it.
Fraudsters know that shipping to their personal address isn’t a good idea. It’s not sustainable. If an address is associated with a chargeback, then solutions such as Riskified pay it closer attention. And the fraudsters know that we keep an eye on packages sent to reshippers (even though reshippers are legitimate more often than not!) So what’s left? How about booking a room for a working vacation?
That’s right – the charming 1,600 square foot home with the lakeside views becomes the nerve center of a fraud operation. Fraudsters book the room – oh yeah, that’s done with a stolen card, too – and then receive and reship their packages from that location. Because no previous chargebacks are associated with that address, it’s much easier for fraudsters to do their dirty work. Of course, once those orders are reported as fraudulent down the road, things become a bit trickier for the homeowner.