While Hollywood may have us believe fraudsters work alone in their mother’s basement, the reality is they are experts at finding each other, connecting for mutual gain and forming international alliances. They work together to pull off elaborate heists while continuing to siphon funds and products from legitimate ecommerce businesses on a regular basis.
Welcome to Scamville, Romania
Consider the town of Ramnicu Valcea in Romania, dubbed “Scamville” as a result of more than 100 known cyber-gangs nestled in a population of only 120,000. Well-known ring leader Nicusor Popescu, appropriately nicknamed “The Dom” for his expensive taste in champagne, has been described by prosecutors as “self-controlled, intelligent and charismatic.” He’s one of many young men who spawned a movement out of sheer boredom and the wisdom to capitalize on the gullibility of humans drawn in by too-good-to-be-true offers and identity cons. One successful fraudster managed to scam data from 3 million eBay users by convincing an IT employee he was an eBay staff member who forgot his password.
Understanding freight forwarding for online fraud
The simple yet effective scheme uses two different fraudsters to pull off the crime, “Operators” and “Stuffers.” Operators create fake reshipping websites designed to look like legitimate freight forwarding companies and recruit work-from-home employees whose sole job it is to receive and reship packages on their behalf. Operators then market these reshipping ‘mules’, also called parcel mules or ‘drops’ among fraudsters, to Stuffers who own the stolen credit cards and need a place to ship their goods that won’t raise concern from the ecommerce business from which they’re ordering (stealing). Operators and Stuffers typically split the profit on a fraudulent order while the mule gets nothing.
Here’s how this scheme normally works:
1. Operator recruits mules or ‘drops’ who almost always work from home
2. Operator advertises their mules’ services to Stuffers
3. Stuffer rents a mule (i.e. an unsuspicious shipping address) and makes an online purchase using stolen credit card information that is shipped to the mule’s address
4. Mule repackages the item and ships it abroad to the Stuffer’s address
5. Operator and Stuffer split profits from fraudulent order
6. After 30 days, the mule is fired by the Operator, often without ever getting paid
Fraudsters can’t ship the goods they’ve procured with stolen credit card details to themselves for fear of being tracked and caught by authorities or being blacklisted by merchants who will cancel their orders. They need to route the stolen goods to make the order look legitimate.
Shipping mules rarely realize they’re breaking the law, even though they are unwittingly committing mail fraud. While they could face felony charges, they are almost always spared prosecution. Operators play upon the desires of those who want to work from home with an enticing offer of $2,500 or more per month plus the cost of shipping fees. In reality, mules never see payment for their work, thereby proving the offer was simply too good to be true.
Fraudsters churn through mules at a rate too fast for investigators to identify them for prosecution. With shipping mules blissfully unaware of their crime and no valid connection to their operator, fraudsters rest assured knowing they will neither be identified by authorities nor flagged by merchants from whom they can continue stealing goods.
Breaking the chain
Over the course of a month, shipping mules can receive dozens and even hundreds of packages. By paying attention to key commonalities among each branch of this crime syndicate, merchants can avoid becoming another victim in this fraud scheme. For example, according to a research project undertaken by security professionals, a vast majority of Stuffers tend to operate in and around Moscow. While fraudsters in countries like Indonesia or Pakistan may also use a mule in the United States, approximately 90% of Stuffers studied had mules based in the US who were shipping their packages to Russia. These fraudsters generally use a credit card from the UK, Canada or the US and make purchases under the cardholder’s name or a false alias instead of the mule’s. This keeps them off the grid of the credit card issuer’s internal fraud prevention system that scans for name and number mismatches.
Are you shipping to a “mule” state?
Data shows that certain states have higher percentages of reshipping mules than others. For example, Georgia and Nevada have a much higher rate than California. However, no state is estimated to have a greater than 0.01% chance of its population being currently engaged in a work-from-home scam. Because of this low percentage, it would be difficult for merchants to pick out any state in particular as having more shipping mules than others.
Key tips and identifiers to avoid shipping scams
Now that you know what a mule is and who they typically are, how can you prevent yourself from shipping to them? Here are some key identifiers and tips to guide you.
1. Order Velocity
Fraudsters look to max out shipping mules before cutting them loose after 30 days. That means sending them as many packages as possible to reship. Most merchants either keep records or have an instinct about how frequently their average customer places an order. If a merchant notices that one address in particular is suddenly ordering far more packages than average, consider it a major red flag.
2. Neighborhood/Cost of goods mismatch
Fraudsters prey on innocent job seekers desperate for work-from-home employment, who usually reside in lower-income communities. If you sell items with a high resale value and you notice a $20,000 order being sent to a low-income area, it behooves you to scrutinize the order further.
3. Card Name / Delivery address mismatch
Nowadays it’s nearly impossible to carry on a normal life without leaving some type of digital or government trace. Even roommates sharing an apartment with one name on the lease could provide a history at the residence through post office records or a utility bill. Whatever the circumstance may be, it should be fairly commonplace to match a cardholder correctly with a delivery address. If no evidence can be found, follow up with a phone call.
Once a merchant connects to the alleged cardholder, he or she should ask a series of specific questions only the cardholder would know. Many fraudsters employ criminal phone banks to impersonate cardholders so shipping mules never get called. Skilled in the art of impersonation, these phone fraudsters will be ready with details to back up their phony identity, so ask for names of local parks or schools in the area of the delivery, since they will likely be based in a separate location. If the alleged cardholder cannot provide these answers, sound the alarm.
Not all mismatches are bad
As much as we encourage you to review billing and shipping address discrepancies, occasions do exist where these mismatches do not equal fraud.
1. Just moved
One of the most common reasons for a mismatch in billing and shipping addresses occurs when a cardholder relocates to a new neighborhood. This type of information is easily verifiable through utility bills, change-of-address requests from the post office, or local, geographic references. Many cities require residents to update their driver’s license or state ID within days of moving in. Sites like Trulia and Zillow offer public information about residential home sales and neighborhoods throughout the country. Don’t be shy about following up on a mismatch to ensure the quality of an order. Legitimate buyers will appreciate you going the extra mile.
2. Gift for a friend
With the holiday season around the corner, expect a spike in gift-for-friend scenarios, with a majority of those orders showing a billing and shipping address mismatch. Social media can serve as a speedy tool to help verify connections and confirm geographic locations. If the search on the cardholder turns up empty, try a search for the same information on the recipient. If you still can’t validate the transaction, it may be time to decline.
Perhaps someone needs to impress a client at the last minute or wants to surprise his or her significant other with a piece of jewelry. Many consumers will ship personal orders to their place of business or vacation spot. The situation itself could be completely valid, but since you are trained to identify potential fraud, you need to follow up. Double-check that office addresses match a legitimate business and request a “care of” contact for shipping, such as a hotel where the recipient is staying. Then employ the tactics previously discussed to follow up.
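The velocity and mismatch checks described above can be combined into a simple order screen. This is an added example, not part of the original article; the field names, the sample orders and the thresholds (more than three orders to one address in 30 days, a $1,000 high-value cutoff) are assumptions to tune against your own order history.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds, not taken from the article: tune to your own order history.
WINDOW = timedelta(days=30)   # the article says mules are dropped after 30 days
MAX_ORDERS = 3                # assumed ceiling for one address within WINDOW
HIGH_VALUE = 1000.00          # assumed cutoff for "high resale value" (USD)

def norm_addr(addr):
    """Lower-case and strip punctuation so variants of one address group together."""
    return " ".join("".join(c if c.isalnum() else " " for c in addr.lower()).split())

def screen_orders(orders):
    """Return {order_id: [reasons]} for orders that merit manual review."""
    by_addr = defaultdict(list)
    for o in orders:
        by_addr[norm_addr(o["ship_addr"])].append(o)
    flagged = {}
    for group in by_addr.values():
        group.sort(key=lambda o: o["placed"])
        for i, o in enumerate(group):
            reasons = []
            # Tip 1: count orders to this address in the 30 days ending at this order.
            recent = [p for p in group[:i + 1] if o["placed"] - p["placed"] <= WINDOW]
            if len(recent) > MAX_ORDERS:
                reasons.append("velocity")
            # Tip 3: billing vs. delivery address; high value counts only with a mismatch.
            mismatch = norm_addr(o["bill_addr"]) != norm_addr(o["ship_addr"])
            if mismatch:
                reasons.append("bill_ship_mismatch")
            if mismatch and o["total"] >= HIGH_VALUE:
                reasons.append("high_value")
            # A lone mismatch is common (gifts, recent moves), so it is not flagged.
            if reasons and reasons != ["bill_ship_mismatch"]:
                flagged[o["id"]] = reasons
    return flagged

# Constructed sample orders (not real data): id, day offset, ship-to, bill-to, total.
ROWS = [
    ("A1", 0, "12 Oak St., Reno NV", "9 High Rd, Leeds UK", 250.0),
    ("A2", 3, "12 oak st reno nv", "4 King St, Toronto CA", 300.0),
    ("A3", 5, "12 Oak St Reno, NV", "7 Elm Ave, Austin TX", 1800.0),
    ("A4", 9, "12 OAK ST, RENO NV", "2 Bay Rd, Bristol UK", 400.0),
    ("B1", 2, "5 Pine Ln, Fresno CA", "5 Pine Ln, Fresno CA", 2500.0),
    ("C1", 4, "8 Lake Dr, Macon GA", "3 Hill St, Macon GA", 60.0),
]
SAMPLE = [{"id": i, "placed": datetime(2024, 1, 1) + timedelta(days=d),
           "ship_addr": s, "bill_addr": b, "total": t} for i, d, s, b, t in ROWS]
```

Calling screen_orders(SAMPLE) flags A3 (mismatch on a high-value order) and A4 (fourth order to the same address within the window), while the matching high-value order B1 and the small gift-style order C1 pass.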
Trust your gut
Once a merchant has processed the fraudulent transaction and shipped the package, the likelihood of recouping the loss drops close to zero. Differentiating between billing and shipping mismatches stemming from fraud versus legitimate errors remains a serious challenge for merchants; the chargeback a necessary burden. The best way to avoid the clutches of online criminals is to remain vigilant in prevention.
By identifying orders that clearly have the marks of a foreign-bought freight forwarding scheme and canceling them, merchants can reduce the number of chargebacks they incur and help stop online crime. For example, be cautious if you see an order containing several high-end goods purchased from a Russian IP address with a billing/shipping mismatch, especially if the shipping address is a personal US address using a non-Russian name.
A defining characteristic for the cyber gangs of Scamville in Romania is the high-end nature of goods they market, like cars, boats and jewelry. As most merchants know, jewelry, consumer electronics and big-ticket items are prone to more fraud through such schemes. Because of import fees and markups, laptops and cameras can be much more expensive in Russia and parts of Eastern Europe than in the United States or Western Europe. This creates a large incentive for fraudsters to undercut their local competition by offering these stolen goods at surprisingly low prices.
Be aware of your delivery addresses, and if something seems off trust your intuition and don’t ignore it. Mismatches often lead to mules. Now that you know what to look for you can do something about it.
Cybercriminals run a business, so it’s important to recognize you’re not dealing with just one individual. Working more like a hive, fraudsters comprise an intricate network of workers linked to a corrupt black market for stolen data like credit cards and shipping information. Many fraud prevention companies use technology to identify fraudulent transactions and provide scores and recommendations. Signifyd takes things one step further with real-time machine learning and a 100% financial guarantee against fraud and chargebacks. With Signifyd you can accept more orders from anywhere without the fear of fraud. Guaranteed.