Anonymity is a fraudster’s best disguise. Fraudsters need to blend in with good consumers to ensure their orders get approved and shipped to them. If an order looks out of the ordinary, it has a higher chance of getting declined or at least being held up for review. So fraudsters try to make their orders look as normal, if not better, than your other orders. Part of seeming normal can include providing a valid phone number with their order.
There’s a common misconception that fraudsters will not answer the phone or refrain from answering emails for fear of getting caught. However, most fraudsters know that because they’re impersonating the name on a stolen credit card, or using an entirely bogus name, there’s little to no chance of getting caught if they answer a phone call from a merchant.
But what phone do they use when they answer merchant calls? Fraudsters are unlikely to conduct criminal activity on their Family & Friends plan, as the billing from their carrier would lead law enforcement back to them. So a fraudster needs a number that can’t be traced back to them in any manner and one that shares no history with them.
Burner phones and numbers
Burner phones are traditionally defined as phones that are used for a single purpose and then disposed of. Since the rise of cell phones, burner phones have typically taken the form of inexpensive, prepaid phone lines. Phones that can be purchased in cash anonymously from a store for as little as $20 – $30 have provided criminals with phone numbers that can’t be traced to any account or personal profile.
To minimize effort, fraudsters normally purchase a large number of burner phones at the same time, using these numbers on hundreds (if not thousands) of orders before they get recognized by merchants and added their number gets deny listed. It would behoove fraudsters to use stolen credit card details to purchase these in the first place so there’s really no trace leading back to them from these phones.
But physical phones seem antiquated for today’s sophisticated cybercriminal. What fraudsters really need are burner numbers. Burner numbers allow fraudsters to use the same device or software to cycle through a large set of numbers easily. Apps such as Burner, Hushed or CoverMe are available on iOS and Android making it that much easier for fraudsters to communicate with merchants with almost no traceable records.
Porting phone numbers
Most of us are familiar with the practice of “porting” a phone number from one provider to another when you changes contracts. While consumers regularly port numbers legitimately, fraudsters have been using porting to gain access to a consumer’s phone number, their credit card details and their personal information tied to their carrier account.
‘Port’ fraud is conducted by calling a victim and pretending to be an authoritative organization, such as a bank or a government organization. Fraudsters will attempt to get personal information such as social security numbers, birthdays, and other pieces of information from the victim. The fraudster will then call the victim’s mobile phone provider and request that their phone line be ported over to their device.
Beyond securing the victim’s phone number, fraudsters can leverage the newly acquired phone number to access the victim’s bank accounts by responding to SMS verification messages sent by the bank to that number. This allows a fraudster to drain a victim’s bank account while using their phone number for online credit card fraud. Since ported phone numbers have a rich and valid history they can often mislead a merchant to conclude the order is valid since the number and cardholder share a strong link.
Since cell phone carriers allow us to port our numbers, we’re all more likely to keeping our cell phone number longer. In fact, we’re more likely to keep the same number for years and even decades now. Thus, a quick and simple Google search on almost any phone number will reveal records on where that phone was used, such as college sign up sheets, address locations or links to work.
But a burner phone is inferior in this regard, offering little to history at all. While this protects a fraudster’s identity it also reveals the likelihood of the burner phone number being used for fraudulent purposes. However, currently there is no certified method for confirming if a number is a ‘burner number’ because it’s impossible to predict how long a legitimate user will hold on to a particular phone number. A merchant can at best make an educated guess if a particular number is a burner line or not.
Fraudsters are incredibly confident criminals so you should always assume they will answer your call. It’s in their best interest to do so as they want you to trust them and send their order to them as soon as possible. In fact, they’d be happy for you to upsell them for additional items since they’re not paying for any of it. So be fully prepared before you a make the call to confirm your customer’s identity and verify their order.
Spending a little time researching the information available to you can help you be far more successful in verifying customer identities. If the phone number provided has no history, be wary. Remember most consumers keep their line for years and this will cause some evidence of their identity to be linked to their number via a simple Google search. You need to find a genuine link between the phone number, the cardholder and their order.
Since you want to confirm an identity it may seem appropriate to ask for details you’ve already captured, like the spelling of the cardholder’s name, their zip code or address, or the item(s) they’ve ordered. But sophisticated fraudsters can have this information ready and available as they’re anticipating your call. So why not ask for the wrong information?
A common practice used by savvy risk analysts is to ask a customer (or fraudster) to confirm the wrong information. For example, confirming the shipping address with a few incorrect details, like the wrong street number of a similar sounding street. This changes the dynamics of the conversation as a legitimate customer will be quick to correct the incorrect address for their shipment. However, given the number of calls a fraudster has to answer (especially if they order high priced items) they’re more than likely in a hurry to confirm the requested details. So they’ll likely agree with whatever information you provide to get their order confirmed.
Unless they’re excellent at leveraging a few identities with tremendous success, fraudsters need to use thousands of identities and are thus often dealing with dozens of credit cards and orders at the same time. Thus, while it may seem like asking them for their identification details (driver’s license number, state, etc.) would cause them to panic or “fumble” the conversation, keep in mind some fraudsters have been doing this a long time and with great success. Thus, they have methods for “buying time” with you on the phone while they look up the details you’re requesting. So you’re better served asking the customer for something they would’ve committed to memory like their address or even the color of the item they’ve purchased. But you’ll likely determine who is and isn’t genuine if you suggest the wrong address or color first.
Over time, you’ll learn how to be better prepared with less time to make verification calls. But you should also consider if this is where your time is best spent. Given the increasing competition for a limited number of qualified buyers online, would you be better served focusing on your company’s growth than manually reviewing orders and verifying customer identities? Especially since even experienced risk analysts cannot guarantee complete protection from fraud?
If so, you may want to consider leveraging an industry expert like Signifyd since we verify your orders against a network of thousands of merchants and real-time machine learning that conducts thousands of searches every minute. We provide a financial guarantee for every order so if somehow a fraudster does get through you know you’re covered. Using Signifyd gives you the confidence to approve more orders and ship them out faster so legitimate customers are never turned away. Let us take the guesswork out of your orders and secure your revenue from unpredictable chargebacks. We believe your time is better spent talking with your customers and partners to grow your business. Let us talk to fraudsters, or better yet, let us eliminate your fraud concerns entirely.