
Shipping fraud with address manipulation: What online merchants need to know


Address manipulation is not exactly new in online fraud, but as with so much in the ecommerce fraud world, the practice is undergoing innovative changes meant to keep fraudsters a step ahead.  

What is shipping fraud with address manipulation in ecommerce?

Fraudsters and fraud rings turn to shipping fraud with address manipulation in order to stay one step ahead of fraud prevention efforts. Those looking to buy fraudulently online, for instance with stolen credit card credentials, enter a delivery address that humans can still read but that has been manipulated by strategically adding numbers and other characters, which can throw off automated fraud prevention solutions. Those added characters mean the legible address is no longer identical to addresses previously recognized by automation.

Solutions that rely on spotting high-velocity purchase attempts to uncover bot attacks can be thrown off by address manipulation used to commit shipping fraud. Fraudsters and those looking to skirt an online brand’s promotion or reselling policies sometimes use shipping fraud with address manipulation to avoid detection. 


Why all the focus on shipping fraud and whether addresses have been manipulated?

Addresses have always been a key pillar of fraud detection, beginning with the bedrock practice of examining whether billing addresses and delivery addresses matched in online orders. Orders with matching addresses appeared to be a slam dunk for being legitimate, given that the person paying the credit card bill lived at the address where the order was being delivered.  

How has online fraud changed with the growth of ecommerce?

As ecommerce became much more prominent and ordering online became more a part of everyday life for consumers, an increasing number of digital orders became more complicated and varied. 

Friends ordered online and shipped products to friends. Business and leisure travelers ordered from the road or bought online and had packages shipped ahead to the next destination. Brands and retailers that insisted on a match between billing and delivery addresses would be turning away a good portion of their legitimate business. With one fraud-detection guidepost down, fraudsters saw an opportunity. 

How did fraudsters typically get their hands on goods purchased with a stolen credit card?

Fraudsters commonly worked to get around retailers’ preference for a billing and delivery address match by initially having an order shipped to the legitimate cardholder’s address, before redirecting the package after the order was placed. They might send the package to a locker or a PO box or a reshipper, which we’ll get to in a minute. In some cases, a fraud ring would arrange to steal the package off of the rightful cardholder’s porch, but that method is hardly scalable. Fraud rings would also employ “mules” as go-betweens who, wittingly or not, would accept deliveries at their homes and ship them on to their final destinations on behalf of the fraud ring.

What is a reshipper and what do they have to do with shipping fraud and address manipulation?

With online orders being shipped more commonly to a variety of addresses beyond the cardholder’s billing address, fraudsters knew they could ship their ill-gotten goods practically anywhere. Yes, it would be incredibly convenient to have packages shipped to their own homes or to fraud ring headquarters. Convenient, but not too smart. What criminal wants to provide the breadcrumbs that could lead law enforcement straight to their door? 

That’s where reshippers, also known as freight forwarders, come in. Reshippers serve a legitimate function. When ecommerce orders are being shipped cross-border, for instance, it’s typically more economical to gather together a number of orders headed for the same country and bundle them into one international shipment, rather than send many individual orders. A reshipper can work as the go-between, serving as the gathering place for the packages, and as the entity that sends the assembled packages on the next leg of their journey. 


The role of reshippers in shipping fraud with address manipulation

Fraudsters and those engaged in policy abuse realized they could add reshippers to their fulfillment journeys to avoid shipping stolen goods to addresses directly connected to their illegal or abusive operations. Not to mention that reshippers can be a key to international fraud rings’ success. Because many U.S. retailers don’t ship internationally, international rings rely on reshippers to get them the goods when they attack across borders.

Also, because of reshippers’ legitimate role in the ecommerce fulfillment infrastructure, fraudsters could avoid suspicion when shipping to an address different from the legitimate cardholder’s billing address. In fact, fraudsters will sometimes use address manipulation to make a residential address appear as though it is a reshipper’s address to allow for multiple orders to be shipped to a residence.

What are the different forms of address manipulation that fraudsters use?

Fraud rings deploy a number of tactics to manipulate delivery addresses. By tweaking each manipulation slightly, they can use the same shipping addresses over and over again without drawing attention to themselves, because each can be seen as a unique address by some fraud solutions. Here are a few of the more common approaches:


Address manipulation by substitution: The fraudster substitutes a similar-looking letter or number for an actual letter in the correct address — writing 637 Faraway Avenve for 637 Faraway Avenue, for instance, or 2541 F1lagler Aue. for 2541 Flagler Ave.

Fraud rings have even been known to substitute non-Arabic letters for Arabic letters in actual addresses, as in 72347 ۊacaranda Ave. for 72347 Jacaranda Ave. or 3743 𓐒onta Visa Way for 3743 Monta Vista Way. 

Address manipulation by insertion: This is similar to substitution, but instead of swapping out characters, a fraud ring simply adds characters or spaces or symbols into a legitimate address. For instance, 6327 Oakley Road, Suite 12 becomes 6327000000000 O⏅kleeey Raod, Suite 120000000.

More forms of shipping fraud by address manipulation

Address manipulation by deletion: Rather than adding a character or letter, the bad actor can delete a character or a space in a legitimate address to leave it legible to the human eye but distinct from the original address when first read by some machine learning solutions.

Consider the example of 732 Industrial Boulevard, Bay 7 becoming 732 IndustrialBoulevardBay7.


Address manipulation by duplication: By repeating letters or even entire words in the address, those looking to take advantage of online brands and merchants can sometimes throw off those companies’ fraud detection tools.

Using this tactic, 3287 S. Lakewood Circle, Unit 27, 63802 becomes 3287 S. Lakewood Circle, Unit 27 Unnit 27. As with the other forms of address manipulation, this tactic allows fraud rings to reuse the same address many times over. For instance, the address above is good to go again when it becomes 3287 S. Lakewood Circle, Unit 27, 6380263802 63802.

Address manipulation by transposition: Fraudsters using transposition turn to a fairly common error, but use it to their advantage. They simply switch the order of two letters in an address to create a plausible address that is distinct from the accurate address. For instance, a fraud ring that wanted a package to end up at 6937 Riverside Drive might use the address 6937 Rivreside Drive to throw a merchant’s fraud detection off their trail.
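As an added illustration (not Signifyd's method or code), here is one way a merchant could link the manipulated variants described above back to an address it has already seen, so that velocity checks count them as one destination. The function names, the 0.8 threshold and the assumption that addresses are expected in ASCII are choices made for this example.

```python
import re
import unicodedata

# Constructed sample of known addresses, reusing the article's own examples.
KNOWN = ["6327 Oakley Road, Suite 12", "732 Industrial Boulevard, Bay 7",
         "6937 Riverside Drive"]

def squeeze(s):
    """Collapse runs of one repeated character: 'kleeey' -> 'kley', '000' -> '0'."""
    return re.sub(r"(.)\1+", r"\1", s)

def fingerprint(addr):
    """Lossy key for linking orders only (never for delivery): '1100' and '10' collide."""
    s = unicodedata.normalize("NFKC", addr).lower()
    tokens = [squeeze(t) for t in re.findall(r"[a-z0-9]+", s)]  # drops symbols, non-ASCII
    unique = dict.fromkeys(tokens)              # 'unit 27 unnit 27' -> 'unit', '27'
    return squeeze("".join(unique))             # spacing no longer matters

def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def similarity(a, b):
    """1.0 means identical fingerprints; lower means more edits apart."""
    fa, fb = fingerprint(a), fingerprint(b)
    return 1 - osa_distance(fa, fb) / (max(len(fa), len(fb)) or 1)

def odd_characters(addr):
    """Non-ASCII characters, a signal where addresses are expected in ASCII (assumption)."""
    return [c for c in addr if ord(c) > 127 and not c.isspace()]

def link_to_known(addr, known=KNOWN, threshold=0.8):
    """Return (known_address, score) if addr looks like a variant of one, else None."""
    best = max(known, key=lambda k: similarity(addr, k))
    score = similarity(addr, best)
    return (best, score) if score >= threshold else None
```

Because the fingerprint deliberately discards information, a match is a reason to count orders together or send them to review, not proof of fraud on its own.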

How big a problem is shipping fraud with address manipulation in online fraud?

It’s a bit ironic how big a problem such a small change in a delivery address can cause. In the fall of 2022, Signifyd’s risk intelligence team discovered a voracious fraud ring that deployed shipping fraud with address manipulation as one of its key tactics. 


The fraud ring was a revelation to even the seasoned fraud professionals on the team because of its scale, persistence and sophistication. Based in Southeast Asia, the fraud organization focused on large online retailers and brands in the United States. Unlike a typical criminal ring, which attacks until it meets resistance and then moves to the next target, this ring adjusted and continued attacking.

After small attacks, likely staged to gather intelligence on various retailers’ fraud prevention strategies, the ring unleashed the full force of its attack during the holiday shopping season. Signifyd was able to identify and stymie the group’s efforts, but these attacks went well beyond Signifyd’s Commerce Network. In all, a Signifyd analysis concluded that the ring made off with an estimated $660 million in goods from U.S. merchants in November alone. That analysis estimated that, all told, the fraud ring targeted a total of $3.3 billion in products nationwide that month.

Defending your business against address manipulation shipping fraud

As you can see, getting a handle on address manipulation is no easy task. Signifyd relied on human intelligence and machine learning to identify the tactics of the Southeast Asian fraud ring that fraud experts are calling the Master Manipulators. 

And while the human eye can detect the address manipulation that the Southeast Asian fraud ring deployed, such manual review is not scalable. Consider that at its height, the Southeast Asian fraud ring placed more than one fraudulent order per minute at one major retailer. 

But as with every innovation in the cat-and-mouse game that is online fraud, a new attack, technique or tactic leads to an advance in Signifyd’s machine-learning solutions. Signifyd has updated its fraud models and improved its human intelligence around these tactics. 

From here, Signifyd will continue its vigilance and innovation, just as fraudsters are surely back at the drawing board, searching for their own next, big thing. 

Photos by Getty Images / Graphics by Signifyd


Mike Cassidy


Mike is the head of storytelling at Signifyd. A former journalist and a retail geek, he covers ecommerce and the way technology is transforming digital commerce. Contact him at [email protected].