By Karisse Hendrick, Principal, Chargelytics Consulting
The holiday season should be filled with family, relaxation, gratitude and kindness to others. But in the online fraud prevention industry, the last few weeks of the calendar year are anything but relaxing. Often, getting to see your family or spending some time volunteering is a luxury. With significantly higher online traffic, life gets much easier for fraudsters in November and December. If fighting fraud the rest of the year is like finding needles in a haystack, the holidays mean much more hay in that haystack. Bad actors rely on that extra hay to hide more needles (fraudulent transactions) in your overall order volume.
Fraud fighters are used to this annual onslaught, just as they’re used to fraudsters continually adapting to their fraud prevention efforts. What they aren’t used to, however, are new and expanded tactics being reported this year by online merchants—mainly in the U.S., but internationally, as well.
Specifically, merchants are telling me about three insidious and difficult-to-spot fraud tactics that bad actors are deploying in full force, and that everyone should be aware of.
Fraud Threat #1: Scam calls to consumers instructing them to purchase gift cards
Merchants impacted most: Online retailers with gift cards; especially multi-channel retailers with physical store locations.
How it works: Phishing calls are made to consumers in the U.S. by fraudsters posing as representatives of federal agencies, mainly the Internal Revenue Service or the Social Security Administration, in which consumers are told they are subject to a large fine that is owed immediately. If it is not taken care of, victims are falsely told, they will go to jail or have a lien placed on their assets. Scare tactics and a sense of urgency are deployed to coerce the victim into settling the “debt” immediately by buying retailer gift cards in high amounts. Usually the scammer specifies how many cards to buy and the denomination of each; those instructions tend to stay just under the velocity thresholds a merchant has configured in a rules-based system (fraudsters don’t care whether the purchases are made in stores or online). Once the gift cards have been purchased, the scammer has the victim read the gift card redemption codes over the phone.
The Impact: Many retailers with national brands are seeing consumers fall for this scam in high numbers. If the purchase is made online, merchants are almost always seeing chargebacks for these cases. Although the consumer used their own credit card, the purchase almost always gets reported to the issuer, and the chargeback typically gets passed on to the merchant (though providing the right information in the right way has occasionally resulted in chargeback reversals). If the gift cards were purchased in a store, the liability depends on the form of payment, with some merchants still receiving chargebacks for these purchases. One large retailer confided that they saw a consumer buy more than 100 gift cards, each for $500, due to this type of scam (that amount is an exception; typically the “fines” are under $1,000 in total).
For online purchases:
- Monitor velocity on gift card purchases. If one cardholder is purchasing several gift cards on your site and they have never made a purchase on your website before, take notice. Consider calling to ask “why so many gift cards?” or “what is this for?” If they don’t have an immediate answer that makes sense, be suspicious.
- If you’re using a rules-based system, consider changing the thresholds and velocity settings fairly frequently (though not at regular intervals; fraudsters will figure that out)
- Consider providing verbiage on your gift card checkout page that the SSA and IRS have publicly stated they will never call debtors and never ask for payment via retail gift cards. If a customer is planning to purchase gift cards for someone they do not know, they should stop and instead file a complaint at IC3.gov.
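As an added illustration of the first two points above (this is example code, not the article's or any vendor's), here is a rolling-window velocity rule in Python. It keeps, per tokenised payment card, the gift card orders placed in the last 24 hours, applies tighter limits to first-time customers, and separately flags a stack of identical high-value cards, since the scammer dictates the denomination. The order fields, the `tok_*` card tokens, the thresholds and the sample orders are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample orders (not data from the article). card_token is assumed to be a token
# for the payment card; first_purchase is True when this customer has never ordered before.
SAMPLE_ORDERS = [
    {"order_id": 101, "card_token": "tok_A", "ts": "2019-12-10T09:00:00", "first_purchase": False, "denominations": [25, 25]},
    {"order_id": 102, "card_token": "tok_B", "ts": "2019-12-10T10:00:00", "first_purchase": True,  "denominations": [200, 200]},
    {"order_id": 103, "card_token": "tok_B", "ts": "2019-12-10T11:30:00", "first_purchase": True,  "denominations": [200, 200]},
    {"order_id": 104, "card_token": "tok_C", "ts": "2019-12-10T12:00:00", "first_purchase": False, "denominations": [100] * 5},
    {"order_id": 105, "card_token": "tok_B", "ts": "2019-12-11T14:00:00", "first_purchase": True,  "denominations": [200, 200]},
]

# (max cards, max total value) allowed inside one rolling window; assumed values.
# First-time customers get a tighter limit, as the article suggests.
THRESHOLDS = {
    "known": (4, 1000),
    "first_purchase": (2, 500),
}


def gift_card_velocity_alerts(orders, window=timedelta(hours=24), thresholds=THRESHOLDS):
    """Return review alerts for gift card orders that exceed per-card velocity in a rolling window.

    A deque per card token holds the orders still inside the window. For each new order we
    drop expired entries, add the current one and compare the running totals with the
    threshold for the customer class. Orders are processed in timestamp order.
    """
    recent = defaultdict(deque)  # card_token -> deque of (ts, card_count, value)
    alerts = []
    for order in sorted(orders, key=lambda o: o["ts"]):
        ts = datetime.fromisoformat(order["ts"])
        q = recent[order["card_token"]]
        while q and ts - q[0][0] > window:
            q.popleft()
        denoms = order["denominations"]
        q.append((ts, len(denoms), sum(denoms)))
        cards = sum(n for _, n, _ in q)
        value = sum(v for _, _, v in q)
        max_cards, max_value = thresholds["first_purchase" if order["first_purchase"] else "known"]

        reasons = []
        if cards > max_cards:
            reasons.append(f"{cards} gift cards within {window} (limit {max_cards})")
        if value > max_value:
            reasons.append(f"${value} of gift cards within {window} (limit ${max_value})")
        # Scammers dictate the denomination, so three or more identical high-value cards
        # in one order is a tell on its own, regardless of velocity.
        if len(denoms) >= 3 and len(set(denoms)) == 1 and denoms[0] >= 100:
            reasons.append(f"{len(denoms)} identical ${denoms[0]} cards in one order")
        if reasons:
            alerts.append({"order_id": order["order_id"], "card_token": order["card_token"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in gift_card_velocity_alerts(SAMPLE_ORDERS):
        print(alert["order_id"], alert["card_token"], "; ".join(alert["reasons"]))
```

Running it flags order 103 (a first-time customer at 4 cards and $800 inside the window) and order 104 (five identical $100 cards from a known customer), while order 105 passes because the earlier orders have aged out of the 24-hour window. Rotating the numbers in THRESHOLDS is the "change the settings fairly frequently" advice above.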
For in-store purchases:
- Train your store associates to question purchases of multiple gift cards, especially by people who do not appear to be in your store’s target demographic. Sure, that little old lady may be purchasing a stack of gift cards for her grandchildren. If she is, she will love to tell you about it if you ask! If she’s hesitant or uncomfortable with the question, it may be a good opportunity for your store associate to explain that she may be the target of a popular scam.
- Educate your customers. While shopping at one of its locations last month, I was excited to see that one large national retailer is addressing this issue at each of its cash registers.
When it comes to messaging to consumers, you will need to coordinate with your marketing and/or corporate communications departments. While it’s common for companies not to acknowledge scams affecting their stores, you can argue that acknowledging them is a great way to build consumer trust and, in turn, loyalty. When customers know you’re looking out for them, they are more likely to share that positive experience with their friends and on social media. Conversely, an “I was scammed at _____” Twitter post is an understandable reaction from a victim, even though your brand was not responsible for the fraud.
Fraud Threat #2: Re-shipping schemes + ATO at the issuing bank
Merchants impacted most: Physical goods retailers; particularly those selling high-value items such as professional cameras, laptops, jewelry, gold coins or bars, etc.
How it works: Fraudsters are recruiting unwitting consumers to receive packages for them using a variety of romance or work-from-home scams. They’re often establishing relationships with victims via social media.
The “mules” are asked to provide personal information (notably their own address and contact details) that the fraudsters then use, after taking over the cardholder’s account at the issuing bank, to change the billing address on file for an existing credit card belonging to an unrelated person to the mule’s address. Mules receive the card number, a link to a retailer and a shopping list. They are instructed to place an order and have it sent to their own address. When the product is received, they un-box the item and put it in a new box to be shipped overseas to the fraudster.
The cunning thing about this scheme is that it involves three victims/players: the mule, the merchant and the issuing bank. For fraudsters, it solves their AVS problem (the Address Verification System used by CNP merchants to confirm that an address provided by a cardholder is on file with the bank). It also ensures that the billing and shipping addresses on an order will match, and that the cardholder name is tied to the street address, e-mail address and phone number being used to place the order.
The Impact: One could argue that the liability should rest with the issuers—they’re the party directly compromised by the fraudster and, had the AVS not been a match, high-dollar items probably would not have been shipped. Multiple retailers, however, have reported receiving chargebacks for these orders, only learning what happened when they call cardholders. Chargeback re-presentment results have varied. Some merchants who respond accurately with the right information have had chargebacks reversed. As they are CNP purchases, however, most have been awarded in the cardholders’ favor, with merchants bearing the cost.
These are tough cases to spot. To protect merchants who have found ways to identify and prevent these transactions, I am withholding some information publicly. With that in mind:
- Be wary of high-dollar purchases by new customers not in your target demographic
- Merchants reported consumers purchasing multiples of the same items
- If your fraud provider tracks pre-purchase customer behavior on your site, work with them to ensure they are scoring orders where the session landed directly on a product page from an external link (the mule following the shopping list) rather than browsing to it from your own site
- Consider implementing a policy to call consumers that make purchases like the ones described above. One diligent fraud provider I spoke to said they called people who placed orders that fit this profile to ask why they purchased so many laptops. The response was simply “personal use.” When asked for more information, they continued to repeat “personal use.”
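The four signals above combine naturally into a simple order score. The following Python is an added example (not the article's code or any fraud provider's scoring model) that scores an order on order value, first-purchase status, multiples of the same high-value SKU and a deep link from an external host, and deliberately gives an AVS match no weight, because in this scheme the billing address on file has already been changed to the mule's. The `OWN_HOSTS` domains, order fields, weights, review threshold and sample orders are assumptions constructed for the example.

```python
from urllib.parse import urlparse

# Hosts that belong to the merchant (assumed); a session that starts on a product page with
# a referrer outside this set came in through an external link.
OWN_HOSTS = {"shop.example.com", "www.example.com"}

# Constructed sample orders (not data from the article).
SAMPLE_ORDERS = [
    {"order_id": 201, "customer_first_order": False, "avs_match": True,
     "landing_path": "/", "referrer": "https://www.google.com/",
     "items": [{"sku": "LAPTOP-15", "qty": 1, "unit_price": 1800}]},
    {"order_id": 202, "customer_first_order": True, "avs_match": True,
     "landing_path": "/product/LAPTOP-15", "referrer": "https://chat.example-social.net/thread/123",
     "items": [{"sku": "LAPTOP-15", "qty": 3, "unit_price": 1800}]},
    {"order_id": 203, "customer_first_order": True, "avs_match": True,
     "landing_path": "/product/HEADPHONES", "referrer": "",
     "items": [{"sku": "HEADPHONES", "qty": 1, "unit_price": 60}]},
]

REVIEW_THRESHOLD = 50  # assumed: at or above this, hold the order and call the customer


def came_from_external_link(order, own_hosts=OWN_HOSTS):
    """True when the session landed straight on a product page from a host we do not own.

    An empty referrer (link pasted from a messaging app or e-mail) is treated as external too,
    since that is exactly how a mule following a shopping list arrives.
    """
    if not order["landing_path"].startswith("/product/"):
        return False
    host = urlparse(order["referrer"]).netloc.lower()
    return host not in own_hosts


def reshipping_risk(order, high_value=1000, threshold=REVIEW_THRESHOLD):
    """Score one order against the re-shipping profile and return the decision with reasons."""
    items = order["items"]
    total = sum(i["qty"] * i["unit_price"] for i in items)
    score, reasons = 0, []

    if total >= high_value:
        score += 30
        reasons.append(f"order total ${total} is high-value")
        if order["customer_first_order"]:
            # High-dollar first orders are the profile the article describes
            score += 25
            reasons.append("first order from this customer")
    # Multiples of the same expensive item ("why so many laptops?")
    if any(i["qty"] >= 2 and i["unit_price"] >= high_value / 2 for i in items):
        score += 20
        reasons.append("multiple units of the same high-value item")
    if came_from_external_link(order):
        score += 25
        reasons.append(f"landed on {order['landing_path']} from external referrer {order['referrer'] or '(none)'}")
    # Note: order["avs_match"] is intentionally ignored. In this scheme the billing address at the
    # issuer was changed to the mule's, so an AVS match carries no evidential weight.

    return {
        "order_id": order["order_id"],
        "score": score,
        "action": "review" if score >= threshold else "accept",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for order in SAMPLE_ORDERS:
        result = reshipping_risk(order)
        print(result["order_id"], result["score"], result["action"], "; ".join(result["reasons"]))
```

Order 201 (a repeat customer buying one laptop from a search engine landing) scores 30 and is accepted; order 202 (a first-time customer buying three laptops after arriving on the product page from a chat link) scores 100 and goes to review; order 203 is cheap enough that the external deep link alone does not reach the threshold. The weights are a starting point for a rules engine, not calibrated values.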
It should be noted that one of the main issuing banks being manipulated in this way is aware of this activity and I have been in touch with them directly. They have been proactive in researching the situations, but do not have the authority to reverse chargebacks to relieve merchants of the financial responsibility.
Fraud Threat #3: High volume of account takeovers using Credential Stuffing
Merchants impacted most: Online merchants with digital goods (e.g., loyalty points, travel miles, event ticketing, online gaming and e-gift cards)
How it works: According to a 2018 survey conducted by online company LogMeIn, more than 60 percent of online users worldwide use the same password for more than one account. In the U.S., this percentage is even higher. Because of that, fraudsters have been buying usernames and passwords stolen in breaches and testing them in bulk across a multitude of websites (via bots, human farms or manually, depending on the fraudster’s resources). This practice is known as credential stuffing.
While it has been impacting merchants with online user accounts for the past few years, reports of credential stuffing are spiking. Merchants offering loyalty points and travel miles have seen legitimate users’ accounts drained and those assets transferred, sometimes through a long chain of intermediate accounts to obscure the trail. These points or miles are often sold to consumers, or to companies that provide cash or trade for these otherwise non-transferable payment methods.
Other merchants are seeing the card on file used for purchases that fraudsters send to a different address, trading on the established legitimacy of the account. Event ticketing companies are seeing event tickets, including season tickets to sports teams or local venues, bought and re-sold. Online gaming companies are experiencing gaming accounts emptied of items a user may have been earning for years, especially “special edition” and high-demand items.
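Credential stuffing leaves a characteristic trace in login logs: one source trying many different usernames in a short time, mostly failing, with the occasional success marking an account whose reused password was in the purchased list. The Python below is an added example (not the article's code) that parses such logs and flags a source IP whose attempts inside a five-minute window cover many distinct users with a high failure ratio, listing the accounts where it succeeded so they can be locked and reset. The log format, the field names, the thresholds and the sample lines are all constructed for the example; real logs will need their own regex.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed login log lines (not from the article or any real merchant).
# 198.51.100.20 is a legitimate user who mistypes once; 203.0.113.7 is a stuffing bot that
# walks a credential list and lands one hit; 192.0.2.9 is two failures from one household.
SAMPLE_LOG = """\
2019-12-01T03:00:01Z ip=198.51.100.20 user=alice@example.com result=FAIL ua="Mozilla/5.0"
2019-12-01T03:00:09Z ip=198.51.100.20 user=alice@example.com result=OK ua="Mozilla/5.0"
2019-12-01T03:01:00Z ip=203.0.113.7 user=bob@example.com result=OK ua="python-requests/2.22"
2019-12-01T03:01:01Z ip=203.0.113.7 user=carol@example.com result=FAIL ua="python-requests/2.22"
2019-12-01T03:01:01Z ip=203.0.113.7 user=dave@example.com result=FAIL ua="python-requests/2.22"
2019-12-01T03:01:02Z ip=203.0.113.7 user=erin@example.com result=FAIL ua="python-requests/2.22"
2019-12-01T03:01:02Z ip=203.0.113.7 user=frank@example.com result=FAIL ua="python-requests/2.22"
2019-12-01T03:01:03Z ip=203.0.113.7 user=grace@example.com result=FAIL ua="python-requests/2.22"
2019-12-01T03:01:04Z ip=203.0.113.7 user=heidi@example.com result=FAIL ua="python-requests/2.22"
2019-12-01T03:01:05Z ip=203.0.113.7 user=ivan@example.com result=FAIL ua="python-requests/2.22"
2019-12-01T03:02:30Z ip=192.0.2.9 user=judy@example.com result=FAIL ua="Mozilla/5.0"
2019-12-01T03:02:41Z ip=192.0.2.9 user=mallory@example.com result=FAIL ua="Mozilla/5.0"
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse_login_line(line):
    """Parse one log line into an event dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_credential_stuffing(lines, window_seconds=300, min_distinct_users=5, min_fail_ratio=0.7):
    """Flag (ip, window) pairs that look like a credential list being replayed.

    Events are bucketed into fixed windows per source IP. A bucket is flagged when it touches
    at least min_distinct_users different usernames and at least min_fail_ratio of the
    attempts failed; successful logins inside a flagged bucket are reported as compromised.
    """
    buckets = defaultdict(list)  # (ip, window index) -> events
    for line in lines:
        ev = parse_login_line(line)
        if ev is not None:
            buckets[(ev["ip"], int(ev["ts"].timestamp()) // window_seconds)].append(ev)

    findings = []
    for (ip, idx), events in sorted(buckets.items()):
        users = {e["user"] for e in events}
        failures = sum(1 for e in events if not e["ok"])
        fail_ratio = failures / len(events)
        if len(users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            findings.append({
                "ip": ip,
                "window_start": datetime.fromtimestamp(idx * window_seconds, tz=timezone.utc).isoformat(),
                "attempts": len(events),
                "distinct_users": len(users),
                "fail_ratio": round(fail_ratio, 3),
                "compromised_accounts": sorted(e["user"] for e in events if e["ok"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(SAMPLE_LOG):
        print(f)
```

On the sample, only 203.0.113.7 is flagged (8 attempts, 8 users, 87.5% failures) and bob@example.com is reported as the account to lock; alice's single mistyped password and the two failures from 192.0.2.9 stay under the distinct-user threshold. Attackers spread attempts across many proxies precisely to stay under per-IP thresholds, so in production the same aggregation is usually also run per user-agent fingerprint or ASN, and per target username (one account hit from many IPs).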
The Impact: The impact to a merchant depends on what was stolen from the illegally accessed accounts. If you are a company that provides points or miles for purchases, the impact may seem minimal. However, there is a cost associated with customer service contacts and replacement points when the legitimate user realizes their account has been drained. For event ticketing companies, the customer contact costs exist too, with the added cost of replacing the stolen items; in the case of sold-out events, it can be difficult to make the user whole at all. For merchants seeing card-on-file ATOs, the impact in the form of chargebacks is similar to other payment fraud. For gaming companies, the concerns are similar to event ticketing: there are costs associated with replacing items and consoling upset gamers who spent countless hours earning them.
An additional cost of credential stuffing account takeover is one that can’t be measured, but it affects every merchant threatened by this tactic: damage to brand. Even though password reuse by consumers is what makes the attack possible, and the credentials were stolen somewhere else, they will undoubtedly blame the company whose login page the attacker walked through. Reports of this activity, especially on social media and user forums, can cause distrust toward the merchant.
- Use fraud prevention technology that leverages machine learning (to quickly spot new patterns of behavior and adjust the scoring models accordingly), bot detection, device fingerprinting and behavioral biometrics
- If you see specific items being targeted, consider placing a several-day hold on transfers of those items from one wallet or account to another, explaining to legitimate users that this is for their protection
- Consider working with your communications department to provide users with internet safety tips, such as using a password manager or using a genuinely different password for each account. Some companies have forced password resets for all users, but these are only effective when the new password cannot be the same as the last several passwords (even then, some merchants have reported seeing users change their password multiple times in a row to end up back on the same password they had before the forced reset). Customers may not take the advice, but they generally appreciate it and understand the company is looking out for them (as well as its bottom line, but the users don’t need to know that part).
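The password-history caveat in the last point is worth seeing concretely. The Python below is an added example (not the article's code) of a history check that stores only salted PBKDF2 hashes, so old passwords can be compared without being kept in the clear, and a small experiment showing that a history of depth N is defeated by exactly N throwaway changes in a row, which is the cycling behaviour merchants reported. The PBKDF2 round count and the history depth are assumed values.

```python
import hashlib
import hmac
import os
from collections import deque

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to your hardware


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Return (salt, digest) for the password; a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest


def matches(password, salt, digest, rounds=PBKDF2_ROUNDS):
    """Constant-time comparison of a candidate password against a stored salt/digest pair."""
    _, candidate = hash_password(password, salt, rounds)
    return hmac.compare_digest(candidate, digest)


class PasswordHistory:
    """Rejects a new password equal to any of the last `depth` passwords, the current one included.

    Only salted hashes are retained, so checking history costs one PBKDF2 run per stored entry.
    """

    def __init__(self, initial_password, depth=5):
        self.depth = depth
        self.recent = deque(maxlen=depth)  # oldest entry falls off automatically
        self.recent.append(hash_password(initial_password))

    def change(self, new_password):
        """Apply the change and return True, or return False if the password was used recently."""
        if any(matches(new_password, salt, digest) for salt, digest in self.recent):
            return False
        self.recent.append(hash_password(new_password))
        return True


def changes_needed_to_reuse(original, depth, max_tries=20):
    """How many throwaway changes a user needs before the original password is accepted again.

    This is the behaviour the article describes: a user who wants their old password back simply
    cycles through throwaways until the original has aged out of the history.
    """
    history = PasswordHistory(original, depth)
    for n in range(1, max_tries + 1):
        history.change(f"throwaway-{n}-{os.urandom(4).hex()}")
        if history.change(original):
            return n
    return None


if __name__ == "__main__":
    print("depth 5 history beaten after", changes_needed_to_reuse("Winter2019!", depth=5), "changes")
```

With depth 5 the original is accepted again after the fifth throwaway change. The history check is still worth having because it stops the immediate "reset back to the same password" case, but on its own it only raises the cost of cycling; a minimum password age between changes, of the kind Windows domain password policy offers, is what actually blocks the rapid cycle.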
The above list is not exhaustive. But these threats are either newly emerging or spiking right now. You may have noticed a theme in these situations—utilizing unwitting consumers. While this makes fraud difficult to spot, take some comfort that these new threats are the result of the collective online merchant community stepping up its fraud detection efforts over the last few years. Your effort and vigilance, along with implementation of sophisticated fraud prevention technology has forced fraudsters to become more creative. And, knowing about these fraud threats will help you improve your strategies and methods. This year, anyway.
Happy fraud fighting & happy holidays!