Ready to learn more?
Reroute Fraud: The Growing eCommerce Problem
A Guest Post by Fraud Expert Alexander Hall
Summer is here. What does this mean for merchants?
The data from our friends over at NoFraud paints a clear picture: during Summertime, fraudsters kick into gear rerouting, intercepting, or hijacking packages of products relevant to summer activities. This concept is nothing new, as the needs of fraudsters are the same as ours. Fraudsters are constantly evolving their tactics to target hot items, and this changes with the emergence of new trends, seasons, releases, and technology upgrades.
This specific shift in fraudulent directives affects merchants of many industries as the seasonal products range from pool equipment to clothing and apparel, to BBQ accessories, and more.
Below I have outlined four methods employed by fraudsters and what merchants can do to reduce their exposure and mitigate losses.
During my time spent on the other side of the fence, I observed four primary methods used by bad actors to obtain goods illegally.
The first method is most familiar. Legitimate customers place orders using legitimate payment methods, but the items are stolen after delivery. Criminals will go as far as to follow the routes of delivery trucks and brazenly pull up to houses and steal the package. Criminals operating in this way are known as porch pirates. The porch pirates have no idea of the contents of the package but are willing to risk jail time to find out. Due to the increase in purchasing of summer-related items, this lends to the uptick in losses identified by NoFraud.
The theft of legitimate packages isn’t so much fraud as it is blatant theft. However, the result is the same for the merchant. Chargebacks for these events are received and coded for unfulfilled or item not received.
The remaining methods are actual fraud. Each of these methods employs different tactics and therefore produces different flags for the merchant to identify. But all of these methods involve the following steps:
Obtain payment information.
There are two primary ways for a fraudster to obtain payment information. They can obtain stolen information or establish new payment information and leverage that data. For this article, we will stick to stolen payment information, which is the most common.
When a fraudster establishes new cards or accounts, they have likely put in the effort to manipulate the necessary information so that they don’t need to redirect successful transactions. When effective fraudsters establish new lines of credit, they tend to use additional techniques in order to associate new addresses with the identity that they are targeting. This results in matching billing and shipping information that the fraudster dictates.
Fraudsters obtain stolen payment information in many ways, the most prominent channel being Dark Web exchanges. Fraudsters will search various Dark Web forums and purchase stolen information. The information obtained on the Dark Web can include card numbers, account holder names, CVVs, billing addresses, and more. Alongside the payment information are step-by-step instructions for how to complete orders. The information in the instructions may include information that can increase the chances of circumventing fraud filters.
Place the order.
By following the instructions found on the dark web and plugging in the stolen payment information, the fraudster places the order. Fraudsters will often filter through billing addresses on the Dark Web forums to purchase card information local to their operation. This is where the first and least reliable method comes into play.
Shipping Items to a Non-Billing Address
In this method, the fraudster follows the instructions found online. They enter accurate and complete payment information but use a different shipping address. The instructions found online indicate that the shipping address can be within a threshold of “X km” from the billing address before an escalation is triggered. Then, the fraudster places the order, taking advantage of merchants that employ rules-based fraud prevention, and the order is shipped.
Adjusting Shipping Information After Checkout, Before Shipment
The third method involves social engineering against the merchant’s customer service team. When placing the order, the fraudster plugs in the correct payment information as well as the shipping address to match the billing. If this satisfies merchants’ fraud prevention guidelines, the order is usually confirmed. Then, expecting the fulfillment to take a few days, the fraudster calls customer service or submits an urgent ticket, requesting that the shipping address be adjusted.
This tactic can effectively bypass the fraud prevention analysis employed during checkout and takes advantage of a company’s desire to satisfy the needs and requests of its customers. The shipping address is changed, the order is processed, the shipping label (with the new, unrelated address) is printed, and the package is shipped.
Adjusting Shipping Information with the Courier Service
The fourth and final method takes place after the package has been shipped and leverages social engineering against the courier service. As with the third method, the fraudster inputs all of the correct and matching billing and shipping information during checkout. Once the tracking information has been received, the fraudster contacts the courier service and uses any number of justified reasons to ask them to hold the package at the post office. For instance, they may say that an emergency came up and their cousin will pick up the package. After providing the postal worker with the information for the “Pickup Person,” the conversation ends.
The Systems of Manipulation
Before we talk about the steps you can take to prevent fraud, let’s pull back from the granular view of the methods and identify how the fraudster is manipulating existing systems to achieve their goals.
For the first and simplest method, the criminal drives around and watches for unattended packages. The “system” that is being manipulated is on the level of the general public, people who don’t collect their packages immediately upon delivery.
In the second method, the fraudsters take advantage of e-commerce systems that haven’t yet employed even the most basic fraud prevention measures. Not all orders with mismatching billing and shipping information will be fraudulent. However, if left unchecked, this can wreak havoc, resulting in enormous losses for the merchant.
Alternatively, in the third method, the fraudsters identify that an effective fraud prevention system is in place. Instead, they attack the merchant based on its customer satisfaction policies. The needle on the gauge indicating merchant security and customer satisfaction is stuck at 90 degrees, allowing fraudsters to assume the guise of legitimate customers to adjust orders.
Using the fourth method, which is the most reliable method, the fraudsters understand that the merchant is well-equipped and knowledgeable regarding the processes in their system. The checkout form has additional verifications in place behind the scenes, and the customer service team cannot be duped into making changes during the fulfillment process.
Because the merchant’s systems are robust, the fraudster engages with the next system down the line and associates a new identity with the order for pickup. The value of assigning a supposed brother-in-law, sister-in-law, or cousin is that the name can be anything. Historically speaking, the postal service does not employ investigational services to challenge this information.
This is an escalation process employed by effective fraudsters. By moving the exploit further and further down the line and finally moving the exploit out of the merchant’s hands entirely, effective fraudsters can maintain a high success rate. This is but one example of many forms of fraud that are becoming more and more evident with each shift or passing cycle.
What can be done?
There are four critical elements to an effective fraud prevention strategy: knowledge, data, monitoring, and more data.
Knowledge of the internal processes and hand-offs within your company is an essential part of your fraud-prevention strategy. It is helpful not to think of instances as “transactions” but as “transfers of value.” The reason for this is simple: Fraudsters are not limited to exploits centered around cash, checks, and cards. Therefore, your fraud prevention strategy shouldn’t be either. By identifying your transfers of value, you have a great starting point for envisioning your fraud prevention policies and processes. All that is left is to fill in the blanks.
Data is shared at lightning speed among service providers and publications. Stay up to date with the information that identifies emerging trends. As your company grows outward into new territories, new systems, and new processes, become aware of emerging threats so you can arm yourself against them.
Monitoring the performance of your company will give you insight worth its weight in gold. Monitor where attempts have been identified in your own operations and report them so that you can raise awareness within your organization.
This can seem like a truckload of effort, trial and error, and man-hours…and it is. This is where service providers step in to the picture with:
More Data is available for operations who look for it. Public information is powerful on its own. It tells us what to keep our eyes open for. But proprietary information is golden. By partnering with effective fraud prevention solution providers, merchants can leverage a symphony of proprietary data. Service providers use experienced personnel to orchestrate and manage the lifespan of your transactions by referencing a myriad of past information. They then use this data to make the best assertion against suspicious transactions, resulting in an operable balance between merchant security and customer satisfaction.
How Do Service Providers Do This?
Consider the first method that I outlined above. By tracking a data-rich network of CNP Merchants who report chargebacks for stolen packages, a part of the analysis might result in the cross streets or zip code being flagged, with action taken to recommend using signed delivery. The data of the merchant network allows for the merchant to be aware of the risk prior to experiencing losses.
Consider the second method: billing and shipping mismatch. By scrutinizing every mismatch, a company runs the risk of prolonging or even canceling good orders in its attempt to catch the bad ones. This risks damaging the relationship with good customers. However, by employing the data from an extended merchant network, analysts may reveal past purchases that fit this pattern. Perhaps a parent orders a gift for the child, a boss for an employee, or brother for a sister, a friend for a friend. You don’t know for sure, but global data networks can help thin the fog.
With the third method, the “customer” requests to change the shipping address to one different from the billing address. The ‘new’ address likely isn’t in your system. Is it in the merchant network? Are there chargebacks associated with it? It’s unlikely that you will find the answer to these questions in your data, but you can tap into the merchant network of your service provider to find them.
Service providers can also respond to the fourth method by taking a proactive approach. By tapping into reports of past occurrences, service providers cross-reference relevant information with numerous data points from sources ranging from social media to utility services providers to courier services.
By partnering with a fraud prevention service provider like NoFraud, you get access to more data sources and software that operates behind the scenes to automate your transaction analysis. Coupled with a well-informed decision-making process, merchants can rest easy knowing that their operation has the right balance of customer satisfaction and transaction security.