Dark Web Threat Brief: Refund Fraud

What is Refund Fraud?

Refund fraud is a scam where a person attempts to get money refunded from merchants by falsely claiming the product wasn’t received or was not up to par. For example, a person orders an expensive item, such as a laptop that costs several thousand dollars, from an eCommerce company. The merchant then ships it out and soon the package arrives at its destination.

That’s when the fraud begins. The person initiates a chat session or calls customer service. They explain to the rep that the item never arrived. The merchant then apologizes and sends out another laptop to replace the one which “never arrived.” That new laptop arrives at the fraudster's house a few days later and at this point, they now have two laptops for the price of one. But many don’t stop there. Many fraudsters initiate the same process over and over again.

After a while, eCommerce companies began to notice this pattern and started requiring police reports in order to process the refunds or replacements for expensive items. But cybercriminals are a resourceful bunch, so they began creating fake police reports.

How Refund Fraud Works

Refund fraud is done in a variety of different ways today. But there are a few main components that are part of every instance of refund fraud.

Account: First, a fraudster oftentimes needs an account to commit refund fraud with. A new account is more likely to be flagged as fraudulent by eCommerce companies than one which has been active for an extended period. Because of this, so-called “aged” accounts are preferred when conducting refund fraud.

One option is for a fraudster to use their own existing accounts. If they really want to make a living doing it, however, they are likely to create synthetic accounts that can be used over and over again and won’t be tied back to them. These incorporate real Personally Identifiable Information (PII) stolen or bought on the dark web to create an account that looks real. For example, a criminal could buy a child’s social security number (SSN) on the dark web. He could then add a name, adult date of birth, address, and phone number.

Routes to Monetization

Did not arrive: This is the most common method of committing refund fraud. The perpetrator will generally wait 2 business days after the delivery is made for the highest success rate. Doing so makes it seem “real.” They then contact the merchant and say the product never arrived. Part of the act is to seem very upset, and even say something like the item was a gift for a loved one. They then request a replacement or a refund and plead until it is granted.

Empty Box: In this method, the criminal receives the item, and then contacts the merchant and claims the item was not in the box. This method can be highly successful. If the attacker encounters a customer service representative who won't refund the item, they often will hang up and call customer service back as soon as possible before any note can be registered on the account. The refund will most likely go through after the second or third time. Persistence pays off.

Fake Tracking ID: This is when a fraudster is able to create a fake tracking number to prove to the merchant that the package didn't arrive. There are in-depth tutorials online to teach fraudsters how to create and use these. These can be very real-looking and difficult to detect.

How to Stop Refund Fraud

Unfortunately, refund fraud cannot be completely stopped as some will always slip through the cracks of even the most robust defenses. But merchants can work to mitigate it and make it almost negligible.

Use Data to Inform Policies and Procedures

Merchants are in possession of a lot of data. Are you fully utilizing it to your advantage? For example, do you know the BINs that are commonly used to commit fraud? Are you flagging prepaid debit and gift cards for closer inspection when used in conjunction with refunds? Approach the data objectively and let it give you answers. It’s not just about the amount of data, but parsing and analyzing it properly.
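One way a merchant could turn the questions above into a review queue, together with the repeat-call pattern described under Empty Box. This is an added example, not code from the original brief or from Arkose Labs; the record layout, the placeholder BINs, the 30-minute window and the thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed orders, placeholder BINs: (order_id, account, BIN, card_type, claim).
ORDERS = [
    ("o1", "alice", "000001", "credit", None),
    ("o2", "bob", "000001", "credit", None),
    ("o3", "carol", "000001", "credit", "not_arrived"),
    ("o4", "dave", "000002", "prepaid", "not_arrived"),
    ("o5", "dave", "000002", "prepaid", "empty_box"),
    ("o6", "erin", "000002", "prepaid", None),
]
# Constructed support-contact log: (account, timestamp).
CONTACTS = [("carol", datetime(2024, 1, 8, 9, 0))] + [
    ("dave", datetime(2024, 1, 8, 10, m)) for m in (0, 5, 12)]

def bin_claim_rates(orders, min_orders=3):
    """Refund-claim rate per BIN, skipping BINs with too few orders to judge."""
    total, claimed = Counter(), Counter()
    for _, _, bin6, _, claim in orders:
        total[bin6] += 1
        claimed[bin6] += claim is not None
    return {b: claimed[b] / n for b, n in total.items() if n >= min_orders}

def rapid_recontacts(contacts, window=timedelta(minutes=30), threshold=3):
    """Accounts with `threshold` or more support contacts inside one window."""
    by_acct = defaultdict(list)
    for acct, ts in contacts:
        by_acct[acct].append(ts)
    flagged = set()
    for acct, times in by_acct.items():
        times.sort()
        spans = zip(times, times[threshold - 1:])  # i-th and (i+threshold-1)-th
        if any(last - first <= window for first, last in spans):
            flagged.add(acct)
    return flagged

def review_queue(orders, contacts, bin_rate_limit=0.5):
    """Map each refund claim that trips a rule to the reasons it was flagged."""
    rates, recontact = bin_claim_rates(orders), rapid_recontacts(contacts)
    queue = {}
    for oid, acct, bin6, ctype, claim in orders:
        reasons = [label for hit, label in (
            (rates.get(bin6, 0) >= bin_rate_limit, "high-claim BIN"),
            (ctype in ("prepaid", "gift"), "prepaid/gift card"),
            (acct in recontact, "rapid repeat contacts")) if hit]
        if claim is not None and reasons:
            queue[oid] = reasons
    return queue
```

Calling `review_queue(ORDERS, CONTACTS)` on the sample data queues the two claims from the prepaid-card account and leaves the single credit-card claim alone; flagged claims go to closer inspection, not automatic denial.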

Threat Intel

Merchants need to choose wisely about where to get threat intelligence. Are those providing you with the information simply collecting it from publicly accessible criminal channels? If yes, then that's a problem because the data is probably years old. Meanwhile, criminals are using private, invite-only or pay-to-play channels to discuss, share, and develop new techniques, tactics, and targets.

Powerful threat intelligence is the backbone behind detecting not only refund fraud, but all types of fraud attacks. This means actively tracking known fraud operations, including visiting the channels where they communicate in order to learn about tools and techniques they use.

This can also mean going deep into their world, infiltrating dark web forums and monitoring communities on platforms such as Telegram.


There is no magic bullet when it comes to identifying and stopping refund fraud. Merchants must effectively combine data analysis with robust threat intelligence in order to gain deeper insight into how and when this fraud is committed, so it can be prevented. By doing this due diligence, merchants can limit how refund fraud impacts their business, save money, and improve their bottom line.

Authored By

Brett Johnson
Chief Criminal Officer, Arkose Labs
Kevin Gosschalk
Founder & CEO, Arkose Labs
