In the world of CNP fraud, every day is Halloween. Excluding exposed fraud, which is fairly uncommon, perpetrators of online fraud go to great lengths to conceal their identity and location in an attempt to fool eCommerce merchants. In this post, we provide an overview of the various techniques and methods employed by fraudsters to disguise themselves and give some pointers on how to identify these tricks for what they are.
The most basic of ‘disguises’ used by fraudsters to avoid getting caught are fake names. To make a fraudulent transaction appear legitimate, fraudsters employ the following methods:
- Providing the same fake name in both the billing and shipping addresses.
- Providing the true cardholder’s name in the billing address and a name of a fake family member (same surname as the cardholder) in the shipping address.
Unmasking the fraudster:
If the customer name provided is unique (e.g. Shalhevet Zohar), a simple online search of the full name with or without the shipping city should help you understand if there really is a person by this name. Search results may include a social media profile, a phone book listing, or even a university record.
If there are no search results for a unique customer name, it might be a fake name. A generic customer name like John Smith poses a bigger challenge, as you will always have search results. In such cases the customer name is a neutral indicator, and you should examine other data points to help determine the legitimacy of the transaction.
As a second layer of disguise, perpetrators of fraud sometimes invest time in creating a social profile under the same fake name they provided when placing the order. Supposedly, they hope the existence of a social media profile under this name will help establish the legitimacy of the fake identity they have chosen.
Seeing through the disguise:
A simple way to uncover the fact that a social profile is “fishy” or newly created is checking the number of friends, connections, and followers. Hint – it will usually be very close to zero. A social media profile with many connections, and especially one that “matches” the story – e.g. the listed hometown, employer, and/or other details match those provided in the order – is a good sign. If the profile has a few dozen connections and you’re unsure whether it is fake or real, search for a ‘friend’ or ‘follower’ who is a family member of the profile owner (has the same surname). If the profile of this family member appears to be legitimate and has many friends and connections, this bodes well for your customer. People will usually not accept a random friend request from someone they don’t know who merely happens to share their last name.
Anonymous Phone Numbers
In many cases, customers need to provide a phone number when placing an order online. Naturally, those committing fraud want to avoid being caught, and so will seek phones that aren’t tied to a real identity. This includes VoIP services such as Skype, where a user can purchase a phone number with a country and area code of their choice. In these cases, the call is actually carried over the Internet infrastructure rather than via a mobile or landline carrier. Fraudsters are also very fond of ‘disposable’ phones (colloquially known as “burners”). These are either prepaid SIM cards or an app that allows you to purchase a specific number and have calls made to that number routed to your phone.
Identifying the trick:
Anonymous or disposable phone numbers are not so easy to identify. That being said, there are several data sources that can be useful for validating phone numbers. One commonly used service is White Pages – where you can search for a phone number and find the name or address that’s linked to it. In most cases, White Pages will also indicate whether the number is a landline phone (which is safer), a mobile phone, or a VoIP phone (highest risk of fraud). You can also try googling the phone number.
Opening a new email account from which to place fraudulent orders online is a common fraud method of operation (MO). In the same manner that someone committing fraud does not want to provide their real name and location, they also do not use their real personal or work email accounts to make fraudulent purchases. Fraudsters also understand that once a chargeback is incurred for a transaction made via a specific email, that email address will most likely be flagged for fraud by the merchant. The email accounts used for placing fraudulent orders will usually be created via services such as gmail or Yahoo, which can be used by everyone and are free of charge. When dealing with less sophisticated fraudsters, the email username will not match the other names in the transaction (the buyer and recipient names).
Unmasking the fraudster:
A strong indication that an email address may be connected to fraud is if it is a disposable email account. Disposable email services are used by fraudsters as a means of saving time (as they do not require validating the account). Often, no password is required to access the email account, and simply having the email address is sufficient. It’s hard to think of a legitimate use case for these email services. The email username can also tip you off. For example, the user name “i love money” in this address – email@example.com – should raise a red flag. Another way to validate the legitimacy of an email address is figuring out how long it has been in use and whether it has been used for legitimate purposes. Email accounts that have been in use by legitimate customers for more than a month will usually show up in an online forum, be connected to a social profile, appear in a petition, or in a housing or school listing. If you cannot find any previous mentions of the email address anywhere on the web – that isn’t great. In this case, you may want to utilize a tool or service that helps estimate the ‘age’ of an email address. Generally speaking, the ‘older’ an email account is, the safer it is.
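The two email checks described above (disposable domain, username that matches none of the names in the order) can be screened automatically. The following is an added example, not Riskified's code; the domain list, the `.example` addresses and the function names are constructed for illustration.

```python
import re

# Constructed placeholder entries; a real deployment would load a maintained list.
DISPOSABLE_DOMAINS = {"disposable.example", "tempmail.example"}

def name_tokens(*names):
    """Lower-case alphabetic tokens (3+ letters) from the buyer and recipient names."""
    tokens = set()
    for name in names:
        tokens.update(t for t in re.findall(r"[a-z]+", name.lower()) if len(t) >= 3)
    return tokens

def email_signals(email, buyer_name, recipient_name):
    """Return the email-related risk signals for one order, in a fixed order."""
    local, _, domain = email.strip().lower().rpartition("@")
    if not local or not domain:
        return ["malformed_email"]
    signals = []
    if domain in DISPOSABLE_DOMAINS:
        signals.append("disposable_domain")
    # Drop digits and separators so "shalhevet.zohar88" compares as "shalhevetzohar".
    letters = re.sub(r"[^a-z]", "", local)
    # A first name or surname anywhere in the username counts as a match,
    # which also covers initial+surname forms such as "jsmith".
    if not any(token in letters for token in name_tokens(buyer_name, recipient_name)):
        signals.append("username_name_mismatch")
    return signals

if __name__ == "__main__":
    # Constructed sample orders.
    print(email_signals("shalhevet.zohar88@mail.example", "Shalhevet Zohar", "Shalhevet Zohar"))
    print(email_signals("ilovemoney@disposable.example", "John Smith", "Jane Smith"))
```

A mismatch on its own is a weak signal, since many legitimate customers use addresses unrelated to their name; treat it as one input alongside the other data points in the order.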
Even low-level fraudsters know that as part of their fraud prevention measures, merchants check the distance between the physical addresses (billing and shipping) and the location of the buyer as indicated by the IP address. In an attempt to ‘fool’ these filters and go undetected, fraudsters will connect to the Internet via proxy servers – usually through a service that assigns them with an IP address different to the true location of the computer from which the order is being placed. Usually, someone committing fraud will try to use a proxy server that is in a country or state that matches the billing address. For example, a Canadian fraudster who is making a purchase with a credit card issued in France will search for a French proxy connection, so that when the merchant’s systems compare the buyer’s IP address to the billing address, it will seem as though the cardholder connected to the Web from home or at least from their country of residence to place the order.
How to see through the disguise:
Identifying proxy usage requires a technical solution. Different proxy servers have different “tells”, which is why Riskified has developed a multilayered system to detect proxy connections, and this is one of multiple fraud detection technologies included in our full-stack solution. However, there are many standalone tools that you can integrate into your systems, which provide a “proxy score” – an estimate of how likely it is that a certain IP address is in fact a proxy.
Reshippers & Package Rerouting
Another way in which fraudsters try to conceal their location is providing a shipping address that cannot be linked to them. To avoid the package arriving at their own homes, fraudsters may have the item sent to a foreclosed house from which they can easily pick it up later, or use a UPS store as a ‘drop point’. Reshippers, also known as package or freight forwarding centers, are a service that forwards packages onward to their final destination. The customer provides the address of the reshipper in the order details, and has the item shipped to their home. It’s easy to understand why this option is attractive to fraudsters. Similarly to a proxy connection, using a reshipper means that the merchant never learns the buyer’s true location. Package rerouting is yet another fraud MO used for this purpose. The fraudster provides the cardholder’s real address when placing the order, which helps ensure the order gets approved – as it seems more legitimate. Once the order has been authorized and approved, the fraudster contacts the merchant and asks to change the shipping address or reroutes the package via services such as UPS My Choice – sometimes even without the knowledge of the merchant!
Identifying the trick:
There is no easy way to identify package rerouting before it occurs, as the original shipping address will seem legitimate. However, we strongly advise that merchants instruct their shipping partners to inform them if the recipient asks to change the shipping address, and to block services that allow customers to update the shipping address without the merchant’s knowledge. Reshipping services, however, are much easier to identify. Even a simple online search may suffice to validate suspicions that the address or phone number provided in the order belongs to a package forwarding center. In addition, reshipper addresses often include many letters and numbers. The number and letter sequence included in the address is the package identifier, which the end-customer can use to track the package delivery status. It’s important to note that especially in international orders, reshippers are commonly used by legitimate consumers.
Consumer Fraud (‘Liar Buyer’)
In effect, this type of fraud is the best disguise of all. Remember when you were too old for regular children’s costumes, and thought it was cool to ironically “dress up as yourself”? This is essentially what’s so powerful about consumer fraud. These are cases where the customer places an order, receives the item, and then disputes the charge to their card and files a chargeback. In some cases, this happens when a consumer doesn’t recognize the charge on their credit card bill and fails to realize it’s a transaction they indeed carried out. In other cases, it is a blatant lie. What makes this the “perfect crime” is that for a fraud prevention system or analyst, everything about the order seems totally legitimate – because it is. It doesn’t seem like unauthorized card usage because it isn’t.
Unmasking the fraudster:
While there is no perfect way to identify this type of fraud before it takes place, merchants can work to ensure they don’t get “hit” by the same consumer again. Linking data across orders will help you quickly realize if the same customer who previously committed fraud places another order on your site. In addition, it might be worth disputing these chargebacks. Just be sure to collect the ‘evidence’ (e.g. proof of shipping, shipping documents signed by the customers, etc.). The MRC’s 2015 Global Fraud Survey found that, on average, merchants disputed 56% of chargebacks incurred and reported victory in 64% of the cases.
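One way to implement the cross-order linking described above, as an added example rather than Riskified's code: identifiers from orders that ended in a chargeback are normalised and indexed, and each new order is checked against that index. The field names, the normalisation rules (dropping "+tag" suffixes, comparing the last 10 phone digits) and the sample orders are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

def norm_email(email):
    local, _, domain = email.strip().lower().rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"      # drop "+tag" sub-addressing

def norm_phone(phone):
    return re.sub(r"\D", "", phone)[-10:]            # assumption: compare last 10 digits

def norm_address(addr):
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()

def link_keys(order):
    """Normalised (kind, value) identifiers for an order; blank fields are skipped."""
    raw = {
        "email": norm_email(order.get("email", "")),
        "phone": norm_phone(order.get("phone", "")),
        "ship": norm_address(order.get("shipping_address", "")),
    }
    return {(kind, value) for kind, value in raw.items() if value.strip("@")}

class ChargebackIndex:
    def __init__(self):
        self._seen = defaultdict(set)   # identifier -> ids of orders charged back

    def record_chargeback(self, order):
        for key in link_keys(order):
            self._seen[key].add(order["id"])

    def links(self, order):
        """Map each matching identifier kind to the prior chargeback order ids."""
        hits = {}
        for kind, value in link_keys(order):
            if (kind, value) in self._seen:
                hits[kind] = sorted(self._seen[(kind, value)])
        return hits

# Constructed sample orders: same person, cosmetically different details.
PRIOR = {"id": "A100", "email": "Pat.Doe+shop@mail.example",
         "phone": "+1 (555) 010-0199", "shipping_address": "12 Elm St., Apt 4"}
NEW = {"id": "A207", "email": "pat.doe@mail.example",
       "phone": "555-010-0142", "shipping_address": "12 elm st apt 4"}

if __name__ == "__main__":
    index = ChargebackIndex()
    index.record_chargeback(PRIOR)
    print(index.links(NEW))
```

A link on a shared shipping address alone can be a household or a reshipper rather than the same buyer, so review which identifier matched before acting on it.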
Have you seen any of these fraudster “disguises” before? Do you have other tips or best practices for identifying fraud MOs? If you’ve seen other interesting fraud methods of operations we’d love to hear your story. Leave a comment below or contact us at firstname.lastname@example.org.