Skip to content

The Southeast Asian fraud ring resumes its relentless attack

Read “The State of Fraud 2023” report

“The State of Fraud 2023” report

Cover of the Signifyd State of Fraud 2023 report

The Southeast Asian Fraud ring that waged a massive attack against U.S. merchants during the 2022 holiday season is back in the spotlight after a period of relative dormancy within the Signifyd network.

Most of the evidence points to this fraud ring being run out of Vietnam. They’re very well organized and first appeared on risk professionals’ radar in November 2022, when they stole an estimated $660 million in that month alone.

How do SEA fraud rings operate?

Compared to other fraud rings or groups, the SEA fraud ring is highly organized. They appear to have significant resources and carefully plan their attacks. Recently they have re-emerged across Signifyd’s Commerce Network — mostly targeting perfume, mid-value consumer electronics, tools and clothing. Their versatility is one of the things that sets them apart: These fraudsters use a mixture of mules forwarding parcels, triangulation fraud and reshippers to target their victims. Recent attacks have shown consistent patterns, combining traditional fraud signals with their own distinct tactics to mask their intentions.  

Attacks happen quickly and are difficult to detect

SEA fraud trends tend to be all over the map. The sophistication and scale vary based on the vulnerability of the target. When they find an easy target with an exploitable vulnerability, they have the ability to scale quickly: Some victims have seen flash fraud attacks exceeding well over $100,000 in transactions attempted in under 24 hours. This means close monitoring and fast mitigation has become increasingly important to battle these attacks.

Sometimes it can appear that their techniques are lazy, but don’t be fooled. They can still be effective. They know what they’re doing and, most importantly, they seem to know what fraud and risk professionals are doing. Where other fraud groups might move on after realizing they got caught, the SEA fraud ring continuously adjusts their tactics by switching between different types of assets — making it more difficult to track and detect. More recently, we have also seen the usage of deliberately aged assets that were previously seen across our network  – showing planning and patience which is a big part of their modus operandi.

This not only shows the vast resources they have at their disposal but also indicates how much organization goes into their attacks. It also shows their knowledge of the fraud prevention landscape. All this makes their attacks extremely difficult to mitigate and requires fraud analysts to anticipate changes in fraud MO. 

Switching between commercial and residential addresses is part of the game

An intriguing example, and this really sets them apart from other fraud rings, is that they are often found to attack a merchant from two angles: These groups will attempt to send orders to both residential addresses and reshipper addresses, within the same attack. The volume of orders sent to reshippers, typically for highly resellable products, is relatively low and wouldn’t arouse immediate suspicion. However, orders to residential addresses usually target often lower-value items: think golf balls, safety goggles, running shoes, etc. There’s no specific geographic concentration — they’re scattered across the U.S. — and are often bearing manipulated addresses.

One merchant, a retailer that sells a wide variety of home goods and more, fell victim to one such large-scale attack in the days before Black Friday and saw a 400% increase in traffic at the peak of the attack – which lasted four days.

Of the several thousand fraudulent orders that were placed, 25% of them – mostly for power tools – had a higher average order value and were sent to reshipper addresses in Oregon. The remaining 75% of orders were sent to residential addresses. Those items were lower-value – for example, disposable paper cups or dog toys. The merchant asked the question: “What’s the point of placing these residential orders?” 

Triangulation fraud, mule fraud or layering?

There are several existing theories behind the inclusion of these residential orders. One is triangulation fraud — the fraudster places a fake listing on a marketplace, legitimate buyer orders the item, the fraudster then uses a stolen credit card to buy the product elsewhere and have it shipped to the buyer.

However, some residential addresses were set to receive more than 300 orders, ruling out a legitimate buyer at that address. Another theory is mule fraud — essentially an employment scam, where “mules” are recruited to receive and forward parcels until they realize they will never actually be paid for their work. Mule fraud is also an unlikely theory to explain the residential delivery addresses since the resale value of the targeted products is practically zero.

So what is the point of placing these orders? Perhaps it’s a form of layering, which is a common practice in money laundering: stacking up transactions, benefactors, owners, etc, to a point where it becomes very difficult to find out who eventually benefits. This might be the SEA fraudsters’ approach — bury the merchant — and their fraud service provider — in such a high quantity of orders, that it becomes an overwhelming distraction from the reshipper orders.

How do SEA fraud rings influence Signifyd’s approach to fraud

Large-scale attacks are painful, but the real challenge is to learn from them. These SEA fraud attacks meant we had to learn the fraud ring’s “playbook” and also look at trends at a higher level. Rather than speaking of a fraud “trend,” we started looking at it as a fraud ‘“type” — essentially looking at all the separate fraud trends as a group.

Once you line up these SEA fraud attacks, patterns and commonalities start to emerge, especially on a traffic level. Some traditional signals that are no longer considered relevant in terms of fraud detection on an order level, suddenly show significance at a traffic level. Large, unexpected percentage shifts in these signals have proved to signal a potential SEA fraud trend.

The same holds for the use of particular assets. For example, two of the larger attacks in our network saw an increase of more than 300% in the number of orders using the same specific bank. Understanding these behaviors is an important first step in detecting — and ultimately mitigating —  these large-scale attacks.

Combating SEA fraud with Signifyd

These fraudsters are keeping us on our toes, and underline the fact that our work is never done. Several merchants in our network have been the targets of this type of fraud and there are plenty more and different attacks to come. Fast intervention through our detection and prevention efforts, as well as our financial guarantee on approved orders, reduced the economic impact on our customers. Signifyd’s fraud teams continuously monitor these fraudsters and analyze their methods to learn more about their behavior and high-level fraud signals. These learnings are continuously fed into our detection and prevention efforts, helping to further reduce the impact for our customers. 

No doubt these fraudsters are —  like us — thinking of “out of the box” solutions and plotting their next attacks. We can expect this battle to turn into a marathon, with different runners taking the lead in the next few years. 

To be continued — no doubt. 

Photo by Getty Images


Looking to better protect your business from fraud attacks? Let’s talk.

Latest posts
Alex de Kroon

Alex de Kroon

Alex de Kroon is a lead risk analyst at Signifyd who focuses on risk detection and mitigation.