Refunds are a standard cost of retail — especially in eCommerce. But online shopping makes it much more difficult for businesses to investigate and verify valid refund demands from customers. Some customers take advantage of these difficulties by committing refund fraud.
As shown in the rise of ransomware-as-a-service attacks, cybercriminals have shifted to a service-based economy — and refund fraud is no exception. Refund Fraud-as-a-Service is an increasingly popular way for social engineers to monetize refund scams, and enable more customers to commit refund fraud.
What is refund fraud and how does it work as a service?
Refund fraud is the abuse of refund policies for financial gain. Customers can commit refund fraud in several ways:
Making false claims that an order hasn’t arrived
Falsely claiming they’ve returned their order when they haven’t
Reporting that not all parts of the order have been received
In compliance with their refund policy — and to avoid bad reviews — eCommerce businesses sometimes refund customers making these claims, despite a lack of evidence to support them.
But many eCommerce businesses now require more evidence before they’ll issue a refund, such as proof of postage or scanned tracking codes. Customers don’t usually have this information if their refund claim is fraudulent.
In response, cybercriminals now offer Refund Fraud-as-a-Service. Customers hire them to claim the refund on their behalf in exchange for a cut of the money. These professionals socially engineer businesses into providing refunds by using third-party services to falsify tracking and returns information.
Is refund fraud getting worse?
Refund fraud existed long before online shopping was commonplace. But the impact is now far more widespread and damaging.
Claiming a refund in a physical store requires you to take the product back for inspection by store staff. Now, as eCommerce accounts for a growing proportion of retail sales, and there are more stages in the supply and delivery chain, it’s much easier to claim fraudulent refunds.
In 2021, one man committed $300,000 worth of refund fraud against a single business over three years. And one survey found that fraudulent returns cost businesses $25.3 billion in 2020.
Refund fraud methods
Non-arrival fraud methods
One of the most common methods of refund fraud involves claiming the item hasn’t arrived. This usually works if the courier doesn’t require a signature on receipt of the parcel, or if the courier delivers it to the wrong address.
Empty box method
The empty box method involves claiming that your package has arrived, but doesn’t contain any or all of the components that were ordered. This method is typically used when the order consists of a lightweight product, or a product with several different valuable parts.
Unlike non-arrival fraud, returns fraud involves pretending to return a faulty item without sending anything back to the company. When the returned item isn’t received, the fraudster produces falsified proof of postage to claim their refund.
Service providers usually work with third-party fraudsters to commit returns fraud, including:
Boxing services — used to create fake postage information such as labels and receipts
Fake tracking ID — used to modify tracking information required by the company (such as tracking numbers and delivery address) so the fraudster can send a junk parcel that will be logged as sent but not accepted or received
Scanning services — a type of insider attack in which delivery service employees mark packages as damaged or lost, when in fact they have been delivered intact.
Method brokers teach customers how to commit refund fraud without getting caught. Several refund fraud ebooks and tutorials are available for purchase online.
The challenges of detecting refund fraud-as-a-service
The rise of Refund Fraud-as-a-Service poses a significant challenge for eCommerce businesses. Detecting fraud is much easier if you’re dealing with inexperienced or unskilled individuals, or a single customer who repeatedly makes fraudulent claims against you. You can identify patterns of behavior, or clumsy attempts at fraud. But professional cybercriminals use tools and techniques that are much harder to detect.
A group of customers requesting refunds across various accounts and retailers is less likely to be flagged by a single fraud team. Many cybercriminals avoid claiming too many refunds at the same retailer for this reason.
In addition, a skilled Refund Fraud-as-a-Service provider is less likely to get caught than an inexperienced customer. So if the latter hires the former to commit fraud on their behalf, the false refund is more likely to go through unnoticed.
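As an added example (not code from the original article), the sketch below combines the per-account pattern check described in this section with the evidence checks mentioned earlier: delivery signatures, and whether a return's tracking record shows the parcel received at the merchant's own returns address. The field names, status strings, postcode and threshold are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

RETURNS_POSTCODE = "RT11AA"  # constructed: merchant's returns warehouse

@dataclass
class Claim:                   # hypothetical claim record
    claim_id: str
    account: str
    kind: str                  # "non_arrival", "empty_box" or "return"
    signed_for: bool = False   # courier captured a signature on delivery
    track_status: str = ""     # carrier status of the return parcel
    track_postcode: str = ""   # destination the carrier recorded

def review_reasons(claim, prior_count, max_prior=2):
    """Reasons to hold a claim for manual review; empty list means none."""
    reasons = []
    if prior_count >= max_prior:
        reasons.append("repeat_claimant")
    if claim.kind == "non_arrival" and claim.signed_for:
        reasons.append("signature_on_file")
    if claim.kind == "return":
        if not claim.track_status:
            reasons.append("no_tracking")
        else:
            # "Sent" is not enough: the parcel must be received, at our address.
            if claim.track_status != "delivered":
                reasons.append("return_not_received")
            if claim.track_postcode.replace(" ", "").upper() != RETURNS_POSTCODE:
                reasons.append("destination_mismatch")
    return reasons

def triage(claims):
    """Process claims in order, counting earlier claims per account."""
    seen, held = Counter(), {}
    for c in claims:
        reasons = review_reasons(c, seen[c.account])
        if reasons:
            held[c.claim_id] = reasons
        seen[c.account] += 1
    return held

# Constructed sample claims, not real data.
SAMPLE = [
    Claim("c1", "acct-a", "non_arrival"),
    Claim("c2", "acct-a", "empty_box"),
    Claim("c3", "acct-a", "non_arrival"),  # third claim on one account
    Claim("c4", "acct-b", "return", track_status="delivered", track_postcode="rt1 1aa"),
    Claim("c5", "acct-c", "return", track_status="refused", track_postcode="ZZ9 9ZZ"),
    Claim("c6", "acct-d", "non_arrival", signed_for=True),
]
```

In the sample, only `c3` trips the repeat-claimant rule; `c5` and `c6` come from first-time accounts and are held solely on the tracking and signature evidence, which is the case a per-account pattern check alone would miss.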
Learn how to mitigate sophisticated refund fraud attacks
Refund Fraud-as-a-Service only works if criminals can systematically avoid detection. This is easy to do in the current climate — many fraud teams don’t have the resources or technical expertise to detect advanced refund fraud scams.