• Brett Johnson

Refund Fraud, Part 2: How is it Committed?

Updated: Sep 27



Part One of this three article series defined Refund Fraud.


Part Two? This is where the pavement meets the road. How specifically are these crimes committed?


Whereas there wasn’t a lot of interest in Refund Fraud a couple of years ago from merchants and security people? Today it is the cat’s pajamas. Fraudsters are making a lot of money committing the crime and consultants and security companies are making a lot of money trying to sell products and services to the merchants being victimized.


Before we start? A word.


A few things I’ve noticed to which I take exception:
First: I don’t believe in charging victims. If you are a consultant or security company and are contacting victims trying to sell them your services? You are nothing more than an ambulance chaser. To charge a victim to help them is unacceptable. Help the victim. Then once they are out of danger? Sell them your product or service.
Second: I’ve noticed those out there talking about Refund Fraud fail to specifically discuss how this crime is committed. The reason given is that it will tell anyone who wants to commit this crime how to do it. I don’t believe that. I think the reason the details are not discussed is because people are trying to charge merchants for that information. Criminals already know how to do it. It is freely available on criminal forums and websites. The only people who don’t know how it’s done are the victims. That a consultant or security company would not explain to a victim how they are being victimized so that profit could be made is unacceptable.
Third: Many consultants and security companies tell cybercrime victims, “I can fix all your problems. I can make it all go away.” Victims or potential victims are told they won't need anything else and that crime will drop to zero if they just buy their product or service. It is Bullshit. It’s the cybersecurity version of Pillow Talk. It's happening with Refund Fraud. If a consultant or company tells you they can stop it completely? They have lied to you. Run away. Run far far away.

Let’s get to business.


Type of account needed: A new account is much more likely to be fraudulent than one which has been in the system and active for an extended period. Because of this, aged accounts are preferred when doing Refund Fraud. Refunding on a new account? It is suggested by Professional Refunders those using newly created accounts place 2-3 legitimate orders with them before trying to commit fraud. The account then has history and appears as legitimate when the Refund Fraud takes place.


Can Refunders use the same address multiple times? Every merchant can be refunded unlimited times. Dollar amounts may vary, though. Using the same address, name, etc. depends on whether the merchant is relying solely on Rules Based Security (very likely) or a degree of machine learning. If rules based? Using the same address is as easy as making minor adjustments to the purchasers name and address:

--Robert Perkins becomes Bob Perkin

--10 Oak Street becomes #10 Oak


The changes are just enough so that a rules-based system doesn’t recognize the adjusted address but the delivery driver can still deliver the package. If machine learning and it’s done properly (huge caveat) this will mean the fraudster will need a new address in a new zipcode for each order. It will also mean a different payment instrument (prepaid debit cards, gift cards, newly opened bank accounts, Cashapp type services), different browser fingerprints or new devices, different IPs, and more.


Common Methods of Refunding

· Did Not Arrive (The Most Common)

· Empty Box (Highly Successful)

· Fake TID (Extremely difficult to stop)

What you don’t see mentioned is leaky battery, damaged product, bodily fluids (blood). Why? Because these methods cause more problems than they solve. Those reasons result in things like carrier investigations, requests for photo evidence, denial of claim, etc.

Did Not Arrive Method. Easy enough. Wait 2 business days after the delivery is made for the highest success rate. Contact the merchant and say the product never arrived. Act upset. Say something like it’s a birthday gift. Request a replacement or a refund.


This remains the number one reason given by those attempting Refund Fraud, but not the most successful. Today, merchants confirm tracking information, start carrier investigations, have pictures of the delivery. Or maybe you signed for delivery. Or the delivery driver noted he gave it to a person inside the home. The result? Many of those claiming the package did not arrive are denied their claim. Claiming Did Not Arrive is not favored by more experienced Refunders.


Empty Box Method. You receive the item. Contact the merchant and claim the item was not in the box. This can be for a single item (Camera, Laptop, Cell Phone) or multiple items (clothing, PC Parts). This method is highly successful. For single items you tell the merchant you received the box, but nothing was in it. Multiple items you say the item was completely missing. Most customer service will immediately replace.

If encountering a difficult customer service agent? Hang up and call customer service back as soon as possible before any note can be registered on the account. The refund will most likely go through after the second or third time. This method remains the most used and most successful reason given.


Most companies do not have their own return center. They use other companies to handle their returns.

TID. Fake Tracking ID. This method can be applied to every merchant. This is the method most consultants and security companies don’t want publicly shared. They claim its because they don’t want aspiring criminals knowing how to do it. The Truth is they want merchant victims to pay for their products and services. Criminals already know how to do this.


To illustrate the point, I acquired a tutorial from the darkweb which explains how to do TID step-by-step. The tutorial was free to anyone who wanted it. We will let the tutorial speak for itself and explain how to do TID in order to defraud a merchant:

















An added bonus to this tutorial is a walkthrough of how to defraud Amazon.de with a TID method:








The tutorial also warns of investigations:


And that’s refunding in a nutshell. There are variations to the above techniques. For example, these techniques have been known to work with instore pickup or curbside delivery at retailers like Target, Walmart, Apple, and others.


Innovations will and are popping up.


It’s important to note that Social Engineering plays a huge part in all of the techniques described. The Refunder must establish Trust with the merchant victim in order to get the refund processed. Social Engineering plays a huge part in establishing that false Trust.


This blog article is part two of a three-part series on Refund Fraud available on www.cybercrime101.com.


Part One: Refund Fraud - What is it? (Where we define Refund Fraud).


Part Two: Refund Fraud - How is it Committed? (Where we walk through exactly how this crime is committed so merchants know what it looks like).


Part Three: Refund Fraud – How Can it be Stopped? (Where we discuss strategies and tactics for mitigating this crime).


140 views0 comments

Recent Posts

See All