Online retailer The Vitamin Creek says 25% of its orders in the past two weeks have been from a fraud ring that places orders using legitimate credit card numbers and addresses and takes advantage of package-tracking services.
Online retailer The Vitamin Creek is in the midst of battling a crime ring that is committing fraud by taking advantage of access to card and address information for legitimate consumers and the package tracking services of delivery companies like UPS and the U.S. Postal Service.
The criminals evidently have obtained full information about many consumers, including an individual’s credit card number, address and the three-digit security code on the back of a payment card. They place an order using a legitimate card number including the security code and have it sent to the cardholder’s actual address. In most cases, the unsuspecting consumer rejects the order, because he didn’t place it.
The criminals then use the tracking systems of UPS and U.S.P.S. to follow the package back to the retailer, then call the retailer asking that it be resent. “They say, I wasn’t home or I’m traveling. Could you send it to this address?” says Sabir Semerkant, president of The Vitamin Creek. “They’re preying on the customer service-friendliness of many online retailers who bend over backwards to get customers their packages anyway they like.”
Semerkant says 25% of his orders in the past two weeks appear to be related to this fraud scheme. He picked up on the fraud because of the sudden increase in returns and because of a call from what he calls “one smart consumer.” “He called and said, ‘I received this package from you. This is my address and credit card number, but I never ordered this. How is this possible?’” Soon afterwards, Semerkant says, he received a call from a participant in the fraud ring asking that this same package be redirected, and Semerkant realized a scam was afoot.
In response, the e-retailer has instituted a policy that it will not reship returned items. Instead, it requires any consumer asking that an item be reshipped to place a new order. The Vitamin Creek, which began selling online in October, sells through its own web site, VitaminCreek.com and through Amazon.com.
Semerkant says some of the fraudulent orders are coming through Amazon, and that he has notified Amazon of the fraud. He says he is concerned because he could be penalized by Amazon for high rates of returns or order cancellations.
The criminals are placing small orders, mostly $25 or less, to avoid setting off fraud alarms, and they’re not ordering any particular product, Semerkant says. But he has detected one pattern: They are asking that the orders be reshipped to addresses in Texas, even though the original shipping addresses are all over the country.
This scam is not new, and it can easily be addressed, says Mike Long, chief product strategist at Accertify, a company that specializes in helping e-commerce companies prevent online fraud.
“Most merchants have a process in place that when the receiving department gets something back that’s been refused they’re contacting the fraud team and alerting them that something’s been returned,” Long says. “Someone calling and asking that a package be shipped to this address instead, that’s a huge red flag, obviously.”
The scam underscores that online retailers cannot rely solely on matching bill-to and ship-to addresses or asking for the security codes on the backs of cards to deter fraud, Long says. He says criminals can easily obtain full card and address data for legitimate consumers on the web. He says the going rate is about $10 for full data on 100 consumers. “For partial data, it’s cheaper,” he says. “It’s pretty simple to get the data.”