By Brett Johnson, Chief Criminal Officer, Arkose Labs
In 2011, the Social Security Administration (SSA) began randomizing the issuance of new Social Security Numbers. The numbers issued prior to 2011 were vulnerable. If a criminal had the last four digits of an SSN and knew the DOB and birthplace of the victim, the first five digits were easy to work out.
The SSA responded by randomizing new numbers issued. The move succeeded. That form of fraud ceased for all new SSNs.
Happy ending? Not so much.
The move gave birth to Synthetic Identity Fraud.
Now criminals could fabricate SSNs or use stolen children’s SSNs to create entirely new identities.
A criminal would buy a child’s SSN on the dark web. He would add a name, adult DOB, address, and phone number. He would then apply for credit. Credit bureaus don’t know you exist until you tell them you exist. If a credit bureau had never seen the information submitted on the application for credit, the application would be denied. But it would create a credit report with that synthetic profile’s information. Then, using a variety of OSINT manipulation and credit boosting techniques, the synthetic would build the profile to AAA credit. Then it’s time to cash out.
Synthetic Identity Fraud became the fastest growing form of financial fraud on the planet.
Financial Institutions and Creditors took years to recognize the problem. Combatting it? Difficult. It was a type of fraud most identity thieves viewed as almost perfect.
The Rise of Refund Fraud
I’ve been warning about Refund Fraud for years. Those warnings fell on deaf ears.
Refund fraud is when a criminal orders a product from a merchant. Upon receiving the product, the criminal uses a variety of social engineering techniques to keep the product and manipulates the merchant into refunding the purchase price.
Refund Fraud changed the dynamic of online crime. Today, most aspiring cybercrooks begin their careers with ‘Refunding’. The fraud itself has evolved to the point that the dark web and Telegram are littered with hundreds of criminal groups and thousands of criminals working together to defraud merchants. Facebook and Reddit members openly discuss the fraud and share advice on how to commit the crime and which stores to target.
Criminals easily profit $10,000 a week. More experienced attackers regularly bank $100,000+ every seven days. Classes are taught and exploits shared on channels available to the public, while new tactics, techniques, and targets are developed on private channels.
What About Merchants and Retailers?
They are largely powerless. Several businesses and consultants have popped up claiming to know how to fix the problem, but the merchants that were being victimized eight years ago are still successfully being victimized today at higher dollar levels.
Can Refund Fraud be Stopped?
Sadly, it cannot be stopped entirely. Merchants are in a business which requires customer satisfaction. Unfortunately, that is a vulnerability to be exploited.
There’s more. Modern business means efficiency and speed. It is a necessity to remain competitive and profitable. Business functions are segmented, jobs farmed out, and outside partnerships formed to better thrive. It works. It also works for criminals by expanding the threat landscape and the number of exploits and vulnerabilities.
Anything else? Yep. Our world is siloed. eCommerce, Finance, Infrastructure, Medical, Shipping, everything is separate. Each silo worries only about itself, thinking that by securing individual silos, things will be safer. That’s wrong. Fraudsters learned years ago to defraud each silo based on its own merits and to chain those attacks together to defraud outside targets. It’s how fraud works.
Are any of those things going to change? No. So the answer to the question, “Can Refund Fraud be Stopped?” is no.
Can Refund Fraud be Mitigated?
The more appropriate question is: can refund fraud be effectively mitigated? Why yes, Virginia, it can.
First, you must admit you have a problem. Because you do. Believe me, you do. Don’t be one of those companies in denial. You know the ones:
- They don’t think it’s an organized crime problem. It is.
- They don’t keep track of losses due to refunds. Or maybe they don’t keep track of online fraud losses.
- They call it a customer service issue and refuse to call it a fraud issue.
- They blame the issue on the shippers, outside partnerships, anything but themselves.
- Etc., etc., etc.
Use Data to Inform Policies and Procedures
Like many 12-step programs, admitting you have a problem is step one. Now we move to step two: data. You don’t have all the data you need. You never will. If you did, there would be no fraud. But you do have a lot of data. Are you fully utilizing it to your advantage? For example, do you know the BINs used to commit fraud? Are you flagging prepaid debits and gift cards for a closer inspection when used in conjunction with refunds?
Are you looking at the data objectively or with bias? Some fraud departments refuse to consider refund fraud as fraud because it would destroy their overall fraud numbers. Examining data with a bias is useless. Approach the data objectively and let it give you answers.
The data will allow you to look at your policies and procedures to see how those might be adapted to better address the problem. It will also inform you on which tools you may need.
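One way to put those questions to your own order data, as an added example that is not from the original article: it lists refunded orders paid with prepaid or gift instruments for closer inspection and ranks BINs by refund rate and refunded amount. The order records, BIN values, field names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample orders; BINs, amounts and field names are made up.
ORDERS = [
    {"id": "o1", "bin": "999901", "type": "prepaid", "amount": 250.0, "refunded": True},
    {"id": "o2", "bin": "999901", "type": "prepaid", "amount": 300.0, "refunded": True},
    {"id": "o3", "bin": "999901", "type": "prepaid", "amount": 80.0, "refunded": False},
    {"id": "o4", "bin": "999902", "type": "gift", "amount": 150.0, "refunded": True},
    {"id": "o5", "bin": "999903", "type": "credit", "amount": 60.0, "refunded": False},
    {"id": "o6", "bin": "999903", "type": "credit", "amount": 90.0, "refunded": True},
    {"id": "o7", "bin": "999903", "type": "credit", "amount": 40.0, "refunded": False},
    {"id": "o8", "bin": "999903", "type": "credit", "amount": 75.0, "refunded": False},
]

REVIEW_TYPES = {"prepaid", "gift"}  # instrument types to inspect when refunded
MIN_ORDERS = 3                      # assumed: skip BINs with too little history
RATE_THRESHOLD = 0.5                # assumed: refund rate that marks an outlier


def refunds_for_review(orders):
    """IDs of refunded orders paid with a prepaid or gift instrument."""
    return [o["id"] for o in orders
            if o["refunded"] and o["type"] in REVIEW_TYPES]


def bin_stats(orders):
    """Per-BIN order count, refund count and total refunded amount."""
    stats = defaultdict(lambda: {"orders": 0, "refunds": 0, "loss": 0.0})
    for o in orders:
        s = stats[o["bin"]]
        s["orders"] += 1
        if o["refunded"]:
            s["refunds"] += 1
            s["loss"] += o["amount"]
    return dict(stats)


def outlier_bins(orders, min_orders=MIN_ORDERS, threshold=RATE_THRESHOLD):
    """BINs with enough history and a high refund rate, largest loss first."""
    rows = []
    for bin_, s in bin_stats(orders).items():
        rate = s["refunds"] / s["orders"]
        if s["orders"] >= min_orders and rate >= threshold:
            rows.append((bin_, rate, s["loss"]))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    print("review queue:", refunds_for_review(ORDERS))
    for bin_, rate, loss in outlier_bins(ORDERS):
        print(f"BIN {bin_}: refund rate {rate:.0%}, refunded {loss:.2f}")
```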
This brings us to threat intel and an understanding of the criminals attacking. You need that. But understand, you will never have all the information. No one can provide every detail of every threat, active and potential. That means you need to choose wisely on where you are getting threat intelligence.
Are those providing you with the information simply reading it from publicly accessible criminal channels? If yes, then it is a problem because that data is years old. Meanwhile, criminals are using private invite-only or pay-to-play channels to discuss, share, and develop new techniques, tactics, and targets. That means you have a second-rate picture of what is happening and are designing security based on that information and nothing new: A criminal’s field day.
Is Your Threat Intel Good?
The question becomes: Is your threat intel good? Or is it just someone feeding you information you could find yourself?
Let’s find out.
There are many ways you can gain intel on refund fraud. For instance, you may purchase it, attend presentations, webinars, and workshops, read papers, or do the occasional group chat. Have you ever come across a discussion on a technique other than 1) Did not arrive, 2) Not in the box or damaged, or 3) Fake Tracking? Those techniques are years old and publicly available to anyone with Google. You don’t want to be making decisions on dated intel while new tactics and techniques are unknown to you.
Anyway—enough soapbox. Here is an example of what I am talking about.
What Happens when Synthetic Identities are Used for Refund Fraud?
One of the most advanced methods Refund Fraudsters currently use is to initiate a return for an item and then manipulate the return shipping label to make it appear the item was returned for a refund when it wasn’t. It is so effective that many merchants and retailers remained unaware the items weren’t returned until people like me started talking publicly about the technique. Today, many merchants and retailers have adapted policies and procedures to better combat the issue.
How did merchants adapt? Many started checking to make sure the product was actually returned. Most of the time this is after a refund is processed. Once the merchant discovers the item wasn’t returned, they attempt to rebill the payment instrument used for the purchase. To avoid this situation, many criminals close the account before the merchant can rebill. If that happens, at least the merchant knows who to chase.
But what happens if there is no one to chase?
Refund Fraud orders require names, addresses, and payment instruments. Most fraudsters use their real names or those of friends and family. They use addresses connected to themselves. They mine those out quickly and then employ techniques and payment instruments which merchants can easily identify and flag.
Synthetic Identities solve this problem for attackers. Synthetics mean bank accounts, not prepaids or gift cards. Synthetics mean the address on the order has OSINT linking the order address to the person ordering. Synthetics mean an unlimited number of names which can be used to defraud a merchant.
Synthetics mean a criminal can defraud a merchant for $130k in product on a single order, get the money refunded to the payment instrument used, shut the bank account down, get their money back, and walk away without consequence. It means the merchant cannot rebill. Synthetics mean the merchant cannot track down the individual because the individual isn’t real.
And the best part of it for the criminals? The merchant doesn’t even know a Synthetic Identity was used against them.
Creditors and financial institutions have been battling synthetic fraud for years. They are used to it. But, you know who isn’t? Merchants and retailers. Oh, they’ve heard of it. I’ve warned them about it for years. Deaf ears. But those merchants and retailers have only been concerned that a fraudster might use a synthetic profile to obtain a credit card and then use the card to defraud a merchant. The worry rested with the creditor or bank.
This is different. This is Synthetic Fraud which targets the merchant, not the creditor or bank. The Synthetic is used to open a bank account. The bank account is then funded and used to defraud a merchant via refund fraud. The onus now is with the merchant. Few, if any, flags on the bank’s side.
Choose Your Threat Intel Wisely
Is the use of Synthetics common in Refund Fraud? More than you think.
If your advisors, who claim to be experts, have never told you about it? I’d say that’s a problem.
Proper threat intel is a necessity. Choose wisely who you listen to if it determines the decisions you are making for your organization.
For more information on current fraud trends, check out the 2022 State of Fraud and Account Security Report from Arkose Labs.