Refund Fraud Risks on E-Commerce Platforms
- ThreatHunter
- Apr 16
Updated: 5 days ago
Threat Hunter has identified that a wide range of companies were frequently targeted by perpetrators conducting refund fraud during the customer service process. Threat Hunter therefore conducted in-depth research into the refund fraud industry. Our investigations revealed that the industry was highly mature, with a vast network of criminals operating under a clear division of labor, carrying out widespread attacks and causing substantial financial losses.
A Massive Criminal Network Underlies Refund Fraud: The refund fraud industry is supported by a highly organized, specialized criminal network. Threat Hunter has discovered that numerous criminal groups are launching refund fraud attacks on e-commerce companies by providing refund fraud tutorials or proxy refund fraud services. This indicates that not only are there dedicated refund fraud criminal groups, but also a large number of ordinary users who, tempted by profits, are participating in malicious activities. They discuss and transact through forums, anonymous channels, and other platforms, collectively driving the development of refund fraud.
Widespread Fraud: Fraudulent activities are not confined to specific industries or regions. Threat Hunter intelligence data reveals that nearly 200 e-commerce platforms are being targeted by refund fraud attacks in over 1700 anonymous chat groups and related channels. These attacks demonstrate that any industry, from fashion apparel to electronics, outdoor sports, and beauty products, is susceptible to fraud as long as it is considered 'profitable'.
Substantial Fraudulent Transactions: According to refund case amounts data provided by underground criminals, refund fraud has been identified to involve a substantial amount of funds. Data from a refund fraud-related channel revealed that cybercriminals launched multiple refund fraud attacks against a specific e-commerce platform in 2024, resulting in total fraudulent refunds amounting to $213,069.45. The average value of each fraudulent refund was $2088.91, with the highest unit price at $11,191 and the lowest unit price at $318.
This article aims to introduce users to the current state and hazards of refund fraud, based on Threat Hunter's in-depth research into the refund fraud industry. We aim to provide references for businesses to prevent malicious refund attacks.
01 What is Refund Fraud?
The Definition and Risks of Refund Fraud
Refund fraud, also known as malicious refund, is a dishonest and even illegal act. It refers to individuals or groups using various improper means to apply for product refunds from merchants or platforms in order to obtain unjustified refund amounts or products.
This behavior violates the principle of good faith in transactions, harms the legitimate rights and interests of both merchants and consumers, and severely disrupts the normal order of the e-commerce market.
1) Financial Loss and the Risk of Bad Debt
Whenever a platform approves a fraudulent refund request, it not only loses sales revenue but may also lose the product, resulting in a loss of both money and goods. In addition, enterprises are forced to increase their operating expenses to combat fraud, for example by expanding customer service teams and introducing anti-fraud systems. A large number of fraudulent refunds may also make it difficult for enterprises to collect accounts receivable. This results in bad debt, affecting cash flow and even leading to a cash shortage.
2) Tarnished Platform Reputation and Brand Image
The company's reputation will be damaged if frequent refund fraud is not handled properly. This causes consumers to question the company's management capabilities and service standards, thereby reducing their trust and goodwill toward the company. Negative news can also spread rapidly through social media and consumer forums, expanding the scope of brand damage and leading to the loss of potential customers.
3) Legal Risks and Compliance Costs
If a company fails to effectively prevent refund fraud, it may face legal proceedings and be held liable for damages and fines. At the same time, regulators may increase their oversight of the company and require it to implement stricter compliance measures, increasing the company's compliance costs.
Types of Refund Fraud Services
Threat Hunter has uncovered that there are primarily two types of refund fraud services offered: the sale of refund fraud tutorials and the proxy refund fraud services.
1) Refund fraud tutorials are compilations of the methods, steps, and techniques that criminal groups use to maliciously defraud merchants, organized into "tutorials" and "sold" to others for profit. These tutorials typically cover how to exploit loopholes in merchants' refund policies, forge evidence, and fabricate false reasons, with the aim of deceiving merchants into issuing refunds.
Threat Hunter has also discovered that there are different pricing strategies for tutorials targeting single or multiple platforms:
Single-platform refund tutorial: A compilation of refund strategies tailored to a specific platform, priced at 49 euros, providing detailed instructions on how to perform refund operations on that particular platform.
Multi-platform refund tutorial: A comprehensive refund solution covering multiple platforms, priced at 99 euros.
2) Proxy refund fraud services refer to the situation where criminal organizations or individuals claim to provide proxy refund application services. In reality, they manipulate the refund process through fraudulent means to deceive merchants into issuing refunds and obtain illegal gains. This is the prevailing method of refund fraud today.
The specific process includes the following characteristics:
Service Fee: Criminal organizations typically charge a certain amount of service fee and promise to handle refund matters on behalf of the user.
Fraudulent Tactics: Criminal organizations employ tactics such as fabricating facts, concealing the truth, and submitting false documents to induce merchants to approve refunds.
Team Operations: Proxy refund fraud services are often supported by well-organized teams with clear divisions of labor. These teams consist of individuals from various fields, working together to carry out different fraudulent activities.
Threat Hunter has found that teams providing proxy refund fraud services tailor their fraudulent strategies to the risk control measures of different platforms. They employ various tactics to ensure successful refunds. Therefore, during the refund testing phase, the following actions are typically carried out:
Determine the maximum refund amount allowed per order
Confirm the number of refund fraud attempts per account
Identify the refund arrival time
Verify the availability of the refund service in a particular area
02 The refund fraud industry is characterized by highly organized and professional operations
Refund fraud service organizations are highly organized and have clear divisions of labor
The refund fraud industry has formed a highly organized and professionalized system. Within this system, different teams work closely together to carry out fraudulent activities.

Customized Refund Fraud Services: This is the core link in the entire refund fraud operation. By collecting platform refund policies, vulnerability information, and other data, criminals tailor fraud services to specific platforms according to those platforms' policies, such as the aforementioned proxy refund fraud services and refund fraud tutorials.
Promotion of Refund Fraud Services: Refund fraud services are promoted through various channels such as forums and anonymous chat groups to attract users who meet the refund criteria.
Delivery of Refund Fraud Services: This stage primarily involves fulfilling the customer's request, such as assisting the customer in completing a refund through illicit means or providing tutorials to the customer.
This clear division of labor makes refund fraud operations more efficient and covert.
The refund fraud syndicate is large-scale and operates in a covert manner
Looking into the operating mode of refund fraud activities, in addition to professional fraud syndicates, a large number of ordinary users, tempted by profit and guided by black market organizations, actively participate in refund fraud activities. They discuss and trade through forums, anonymous channels, and other platforms, jointly promoting the development of refund fraud.
Threat Hunter's intelligence data reveals that the primary gathering platforms for refund fraud syndicates include the anonymous group chats on Telegram, as well as NULLED and CRACKED. Criminals utilize NULLED and CRACKED to exchange refund fraud experiences, share resources, and attract users, before directing them to private Telegram channels.

These private channels are usually not searchable and users can only access these channels through internal invitation links. Within these private channels, fraud syndicates release refund fraud cases daily, with each case typically involving hundreds of dollars or more, attracting more users to participate. For example, on Telegram, refund fraud teams like Psylocyba Channel and Toy Refund Service have attracted thousands of subscribers, and the influence of refund fraud activities is continuously expanding.

03 Analysis of the Risk Landscape of Refund Fraud
As the refund fraud industry continues to evolve, the risk landscape is also exhibiting new characteristics. Understanding these characteristics can help enterprises better identify and prevent potential fraud risks.
The Target Range of Refund Fraud is Wide
Refund fraud syndicates do not limit their targets to specific platforms but engage in fraudulent activities across multiple platforms. In addition to comprehensive e-commerce platforms, well-known official brand websites for fashion apparel, electronics, outdoor sports, and beauty and skincare products face a significant risk of fraud.
Well-known brands typically have a wide geographical reach, meaning that if criminal organizations find vulnerabilities in their refund services, they can launch widespread attacks across all business regions, causing significant damage to the brand.

High-Value Goods are the Primary Targets of Refund Fraud
Threat Hunter's intelligence information has revealed that refund fraud syndicates implement detailed order restrictions when providing proxy refund fraud services. These restrictions include maximum refund amounts per order, number of orders per account, refund arrival time, and applicable refund scope.
Based on the refund amount, products can be categorized into three types: high refund amount products, medium refund amount products, and low refund amount products.

Threat Hunter's statistics on refund amounts and the site regions involved show that:
High refund amount products: Refund amount ≥ $5,000 USD, primarily consisting of electronic products and clothing, with a focus on electronic products and involving primarily US, Canadian, and European sites;
Medium refund amount products: $1,000 USD < Refund amount ≤ $5,000 USD, primarily fashion brands, with a focus on European sites;
Low refund amount products: Refund amount < $1,000 USD, primarily fashion brands, with a focus on European sites.
Among these, there are 7 categories of products with refund amounts exceeding $1,000, with electronics and fashion brands contributing the largest percentages. Given their high refund value, these items can be quickly liquidated, making them highly attractive for fraudulent activities.

Low-Value Goods are Processed through Offline Channels to Enhance Monetization Efficiency
For low-value goods, refund fraudsters adopt a strategy of processing them through offline channels, quickly reselling these items to offline suppliers or supermarkets and other shopping malls to accelerate cash conversion.
This practice not only avoids the regulatory risks associated with online transactions but also allows for the rapid recovery of fraudulent proceeds, facilitating subsequent fraudulent activities.
04 Analysis of Typical Refund Fraud Schemes
Threat Hunter's research has revealed that refund fraud syndicates often exploit vulnerabilities in logistics processes, forging logistics information or fabricating false logistics statuses to fraudulently obtain refunds. Additionally, some criminal groups resell acquired goods, thereby realizing secondary profits. Understanding these tactics can help businesses better identify and prevent fraudulent activities.
Analysis of Logistics Fraud Techniques in Refund Fraud
Refund fraud syndicates often employ false tracking numbers (Fake Tracking IDs, FTIDs) to commit logistics fraud, with FTIDv3 and FTIDv6 being the two most common methods.
1) FTIDv3: Obtaining a fake logistics tracking ID to falsely claim that the returned item has been delivered to the merchant
In cybercriminal marketplaces, FTID often refers to FTIDv3, in which criminals exploit vulnerabilities in the logistics information verification process of e-commerce transactions. By illegally obtaining fake logistics tracking IDs, they can fabricate the illusion that returned goods have been delivered to the merchant, and then apply for refunds from the merchant or e-commerce platform. The purpose is to defraud merchants of goods and purchase funds, seriously damaging the interests of merchants and disrupting the normal operation of the e-commerce industry.
Here's how FTIDv3 works:

The following is a screenshot of the fake logistics shipping labels created by criminals using the FTIDv3 fraud method, which are being offered for sale on Telegram channels:

2) FTIDv6: Creating "lost in transit" labels using a thermal printer
FTIDv6 is also known as "Lost In Transit" (LIT), meaning "lost during transportation". Criminals typically use the following two methods to carry out this fraud:
Intentionally Damaging Packages: Criminals deliberately damage packages before sending them to the post office. If the logistics personnel discover the damage and discard the package, the logistics system will show the package as "lost in transit."
Thermal Print Labels: Criminals use thermal printers to print shipping labels where the recipient's address fades within 24-48 hours. When delivery personnel are unable to locate the address, the logistics system will mark the package as "lost in transit." Criminals must use thermal printers to ensure that the recipient's address disappears before delivery.
The first method is more suitable for beginners but has a lower success rate, and is therefore less frequently used by criminals. The second method, however, is the most common fraudulent tactic. By utilizing thermal printers to make the labels fade within a certain timeframe, criminals can obscure the package's true destination and successfully carry out refund scams.
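Both FTIDv3 and LIT turn on what the carrier's tracking status reports for the return shipment. The following is an added example, not code from Threat Hunter or any platform, of a refund triage check that reconciles carrier status with warehouse receipt and applies the refund amount tiers given earlier in this article; the record fields, status strings, decision names and the per-account threshold are assumptions.

```python
from collections import Counter, namedtuple

# Hypothetical record layout. carrier_status is "delivered", "in_transit" or
# "lost_in_transit"; warehouse_scanned means the parcel was physically received.
ReturnCase = namedtuple(
    "ReturnCase", "account order_id amount_usd carrier_status warehouse_scanned")

def amount_tier(amount_usd):
    # Tiers from the article; exactly $1,000 is treated as low (assumption).
    if amount_usd >= 5000:
        return "high"
    return "medium" if amount_usd > 1000 else "low"

def triage(cases, max_refunds_per_account=2):
    """Return {order_id: (decision, tier, reasons)} for one review window."""
    per_account = Counter(c.account for c in cases)
    results = {}
    for c in cases:
        reasons = []
        # FTIDv3 signal: carrier reports delivery, warehouse never saw the parcel.
        if c.carrier_status == "delivered" and not c.warehouse_scanned:
            reasons.append("delivered-without-warehouse-receipt")
        # LIT signal: the return itself disappeared in the carrier network.
        if c.carrier_status == "lost_in_transit":
            reasons.append("return-lost-in-transit")
        # Testing-phase signal: many refund requests from one account.
        if per_account[c.account] > max_refunds_per_account:
            reasons.append("repeat-refund-account")
        tier = amount_tier(c.amount_usd)
        if not reasons:
            decision = "auto_refund"
        elif tier == "low" and len(reasons) == 1:
            decision = "manual_review"
        else:
            decision = "hold"
        results[c.order_id] = (decision, tier, reasons)
    return results

SAMPLE = [  # constructed sample data, not taken from any real platform
    ReturnCase("u1", "A-1001", 6200.00, "delivered", False),
    ReturnCase("u2", "A-1002", 320.00, "lost_in_transit", False),
    ReturnCase("u2", "A-1003", 450.00, "lost_in_transit", False),
    ReturnCase("u2", "A-1004", 990.00, "lost_in_transit", False),
    ReturnCase("u3", "A-1005", 1500.00, "delivered", True),
    ReturnCase("u4", "A-1006", 318.00, "lost_in_transit", False),
]

if __name__ == "__main__":
    print(*triage(SAMPLE).items(), sep="\n")
```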
Here's a basic breakdown of how fraud is carried out:

Below are screenshots of the logistics shipping labels created using the LIT fraud method, as shared by criminals on Telegram channels:

Fraudulent Refund Merchandise Sales Method
After obtaining refunded products and refunds, criminals often resell these products. To quickly convert these products into cash, they usually sell them at extremely low prices.
It is noteworthy that criminal groups typically do not commit refund fraud on individual items but rather engage in large-scale operations to maximize their profits.
Increase Profits: After receiving the refund, criminals usually sell the goods at the original price or at a lower price to make more profit.
Quick Recovery of Funds: By selling the returned goods at a low price, criminals can quickly recover funds, paving the way for the next round of refund fraud.
Establish an Illegal Business Chain: Provide proxy refund fraud services and stolen goods sales services, expand the business scope, and obtain greater profits.
The following are screenshots of a perpetrator selling refunded products in private channels:

In summary, refund fraud has become one of the major risks faced by e-commerce platforms. Understanding the current situation, methods, and risks of refund fraud helps e-commerce brands take effective measures to prevent malicious refund attacks and protect their own interests. Threat Hunter will continue to monitor refund fraud dynamics and provide enterprises with the latest intelligence support and prevention advice.