When an unusually large number of packages came back to The Vitamin Creek, receiving staff let other personnel know. That helped the e-retailer avoid losses from a scheme involving orders that criminals asked to have reshipped to illegitimate addresses.
Online retailer The Vitamin Creek appears to have avoided significant losses even though it was targeted by a criminal ring seeking to commit fraud. Following best practices and good internal communication were the keys to foiling the fraud, says president Sabir Semerkant.
The retailer spotted suspicious activity about a month ago when an unusually large number of packages started being returned. The receiving department informed the I.T. and customer service staffs about the surge. Then the retailer began receiving calls from individuals who claimed to be legitimate customers. They said they had been out of town or at a doctor’s appointment when the delivery service came, said they were now out of town or on vacation, and asked that the package be sent to another address, usually in Texas.
But Vitamin Creek followed the policies recommended by UPS, which it uses for many of its deliveries, and PayPal, the eBay Inc. unit that processes payments for the e-retailer. Both UPS and PayPal say that when a package is returned the retailer should not reship it to an address other than the shipping address indicated in the original transaction. Following that rule, Vitamin Creek told callers it could not reship the items, and that they had to place new orders.
The unusual activity prompted Vitamin Creek staffers to look into what was going on, and Semerkant says they quickly learned about a common fraud scheme involving the redirection of rejected goods. Here’s how it works: The criminals obtain legitimate credit and debit card numbers, including the consumer’s address and the card’s security code, usually online. They place an order and have it sent to the cardholder’s address; the consumer usually rejects it; then the criminals use online tracking systems to monitor when the item comes back to the retailer and call as soon as the retailer gets the package to ask that the item be reshipped. If the retailer complies, the criminals get the goods, which they then resell.
For a couple of weeks, 25% of the orders Vitamin Creek was shipping were being returned, Semerkant says. But because Vitamin Creek didn’t fall for the scam, it appears the criminals may have given up. While he can’t be sure the scam has stopped because it takes up to two weeks for a package to make a return trip from his warehouse to a consumer and back, he’s getting fewer calls asking for items to be redirected. “That stream of communication has slowed down quite a bit,” he says. “Hopefully, the criminals have moved on to some other scam.”
He is grateful to UPS for providing specific information about why a package is being returned. The carrier informs the retailer if a package has been rejected as opposed to it being returned because of three failed delivery attempts. That helps Vitamin Creek understand whether a scam is taking place, which would be suggested by many rejections. The U.S. Postal Service does not provide that level of detail, he says.
Another clever aspect of the fraud was that the criminals typically kept their orders under $25, knowing that retailers are less likely to flag low-value orders. That fraud tactic is increasingly common, as criminals use it to accumulate large quantities of merchandise that they sell on the street or at flea markets, says Carl Clump, CEO of fraud-protection company Retail Decisions Inc. And it’s not only retailers that may not pay attention to such small transactions; often cardholders don’t scrutinize small charges on their credit card statements, which allows the criminals to avoid detection for a longer time, he says.
If a retailer is asked to reship a returned item and doesn’t want to require the customer to place another order, the retailer should submit the order to another fraud screen using the new address, Clump says. While fraud-detection services like Retail Decisions charge a few pennies for each check, Clump says, “the potential loss far outweighs the price of a screening.”
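The checks described above (carrier-reported refusals, a reship address that differs from the original transaction, order value under $25) can be combined into one screening rule. The sketch below is an added example, not code from the article or from any company it names; the record fields, return-reason labels, alert threshold and sample orders are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed tuning values. The article reports fraud orders under $25 and a 25%
# return rate during the attack; the alert threshold below is an assumption.
LOW_VALUE_LIMIT = 25.00
REFUSAL_RATE_ALERT = 0.10

@dataclass
class Order:
    order_id: str
    ship_to: str
    total: float
    return_reason: Optional[str] = None  # "refused", "undeliverable" or None

def normalize(addr: str) -> str:
    """Case- and punctuation-insensitive form for address comparison."""
    return " ".join(addr.lower().replace(",", " ").replace(".", " ").split())

def refusal_rate(orders) -> float:
    """Share of shipped orders the carrier reports as refused by the recipient."""
    refused = sum(o.return_reason == "refused" for o in orders)
    return refused / len(orders) if orders else 0.0

def reship_decision(order: Order, requested_addr: str, surge: bool):
    """Decide a phone request to reship a returned order; returns (action, reasons)."""
    if order.return_reason is None:
        return "not_returned", []
    if normalize(requested_addr) == normalize(order.ship_to):
        return "reship", []
    reasons = ["address differs from original transaction"]
    if order.return_reason == "refused":
        reasons.append("recipient refused delivery")
    if order.total < LOW_VALUE_LIMIT:
        reasons.append("low-value order")
    if surge:
        reasons.append("refusal-rate surge")
    # Never redirect a returned package: new order, or rescreen the new address.
    return "require_new_order", reasons

# Constructed sample data: eight shipped orders, two refused at the door.
ORDERS = [Order(f"A{i}", f"{i} Elm St, Springfield, IL", 40.0) for i in range(6)]
ORDERS += [Order("B1", "12 Oak Ave., Dayton, OH", 19.99, "refused"),
           Order("B2", "7 Pine Rd, Salem, OR", 22.50, "refused")]

if __name__ == "__main__":
    surge = refusal_rate(ORDERS) >= REFUSAL_RATE_ALERT
    print(reship_decision(ORDERS[6], "500 Example Rd, Austin, TX", surge))
    print(reship_decision(ORDERS[6], "12 oak ave dayton oh", surge))
```

The reasons list is meant for the customer service agent handling the call, so the refusal to redirect can be logged with the signals that triggered it.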