Online retailers targeted by refund fraudsters, report warns


Many of us have felt reassured to receive a refund at some point – but now cyber-conmen are increasingly offering bogus claims as a service to consumers in exchange for a cut.

With the cybercriminal underground becoming increasingly service-driven, many crooks have been setting up shops on dark web forums such as Nulled and Sinisterly, tempting previously legitimate customers to participate in a variety of ingenious scams at the expense of e-commerce retailers.

Evidence of this growing phenomenon came to light in December last year, when a man pleaded guilty to defrauding one retailer out of more than $300,000 over a three-year period. In this case, the perpetrator got greedy and careless, focusing all his refund scams on one victim – but many other bad actors in this space are far more careful, spreading their bets across multiple targets to better avoid detection.

An in-depth report into the growing trend by cyber analyst Netacea has identified several key scams operated by these gangs, many of which require collusion not only from customers but also from delivery service workers.

“A typically honest customer who suddenly decides to perform refund fraud is likely to be detected due to their inexperience,” said Netacea. “However, if that customer outsources to a professional refund fraud service, it will be perpetrated by skilled fraudsters.”

Once their services are engaged, these cyber-fraudsters-for-hire – who typically charge between 10% and 30% of the total refund value once the payment has been made – use the customer’s account details to pose as them in a targeted social engineering attack. This is aimed at persuading the retailer to issue a refund either for an ‘undelivered’ item that did in fact arrive, or for an article that will never actually be returned.

As an aside, there is no guarantee that the fraudsters won’t take the customer’s account details and use these against them later – either to extort them after they have colluded in the refund scam, or simply by selling them on to other cybercriminals.

“Refund fraudsters will use the customer’s account to engage with the store’s customer service representatives,” said Netacea. “Most require customers to remove any multi-factor authentication from their account to enable easy access.”

[Image: Refund fraud gang REKK offers services on the dark web] List of targeted stores put up on a dark web forum by one purveyor of refund fraud services, known as REKK

How it works

Netacea breaks refund fraud down into two main broad categories: “non-arrival fraud” and “return fraud.”

“Non-arrival methods are used by refund fraudsters to claim that the customer did not receive the items they purchased,” it said. “This entitles the customer to a refund whilst at the same time removing the obligation to return the item.”

Netacea distinguished two main methods by which this fraud is perpetrated. The first of these, where the customer and crook acting on their behalf simply claim the item did not arrive, grew in popularity during the COVID pandemic, when delivery workers frequently had to leave parcels at the door.

“Fraudsters will wait a few days after the delivery is made and initiate a refund [claim],” said Netacea. “This method works best when packages are left outside the delivery address without being signed for.”

Web-based ‘service request’ forms issued by refund fraudsters to collaborators ask whether this was the case during the initial legitimate delivery – a further sign of cybercriminals’ increased sophistication and their tendency to ape legitimate business practices.

“However, experienced refund fraudsters can still have success if an item is signed for, especially when a fake signature is used,” added Netacea. “In some cases, delivery drivers sign for the package themselves, making it easier for the refund fraudsters.”

Even if retailers have evidence that a package was delivered, for instance, through an electronic record of delivery, they will allow for the possibility that a parcel was stolen by requesting a police report confirming the theft of an item.

The cybercriminals behind this scam capitalize on this by filing a false report of theft with the police, who then issue a confirmation that the report was received. The crooks then submit this to the retailer as ‘proof’ that while the package was delivered, the recipient never received it. In other cases, the scammers simply forge a police report to send back to the hapless e-tailer.

Another form of non-arrival fraud entails pretending that though a package did arrive, not all of the ordered items were enclosed. This appears to be a popular method for light digital items such as mobile phones or smartwatches, because the difference in weight between a full and partly empty package in such cases is negligible – meaning the delivery center’s records of parcel weight cannot be used to disprove the fraudster’s bogus claim.

[Image: Dark web advert for package scanning fraud services] Another dark web listing, this one advertising parcel scanning tampering services using ‘insiders’ at delivery centers

An inside job

The second popular type of scam is the straightforward ‘returns fraud’ method, which entails claiming compensation for fake returns.

“These methods are used when the refund fraudster is claiming for reasons such as receiving a wrong or damaged item, and the store requires the original item to be returned,” said Netacea. “After committing returns fraud, the fraudster will argue that since they have returned the item, the store should process their refund.”

In this case the gangs use accomplices, insiders working for parcel-delivery centers who are paid to tamper with return postage labels so packages full of junk or even empty ones are returned instead – often with all data connecting them to the customer erased. Prices for such ‘services’ are usually capped at just under £50 ($55) per parcel on the dark web, Netacea found.

“This is intended to cause the return center to throw out the junk package and prevent them from tying it to the customer,” it said. “At the same time, delivery tracking will show the package as having been delivered, entitling the customer to their refund.”

Other inside accomplices working at delivery centers help the cyber gangs offer ‘scanning services’ to customers, altering parcel tracking data to make it look like packages have been lost in transit, damaged, or returned to sender, when in fact they have been delivered to the intended recipient.

These somewhat more high-tech services can cost the client a bit more – starting from £25 but topping out at around £150. And for those seeking to scale up their e-commerce fraud collaboration, cyber-crooks offer access to delivery center accounts for anywhere between £100 and £750.

“Our research suggests that these accounts may be being taken over through credential stuffing, using tools such as OpenBullet,” said Netacea. “Once access to an account is obtained, many sellers will create multiple sub-accounts to be resold under that account.”

It adds that most gangs defrauding online retailers prefer to use insiders at delivery centers as these “lend weight to their social engineering attempts.”

“For example, a scanning service can make it look like a package was refused and returned to the store by combining a RTS [return to sender] or damaged scan with a delivery scan, using the store’s address and a fake signature,” said Netacea. “This strengthens the fraudster’s case for a refund to be provided for their customer.”
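The signals described above and earlier in the piece (multi-factor authentication removed from the account shortly before a claim, a ‘not received’ claim filed a few days after an unsigned delivered scan, and an RTS or damaged scan sitting next to a delivered scan on the same parcel) can be turned into a first-pass triage check on the retailer’s side. The Python below is an added example written for this article, not code from Netacea or its report; the record layout, the flag names, the time windows and the weights are assumptions, and the three sample claims are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


# Assumed record shapes: what a retailer's back office might hold for an
# account, a parcel's tracking history and a refund claim. Not a real schema.
@dataclass
class Account:
    account_id: str
    mfa_enabled: bool
    mfa_disabled_at: Optional[datetime] = None  # None if MFA was never switched off


@dataclass
class TrackingEvent:
    at: datetime
    status: str                      # "in_transit", "delivered", "rts", "damaged"
    signed_by: Optional[str] = None  # None when the parcel was left unsigned


@dataclass
class RefundClaim:
    claim_id: str
    account: Account
    reason: str                      # "not_received", "partial_contents", "returned_item"
    filed_at: datetime
    events: list[TrackingEvent] = field(default_factory=list)


# Hypothetical weights: a starting point to tune against real claim history.
FLAG_WEIGHTS = {
    "mfa_removed_before_claim": 3,
    "not_received_days_after_delivered_scan": 2,
    "unsigned_delivery": 1,
    "delivered_and_rts_or_damaged_scan": 3,
}


def claim_flags(claim: RefundClaim) -> list[str]:
    """Return the risk flags raised by a single refund claim, in a fixed order."""
    flags: list[str] = []
    acct = claim.account

    # Signal 1: refund services ask the customer to remove MFA so the
    # fraudster can log in as them; MFA dropped within 14 days of the claim.
    if (not acct.mfa_enabled and acct.mfa_disabled_at is not None
            and timedelta(0) <= claim.filed_at - acct.mfa_disabled_at <= timedelta(days=14)):
        flags.append("mfa_removed_before_claim")

    # Signal 2: "not received" filed a few days after a delivered scan, and
    # the delivery was never signed for.
    delivered = [e for e in claim.events if e.status == "delivered"]
    if claim.reason == "not_received" and delivered:
        gap = claim.filed_at - max(e.at for e in delivered)
        if timedelta(days=1) <= gap <= timedelta(days=7):
            flags.append("not_received_days_after_delivered_scan")
        if any(e.signed_by is None for e in delivered):
            flags.append("unsigned_delivery")

    # Signal 3: contradictory scans on one parcel, as produced by a
    # tampered "scanning service": RTS or damaged alongside delivered.
    statuses = {e.status for e in claim.events}
    if "delivered" in statuses and statuses & {"rts", "damaged"}:
        flags.append("delivered_and_rts_or_damaged_scan")
    return flags


def risk_score(claim: RefundClaim) -> int:
    """Weighted sum of the flags; unknown flags count 1."""
    return sum(FLAG_WEIGHTS.get(f, 1) for f in claim_flags(claim))


def sample_claims() -> dict[str, RefundClaim]:
    """Constructed sample claims (not from the report) for trying the check."""
    t0 = datetime(2023, 3, 1, 10, 0)
    outsourced = RefundClaim(
        "C-1", Account("A-1", mfa_enabled=False, mfa_disabled_at=t0 - timedelta(days=2)),
        "not_received", t0 + timedelta(days=3),
        [TrackingEvent(t0 - timedelta(days=1), "in_transit"),
         TrackingEvent(t0, "delivered", signed_by=None)])
    scanned_return = RefundClaim(
        "C-2", Account("A-2", mfa_enabled=True),
        "returned_item", t0 + timedelta(days=3),
        [TrackingEvent(t0, "rts"),
         TrackingEvent(t0 + timedelta(days=2), "delivered", signed_by="store")])
    ordinary = RefundClaim(
        "C-3", Account("A-3", mfa_enabled=True),
        "not_received", t0 + timedelta(days=10),
        [TrackingEvent(t0, "in_transit")])
    return {"outsourced": outsourced, "scanned_return": scanned_return, "ordinary": ordinary}


if __name__ == "__main__":
    for name, claim in sample_claims().items():
        print(f"{name}: score={risk_score(claim)} flags={claim_flags(claim)}")
```

None of these flags is proof on its own: an honest customer may well turn off MFA or receive an unsigned parcel. The point is to route high-scoring claims to a human review queue, where the delivery record and any police report can be looked at together, rather than to auto-deny.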

[Image: Notice from a dark web forum moderator at the bottom of the screen] Warning from a dark web forum moderator that cybercriminals who use customer data against their clients will be banned

The ‘decent’ criminal

So established has this nefarious business become that dark web forum moderators also appear to be taking action to deter crooks from turning on their own clients, with extortion and the like strongly discouraged.

“Blackmailing or extorting customers or using their information as a weapon would result in a permanent ban,” reads one disclaimer on Nulled, in yet further evidence of cybercriminals’ growing tendency to adopt airs of pseudo-legitimacy online.

However, Nulled qualifies that by adding: “This is only allowed if a scam report is made and won by the refunder or after consulting with staff [sic] members before taking action.” Presumably, this refers to customers who try to turn the tables on scammers by reporting them.

Despite such attempts by dark web moderators to reassure the wary and enforce some kind of best-practice guidelines among cybercriminals, Netacea stresses that most of the risk is nevertheless borne by the customers enticed into cooperating with organized online gangs.

“This is a relatively low-risk monetisation model for the refund fraudster, as the refund is not requested from an account held by them,” it said. “With decent operational security in place, there is little to link them to the fraud. Conversely, the customer outsourcing the fraud bears not only the risk of a failed refund, but also of providing personal information to the refund fraud service.”

Netacea points out that other kinds of scam artists are also trying to muscle in on the action, stealing customer account details originally intended for their ‘fellow’ crooks. “Scam artists also take advantage of the interest in refund fraud by creating lookalike profiles for prominent refund fraudsters to steal personal information or money from their customers,” it said.

To help mitigate the threat to their business interests, Netacea suggests that online retailers make a habit of rebilling customers as soon as any refund claim is found to be fraudulent.

“Not only does the e-commerce store recover some of its losses, but it serves to reduce the reputation of the refund fraud service,” it said. “Reputation is power in the underground market. An influx of rebill complaints from customers may cause the refund fraud service to drop the retailer from their store list, to avoid negative reviews.”