- Brett Johnson
Refund Fraud, Part 3: Can it be Stopped?
Updated: Sep 27, 2021
Part One of this three article series defined Refund Fraud.
Part Two of this series described specifically how this fraud is committed.
Part Three? Can it be stopped?
I was the first person that seriously attempted to warn merchants about this type of fraud. The first blog article I ever wrote was about Refund Fraud and how it was redefining cybercrime. There had been a couple of articles prior, but those writeups only mentioned Refund Fraud as a curiosity, nothing serious. At the start of my speaking career, I spoke about Refund Fraud at every opportunity.
No one listened. I was heard, but no one listened. I keynoted the CNP Conference in 2017. Questions were asked on how to stop it. Insight was given 4 years ago that is still repeated today. But Refund Fraud was viewed as a sort of curiosity more than the serious crime it already was.
I mention that because the lack of listening seems a problem with cybersecurity overall. Most breaches, online crimes, and cybersecurity issues could have been mitigated or outright avoided had those warnings been heeded.
Can Refund Fraud be stopped?
No need for pillow talk. No, it cannot.
Look to Amazon. This crime begins at Amazon over seven years ago. Amazon has been combating it longer than any other retailer on the planet. Amazon has more money than anyone else. They have the best security tech on the planet. Amazon and Refund Fraud is the reason delivery drivers take pictures of delivered packages. Did Amazon defeat Refund Fraud? No. In fact, dollar amounts for which Amazon can be defrauded have increased.
Amazon didn’t defeat Refund Fraud. You aren’t going to. But Amazon did mitigate the problem. You can too.
Over the years, Amazon employed a variety of tools, techniques, and policies to mitigate Refund Fraud:
· Police Reports
· Data Analysis.
· Rules Based and Machine Learning Systems
· Banned and Blocked accounts
· Required Signature for some deliveries
· Refund approval for higher dollar amounts
· Internal and Carrier Investigations
· Reviews of Refund Requests and Manual Reviews
· And much much more
Amazon provides a good model for how to deal with Refund Fraud.
Data matters. You own the data on your system. If you don’t have a complete, real-time view of everything going on criminals will exploit that blindness. Amazon has suffered with this problem. This allowed criminals committing refund fraud to use the same IP address, same device, and same browser fingerprint for different accounts. Criminals took advantage of the fact that different countries Amazon sites weren’t connected and didn’t cross reference each other. VOIP phone numbers were common. And more. Properly examining Data will prevent these things as well as tell how big of as problem you already have with Refund Fraud.
Properly analyze the Data. All of the Data. The data will gives all types of answers: What payment instruments are being used to commit the fraud. If a criminal is using the same IP on different accounts. If the browser fingerprint matches other accounts. If customer service is being contacted by the same individual for multiple accounts or if VOIP is in use.
That’s a small example of what can be learned from analyzing the data. Data matters. It makes things more difficult for criminals. That’s the idea. You want to make your business a difficult target. The harder you make it for a criminal, the more likely that criminal will choose an easier victim.
Rules Based and Machine Learning Systems. Amazon started with Rules Based. As a result, Refunders could use the same address multiple times to set up accounts and commit fraud. Because the system was rules based all it took was a slight change to the address and the customer’s name. Robert Perkins became Bob Perkin. 10 Oak Street became #10 OakST.
A strictly Rules Based system allows a criminal to continue using the same name and address to create multiple new accounts which appear different to the merchant. Machine Learning changes that.
You should understand where you need a Rules Based approach and where you need Machine Learning in your business.
Signature Required, Pick Up at Station, Delivery Snapshots. Amazon used to deliver those MacBook Pros without a Signature Required for delivery. As a result, Refunders would usually claim the item never arrived. Amazon would then issue either a replacement or Refund—sometimes both. Enough changes have been made over the years (From Signature Required to Assigned Pickup Locations to finally taking pictures of delivered items) that today claiming an Amazon item didn’t arrive isn’t a guaranteed refund for a fraudster.
Did Not Arrive, Empty Box, TID. Those are the three ways Refund Fraud is currently committed. If your business can employ some of the same techniques Amazon has to deter false Did Not Arrive claims? You take away one of the 3 ways Refunding happens.
Weigh and Video. The Empty Box Method is currently the most common and most successful reason given by Refund Fraudsters. Amazon combats this by physically weighing each package before it is shipped as well as video taping each package being prepared. Weighing ensures that none of the boxes are empty as well as that the overall shipment has all the products ordered. Videotaping package preparation guarantees employees aren’t stealing items. This way when a claim is made of an empty package Amazon has the ability to contest such a claim with tangible evidence.
Internal and Carrier Investigations. A customer says the item arrived and nothing was in the box. An internal investigation determines that the package left the warehouse at the correct weight and employees acted properly (weigh and video taping procedures). Contact is made with the customer to determine if the package looked damaged or opened. The answer will determine if the shipper is contacted to initiate an investigation on the carrier side.
Investigations are tools which help determine whether to process a Refund or Replacement or to deny the claim.
Slowing Things Down. Police Reports, Online Forms, Affidavits, Reviews, Investigations, Manager Approval, Etc. All are beneficial in fighting Refund Fraud. But all have something else in common as well. They take time. Meaning that the criminal must wait. Most fraudsters commit a crime, live off the proceeds of that crime, and commit the next crime only when they need more cash quickly. Often a criminal is broke until they receive the item or the money from the refund. Delaying the payout from a couple of days to a couple of weeks is often enough of a deterrent to cause many to seek another target.
Processes and Policies.
Conduct an internal audit. Find out where the weaknesses are in your system.
Hire an outside “Refund Pentester”. Someone experienced in criminal behavior and tools. You need to understand exactly how the refund process is targeting your system. Without knowing you cannot form proper defenses.
Require “Approval” for refunds. This further slows things down and allows you to analyze the order and data to determine if any fraud flags exist. This also allows further investigation into determining a possible TID attempt.
Communicate and Listen. Refund Fraud often succeeds due to a failure to communicate. Merchants fail to properly communicate with off-site return centers. They don’t reach out to customer service. They don’t contact or properly interview the customer making the claim. Often internal departments find it difficult to properly communicate with other departments. And sometimes there is a decided lack of openness within an organization or department for opinions, insights, and experiences from the outside.
Reach out to other merchants and share information about this fraud. Collaboration is key
Know How Refunders Pay. Refunders almost always start by using their own bank accounts and credit cards. As a Fraudster continues to commit Refund Fraud he will need alternate payment instruments. This means prepaid debit cards, gift cards, and services like Chime and Cashapp to purchase product.
Knowing how the item was purchased will help identify instances of potential fraud. Keep BIN lists of prepaid cards, identify Chime, Cashapp, and similar types of services used to purchase product.
Note the use of any of these products doesn’t immediately constitute fraud. But it can be an indicator. Example: New account or account with very little traffic. Higher dollar order placed which turns into a refund or replacement request. Payment instrument is a prepaid debit card? Definitely a flag.
The Ban Hammer. Accounts which are identified as engaging in Refund Fraud should be banned immediately. The address should be blacklisted. The IP range flagged. Phone number flagged. Device banned. Failure to kick a criminal out of your system is an invitation to continue criminal activity.
Prosecute. Criminals are aware very few people are prosecuted for Refund Fraud. The lack of prosecution is one of the major selling points. Criminals boast of no negative consequences. Many merchants fear prosecuting with damage the merchant’s brand. This is nothing more than cognitive dissonance on a corporate level. Faulty thinking. Not prosecuting means you are failing to protect your customers and your brand. It tells criminals that your business is a risk-free target. Protect your brand and deter criminal activity: Prosecute to the fullest extent of the law.
Monitor Criminal Networks. It is important to monitor criminal groups for chatter about your organization. But that comes with a huge caveat. Having someone monitor who has no experience in the dynamics of cybercrime is useless because that person won’t be able to differentiate the false or embellished chatter from the real intel. Monitoring by someone unskilled will often result in doing more harm than good to your business.
Finally? Reach out to those who will assist. Someone who wont talk to you without you giving them money should be avoided. Someone who is paid to recommend a specific company should also be avoided. Those people don't have your best interest at heart. They have their own best interest at heart.
This blog article is part two of a three-part series on Refund Fraud available on www.cybercrime101.com.
Part One: Refund Fraud - What is it? (Where we define Refund Fraud).
Part Two: Refund Fraud - How is it Committed? (Where we walk through exactly how this crime is committed so merchants know what it looks like).
Part Three: Refund Fraud – Can it be Stopped? (Where we discuss strategies and tactics for mitigating this crime).