Refund Abuse — The 2.0 fraud
Refund is the new trend
It’s March 16 and tomorrow, I turn 37. What an insipid age! I am no longer part of the youthful caste, nor am I old enough to have my mid-life crisis. So what to do? Fraud? Absolutely not, especially since I can celebrate another, much more exciting birthday: my 10th year in the fantastic world of fraud management. Isn’t this the perfect timing to talk about fraud? Definitely, yes!
For the last 10 years, I have seen it all; account takeovers, card fraud, chargebacks, collusion fraud and much more. They were more or less difficult to digest when I was facing them, but in my 10-years career, I have never been so affected by the latest one: the Refund Abuse.
However, I saw it coming from afar, and I have been talking about it internally and with my partners for a few months already, but when this pattern fell on us at the end of the year, I had cold sweats.
Refund abuse is a fraudulent practice of requesting a refund from a seller after an order has been placed, using loopholes in its processes and T&Cs. In its harshest version, the fraudster gets financial compensation while keeping the previously purchased product. It can take place at the time of delivery or during the return process.
This is not a payment fraud, as the fraudster uses legitimate payment methods. The same applies to his/her postal address, email address, device, IP address, etc.
It is not a “tech” fraud either, because it does not require any technical skills or hacking knowledge. On the other hand, it requires a perfect mastery of the e-merchant’s processes and its T&Cs. It is on the e-merchant’s site that the fraudster will study its prey.
First step of the fraud: the theory
The fraudster will start by reading carefully the refund policy of the e-merchant to find out at what stage of the purchase he can make the claim. On which models? What amount? And above all, for what reasons?
The fraudster will also be interested in the time frame in which the seller undertakes to deliver the order. Be sure that at the slightest delay, the fraudster will start the refund process. In addition, he will study the return policy. He will examine the reasons for which he could open a dispute (obviously the non-receipt of the order, but also the shipment of a product not conforming to the description, a defective product or a simple change of mind).
Once he knows the general conditions of the e-merchant to the letter, he will attempt to make a purchase and will apply its action plan…
Second step of the fraud: the practice
No matter how well thought your plan is, we don’t know how well it works until it’s done. The fraudster (who is not yet technically a fraudster) makes its purchase and waits patiently for its order to be delivered. Once the package is in its hands, he has two options for refund abuse:
- Request for immediate refund — refund abuse on delivery
- Request for refund once the product is returned — refund abuse on return
Refund Abuse on delivery
This is the simplest. It consists of reporting an order not received even though the carrier claims the contrary. We are dealing here with a buyer (who technically becomes a fraudster) acting in bad faith. He will repeat to the customer service of the e-merchant that he did not receive the product and that he wants an immediate refund. He will use the T&Cs of the e-merchant against him, reminding him of its refund and return policy and its promises in terms of delivery time.
The fraudster will also not hesitate to tell them about the rules in force in the country protecting consumers’ rights. He will bombard Customer Care with messages to keep up the pressure on. When he finally gets its refund, he will create a clear and precise workflow about the refund process of the e-merchant. He will improve it, he will re-apply it, but most of all, he will share (or sell) it on the dark net.
NB: Declaring an empty package is another possibility to request a refund on delivery.
Refund Abuse on return
Here, the fraudster has received its order and does not report any delivery anomaly, but he will declare that he wants to return the product, and he may give several reasons to do so:
“I didn’t buy a yellow iPhone 14, but a gold one” — Wrong item
“My iPhone doesn’t charge” — Damaged item
“The phone arrived way too late. It was a gift for my uncle’s 37th birthday” — Late delivery
“I would like to use my 14-day right of withdrawal as stated in your T&Cs” — Change of mind
It’s once the goods are returned that it gets interesting. Depending on the e-merchant’s process, the fraudster will adapt its strategy, because if you know fraudsters, you know they are not newcomers: he will try a return with the right product, with an almost similar but defected/different product, or with a counterfeit product (hello luxury world).
The scammer will know if the e-retailer returns the money as soon as they receive the goods or if they give themselves some time before the operation. He will also guess if the company has a quality control team that checks the conformity of the returned item.
If there is a loophole, you can be sure that in the following days you will have hundreds of new fraud cases, because once again, when the fraudster finally gets its refund, he will create a clear and precise workflow about the refund process of the e-merchant.
He will improve it, he will re-apply it, but most of all, he will share (or sell) it on the dark net.
NB: The fraudster has a well-oiled technique to get a guaranteed refund on a return. Do you know about the 8R? Colissimo, yes! But we are still waiting for the solution !!!!
For the novices, the refund abusers manage to send the packages to another address than the e-merchant’s one, but Colissimo shows it was returned to the right address. You can imagine the mess for the e-merchant.
Third step of the fraud: sharing
I can already hear the front-runners saying: “Do we need to read this again? You repeated it twice already…”
Of course yes!
I have to insist. The fraud community is the most altruistic in the world (I’m hardly exaggerating). If there is a loophole, they will all know about it.
There are “FAAS” that you will be able to pay on the dark net so that they will advise you until the refund is effective #FraudsterAsAService
The fraudster will also sell its little well-written PDF on the dark net. This document would make more than one e-merchant product manager swoon. Of course, you’ll also have the refund abuser who will share its experience with its community.
In any case, if the e-merchant is not ready, it might sting a little.
Now that you know all this, what can you do?
You need to start by establishing a return policy within a clear framework. You need to make sure your refund rules are clearly stated and easily accessible to your customers. State in black and white the eligibility requirements, the requesting time frame and the return process. It’s important to be strict about these rules and to refuse refunds that do not comply with your T&Cs.
You also need to put some friction into the refund process. A good old-fashioned KYC can help. The fraudster doesn’t like to give out its ID. #ItIsKnown
But be careful with this verification. You don’t want to see your legitimate customers complaining on social media!
Don’t skimp on creating a team that is expert in the products you offer — and that get returned to you, as a result. Otherwise, fraudsters will send you counterfeits that you will potentially resell to legitimate customers (hello again, luxury world).
Finally, you need tech. Devices that will help you to compile data to identify profiles of crooks. On the other hand, it seems to me that the anti-fraud industry is not yet mature enough to provide us tools against refund abuse. It will be a jackpot for the first provider who will pull one out of its hat, but for now… there is nobody, even though they will tell you otherwise. Want to bet ?
