Today, online retailers feel trapped between maintaining policies – which are often abused by buyers – and dwindling profits.
Has your business encountered policy abuse by customers and resellers?
A study by Riskified showed that a whopping 90% of online retailers are losing money to policy abuse and believe that it is a significant threat to their bottom line. 93% say they must maintain generous policies to keep customers.
Policy abuse refers to consumer misuse of retail policies such as return policies and coupon and loyalty programs. It includes excessive returns; refund scams, such as claiming an item was not received or returning empty boxes; abuse of promotions like coupon codes or loyalty program rewards; and reselling of limited-inventory items.
CybersecAsia discussed this growing aspect of cyber-fraud with Tasneen Padiath, VP & GM APAC, Riskified:
What are the different types of policy abuse merchants often encounter?
Tasneen Padiath (TP): Policy abuse involves bad actors taking advantage of a merchant’s customer policies. Policy abuse is growing in scale and can have a massive impact on a merchant’s bottom line. It includes behaviors that are harmful to the business such as excessive returns, refund scams such as claiming an item was not received or returning empty boxes, abusing promotions like coupon codes or loyalty program rewards, or reselling limited-inventory items.
Broadly, policy abuse can be categorized under three buckets:
- Refund and Return Abuse: This is the most common form of abuse and includes returning empty boxes or claiming items were not received. Another form of refund and return abuse is wardrobing, i.e., returning a clothing item after use but within the returns window.
- Promo and Referral Abuse: This primarily involves users creating fake accounts to use rewards and promotions. Even though it appears innocent, this abuse can have a much more significant impact on a business’ bottom line, because it directly affects merchants’ promotional budgets.
- Reseller Abuse: This involves resellers who circumvent item limits – usually by creating fake accounts to get more than the per-customer policy number of products – negatively impacting a company’s customer acquisition and overall brand reputation.
How is the policy abuse threat landscape evolving globally and in Asia?
TP: Policy abuse is becoming a serious business and profitability issue for merchants of all sizes. Over time, fraudsters have come to recognize the huge opportunity in policy abuse and identify new vulnerabilities in a retailer’s policy management.
Today, there is a wide spectrum of policy abuse. There are friendly abusers – genuine users who may sporadically engage in excessive returns or abuse a coupon code. There are also the trickier serial abusers who might undertake more elaborate scams like photoshopping labels or unauthorized reselling. Finally, we have the professional abusers. These abusers use their technology prowess to offer Policy-Abuse-as-a-Service offerings on the dark web, including training others to exploit policies.
While policy abuse tactics continue to evolve, it’s important to note that policy abuse is now more than just an opportunity to gain a few freebies. It is evolving into a movement, and abusers see it as social justice or a way to claw back funds from large businesses. Policy abusers chat on the dark web or in private forums and chat apps, sharing their insights and tips for success with others.
Another element of policy abuse is timing. Policy abusers tend to look for peak periods, such as after Christmas, Chinese New Year, or Singles Day, when customer service agents are likely to be overwhelmed, and exploit them to try to slip through the cracks.
Could you give us some perspective of how abuse is conducted on the dark web? What is the modus operandi of fraudsters on the dark web?
TP: We have seen a steep rise in targeted and professional-grade abuse on the dark web. There are two specific ways in which abuse is facilitated on the dark web. The first is through operators who run professional refunding services and can claim refunds on behalf of customers for a 20% cut.
The second category is that of experienced refund abusers who coach and tutor beginners on how to successfully manage returns and refunds. This community is collaborative and helps each other with resources around abuse. In some cases, we have seen these communities share an end-to-end process including information like the names of retailers and timing of abuse for free.
They come from a mindset that retailers have profited enough, and they are justified in committing such a fraud. The starting point most often is getting abusive parties to create aliases which seem legitimate and initiate a scam only after the third or fourth transaction. For some people running these kinds of services, it is a full-time job and something that has been quite effective, sadly.
In addition to coaching and tutoring, we are also seeing specific directions from fraudsters on which scams to commit with which retailer. They are constantly perfecting their skills and sharing their experience of what worked for them.
There are two methods that are most common with fraudsters. The first one is Item Not Received (INR), which occurs when a bad actor falsely claims that a package never arrived or was stolen upon delivery. They then request a full refund, which puts merchants in a difficult position as they don’t want to upset or add additional friction to the experience of good customers. The second one is FTID (fake tracking ID), where the customer downloads and puts a label for return but manipulates the address, so it doesn’t go to the retailer. They lodge it with the post, and the tracking ID is recorded to look like they tried to send it. A few days later they ask for a refund, claiming that their tracking ID is showing that the package is back at the warehouse.
What is the business impact of policy abuse? What types of organizations are most susceptible to policy abuse?