For online fraudsters who spend all year hiding behind masks, Halloween is just business as usual. Fraudsters who obtain stolen credit card details and hide behind makeshift email accounts are especially fond of digital goods, because of their high resale value and instantaneous over-the-web delivery. These goods, mainly digital gift cards, airline and event tickets tend to attract the most sophisticated and devious fraudsters.
Over the course of several years, Riskified reviewed millions of orders, including many instances of obvious and subtle fraud. Below, we lay out some of the most common ‘‘tricks” we’ve identified which fraudsters use to swindle retailers. These includes tips on shady order elements to look for, as well as methods used by fraud rings that our in-house tools were able to identify, and which we think merchants should be aware of as they track and review orders.
Phony Email Accounts
For physical goods, typical fraud detection techniques involve looking for matches in shipping and billing addresses, as well as AVS. But for digital goods, nothing is being shipped. In effect, the recipient email account is the delivery address. Fraudsters know this, and create email addresses designed to look like they belong to the credit card holder. The best way to see through this “trick” is to investigate the recipient email account and to research the actual domain: have you ever had an order from it before? Is it from a recognizable email domain? Fraudsters often use “disposable” domains to bolster anonymity, many of which are designed to look like the real thing.
Email accounts with a significant track record will usually appear as a search result in an online forum, a social profile, in a petition, or in a housing or school listing. And if you cannot trace the email account, you can turn to third party data sources like Emailage to find out how long an account has existed. The longer an account has been around for, the more likely you are to get a treat this Halloween.
Some fraudsters will go the extra mile and will actually create a social media profile to match their phony email, hoping it may help establish the legitimacy of the fake identity they have chosen. An easy way to uncover a fake identity across social media is to simply check the number of friends, connections, and followers. Hint – it will likely be a bit lacking.
Merchants routinely check the distance between the physical addresses (billing and shipping) and the location of the buyer as indicated by the IP address, so it’s not surprising that fraudsters try to disguise their physical location by using proxy servers. And with no shipping address, as in the case of digital goods, fraudsters know that using a sophisticated proxy is doubly important. A proximity between the person placing the order and the credit card billing address is a positive sign, and the only way to verify this proximity is by the IP address. Riskified uses proprietary technology to establish the actual computer/device location, in order to overcome sophisticated proxy servers that attempt to hide this location under a proxy IP address. Our highly complex proxy-detection algorithm pings shoppers through our storefront beacon to estimate whether fraudsters are using a proxy or not. When we believe digital gift card shoppers are hiding their actual IP address, it’s usually a good indication to tell them to go knock on someone else’s door.
There are inexperienced, generic fraudsters (think of them as the ones who dress up as pumpkins and ghosts) and then there are the really nasty ones. A few months ago, Riskified’s fraud detection tools picked up on an anomaly: a huge spike in orders of iTunes gift cards from customers over 60 years old. Unless Frank Sinatra just released a new single, something was very wrong.
It quickly became clear that we’d uncovered a huge fraud ring: all these customers reported being recently contacted by fraudsters posing as “technical support representatives.” After convincing the elderly to allow them remote desktop access, the fraudsters would comb the victim’s emails for credit card information. If they found it, they’d buy iTunes gift cards right on the remotely controlled computer, have them delivered to the victim’s email, and then forward the email to themselves.
This fraud scheme was particularly hard to detect because the orders were being sent to legitimate email accounts which matched the credit card information, without proxy use! There was no formulaic way to sniff this one out apart from noticing an aberration and following up. Fraudsters aren’t stupid, and will go to astonishing lengths to steal.
There is no magic formula for unmasking digital fraudsters. Turning away orders too aggressively will result in false declines, but legacy rules-based systems don’t adapt to increasingly sophisticated fraud techniques. A vigilant order review, both by advanced machine-learning models and human eyes, plus robust linking data, can go a long way toward keeping fraudsters at bay.