Returns Fraud – a risk for eCommerce companies

7 minutes

What is Returns Fraud?

Returns fraud is a deceptive practice where customers purchase a product from a retailer so as to either temporarily ‘borrow’ the item, or to obtain a refund or store credit. Returns Fraud involves deception on the part of customers, who seek to return a product under ‘false pretences’. Common returns fraud typologies include:

  • Online returns fraud – where customers make a false claim in order to obtain a refund or store credit. Typically, these customers claim that they did not make the purchase (when buying using a credit card), that the goods did not arrive, or that the goods which arrived were faulty, damaged or did not match the description when purchased. Many customers do not return these products whilst also claiming a refund, meaning they actually keep the goods and profit from the refund.
  • Product substitution with lower cost items – customers purchase a high-quality item from one store / brand, and a similar but low quality item from another store. They may remove product tags or labels, or place the substitute product in the high quality product’s packaging before returning. Often returned goods are not properly scrutinised, or may be returned to third party service providers, and by the time the fraud is detected it is too late.
  • Product substitution with counterfeit items – this typology is the same as with lower cost items above, except the substituted product is a counterfeit item. This creates issues for retailers if the counterfeit item is repackaged and released for resale without proper inspection, and can result in brand damage or create consumer safety issues.
  • Wardrobing – a common problem especially for online retailers, consumers purchase items of clothing for a specific event (such as a party), use the item of clothing, then return it for a refund or exchange without declaring this use to the retailer.
  • Use of fraudulent receipts – some consumers alter or forge sales receipts and use these along with often substituted or second hand goods to attempt a refund without having purchased the item. Physical retailers without robust returns processes, who do not verify information on receipts against their records, or who place returned items to one side to process in quiet periods, are particularly vulnerable.

Returns Fraud can be perpetrated by external parties (i.e. opportunistic individuals and actual customers), employees (i.e. trusted insiders), and external parties in collusion with trusted insiders.

elegant male outfits on dummies in modern boutique
Photo by Andrea Piacquadio on

How does Returns Fraud impact retailers?

If not properly managed, Returns Fraud can have significant implications for retailers and may even send struggling businesses to the wall. Returns Fraud will impact profits, operating costs and brand in the market. Examples of the impact of Returns Fraud on retailers include:

  • Increased Operating Costs – Retailers may need to employ additional staff to manage and process returns, as well as spending more on loss prevention or fraud protection programs. In some cases, specialist expertise may be required, particularly for high value or complex disputes which retailers are not equipped to handle.
  • Card Scheme penalties – Card Schemes such as Visa and Mastercard apply financial penalties to retailers (merchants) where a customer disputes a transaction, such as in the case of ‘online returns fraud’ (above).
  • Customer Experience and Trust – Retailers who implement stringent policies risk frustrating or offending legitimate customers, resulting in complaints, negative ratings online, or refusal to deal with the brand again. Balancing customer experience with retail security is a huge challenge.
  • Returned Inventory Management – The ‘reverse supply chain’ is challenging for any retailer, but it needs proper attention to mitigate risks of substituted, damaged, soiled, or counterfeit product being accepted, repackaged, and resold as legitimate by a retailer with potentially disastrous results.
  • Financial losses – As mentioned in my previous post ‘Product Security is fundamental to Product Management‘ (see “Security and integrity risks need to factor in pricing decisions“, link below), once a product has been stolen or diverted a retailer needs to sell significantly more product units to recover those losses. Over time, these losses erode revenue and impact profit margins, potentially making the business unviable.

The challenge with Returns Fraud, as with any other security program, is the need to balance the inherent risk of Returns Fraud with customer service and customer experience. Some retailers have accepted a high incidence of Returns Fraud, only to find it has eventually sent the business bankrupt as word gets around the retailer is an easy target and the incidence of fraud increases.

Three simple steps to mitigating Returns Fraud risk

Recent media reporting indicates the incidence of Returns Fraud is increasing worldwide, particularly wardrobing and online returns fraud; however, there are three steps businesses can take to mitigate the risk:

  • Return policies – Policies must be clear, legal, compliant with card scheme rules (for credit card payments), and transparent to allow consumers to understand retailer expectations and conditions of sale. Policies should be displayed prominently on the website and in-store, and customers should acknowledge conditions of sale in writing prior to payment. Evidence that a customer has read and acknowledged these policies should be retained by retailer systems and processes in the event of a legal dispute.
  • Using data analytics for fraud detection – data is essential for detecting unusual patterns or behaviours indicative of returns fraud. Provided the required data is collected, typologies can be developed and dashboards built to quickly facilitate detection. Examples of indicators retailers might look for in their typologies include customers who frequently return items (analysed data should include customer name, address, phone number, or email address to identify common purchases using fictitious names); returns of specific products or product categories within 48-72 hours after purchase; and returns of ‘prestigious’ items which consumers might not be able to afford. Early detection, proper investigation, and collection of evidence is crucial to minimising a loss.
  • Build high levels of employee awareness and a strong security culture – Employees are one of the most important elements of any security or fraud program. Poor awareness of fraud and security creates ignorance of the risk, preventing staff from being able to recognise problems and respond in a timely manner. Staff should be trained both on commencement and periodically (at least annually) throughout their employment, with targeted training being undertaken in response to new trends or criminal tactics. Further information on improving security culture can be found below.

As you can see, the risk of Returns Fraud is real and must be properly understood, assessed and managed by retailers to mitigate unplanned losses and vulnerabilities. Failure to properly consider and plan for Returns Fraud in any retail business is likely to result in substantial financial loss, legal disputes, and brand damage, and may even send the business into insolvency.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Defining your ‘Threat Universe’ as a building block of your intelligence capability

Author: Paul Curwell

The role of a threat universe in your intelligence capability

The focus of intelligence is generally on what is happening (and likely to happen in the future) external to your organisation. In the commercial world, risk and compliance teams are often inwardly focused, looking at who is doing what and identifying potential implications, rather than focusing on the external source of the risk (i.e., the threat).

Identifying and categorising your actual and potential threats is a first step in building a new intelligence capability. The threat universe is a taxonomy of all possible threats and their associated vectors which could target your organisation, products or supply chain. Defining your universe of threats creates the boundaries for what your intel function does and does not need to focus on, including any strategic intelligence progams such as horizon scanning.

Photo by Kaique Rocha on

The dangers of intelligence ‘silos’ across your organisation

Depending on your role, you may only be interested in threats associated with a specific functional area, such as fraud, cyber-crime or physical security, as opposed to having an enterprise wide focus. However, silos create problems when threats overlap (e.g. criminals who started with opportunistic theft of physical goods move on to defrauding your organisation through its services).

If you don’t have the right mechanisms in place, your organisation will be blind to these overlaps and you will not realise you are being targeted. An example here is fraud in banks – teams working on credit card fraud might not share their data with teams working on motor vehicle insurance fraud, yet the actual criminal targeting them might be the same person.

The first step in building a threat universe is identifying your most important assets, as this helps inform both a threat actor’s motive and any threat vectors they are likely to use (how a threat actor might successfully defraud or attack you).

Work out what is valuable to your business

A basic rule of security is that you can’t protect your assets if you don’t know what you’re supposed to protect. There are many ways of doing this, but I start with a simple taxonomy and then get into further levels of detail with my clients. When I think of assets, I start with five main categories:

Asset CategoriesDescription
PeopleIncludes your employees and customers
FacilitiesBuildings such as offices, plants, warehouses, laboratories
InformationIncludes Intellectual Property (IP such as patents, copyright, personal or private information (generally covered under privacy legislation), and confidential business information (proprietary information) such as marketing plans, strategies, pricing models
SystemsComprises the computer networks, servers and related technology that keeps the business functional
Brand & ReputationRepresents the premium the market places on your products and services as a result of how you do business

Your products & services are assets too!

Products are all too often overlooked by many security and fraud professionals. There are two things you need to consider. Some threat actors make money by abusing your products or services. Pharmaceutical counterfeiting and loan fraud syndicates are two examples, both of which profit by directly targeting a company’s products or services.

Perhaps more pernicious are those who use of your products or services as a criminal enabler. This means that your company may not lose money by having criminals use your products or services, indeed, some companies might even make money in the form of sales revenue, but your products or services are used to facilitate criminal business operations. Money laundering and identity crime are two common examples. A less obvious one is drug trafficking rings that smuggle illicit product into a legitimate shipment to transport their illicit product.

Photo by Ketut Subiyanto on

Identifying the threat actors likely to target your assets

Once you have identified what is likely to be targeted in your business, the next step is to understand who is likely to target you. You will likely not have all the information you need to complete this step without some research, but you will probably be able to complete a high level summary quite quickly. Remember that criminals might be considered to lie on a spectrum, from opportunistic through to serious organised crime.

Use this simple taxonomy for threat actors to get you started:

Threat ActorDescription
Opportunistic CriminalsOpportunistic criminals are only engaging in crime because they think they won’t get caught. For example, perhaps you are a retailer who sells expensive clothing, and your products can easily be slipped into a bag without paying?
Unsophisticated CriminalsI use this category to describe people who might be engaging in crime more than just opportunistically, but are either just starting out or really aren’t any good. History has plenty of examples here, and this category (particularly those that aren’t any good), are probably the ones most likely to get caught.
Organised criminalsOrganised criminals are just that – organised. That implies some level of competence, which likely translates into them being harder to find and catch. This is particularly the case with fraud syndicates. If you have something which is attractive to criminal groups, or can provide them with access to something that is valuable which they couldn’t get any other way (e.g. a way to launder their money or use someone else’s identity), you may be a target. Fraud syndicates and cyber-crime rings are frequently encountered examples here, although there are overlaps between these examples and all other categories.
Organised Crime GroupsWe need to make a distinction between ‘organised criminals’, basically sophisticated groups of people engaged in criminal activity, and true ‘organised crime groups’ like the Mafia and Yakuza. Successful criminals are all organised, but not all organised criminals are members of transnational organised crime groups. Organised crime groups these days are generally transnational, and involved in a broad spectrum of legitimate and illegitimate enterprises.
Nation States & their associatesNation states and their associates (such as front companies and intermediaries) can be involved in a range of activities including Intellectual Property Theft, technology transfer, weapons profileration, economic espionage, foreign interference, information operations (e.g. cyber attacks, misinformation / disinformation campaigns), supply chain attacks and sabotage (physical and cyber).
Terrorism &
Politically Motivated Groups
An unfortunate reality of life is that some crimes are politically motivated – Terrorism is one example. Companies and their assets (including employees) may be directly targeted for some reason – perhaps they are high profile and an easier target than say a police station or government building – or they may just be in the wrong place at the wrong time. If your office is in the same building as a government agency or other high profile business, you would be wise to ensure this is on your threat universe.
Issue Motivated GroupsIssue Motivated Groups might sound a bit strange, but these are effectively groups of people who are willing to commit crimes (sometimes serious crimes such as murder) in the name of what they feel is important. Examples include environmental activists, anti-abortion activists, religious motivations, animal rights activists and others. They range from peaceful and benign (e.g. peaceful protests) through to very serious – such as the bombing of anti-abortion clinics or the murder of staff associated with them. You need to know if your company operates in an industry that is targeted by IMGs.
Street criminals / gangsThis might seem a strange addition to the list depending on where you live or operate, but it is important to remember the threats facing corporate travelers as companies have a duty of care towards their employees. Theft (including cargo theft), robbery, random acts of violence, and even opportunistic kidnappings perpetrated by common criminals or organised groups may need to feature on your risk register if you send employees to high risk locations.
Insider ThreatsRefers to any person who has the potential to harm an organisation for which they have inside knowledge or access, including employees, contractors, consultants, and employees / contractors of suppliers and business partners. An insider threat can have a negative impact on any aspect of an organisation. Insiders can also collude or collaborate with external threats such as organised crime groups.

As you start to define your threat universe, you can develop sub-categories which will help you further identify and manage the threat. For example, if your organisation is exposed to organised crime, start to categorise them. Add sub-categories such as middle east organised crime, outlaw motorcycle gangs etc. Then you can undertake research to find out what sort of activities they typically engage in, and whether your business, products or supply chain are typically targeted by each group in your region. Having done this exercise once, you can keep it up to date by building a media monitoring capability to identify emerging trends.

Applying your threat universe in practice

A threat universe could comprise something similar to an an organisational chart, and be supplimented with prorfiles and information you gather on each group. Advanced versions will be in a database or similar system. Your threat universe should be a living document, which develops as both your business evolves and the external environment in which your business operates changes.

Once complete, you can start to focus your intelligence resources. Not everything on your threat universe is going to be a problem right now (i.e. be a ‘current threat’) – indeed, there may not be any threats targeting you within a specific category right now, but this can change without warning. When something strange happens or the beginnings of a new trend start to emerge, you can easily look to your threat universe and assess whether this is something you need to be worried about.

Further reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.