How cybercriminals use refund as a service to defraud companies

March 20, 2023
As if e-commerce companies didn't have enough to worry about, the latest trick from hackers is growing and it's flooding sites – refund fraud.

As if e-commerce companies didn't have enough to worry about, the latest trick from hackers is growing and it's flooding sites, especially as we gear up for peak holiday season – refund fraud.

According to the Better Business Bureau, online retail fraud losses are expected to approach $380 million in 2022. Last December, a man pleaded guilty to defrauding a retailer for over $300,000 by performing refund fraud over three years - ordering expensive goods and returning cheaper or damaged items for reimbursement. 

Today, in the era of cybercrime as a service, outsourcing refund fraud to professional criminal social engineers is simple. The items don't even need to be returned. The group conducts fraud on behalf of the customer for a cut of the refunded value – usually 10-30% of the total refund value.

According to a new report, over 1,600 professional refund service adverts are on hacker forums. The research identified over 540 new refund fraud service adverts in the first three quarters of 2022.

A Lucrative Threat

Hacker forums such as Cracked, Nulled, and Sinisterly regularly promote these fraudulent services and now have dedicated sections for them, proclaiming excellent customer service and experience. Members with upgraded memberships can create threads.

Once a thread is created, other forum members can leave feedback and reviews. Five stars for fraud! Yep. Refund fraud as a service has officially hit the outsourcing market, and it's lucrative. 

It's tricky to spot too. Legitimate customers with no history of fraud can enlist highly experienced fraudsters to perpetrate fraud on their behalf. This makes it difficult for retailers to identify it due to the absence of prior activity. A group requesting refunds across multiple customer accounts is unlikely to be detected. Requests sometimes require users to provide their credentials to the hackers, so they seem legitimate.

Two powerful tactics are frequently used when it comes to non-arrival fraud tactics. First, fraudsters claim an item did not arrive (DNA). It's as simple as saying the package never made it to the buyer. This tactic works best when packages are left outside without a requirement for a signature.

This trend rose in popularity during the pandemic when no-contact delivery became big. If a package is signed for or confirmed that it was delivered, stores request a police report to corroborate the story. Fraudsters often comply and go as far as forging police reports.

Tracking Fraudsters

The second method is the partially empty box (PEB). Fraudsters claim the package was missing elements. It is mostly used for lightweight, high-value items such as jewelry, smart watches, and mobile phones.

Fraudsters do a good job tracking what is and isn't possible at retailers. They maintain lists of stores and companies that can be defrauded. These lists detail the types of items, value, processing time, and refund fees.

It's not just retailers that are victims. It's delivery carriers too. Bad actors don't discriminate and target whatever they can scam. Unsurprisingly, some fraudsters use the information their customers provide to extort them or discourage negative reviews.

One forum, Nulled, even had to set guidelines to prohibit this activity. Other criminals pretend to offer refund fraud but instead, they attempt to steal personal information or money from customers. All of the risks lie with the customer. 

How can businesses protect themselves from this growing trend? Three things spring to the forefront. 

First, e-commerce sites and delivery providers should implement a one-time password provided on delivery. A unique password protects against DNA methods. It is hard for the recipient to argue that a package wasn't received if they validate the delivery with a password that only they know. 

Secondly, customer service employees should also be aware of refund fraud methods and tactics. They should be trained to look for red flags, such as using a third party to request a refund, or inconsistencies, such as IP addresses between the customer's regular sessions and their refund request. Reps should also look at atypical buyer behavior – such as items above the value usually purchased by the customer or if multi-factor authentication has been removed from an account. 

Collaboration is Needed

Since refund fraud targets e-commerce sites and delivery carriers, the two need to collaborate, such as looking for patterns in their data sets that may indicate fraudulent activity, like noticing many refunds or a lot of packages lost in transit. Dedicated in-house threat intelligence with the ability to infiltrate online criminal communities is also critical to understanding trends.

This can be expensive, so look for a partner to collect information and share the biggest threats to your business. It is critical that someone can monitor dark web activity, disrupt threat actors and fight back against attacks.

Once a claim is recognized as fraudulent, the store should rebill the customer's account. Fraudsters only get paid after a refund is confirmed, and if the refund fails, many don't offer a refund themselves. When sites rebill a customer's account, they recover some losses and protect their reputation. Reputation is power in the underground market, so with many strikes against it, a fraudster may receive bad reviews or be forced to take a retailer off their list. 

It's no surprise that mimicking the real-world service-based economy now applies to cybercriminals. Refund fraud is no exception and companies must take control. Any business that operates online is a target for fraud. Protecting your organization and customers against online fraud and malicious threats requires real-time insights that ensure the efficacy of your security initiatives. 

As the holiday shopping season kicks off, e-commerce sites should take the necessary steps to reduce their risk of refund fraud, including educating employees on the methods and tactics fraudsters take

Cyril Noel-Tagoe, is a Principal Security Researcher at Netacea where he researches, speaks and writes about malicious bots and other cybersecurity topics. Previously a cybersecurity consultant at KPMG, Noel-Tagoe graduated with an MSCi degree in Computer Science degree from the University of Birmingham in the UK.

About the Author

Cyril Noel-Tagoe | Principal security researcher

Cyril Noel-Tagoe, is a Principal Security Researcher at Netacea where he researches, speaks and writes about malicious bots and other cybersecurity topics. Previously a cybersecurity consultant at KPMG, Noel-Tagoe graduated with an MSCi degree in Computer Science degree from the University of Birmingham in the U.K.