Returns Fraud – a risk for eCommerce companies

What is Returns Fraud?

Returns fraud is a deceptive practice where customers purchase a product from a retailer so as to either temporarily ‘borrow’ the item, or to obtain a refund or store credit. Returns Fraud involves deception on the part of customers, who seek to return a product under ‘false pretences’. Common returns fraud typologies include:

  • Online returns fraud – where customers make a false claim in order to obtain a refund or store credit. Typically, these customers claim that they did not make the purchase (when buying using a credit card), that the goods did not arrive, or that the goods which arrived were faulty, damaged or did not match the description when purchased. Many customers do not return these products whilst also claiming a refund, meaning they actually keep the goods and profit from the refund.
  • Product substitution with lower cost items – customers purchase a high-quality item from one store / brand, and a similar but low quality item from another store. They may remove product tags or labels, or place the substitute product in the high quality product’s packaging before returning. Often returned goods are not properly scrutinised, or may be returned to third party service providers, and by the time the fraud is detected it is too late.
  • Product substitution with counterfeit items – this typology is the same as with lower cost items above, except the substituted product is a counterfeit item. This creates issues for retailers if the counterfeit item is repackaged and released for resale without proper inspection, and can result in brand damage or create consumer safety issues.
  • Wardrobing – a common problem, especially for online retailers, in which consumers purchase items of clothing for a specific event (such as a party), use the item of clothing, then return it for a refund or exchange without declaring this use to the retailer.
  • Use of fraudulent receipts – some consumers alter or forge sales receipts and use these along with often substituted or second hand goods to attempt a refund without having purchased the item. Physical retailers without robust returns processes, who do not verify information on receipts against their records, or who place returned items to one side to process in quiet periods, are particularly vulnerable.

Returns Fraud can be perpetrated by external parties (i.e. opportunistic individuals and actual customers), employees (i.e. trusted insiders), and external parties in collusion with trusted insiders.

How does Returns Fraud impact retailers?

If not properly managed, Returns Fraud can have significant implications for retailers and may even send struggling businesses to the wall. Returns Fraud will impact profits, operating costs and brand in the market. Examples of the impact of Returns Fraud on retailers include:

  • Increased Operating Costs – Retailers may need to employ additional staff to manage and process returns, as well as spending more on loss prevention or fraud protection programs. In some cases, specialist expertise may be required, particularly for high value or complex disputes which retailers are not equipped to handle.
  • Card Scheme penalties – Card Schemes such as Visa and Mastercard apply financial penalties to retailers (merchants) where a customer disputes a transaction, such as in the case of ‘online returns fraud’ (above).
  • Customer Experience and Trust – Retailers who implement stringent policies risk frustrating or offending legitimate customers, resulting in complaints, negative ratings online, or refusal to deal with the brand again. Balancing customer experience with retail security is a huge challenge.
  • Returned Inventory Management – The ‘reverse supply chain’ is challenging for any retailer, but it needs proper attention to mitigate risks of substituted, damaged, soiled, or counterfeit product being accepted, repackaged, and resold as legitimate by a retailer with potentially disastrous results.
  • Financial losses – As mentioned in my previous post ‘Product Security is fundamental to Product Management‘ (see “Security and integrity risks need to factor in pricing decisions“, link below), once a product has been stolen or diverted a retailer needs to sell significantly more product units to recover those losses. Over time, these losses erode revenue and impact profit margins, potentially making the business unviable.

The challenge with Returns Fraud, as with any other security program, is the need to balance the inherent risk of Returns Fraud with customer service and customer experience. Some retailers have accepted a high incidence of Returns Fraud, only to find it has eventually sent the business bankrupt as word gets around the retailer is an easy target and the incidence of fraud increases.

Three simple steps to mitigating Returns Fraud risk

Recent media reporting indicates the incidence of Returns Fraud is increasing worldwide, particularly wardrobing and online returns fraud; however, there are three steps businesses can take to mitigate the risk:

  • Return policies – Policies must be clear, legal, compliant with card scheme rules (for credit card payments), and transparent to allow consumers to understand retailer expectations and conditions of sale. Policies should be displayed prominently on the website and in-store, and customers should acknowledge conditions of sale in writing prior to payment. Evidence that a customer has read and acknowledged these policies should be retained by retailer systems and processes in the event of a legal dispute.
  • Using data analytics for fraud detection – data is essential for detecting unusual patterns or behaviours indicative of returns fraud. Provided the required data is collected, typologies can be developed and dashboards built to quickly facilitate detection. Examples of indicators retailers might look for in their typologies include customers who frequently return items (analysed data should include customer name, address, phone number, or email address to identify common purchases using fictitious names); returns of specific products or product categories within 48-72 hours after purchase; and returns of ‘prestigious’ items which consumers might not be able to afford. Early detection, proper investigation, and collection of evidence are crucial to minimising a loss.
  • Build high levels of employee awareness and a strong security culture – Employees are one of the most important elements of any security or fraud program. Poor awareness of fraud and security creates ignorance of the risk, preventing staff from being able to recognise problems and respond in a timely manner. Staff should be trained both on commencement and periodically (at least annually) throughout their employment, with targeted training being undertaken in response to new trends or criminal tactics. Further information on improving security culture can be found below.
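
The data analytics indicators described above can be sketched in code. This is an added example, not part of the original post: it links orders that share an email, phone number or address (so purchases under different names fall into one group), then flags groups with a high return rate or a fast return of a watched category. The sample orders, field names, thresholds and the "eveningwear" category are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def order(oid, name, email, phone, address, category, bought, returned=None):
    ts = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M") if s else None
    return dict(id=oid, name=name, email=email, phone=phone, address=address,
                category=category, purchased=ts(bought), returned=ts(returned))

# Constructed sample data, not real customer records.
ORDERS = [
    order("A1", "Jo Smith", "jo@example.com", "0400000001", "1 High St", "eveningwear", "2024-03-01 10:00", "2024-03-03 09:00"),
    order("A2", "J. Smythe", "js@example.com", "0400000001", "1 High St", "eveningwear", "2024-03-08 10:00", "2024-03-10 12:00"),
    order("A3", "Joanne S", "jo@example.com", "0400000009", "PO Box 7", "shoes", "2024-03-15 10:00", "2024-03-25 10:00"),
    order("B1", "Ann Lee", "ann@example.com", "0400000002", "5 Low Rd", "shoes", "2024-03-02 10:00"),
    order("B2", "Ann Lee", "ann@example.com", "0400000002", "5 Low Rd", "shoes", "2024-03-09 10:00", "2024-03-20 10:00"),
    order("B3", "Ann Lee", "ann@example.com", "0400000002", "5 Low Rd", "eveningwear", "2024-03-12 10:00"),
]

def link_customers(orders):
    """Group orders sharing an email, phone or address, whatever name was given."""
    parent = list(range(len(orders)))
    def find(i):  # follow parent links to the group's root order
        return i if parent[i] == i else find(parent[i])
    seen = {}
    for i, o in enumerate(orders):
        for field in ("email", "phone", "address"):
            key = (field, o[field].strip().lower())
            parent[find(i)] = find(seen.setdefault(key, i))  # merge with first holder
    clusters = defaultdict(list)
    for i, o in enumerate(orders):
        clusters[find(i)].append(o)
    return list(clusters.values())

def flag_clusters(orders, min_orders=3, max_rate=0.5, fast=timedelta(hours=72), watched=("eveningwear",)):
    """Thresholds and the watched category are assumptions to tune per retailer."""
    alerts = []
    for cluster in link_customers(orders):
        returns = [o for o in cluster if o["returned"]]
        reasons = []
        if len(cluster) >= min_orders and len(returns) / len(cluster) > max_rate:
            reasons.append("frequent_returns")
        if any(o["category"] in watched and o["returned"] - o["purchased"] <= fast for o in returns):
            reasons.append("fast_return")
        if reasons:
            alerts.append({"orders": sorted(o["id"] for o in cluster), "reasons": reasons,
                           "names": sorted({o["name"] for o in cluster})})
    return alerts

if __name__ == "__main__":
    print(flag_clusters(ORDERS))
```

Linking on a shared address can merge unrelated households in the same building, so an alert is a prompt for investigation rather than proof of fraud.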

As you can see, the risk of Returns Fraud is real and must be properly understood, assessed and managed by retailers to mitigate unplanned losses and vulnerabilities. Failure to properly consider and plan for Returns Fraud in any retail business is likely to result in substantial financial loss, legal disputes, and brand damage, and may even send the business into insolvency.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

What are the main e-Commerce frauds targeting online stores?

Three challenges in eCommerce Fraud Protection

One of my side hustles is lecturing postgraduate university students on financial crime intelligence – this is all about how to identify and detect fraud and illicit activity in your data. I regularly tell my students (and clients) that fraud is really a ‘process-based crime’ – it arises because of internal control gaps in your business processes which equate to vulnerabilities for your business, and opportunities for fraudsters and criminals.

Different types of fraud arise at different points in the eCommerce process. Every fraud scheme has its own unique characteristics, which means we can prevent and detect it! From my perspective, there are three challenges in eCommerce fraud protection:

  1. Detecting customer profiles or transactions which are highly likely to be fraudulent with a low false positive rate (see here for explanation); and,
  2. Detecting the fraud in time to avoid incurring a loss (this is particularly hard with real-time payments, outsourced and / or automated fulfilment); and,
  3. Striking the right balance between enough loss prevention measures to mitigate the risk (your ‘risk appetite’) and too many controls (which makes for a bad customer experience, impacting sales conversions and customer retention).

To illustrate this for eCommerce, I have used the four-phased eCommerce marketing lifecycle promoted by SmartInsights.com and overlaid where different fraud schemes can arise:

Three categories of eCommerce fraud schemes

Let’s deep dive into the three main eCommerce fraud schemes:

Account related frauds

Some eCommerce fraud schemes revolve around a user’s identity or account. Examples of ways in which this may happen, either at account creation or account login, include:

  • Phishing – social engineering attempts to compromise users and their accounts
  • Credential stuffing – attempts to use credentials stolen from another breach to login
  • Account takeover – where a user’s account credentials or browser session is hijacked
  • Identity theft – a victim’s identity is stolen and used to obtain loans, goods, etc.

Payment Frauds

The second category of eCommerce frauds revolves around the payment or transaction itself, including:

  • Use of stolen / purchased credit card details
  • Card testing – where criminals place small charges on a card to see if it is valid; these charges could be disputed by the cardholder
  • Chargeback fraud – shopper makes a purchase on their own card, then requests a chargeback after receiving the goods
  • Refund Scams – shopper purchases something and asks for a refund before the product is delivered
  • Payment frauds – including card present and card not present transactions

Loss Prevention

The final category of eCommerce frauds is perpetrated by a user post-payment. Common fraud typologies include:

  • Change of address scams – delivery address is changed after payment but before shipping so goods are not sent to the cardholder’s residence
  • Returns fraud – consumer receives goods, uses them, and sends them back (effectively ‘renting’)
  • Product diversion – where goods are basically stolen by trusted insiders (employers, contractors, suppliers)

Did you know that organised fraud, product diverters and shoplifting rings typically target specific products over others?

Products that are CRAVED are at greatest risk.

I have provided more information on which products are most likely to be targeted by organised fraud, product diversion and shoplifting rings in my article “product security risk assessments for tangible goods”.

Identifying your core business activities, systems and processes is key to understanding and managing your risk profile. I will review how to do this in a future article, but if you are looking for somewhere to start try www.juliantalbot.com and this article on ‘risk appetite and risk tolerance‘.
