Beware of the renewed ‘bait and switch’ fraudster scheme

A harmful fraud scheme from the past has recently reemerged—ready to strike merchants when their defenses are low. Here’s what you need to know.

Everyone loves the revival of an old classic. Except when it comes to fraud.

Recently, fraudsters have revived a conniving scheme that can lead to chargebacks on high-value purchases. With the holiday season just around the corner and fraudsters gearing up to take advantage of the vulnerable, it’s especially important to make sure you don’t become a victim. And that starts with knowing how it works and what signs to look out for.

How it works:

It begins with the fraudster stealing the cardholder’s information. (Usually, they have access to all of the cardholder’s cards, indicating that the cardholder was likely hacked.) The fraudster then uses the cardholder’s real name, phone number, and address—but usually a brand new email address—to place a high-value order. Since most of the information used is legitimate, the order is not detected as fraudulent.

As if that’s not bad enough, here’s where it gets really insidious.

The fraudster, posing as the company from which the order was placed, sends an email to the cardholder requesting that they confirm the purchase—and asking whether they’re happy with their item. (The email address usually does not include the company’s legitimate domain, e.g. companyname1@gmail.com.) Alternatively, the fraudster may call the cardholder on the phone using a fake company number.

The cardholder responds that they did not order the item and, seeing the charge on their card, realizes their card has been compromised. However, they believe the fraudster is a legitimate rep from the company and will help them resolve the issue. The fraudster then “helpfully” provides the cardholder with “return labels,” promising a refund when the order is returned. When the item arrives at the cardholder’s address, they unknowingly ship the item directly to the fraudster—never to see their money refunded.

Just like that, the merchant receives a chargeback and loses the high-value item.

Here are a couple of tips to minimize your chances of falling victim to this kind of fraudulent behavior.

1. In most of these cases, fraudsters test multiple cards until they find one with a sufficient balance for the high-value order. If you see multiple card attempts on orders, that should raise a red flag.

2. On high-value orders, verify the legitimacy of the email address used to make the purchase.
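The two checks above can be run automatically over order and payment-attempt records. The sketch below is an added example, not NoFraud's code: the record layout, the thresholds and every sample value are constructed assumptions. It flags an order that tried several distinct cards, and a high-value order whose name, phone and address match a known customer while the email has never been seen for that customer.

```python
from dataclasses import dataclass

HIGH_VALUE = 500.00        # assumed threshold for a "high-value" order
MAX_CARDS_PER_ORDER = 2    # assumed: a third distinct card triggers review


@dataclass(frozen=True)
class Order:
    order_id: str
    name: str
    phone: str
    address: str
    email: str
    total: float


@dataclass(frozen=True)
class Attempt:
    order_id: str
    card_fp: str    # tokenised card fingerprint, never the card number itself
    approved: bool


def identity_key(order):
    """Normalise name, phone and address so formatting differences do not matter."""
    digits = "".join(ch for ch in order.phone if ch.isdigit())
    address = " ".join(order.address.lower().split())
    return (order.name.strip().lower(), digits, address)


def review_reasons(order, attempts, known_emails):
    """Return the reasons, if any, to send this order to manual review."""
    reasons = []
    # Tip 1: several different cards tried on one order suggests card testing.
    cards = {a.card_fp for a in attempts if a.order_id == order.order_id}
    if len(cards) > MAX_CARDS_PER_ORDER:
        reasons.append("multiple_cards")
    # Tip 2: real name, phone and address of a known customer, but a new email.
    if order.total >= HIGH_VALUE:
        seen = known_emails.get(identity_key(order))
        if seen is not None and order.email.lower() not in seen:
            reasons.append("new_email_for_known_identity")
    return reasons


def triage(orders, attempts, known_emails):
    """Map each order id to its list of review reasons."""
    return {o.order_id: review_reasons(o, attempts, known_emails) for o in orders}


# Constructed sample data.
PRIOR = Order("A-1000", "Dana Reyes", "555-555-0100", "12 Elm St",
              "dana.reyes@example.com", 80.0)
KNOWN_EMAILS = {identity_key(PRIOR): {PRIOR.email}}

ORDERS = [
    Order("A-1001", " dana reyes", "(555) 555-0100", "12  Elm St",
          "d.reyes.8841@example.net", 1850.0),
    Order("A-1002", "Dana Reyes", "555-555-0100", "12 Elm St",
          "dana.reyes@example.com", 1850.0),
    Order("A-1003", "Lee Park", "555-555-0142", "40 Oak Ave",
          "lee.park@example.org", 40.0),
]
ATTEMPTS = [
    Attempt("A-1001", "fp-c1", False),
    Attempt("A-1001", "fp-c2", False),
    Attempt("A-1001", "fp-c3", True),
    Attempt("A-1002", "fp-c9", True),
    Attempt("A-1003", "fp-c4", False),   # same card retried: one distinct card
    Attempt("A-1003", "fp-c4", False),
    Attempt("A-1003", "fp-c5", True),
]

if __name__ == "__main__":
    for order_id, reasons in triage(ORDERS, ATTEMPTS, KNOWN_EMAILS).items():
        print(order_id, reasons or "no flags")
```
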

The downside to these solutions is that they require a careful manual review of all orders. If you’re looking for a fraud detection solution that’s less time-consuming, more efficient, and delivers decisions with the highest level of accuracy, NoFraud may be a perfect fit for your business.

NoFraud’s proprietary software combines machine learning technology with human expertise to guarantee safe checkout, detect and prevent fraud, and eliminate the risk of chargebacks. In the rare case that a chargeback manages to slip through our system, you’re covered by our 100% Chargeback Protection Guarantee.

If you would like to share your experience with this fraud trend or if you have any questions, please feel free to reach out via email to shoshanah@nofraud.com.

What You Need to Know About Ecommerce Fraud and Fraud Detection

Online shopping has been increasing significantly in popularity over the past decade. By 2021, it’s estimated that around 17.5 percent of all retail sales will occur through online storefronts. While online shopping has been very popular for quite some time, it has become the main method of shopping for many consumers since the COVID-19 pandemic began. Unfortunately, the prevalence of online shopping has also brought about a significant rise in fraud on various online eCommerce platforms like Magento, Shopify, and WooCommerce. If you manage an online store on one of these platforms, it’s important that you look into fraud detection and prevention methods to ensure that customer information is kept safe and secure.

Fraud Is On the Rise

While online shopping has been highly popular for many years, the ongoing threat of the COVID-19 pandemic has caused consumer behavior to shift in a variety of ways, which has itself caused attackers to alter their approaches when it comes to committing fraud. For instance, food delivery has become much more commonplace, which is why fraudsters have focused on this industry in recent months. Some of the top examples of fraud in the online shopping industry include:

  • Draining loyalty points that can be resold on the dark web
  • Stealing financial and credit card information
  • Committing account takeover attacks
  • Placing orders for services or goods through accounts that have been hacked

The rise in fraud also correlates with changes that online merchants have been making in recent months to account for the increase in online shopping. For instance, many of these merchants are making regular changes to their online applications, which invariably causes more vulnerabilities and bugs to occur when the applications go live. Before you focus on implementing WooCommerce or Shopify fraud prevention techniques, it’s essential that you understand why fraud is occurring more regularly and what the modern trends are with online shopping fraud.

Modern Trends in Ecommerce Fraud

Along with the types of attacks mentioned previously, attackers have been using highly sophisticated bots that are able to solve the CAPTCHA programs that many site owners implement to bolster security. A CAPTCHA is typically used to ensure that the individual entering into their account is a human instead of a bot. However, recent advancements allow this form of security to be bypassed. It’s also important to understand that many of the attacks that have been taking place are focused on APIs as well, which means that they are no longer solely centered around the website itself.

When malicious traffic is sent to a website, it’s typically sent in spikes that occur throughout periods of 24-48 hours. During these sustained spikes, the levels of malicious traffic are significantly higher than those of legitimate traffic from actual users of the website. Unless websites are ready for the changes that have occurred with online shopping fraud, instances of successful fraud will be much more likely to occur.

While fraud is increasing in practically every area of online shopping, three targets have had the most sizable percentage increases in fraud: home furnishings, online fashion, and food delivery. When looking specifically at home furnishings, account takeover attacks have been especially prevalent and have occurred at a rate four times higher than before the pandemic. Keep in mind that attackers aren’t solely focusing on the top 50 retailers. With home furnishings, fraud attacks occur on small company websites as well.

As for online fashion, high-end fashion moved quickly from brick-and-mortar stores to online websites back in February and March. Since that time, items like cosmetics, clothing, and sportswear have had a substantial rise in site traffic. Because these items have increased in popularity, fraud attempts have also become more prevalent. It’s possible for an online fashion website to obtain seven times more malicious traffic than legitimate traffic in the same time period. Loyalty card attacks are also very common with online fashion since many of the primary retailers in the industry have loyalty programs.

When looking specifically at food delivery, restaurants and businesses that offer these services have seen increases in food delivery that range from 70-200 percent. Because of this heightened popularity, websites are finding it more difficult to implement security features that are equipped to handle new users and the distinct behavior patterns that come with them. Account takeover attempts are particularly common within the online food delivery industry.

These trends in online shopping fraud indicate that new security measures will need to be implemented by online shopping websites and platforms if they want to avoid being the recipient of successful fraud attempts. While the presence of COVID-19 explains why fraud is occurring at an ever-increasing rate, customers won’t be happy if they find that hackers are gaining access to their data or accounts. If you want to make sure that fraud doesn’t occur with your website, it’s important that you take the necessary steps to bolster your website security.

Common Techniques of Payment Fraud

There are six basic types of online shopping fraud that you should be aware of, which include:

– Identity theft
– Clean fraud
– Friendly fraud
– Triangulation fraud
– Affiliate fraud
– Merchant fraud

Identity theft is a very common form of fraud that allows the attacker to perform transactions through the shopping platform in question. In order to perform identity theft, attackers work to obtain credit card information, account information, or email addresses from their targets. Once they gain access to the right information, it’s possible for them to make purchases on your store under the name of a customer of yours.

Clean fraud refers to transactions on an online shopping platform that look legitimate but are actually fraudulent. Attackers will steal credit card information before inputting this information into an online shopping platform or website. This form of fraud is very difficult to detect.

Friendly fraud occurs when a customer pays for an item but eventually initiates a standard chargeback, which they can do by claiming that their account details or credit card information were stolen. They will be reimbursed while also receiving the product in question.

Triangulation fraud is named as such because it uses three points of interest to commit fraud. For one, a fake storefront is created, which lists in-demand items at very affordable prices that are considerably lower than market value. When customers purchase one of these items, the attacker will gain access to address information and credit card data. From here, goods are purchased at another store before they are sent to the customer, which makes the transaction appear to be legitimate. The third aspect of triangulation fraud involves making many additional purchases with the use of the stolen credit card data. Because the initial order was legitimate, it can take some time for this form of fraud to be detected.

Affiliate fraud involves making money directly from an affiliate marketing program by falsely increasing signups and traffic data. As for merchant fraud, this form of fraud takes place when an order is made but the item is never shipped. If performed correctly, it can be very difficult for the customer to get their money back. If you manage an online shopping store or platform, you’ll want to take steps to bolster your eCommerce fraud prevention techniques.

Financial Impact of Fraud

Fraud will invariably have a significant impact on nearly all online shopping sites and businesses. Even if fraud is prevented, retailers spend anywhere from 5-10 percent of their annual budget on fraud prevention. Along with the overall costs of fraud management, it’s important to understand that online retailers must also deal with chargeback losses and false positives. If an attacker gains access to your website and steals credit card information from a large number of your customers, your reputation will take a hit, which will invariably reduce your annual revenues as you work towards improving your reputation.

Keep in mind that false positives are transactions that are legitimate but flagged as fraudulent, which means that false positives reduce sales and damage your reputation among customers. It’s believed that upwards of 30 percent of transactions that are flagged as fraudulent are actually legitimate. While the overall costs associated with fraud prevention are high, they are much lower when compared to the costs that come with dealing with the aftermath of successful attacks against your website or platform.

How to Engage In Ecommerce Fraud Prevention

In order for your online storefront to be successful on a long-term basis, you will need to engage in eCommerce fraud prevention as well as fraud detection, the latter of which may help you stop fraud attacks before they are completed. There are a myriad of modern prevention capabilities that your business should look into if you want to be at the forefront of fraud prevention. By preventing a high percentage of fraud from taking place, you may garner a reputation as providing customers with a secure user experience, which is invaluable.

Fraudsters are becoming increasingly sophisticated with the kinds of attacks that they administer. If you want to be on top of these issues, it’s very important that you make use of modern security techniques and methods. Some of the online fraud prevention techniques that you can use with your storefront include PCI-DSS, CVV, an anonymous proxy server, and various security services.

If you’re looking to engage in WooCommerce, Magento, or Shopify fraud prevention, one software service that you should consider is NoFraud, which is designed specifically to address concerns with eCommerce fraud. This particular software service can be connected with the top platforms for online storefronts, which include Magento, BigCommerce, Shopify, and WooCommerce. Unlike many software services that strive to reduce fraud, NoFraud aims to increase the number of approved transactions instead of focusing on blocking transactions. When implemented into your online storefront, this solution can effectively reduce false positives, which ensures that a higher number of legitimate transactions take place.

The top features that are available with NoFraud include:

  • The ability to screen phone orders
  • The ability to cancel chargeback protection with certain orders
  • Extensive email and phone support
  • Comprehensive reporting so that you can remain aware of any attempt at fraud that occurs on your website
  • The ability to create multiple user accounts
  • The ability to build lists of customers who are allowed on your website as well as customers who are denied from using your platform
  • Transaction insight

Once you have implemented this software into your online storefront, you should quickly notice a higher order acceptance rate, increased efficiency, and a significantly reduced chargeback cost.

Because of the rise in online shopping, fraud is prevalent across all shopping platforms like Shopify and Magento. While the COVID-19 pandemic is ongoing, you will likely notice an influx of customers who are shopping at your online storefront. In order to maintain your reputation and reduce the expenses that come with fraud, it’s essential that you focus on bolstering your fraud detection and prevention techniques. With the right software, you can prevent most fraud from occurring on your website, which ensures that your users are provided with a consistent and exemplary user experience. If you act today, you should be able to accommodate the increase in traffic to your website, which can help you keep successful attempts at fraud to a minimum.

eCommerce Fastlane Podcast: Protect Your Shopify Brand

NoFraud’s Director of Business Development, Shoshanah Posner, recently joined the eCommerce Fastlane podcast to discuss the latest fraud trends impacting eCommerce.

In this podcast, you will learn:
– Current fraudster landscape as it relates to data breaches, stolen card data, and synthetic identities.
– What is the Dark Web and what are people doing there?
– Reshipper fraud, triangulation fraud, mule fraud, and how you can protect yourself.

The podcast can be found here. Happy listening!

Preventing Chargebacks for Subscription Billing

Automated subscription payments are quite literally the gift that keeps on giving for eCommerce. Once you’ve acquired a customer, they’re much more likely to buy again and again. Especially popular among Millennials, subscription-based businesses are booming in practically every industry, from personal care products to toys to specialty foods.

Unfortunately, the subscription model also carries an elevated risk of chargebacks from fraudulent behavior. Chargeback sources generally fall into two categories: friendly fraud & criminal fraud. Each requires an effective fraud prevention solution. Let’s talk about ways you can prevent both.

How to Avoid Friendly Fraud Chargebacks
Friendly fraud is a misnomer. It occurs when a customer buys and receives a product, but then disputes the transaction through their bank. There is nothing friendly about this. The product and shipping fees are lost, and you’ll also get hit with a chargeback fee. If the chargeback rate hovers around 0.8%, the fees may set you back thousands of dollars.

It’s nearly impossible to eliminate friendly fraud. However, many subscription chargebacks occur when ethical customers simply don’t understand the subscription process or forget that renewal was due. You may be able to reach out to such customers before they dispute the transaction. Here’s how to reduce those unfriendly friendly fraud chargebacks:

1. Be easy to reach and offer stellar customer service.

According to Verifi, 86% of consumers that filed for a chargeback went straight to their banks without approaching the merchant first. Encourage direct communication with your customers by clearly displaying your customer support information on your website in a prominent location. Provide several convenient ways for them to get in touch (e.g., phone, email, chat, snail mail). When they call, go above and beyond to address their concerns, and cancel their subscription promptly if they ask you to.

2. Make canceling a subscription super simple.

If your cancellation process is confusing, annoying, or time-consuming, your frustrated customers may decide to cut to the chase and call the bank. To avoid this, ensure that canceling a subscription is simple and effortless for them. It’s beneficial to add an “Unsubscribe” button or link to the bottom of your emails or display it clearly on your website so that customers don’t resort to disputing a charge.

3. Be clear about how a free trial works and when it ends.

Your customers should be kept informed about how long their free trial will last and when they’ll be billed. Always send them a message before their trial ends reminding them that they are about to upgrade to the paid version. This will allow them to opt out if they so choose.

4. Send a courtesy email before filling the first order.

When a customer subscribes, immediately send an acknowledgment email (this can be automated). If the customer has a change of heart or if the subscription purchase was made by mistake, this courtesy notification allows time to cancel. For the business, it mitigates the risk of friendly fraud chargebacks.

5. Notify subscribers before processing their recurring payment.

Subscribers appreciate a reminder message before their recurring payment processes. This can be via email, text message, or whichever way seems the most efficient for your business. It provides a window for them to either prepare for the charge or unsubscribe. While it may be discouraging to see one of your members opt out, the risk of incurring a friendly fraud chargeback is much more detrimental… trust us.

6. Match your billing descriptor to your company or product name.

It’s crucial to make your billing descriptor as close to your company name as possible. A “billing descriptor” is the merchant name that appears on your customer’s credit card statement next to each transaction. If a customer doesn’t recognize that name, they are more likely to dispute the charge.

How to Avoid Criminal Fraud Chargebacks
Data breaches occur almost weekly and stolen credit card information is widely available on the dark web. Fraudsters with sensitive information look for vulnerabilities in an online store’s fraud detection system. The subscription platform is an extremely common target because so many transactions happen simultaneously and criminals think that their activity will fly under the merchant’s radar. You may benefit from setting up a special fraud detection system specifically for subscriptions.

Although subscription transactions are susceptible to all types of fraud, the most typical scheme we have seen is “triangulation fraud.” What is triangulation? This type of fraud involves three parties: the fraudster, the innocent shopper, and the targeted eCommerce store (that’s you). Here’s how it works in four steps:

Step one: The fraudster creates an online store (often on eBay or Amazon) and offers high demand items for extremely low prices. In reality, he doesn’t have any inventory. He’s going to try to scam you into providing these items to the customer for him, instead.

Step two: An innocent, unsuspecting shopper places an order on the fraudulent online store and the fraudster receives payment for the items.

Step three: The fraudster uses stolen credit card data to purchase those same items from your legitimate website and submits the shipping address of the innocent shopper at checkout.

Step four: You ship the items directly to the customer that “purchased” them from the fraudster’s online store, who then receives the shipment from you and is none the wiser. Ultimately, the true credit card owner discovers an unauthorized transaction on his or her statement, and the bank issues a chargeback. You are left to deal with the aftermath. In this scenario, you’ve lost the merchandise (and shipping costs) and incurred chargeback fees (and possible penalties).

How can you protect yourself against criminal fraud chargebacks? Here are some important tips to keep in mind:

1. Look for inconsistencies.

Screen every order for potential signs of fraud. Signals of fraud may include unusual patterns that coincide with credit card fraud, money laundering, or loan fraud. Some signals of fraud may be that the billing address is different from the shipping address, the email address contains an unusual number of characters, or the order has an AVS mismatch. Monitor any changes in customer details and pay specific attention to phone numbers, emails, and shipping addresses – these could indicate fraud resulting from an account takeover.

For physical products, the period between an order being placed and when it is shipped allows sellers to check for fraud the old-fashioned way — by manually reviewing the transactions. For digital products like movies, software packages, mobile/cloud-based apps, e-gift cards, and ebooks, however, an automated fraud detection system is a critical tool. Buying digital goods involves an online transaction followed by an instant electronic delivery. There is typically a one-second window to spot and stop a fraudulent transaction. Many digital eCommerce businesses process millions of transactions per day, and when only 0.3 percent of those one-second windows are missed, large financial institutions may suffer losses of $10 million per year or more.

2. Install a fraud prevention service.

Screening orders manually can be a huge drain of time and resources. You may want to consider an automated solution that can do all the fraud vetting for you. Some even offer a chargeback guarantee, which means you’ll be compensated if a chargeback does slip through their system.

3. If a chargeback does occur, don’t forget to cancel the subscription.

While seemingly an obvious follow-up, we have seen this step missed and the chargebacks keep rolling in.

4. Don’t offer a completely free product.

Shy away from offering a completely free product in the hope that some customers will become long-term customers. Sometimes fraudsters use bots to create multiple orders in an attempt to get as many free products as possible. Smart tactic, right?

Bots are often used to infect innocent devices or software with malware (malicious software). They are capable of causing major damage to individuals and businesses alike. A bot attack may consist of gathering passwords, identity theft, collecting financial information, DoS attacks, relaying spam, logging keystrokes, opening back doors on the infected computers, and exploiting back doors opened by viruses and worms. Bot attacks are particularly active on Black Friday and Cyber Monday. We recommend that you charge at least a shipping fee to disincentivize this behavior.

Unsubscribe from Subscription Fraud
User-friendly policies and some basic best practices will prevent many instances of chargebacks. What’s more, automating your fraud protection process will save you time, money, and labor (not to mention headaches). NoFraud is an option that is compatible with all Bold products. NoFraud’s automated fraud detection tools will interface with your integrated payments process and virtually eliminate chargebacks while keeping your approval rate high. If any chargebacks do occur, you’ll be fully reimbursed under a Chargeback Protection Guarantee.

To find out more about how NoFraud’s AI-powered solution can help your business and to try it for yourself, just send an email to shoshanah@nofraud.com.

Are Freight Forwarders a Red Flag for Fraudulent Behavior?

Receiving an order with a request for delivery to a “freight forwarder” or “reshipper” can make even the most experienced eCommerce merchant wary. For many online sellers, a freight forwarder is strongly associated with fraud—often, it’s assumed to be a fake address used by scammers—and for good reason.

In this blog post, we’re breaking down our most frequently asked questions about how to safely do business with customers that use freight forwarders, what you can do to identify fraud and fight chargebacks, and how NoFraud’s fraud prevention service can help protect you.

Q: What is a freight forwarder?

A: A freight forwarder, or reshipper, is a business that receives packages and reships them to a secondary destination. Many freight forwarders are international shippers, accepting packages from businesses in one country and sending them on to customers in another country.

Here’s an example of how it works: a customer places an order through your site and puts in the freight forwarder’s address as their shipping address. You accept payment from the customer and ship their order to the freight forwarder, and the freight forwarder loads it onto a shipping container and reships it to your customer.

Q: How can I tell if the shipping address on my order belongs to a freight forwarder?

A: An order shipped to a freight forwarder often contains a string of numbers and letters in the address field (for example: 321 Harbor Road Suite 303 #XYZ-56784567). The freight forwarder uses this number to keep track of which packages belong to which customer, or which shipping container they need to be repacked into.

If you look it up on Google Maps, a freight forwarder will typically appear as a storefront or warehouse. Because they often ship internationally, most freight forwarders are located at a country’s borders, and many are near large coastal shipping ports. Examples of popular locations for freight forwarders include Wilmington, Delaware; Portland, Oregon; and Miami, Florida.

There are publicly available lists of registered freight forwarding companies, so you can always research a shipping address and see if it comes up as a reshipper.

Q: Why are orders sent to freight forwarders considered high risk?

A: Many scammers use freight forwarders to disguise their fraudulent orders as valid ones. While shipping a package to Nigeria may raise some eyebrows, shipping a package to Doral, Florida is more likely to go unnoticed by a merchant’s fraud detection system. By hiding behind a reshipper’s address, these scammers hope to sneak past your defenses.

Using a freight forwarder’s address also protects the fraudster’s identity, as they can receive an item without revealing their true location. This is especially helpful for those who place orders using stolen credit card information.

Q: How do freight forwarder scams work?

A: Scammers have figured out a number of different ways to cheat merchants through reshipping fraud, also called delivery address fraud. Here are a few of the more common schemes:

The fake address, fake payment scam
The scammer places an order for delivery to a real reshipping company but pays with stolen or falsified information. By the time you’ve gotten a declined payment bank notification and a chargeback fee, the scammer has already received his order from the reshipper. It’s difficult to track him down because you don’t have his real billing or shipping information.

The fraud mule scam
Perhaps the most infamous form of reshipping fraud, the fraud mule scam takes advantage of innocent third parties. Scammers recruit people looking for legitimate work-from-home jobs as gift wrappers or shipping inspectors. The scammer places orders through your site (usually with stolen credit cards) and ships the packages to the clueless “gift wrappers.” They reship the items to the scammer, who takes possession of the goods without ever giving the merchant his real location or identity.

The fraud mule scam hurts a staggering number of innocent people: the merchant; the owner of the stolen credit card; and the “fraud mule,” the person who unknowingly reships stolen products. For a more in-depth description of this scam and how to spot it, check out our blog post on fraud mule scams.

The shipping costs scam
The scammer starts by inventing a fictional freight forwarding company. He may try to make it look credible by creating a fake website or by giving it a name that’s close to the name of a real freight forwarder.

He then places a large order with your business and asks that you deliver it to his “freight forwarder,” presenting it as a real company. He asks that you cover the cost of shipping and promises to reimburse you. Since the “freight forwarder” belongs to the scammer, he’ll keep any money you send him and then cut off contact.

Q: Are orders sent to freight forwarders ever safe?

A: Yes. There are plenty of genuine customers who use freight forwarders. For example, some use reshipping services when they want to order a product that can’t be shipped directly to their country.

Other international shoppers use freight forwarders to save money. Many people who live outside of the USA have a preference for American brands, which can be prohibitively expensive when purchased abroad. It’s sometimes cheaper to just order the items from American sites and reship them through a freight forwarder.

These authentic international clients can become your loyal customers, and they often place high-value orders. It would be a shame to decline doing business with them due to the risk of reshipping fraud.

Q: How do I distinguish between legitimate and fraudulent orders being shipped to freight forwarders?

A: While you should be cautious about orders shipped to freight forwarders, denying all shipments to reshippers will result in lost sales and hurt your bottom line—especially since the typical customer that uses a reshipper has a higher-than-average cart value. The key to successfully identifying fraudulent orders is to look at the other data points for clues.

These key data points include:

Use of a Proxy
IP proxies disguise a user’s internet connection. For a scammer, they’re a way to attempt to conceal their identity and pass as a legitimate customer.

IP Location
It often makes sense for international shoppers to use freight forwarders, for the reasons listed earlier in this blog post. It makes a lot less sense for a shopper in the US to ship to a freight forwarder when he or she could have accepted delivery directly at his or her own address. An American IP address paired with an American freight forwarder could be a sign that the customer is only using the reshipper as a “fake address” to cover their tracks.

Do you have multiple orders with different customer names, but all with the same IP address? That’s a red flag. A scammer might be trying to pass himself off as several shoppers to avoid suspicion.

Billing address
Be cautious when an order is placed from a geographic area you don’t normally do business with, especially when the billing address doesn’t match the shipping address. Another consideration: an expensive order coming from a low-income area should put you on your guard. The order might be coming from a scammer, or a “freight mule” unknowingly working for a scammer.

Country where the credit card was issued
Many scammers use stolen credit cards from another country. If a customer’s credit card is from one country and their IP address is from another, there’s a higher risk that the order is fraudulent.

Email longevity
A brand new email account is a sign that your customer may be creating a fake identity to try and fool your fraud detection systems.

Customer order history
When a customer who’s done business with you over a long period of time orders to a reshipper, it’s usually a safe transaction. Be warier of first-time customers, especially when they place expensive orders.

Be suspicious of customers who place many orders in a very short period of time. It’s an unusual behavior for legitimate customers, but scammers often hit businesses with clusters of orders to the same address.

Reshipper history
Check to see if the reshipper has been flagged for fraud by other businesses. Can you find this address on a list of registered reshippers? Some fraudsters create fake reshipping businesses as part of their scams. Be suspicious of freight forwarders you’ve never heard of, especially if their websites seem phony or no one answers your requests for verification.

When you pay attention to these data points, it’ll be easier to spot inconsistencies that point to fraud.
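As an added illustration (not NoFraud's code or scoring model), the sketch below turns several of the data points above into a simple additive risk score for orders shipped to a freight forwarder. The field names, weights and thresholds are assumptions chosen for the example, and the sample orders are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Weights and thresholds are illustrative assumptions, not values from the
# article or any vendor; calibrate them against your own chargeback history.
NEW_EMAIL_DAYS = 30
HIGH_VALUE_USD = 500.0
REVIEW_THRESHOLD = 40


@dataclass
class Order:
    order_id: str
    customer_name: str
    ip: str
    ip_country: str        # from a geo-IP lookup
    ip_is_proxy: bool      # from a proxy/VPN detection feed
    card_country: str      # issuing country of the card
    ship_country: str      # country of the freight forwarder
    forwarder_known: bool  # address is on your list of registered reshippers
    email_age_days: int
    prior_orders: int      # earlier orders from this customer
    amount_usd: float


def names_per_ip(orders):
    """Map each IP to the distinct customer names that ordered from it."""
    seen = defaultdict(set)
    for o in orders:
        seen[o.ip].add(o.customer_name.strip().lower())
    return seen


def score_order(order, ip_names):
    """Return (score, reasons) for one forwarder-bound order."""
    hits = []
    if order.ip_is_proxy:
        hits.append((20, "connection comes through a proxy"))
    if order.ip_country == order.ship_country:
        hits.append((15, "shopper IP is in the same country as the forwarder"))
    if len(ip_names.get(order.ip, ())) > 1:
        hits.append((25, "several customer names share this IP"))
    if order.card_country != order.ip_country:
        hits.append((20, "card-issuing country differs from IP country"))
    if order.email_age_days < NEW_EMAIL_DAYS:
        hits.append((10, "email account is brand new"))
    if order.prior_orders == 0 and order.amount_usd >= HIGH_VALUE_USD:
        hits.append((15, "first-time customer placing an expensive order"))
    if not order.forwarder_known:
        hits.append((20, "forwarder is not on the registered-reshipper list"))
    # A long order history makes a reshipper order much less suspicious.
    if order.prior_orders >= 5:
        hits.append((-30, "established order history"))
    score = max(0, sum(points for points, _ in hits))
    return score, [why for _, why in hits]


def triage(orders):
    """Return {order_id: (decision, score, reasons)} for a batch of orders."""
    ip_names = names_per_ip(orders)
    out = {}
    for o in orders:
        score, reasons = score_order(o, ip_names)
        decision = "review" if score >= REVIEW_THRESHOLD else "approve"
        out[o.order_id] = (decision, score, reasons)
    return out


# Constructed sample orders; the IPs are from documentation-only ranges.
SAMPLE = [
    # Returning shopper abroad using a known US forwarder.
    Order("A1", "Maria Silva", "198.51.100.7", "BR", False, "BR", "US",
          True, 900, 6, 320.0),
    # Two "different" new customers behind one proxied US IP, foreign cards,
    # unknown US forwarder, expensive first orders.
    Order("A2", "John Doe", "203.0.113.9", "US", True, "DE", "US",
          False, 2, 0, 1800.0),
    Order("A3", "Jane Roe", "203.0.113.9", "US", True, "DE", "US",
          False, 1, 0, 1500.0),
]

if __name__ == "__main__":
    for oid, (decision, score, reasons) in triage(SAMPLE).items():
        print(oid, decision, score, "; ".join(reasons))
```

No single signal decides the outcome here; the score only routes an order to manual review, which matches the article's point that the forwarder address alone is not grounds for declining.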

Q: How can NoFraud help?

A: NoFraud’s AI-powered fraud prevention solution interfaces with your integrated payments process to provide you with peace of mind. It gives you instant, automatic fraud decisions on all your orders, including those headed to freight forwarders. Our screening system analyzes all of the above data points and more (such as global blacklists, AVS mismatch detection, etc.) and lets you ship with confidence to your international clients while steering clear of the fraudsters out there.

To learn more about how NoFraud can help your business stay safe from freight forwarder scams, reach out to Shoshanah at shoshanah@nofraud.com.

Update: How Is Online Fraud Trending?

Fraudsters and online stores have played an evolving game of cat-and-mouse ever since the first eCommerce platform was invented. In this article, we’ll talk about some of the latest emerging patterns of fraudulent behavior and what it’s costing businesses that don’t have an effective fraud prevention solution, so you can stay ahead of the curve.

Digital Goods and Why Fraudsters Love Them

The Risk Solutions True Cost of Fraud Report is a LexisNexis study that examines the growing trends in eCommerce sales fraud and the consequences for businesses of all types and sizes. According to a recent report, chargeback losses have increased by 60% among digital goods merchants.

“Digital goods” is a common term to describe any products that are stored, used, and distributed in an electronic format. Digital goods are typically delivered to the consumer via email or download from the Internet. They include products like movies, music files, software packages, cloud-based apps, eGift cards, audiobooks and ebooks. Due to their convenience and widespread popularity, the sale of digital goods is on the rise, and the fraud schemes that target them are as well.

One key factor responsible for the dramatic increase in this type of fraud is that fraudsters see the immediate delivery of digital products as a weakness they can exploit. When it comes to physical products, there is a timeline between when an order is placed and when it is shipped, which allows a seller to check for fraud the old-fashioned way, by manually reviewing the transaction. Buying digital goods, however, often involves an online transaction followed by an instant electronic delivery. Under such circumstances, a company typically has a window of less than one second to spot and stop a fraudulent transaction. Therefore, fraud screening must occur at the moment of purchase, which is impossible for businesses without an automated fraud detection solution linked with their integrated payments process.

Fraud prevention services use analytics to reveal unusual patterns that coincide with credit card fraud, money laundering, or loan fraud. Many eCommerce businesses process millions of transactions per day, and so if even 0.3 percent of those one-second windows are missed, large financial institutions may suffer losses of $10 million per year or more. In short: eCommerce businesses (especially large ones) must get a highly efficient automated fraud detection system.

Average # of Total Fraud Attempts Per Month

Source: LexisNexis Risk Solutions 2019 True Cost of Fraud Study E-commerce/Retail Report

Credit Card Data Breaches Hurt eCommerce, Not Consumers

When it comes to preventing credit card fraud, eCommerce merchants must keep a very watchful eye. Fraudsters often obtain credit card information to make unauthorized purchases, but how do they gain access to this sensitive data? Two words: Data breaches. Data breaches in businesses and financial institutions are largely responsible for the continuous rise in sales fraud.

In 2014 and 2015, data breaches hit an all-time high, and we continue to see their effects today. The Identity Theft Resource Center noted that there were 786 data breaches in 2014, a 27.5% increase from 2013. Within the first six months of 2015, 436 data breaches exposed more than 135 million records. With so much personal data floating around on the dark web, it’s easy for a fraudster to find credit card information and execute an attack.

At first glance, it may seem that the customer is the victim of a data breach. However, customers who discover fraudulent activity are protected by their financial institution. All they need to do is file a dispute and get their money back. They can even freeze their credit to prevent identity theft. Merchants, however, are the ultimate victim.

The millions of dollars lost from chargeback fees can do serious damage to businesses. Some of the largest companies in retail, such as Staples, Michaels, Neiman Marcus, Home Depot, Goodwill, and K-Mart, have been seriously harmed by data breaches. Other businesses like Dairy Queen, P.F. Chang’s, casinos, UPS, and large chain hotels have been hacked within the last few years.

To learn more about how stolen credit card information can sneak its way into your transactions, click here.

Combating Bot Attacks

There’s been a 33% increase in automated botnet activity since 2019. A bot or botnet is a network of compromised computers and similar devices controlled by one central server. Bot networks can consist of hundreds, thousands, and sometimes millions of computer devices being controlled by one source. Bots are often used to infect innocent devices or software with malware (malicious software). While the central “command” server can control the bots, they also have the worm-like ability to self-propagate. They are capable of causing major damage to individuals and businesses alike. A bot attack may consist of gathering passwords, identity theft, collecting financial information, DoS attacks, relaying spam, logging keystrokes, opening back doors on the infected computers, and exploiting back doors opened by viruses and worms.

Merchants need to be on high bot-alert when selling heavily discounted or free products. Sometimes fraudsters use these bots to create multiple orders in an attempt to get as many free products as possible. A smart tactic, right? Bot attacks are particularly active on Black Friday and Cyber Monday. We recommend that the merchant charge at least a shipping fee to disincentivize this behavior.

Synthetic Identity Fraud

Synthetic identity fraud is when fraudsters create fake identities by stealing Social Security numbers and coupling them with false information like names, addresses, and even dates of birth. This constitutes a serious threat to merchants because there is no identifiable culprit. Synthetic identity fraud can take years to detect, and it may even go unnoticed. It has become the fastest growing and most common financial crime in the United States. It cost banks $6 billion in 2016, with the average chargeback amounting to $15,000.

There are two methods that fraudsters use to create synthetic identities:

1. Manipulated Synthetics – This type of false identity is created from an individual’s real identity, but with limited changes made to their SSN and other personal information. This method is popular among people attempting to hide their credit card history in order to open a new line of credit, but it can also be used by fraudsters with malicious intent.

2. Manufactured Synthetics – Here, fraudsters collect bits and pieces of personally identifiable information (PII) from a group of real people and create a single fake identity. This is much more difficult to detect.

Identity fraudsters are capable of opening many accounts simultaneously. Then, they can use those accounts responsibly to build a credit score. When they rack up enough fraudulent charges, they use real credentials (used to create their fake identity) to pose as a fraud victim and get their credit line restored. Then, they use the additional credit to commit more theft.

Synthetic identity fraud is a complicated challenge, growing by the day. Solving this problem requires effective strategies that examine the core issue of identity legitimacy and typical outcomes. There needs to be a long and short term holistic prevention system capable of addressing the entire issue.

How Do You Determine the Cost of Fraud?

According to the LexisNexis Fraud Multiplier, the average cost of each dollar of fraud is now $3.13. This is up by 6.5% since 2019.

LexisNexis Fraud Multiplier

Source: LexisNexis Risk Solutions 2019 True Cost of Fraud Study E-commerce/Retail Report

To determine the “cost of fraud,” companies should pay close attention to:

– Chargeback Fees: The chargeback fee was created to be a customer protection tool. Chargeback fees and refunds are taken from the merchant’s account automatically without any consultation. Merchants may dispute a chargeback if it’s illegitimate or fraudulent. However, the fees that come from the original chargeback will always remain the merchant’s responsibility.

– Penalty Fees: Penalty fees are primarily based on the percentage of chargebacks received in relationship to total sales. Merchants who exceed the allowed threshold are subject to penalties from both the card network and the acquirer.

– Merchandise redistribution: This is the process of planning, controlling, and managing the flow of merchandise from a vendor to a distribution center and then on to the store or customer. Rerouting along the way (due to fraud) can result in extra costs of thousands of dollars.

– Labor/investigation: Work and investigation in a fraud predicament take time, energy, and money (lots of it).

What Can You Do to Fight Chargebacks?

With the current fraud trends, the Risk Solutions True Cost of Fraud Report highlights the importance of using “more sophisticated fraud mitigation solutions”. It finds that “merchants who use a multi-layered solutions approach experience fewer issues and a lower cost of fraud.” A multi-layered approach to fraud defense may include some or all of the following: traditional verification solutions, automated fraud solutions, a one-time passcode, knowledge-based authentication, and/or digital verification and document verification.

To learn more about how NoFraud can help your business navigate these ever-evolving fraud trends, reach out via email to shoshanah@nofraud.com.

What Is a Fraud Mule Attack and How Do I Prevent One?

A new fraud trend is developing in the eCommerce world, and it’s especially hard for most fraud detection solutions to catch. Known as a fraud mule attack, parcel mule scam, or reshipping scam, this notorious form of fraud harms innocent victims beyond the merchants that are scammed.

In this blog post, we’ll explain how fraud mule scams are operated, as well as tips on how you can keep your business safe and fight chargebacks.

Here’s how a fraud mule scam works:

1. The Promise

A scammer or group of scammers starts by recruiting unsuspecting accomplices. The scammer advertises a work-from-home position on a job board or social media site, promising a quick and easy way to make money as a gift wrapper, shipping inspector, packaging assistant, or similar title. All the applicants have to do, they are told, is receive packages to their home address and reship them to another address, often located in Eastern Europe or Nigeria. One study found that most shipping fraud scammers operated in or around Moscow, with ninety percent using mules living in America to ship packages to Russia.

When advertising the fake job opening, the scammer will often target low-income neighborhoods to take advantage of people desperate for more income. To the job applicants, the promise of earning a lucrative salary for performing simple and easy tasks must seem too good to be true—and it is.

2. The Setup

The fraudster hires one or more people, who will become his “mules,” or “drops,” as they are called by many scammers. Once they’ve chosen the mules, the fraudsters will collect their new hires’ personal information, ostensibly in order to pay them for their work. This usually includes their Social Security numbers, dates of birth, and banking information. Then, sophisticated fraudsters will add their “employee’s” billing address to the account of a stolen credit card via social engineering, using cards issued by banks with lax security.

3. The Purchase

Following instructions from his or her “boss,” the new “employee” will then make an expensive online purchase, unwittingly using the stolen credit card linked with their personal information. These purchases usually consist of valuable items that can easily be resold, such as consumer electronics.

From a fraud prevention standpoint, the order looks like a perfectly safe order. There is no detectable AVS mismatch; the customer’s billing address matches that on record at the bank, the shipping and billing addresses match and the name on the order is consistent with public records of where the “cardholder” lives.

Variations:

In a simpler but slightly less fool-proof version of the same scam, the fraudster will pay for the purchase himself (using the stolen credit card), and use the fraud mule’s shipping address. The fraud mule doesn’t pay for the packages they receive, but because their address and personal information is being used, they still act as a buffer between the scammer and the stolen goods.

Other scammers will ask their “employees” to pay for shipping costs themselves, promising to reimburse them later. Since many fraud mule scammers are based overseas, the cost of reshipping orders can be significant for the mules being taken advantage of. Of course, the fraud mules never receive reimbursement for the money they lay out.

While some small-time fraudsters carry out the entire scam on their own, more serious criminals operate the scam as a service to other crooks. The “operators,” as they are known, set up a network of mules and then charge other scammers (known as “stuffers”) to reship packages through the mule network.

5. The Aftermath

The merchant processes and ships the order to the “employee,” who sends it on to the fraudster. The real owner of the credit card sees the fraudulent charges to his account and calls his bank. Eventually, the merchant receives a notification and a chargeback fee.

The consequences can be devastating. The merchant loses valuable merchandise and receives a chargeback. The unsuspecting “fraud mule” can be held legally accountable for trafficking stolen goods, and will usually receive no payment for his or her “work.” Most are unceremoniously fired within thirty days of being “hired,” as the scammer tries to avoid detection by cutting ties with his mules.

In the worst scenarios, the scammer will “pay” the mule with a fraudulent check or money order, made out for more money than has been promised. The mule will be told to keep the amount he or she has “earned” and transfer the difference back to the “employer.” The mule will deposit the bad check and send the difference to the scammer from his or her personal bank account, only to be held liable by the bank for the full amount when the check is discovered to be counterfeit.

Why is this type of fraud happening now?

Fraud mule scams typically require stolen payment credentials, which can be obtained by attacks from hackers. Given the rash of data breaches that have occurred in recent years, the new trend of delivery address fraud comes as no surprise. The Equifax data breach in 2017 exposed the data of 140 million Americans, including, in some cases, credit card numbers. In March of 2019, 106 million people in the United States and Canada had their records exposed. Included among the stolen data were 140,000 Social Security numbers and 80,000 linked bank account numbers.

These incidents are only two examples of a growing global problem. The market consultancy Juniper Research projects that the number of records stolen in data breaches will increase 22.5% per year through 2023, reaching a staggering 146 billion private records compromised. Each one of these stolen records can be used to place fraudulent orders, putting untold numbers of businesses and individuals at risk.

How will this fraud trend affect your business?

Fraud mule scams typically involve large orders, often in the thousands of dollars. Because the most sophisticated scammers link their employees’ data to stolen credit cards, the fraudulent orders appear perfectly legitimate to most fraud prevention systems.

With so much at stake, merchants need to be able to identify orders placed by mules. Even one chargeback can be devastating to the bottom line, especially for merchants with narrow profit margins. On the other hand, overcautious fraud-prevention solutions result in lost sales.

Traditional fraud-detection solutions can’t keep up

It’s hard to estimate the amount of fraudulent behavior that goes undetected every year, but there are always new schemes being developed by unscrupulous thieves. As new methods of fraud evolve, standard rules-based fraud-detection systems fall short, unable to stay ahead of the trends.

The fraud mule scam is a perfect example of a fraud trend designed to slip past a rules-based fraud prevention solution. Most machine learning systems would also fail to uncover it because no similar fraud tactics would have been in the labeled training data for the supervised learning systems.

What can you do to protect your business from fraud mule attacks?

To avoid losing valuable merchandise to fraud mule scammers, you’ll need to learn to spot the red flags that many such scams have in common.

– Order Velocity:

Some scammers cut their mules loose (usually by pretending to fire them) after ordering and reshipping one large, expensive purchase. Many more scammers, however, try to send as many packages as possible through their mules before firing them, usually after about thirty days. That means you’ll see a sudden spike of orders to one address, all in a short period of time, from a customer who’s never done business with you before. If one of your customers (and especially a new customer) is ordering more frequently than is normal, consider it a red flag.

– Income Disparity:

Fraud mule scammers need to find mules who are desperate enough for money, and limited enough in employment options, that they’ll jump at the chance to reship packages. For this reason, they tend to target low-income neighborhoods.

At the same time, scammers are interested in stealing expensive items with high resale value. If you notice that a customer has placed a particularly expensive order for delivery to a low-income neighborhood, look deeper. You might be looking at an order placed by a fraud mule.

– Delivery Address Mismatch:

If you’re suspicious that an order might be part of a fraud mule scam, look up the cardholder’s address. If the scammer hasn’t managed to add his mule’s information to the stolen credit card, you’ll see that the delivery address doesn’t match the cardholder’s address on file. If this is the case, you can call the number associated with the cardholder to confirm that they placed the order.

Beware, though: if you’re dealing with a very thorough scammer, you might find yourself talking to someone who was hired to impersonate cardholders for just that reason.
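The order-velocity red flag above, and the "clusters of orders to the same address" noted in the earlier freight forwarder Q&A, can be checked with a sliding window over orders grouped by delivery address. This is an added example, not NoFraud's implementation: the threshold, the address normalization and the sample orders are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The article says mules are usually dropped after about thirty days.
WINDOW = timedelta(days=30)
# Assumed threshold; derive yours from normal repeat-purchase behaviour.
MAX_ORDERS_IN_WINDOW = 3

# Small assumed abbreviation map so spelling variants group together.
_ABBREV = {"street": "st", "avenue": "ave", "apartment": "apt",
           "road": "rd", "drive": "dr"}


def normalize_address(addr):
    """Collapse case, punctuation and common abbreviations."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)


def velocity_alerts(orders, first_seen):
    """Flag bursts of orders to one address from brand-new customers.

    orders: iterable of (order_id, customer_id, ship_address, placed_at)
    first_seen: customer_id -> datetime of that customer's first-ever order
    Returns {normalized_address: [order_ids in the burst]}.
    """
    by_addr = defaultdict(list)
    for oid, cust, addr, ts in orders:
        by_addr[normalize_address(addr)].append((ts, oid, cust))

    alerts = {}
    for addr, rows in by_addr.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most WINDOW.
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            burst = rows[start:end + 1]
            if len(burst) <= MAX_ORDERS_IN_WINDOW:
                continue
            window_open = burst[0][0]
            # Only alert when nobody in the burst has earlier history.
            if all(first_seen[c] >= window_open for _, _, c in burst):
                flagged = alerts.setdefault(addr, [])
                for _, oid, _ in burst:
                    if oid not in flagged:
                        flagged.append(oid)
    return alerts


def _d(day):
    return datetime(2024, 11, day)


# Constructed sample data.
SAMPLE_ORDERS = [
    # Four orders in nine days to one address, two new customer accounts,
    # address typed slightly differently each time.
    ("M1", "c-101", "12 Elm Street, Apt. 4", _d(1)),
    ("M2", "c-101", "12 elm st apt 4", _d(3)),
    ("M3", "c-102", "12 ELM ST. APT 4", _d(6)),
    ("M4", "c-101", "12 Elm St, Apt 4", _d(9)),
    # Same volume from a customer with years of history: not flagged.
    ("R1", "c-007", "88 Oak Avenue", _d(2)),
    ("R2", "c-007", "88 Oak Ave", _d(8)),
    ("R3", "c-007", "88 Oak Ave.", _d(15)),
    ("R4", "c-007", "88 Oak Ave", _d(20)),
]
FIRST_SEEN = {"c-101": _d(1), "c-102": _d(6),
              "c-007": datetime(2021, 3, 14)}

if __name__ == "__main__":
    print(velocity_alerts(SAMPLE_ORDERS, FIRST_SEEN))
```

Grouping by normalized address rather than by customer account matters because a scammer can open several accounts that all ship to the same mule.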

Nothing beats expert humans

Today, even with advanced fraud rules engines and machine learning, merchants still need experienced fraud analysts to catch the sharpest fraudsters out there. NoFraud fuses man and machine to create the most effective fraud detection system available to interface with your integrated payments process, ensuring peace of mind for you. It’s a solution that has seen tremendous success in combating the recent wave of fraud mule scams. Using NoFraud’s cutting-edge technology, our expert analysts spot the subtle clues across our customer data and react quickly, saving our clients millions in potential fraud losses.

To learn more about this new fraud trend and how NoFraud can help you protect your business, reach out via email to shoshanah@nofraud.com

From breach to checkout, how stolen credit card data gets into your orders

Once breached credit card data spills onto the dark web, it’s only a matter of time before some of that data trickles into your eCommerce site’s transaction volume. Never mind that you’ve plugged all possible leaks in your payment process. Fraudsters will gleefully water down your order form with credit card data stolen from elsewhere. If you’ve ever wondered how that data flows from its rightful owner, across the depths of the dark web, and into your orders, then you need to listen to The Online Fraudcast’s Episode 8–What Happens to Stolen Credit Cards.

No time to listen? We’ve broken out the highlights for you.

How does credit card data spill onto the dark web?

“Credit card numbers get compromised by any number of methods,” says Brett Johnson, Consultant at AnglerPhish.com, and The Online Fraudcast’s co-host. It may be a large database hack, such as Target or Home Depot, a phishing attack targeting the easily deceived, or malware installed on brick-and-mortar stores’ POS systems. Or the data could be compromised on a smaller scale: card skimmers at gas stations, quick snapshots at restaurants, old-school theft of the mail, or fraudulent eCommerce sites (more on that later).

“The sad truth of it is that most of the time the people who are using stolen credit card data won’t be caught,” says Johnson, once known as the internet’s original godfather. “Credit card theft is probably the easiest crime for cyber criminals to commit. You don’t need a victim’s social security number, and there are more credit card numbers available on the dark web now than there ever have been. It’s no longer a problem that you can arrest your way out of.”

What happens to a credit card number when it’s stolen?

Its fate depends on whether it was part of a small- or large-scale breach.

In the case of small-time card skimmers or physical thieves, they’re likely to put the data up for sale within 24 to 48 hours. Ironically, because these numbers are breached piecemeal, it can take longer for the issuer to realize what’s happening. If the card’s owner isn’t vigilant, the useful lifespan of the card data can be longer.

Data lost in larger volumes takes longer to become available. A successful database breach or phishing campaign could yield millions of credit card numbers at a time. The perpetrators want to sell those numbers wholesale to distributors who will resell the data in smaller batches.

Before the distributors will buy the data, they need assurance that most of the numbers are valid. So, the breaching group will validate a small portion of the cards’ information. Non-profits’ donation forms are popular targets for validation, since the forms are designed to minimize the amount of friction for donors.

The validated data could appear for sale in as little as a week, or it could take months. It depends on whether an older batch of data has to sell first. Like your friendly neighborhood grocer, sellers want to move older product before making fresher batches available. Otherwise, they may not get any return on their work. Why?

“Large-batch data has a shorter lifespan because it’s sold to multiple different resellers who are selling it through many different channels,” says Johnson. “That data goes into use faster, and in multiple geographies. The card issuer is likely to notice the problem sooner and shut down all of the breached cards quicker.”

How many people are committing credit card fraud?

There’s no way to determine the absolute number of credit card fraudsters, but the dark web marketplaces offer some sense of scale.

By the time Johnson’s dark web forum, Shadowcrew, was closed down in 2004, he estimates the community counted 4,000 active members.

When Alphabay was shut down in July 2017, it was the largest criminal network on the internet with 240,000 members (most of whom used the marketplace to buy drugs). Of those, Johnson estimates that up to 60,000 were active fraudsters.

(In a later episode of The Online Fraudcast, Johnson discusses the closure of Wall Street Market, which boasted 1.15 million user accounts at the time it was shut down. If we apply Alphabay’s ratio of users to active fraudsters, that could mean over 250,000 people involved in credit card fraud.)

Big honeypots: one-day fire sales on no-name eCommerce sites

Remember the fraudulent eCommerce sites mentioned earlier? Here’s some public service announcement material for you: those sites harvest discount-chasing consumers’ credit card information. Karisse Hendrick, owner/principal consultant at Chargelytics Consulting and Johnson’s co-host, described pop-up scam eCommerce sites offering Black-Friday-like deals.

“I saw one site offering very expensive exercise watches with biometrics for a very steep discount, which wasn’t available anywhere else,” says Hendrick. “The site claimed to have just a few of each of these expensive items for ‘one day only.’ Aside from a few other items, it was a pretty sparse website. I’d never heard of the company before.”

This spurred Johnson to share how he would run such a scam, if he were still in the business of crime: “I would buy stolen credit card information to order high-value, in-demand items like those watches. Once I got those products in, I’d set up a merchant website and sell those products at a steep discount. It would take a little bit longer to monetize the stolen credit card data, but it would allow me to harvest all of my customers’ payment information. Plus, this preliminary phase would make my merchant website look more legitimate. Two months down the line I could buy more stolen credit card data, run that data through my merchant website, without needing any products, and cash out.”

eCommerce merchants caught in the middle

In this conversation, Hendrick is quick to point out that “Ecommerce merchants aren’t the ones losing their customers’ data, they just happen to be the platform by which criminals are monetizing stolen credit card data. There’s a big difference between where the data comes from and where the data is used.”

If you’re managing fraud in-house, then check out these timeless Fraud Prevention Tips Every eCommerce Merchant Should Know. There’s a good chance you’re spending more than is necessary to solve the problem. Find out how much fraud is costing your business.

NoFraud Partners with Cashier by Bold

NoFraud is pleased to announce an integration with Cashier, by Bold, available to our Shopify and BigCommerce customers.

“Cashier is a feature-rich global checkout solution designed to help your business scale. You can create a flawless shopping experience for your customers with advanced features such as Upsell after checkout, stored credit card accounts, the ability to sell in 150+ currencies, and much more. Best of all, our high-converting one-page checkout can be fully customized to match your branding, complete with custom URL and design.”

CNP Fraud Will Hit.. Are You Prepared?

Originally posted on Inside Retail Australia.

Increasingly complex card-not-present fraud will cost retailers US$130 billion globally in digital sales over the next five years.

A Juniper Research study predicts that retailers’ slow pace in keeping up with new fraud prevention requirements will allow cybercriminal practices to become more widespread as more and more consumers shop online. It observes that established point-of-sale vendors will need to move towards mobile POS technology in order to expand their reach into fresh markets and reduce their exposure to card-not-present fraud.

“A layered fraud detection and prevention (FDP) solution naturally helps directly preventing fraud, but it also offers major gains in terms of recovering potentially lost revenue through false positives,” said the report’s author Steffen Sorrell. “This is something about which retailers remain undereducated, and has allowed fraudsters to capitalise on relatively low FDP spend”.

An implication of the Juniper research is that a low understanding of FDP investment return is causing the low uptake of the technology. The report anticipates digital payment players will be spending $9.6 billion annually on FDP solutions by 2023.

Read the full article here.