Retail professionals who study and prevent online fraud don’t need a reminder of how determined and diabolical fraudsters can be when it comes to ripping off online merchants.
But every now and then, a scheme comes along that is so heartless that it gives even the most worldly fraud professional pause. Consider the case that Signifyd’s chargeback investigators and fraud analysts recently uncovered: Fraud rings preying on human emotions by using online dating sites to recruit go-betweens who helped them commit large-scale fraud.
The odd orders began shortly after the Capital One breach — single purchases of multiple mobile phones, cameras, electronics and large orders of precious metals being placed by consumers whose transaction history and behavior didn’t match up with their new voracious appetites.
And why would they match up? Those doing the buying, it turns out, were entangled in the 2019 version of romance fraud, an old scheme with a new ecommerce twist.
Maybe you’ve read about the FBI’s August takedown of organized fraudsters who impersonated suitors to build trust with their victims before asking for money for some emergency, for instance. One woman sent $200,000 to a fraudster who befriended her online, posing as a U.S. Army captain in Syria.
In fact, the Federal Trade Commission says romance fraud is the leading fraud scheme in the United States, costing victims $143 million in 2018 alone.
Fraud rings change their tactics
But once a scam is exposed, it is less likely to work in the future. And so, fraudsters tweak the old and test the new.
The cruel creativity of the fraud rings Signifyd recently encountered is a reminder that fraud is constantly changing and that those who make their living through deception are persistent and ingenious. Once retailers discover one fraud scheme and fashion ways to stop it, fraudsters often move on to a new technique or target — or both.
Fraudsters’ rapidly changing methods have inspired those seeking to prevent ecommerce fraud to turn to machine learning models that can identify suspect orders almost instantaneously. And the fraudsters’ ingenuity has led to anti-fraud strategies that couple those learning machines with intelligent humans who can use their expertise, experience and intuition to amplify the efforts of AI models to stymie forms of fraud that they hadn’t encountered before.
In fact, the escalating arms race between fraudsters and those who work to protect retail businesses from fraud is beginning to reshape the threat. As machine learning models achieve unprecedented sophistication in identifying fraud, fraudsters are looking to exploit the weakest point in the ecommerce buying process—the human who is doing the buying.
Social engineering and romance fraud
The new reality portends a future in which retailers will have to be better prepared to counter attacks that rely on social engineering, the dark art of turning innocent consumers into unwitting accomplices in fraudulent activity.
In the recent cases that Signifyd uncovered, fraudsters working for rings in Malaysia and Nigeria used online dating sites and social media to spark online romantic relationships, often with elderly women. They would nurture the phony relationships by text and direct online messages for months or even years.
Once the fraudsters had established affection and trust, they would go to work. Sometimes the fraudsters would convince their supposed love interests to use their own valid credit accounts to send the fraudsters expensive gifts. When the victim’s credit limit was maxed out or their cash on hand was depleted, the fraudsters would change tactics and ask the victims to buy items using the victim’s home address and credit card credentials that the fraudsters provided.
Yes, the credit cards were stolen. And once they were stolen, the fraudsters presumably changed the addresses on the accounts, so the billing and delivery addresses would match—one detail that indicates an online order is legitimate.
The fraudsters even went so far as providing shipping labels, so their victims could forward the goods to them, turning them into “mules,” as fraud rings call their go-betweens.
“The fraudsters are very patient getting ready for a strike,” Signifyd head of risk operations Ping Li told me when we talked about the most recent attack. “The mules have been in contact with the fraudsters for quite a long time. The fraudsters keep them engaged, gain their trust and get them to a place where they are ready to do anything for the fraudsters.”
Fraudsters hook victims with sob stories
Li said that many of the victims were elderly women, often in their 80s. The fraudsters would create personas and problems—I’m stationed in Iraq. I moved to Kenya to become a businessman. I was in a car accident and rushed to the hospital. I work in an orphanage and the children have needs.
And the victims? There was the woman in the southeastern United States who was in contact with her fraudster for a year. He said he was in the oil business in Cyprus. After several months, he asked her to lend him $18,000 for a business idea. She sent him the money.
Then, after presumably exhausting her surplus cash, the fraudster asked the victim to start buying expensive goods for him online with credit card information that he provided. Sometimes the fraudster would set up shared-screen sessions, so he could point out exactly the items he wanted. The woman shipped the goods. She never saw her $18,000 again.
And there was the West Coast woman who was befriended online by a man who said he worked as a nurse in an orphanage in Malaysia. He asked her to place orders with credit card details he gave her. The high-end electronics and mobile phones and cameras were gifts from donors, he explained, for the children.
She placed the orders and, when they arrived, she forwarded them to Malaysia.
Some of the fraudsters set up their own online stores to sell the goods they had stolen.
Romance fraudsters’ attempts total nearly $1 million
The two fraud rings repeated the scam an untold number of times. On Signifyd’s Commerce Network alone, the romance fraudsters attempted more than a million dollars in fraudulent orders.
Signifyd was able to disrupt the scheme shortly after it surfaced and ensure that the merchants it works with suffered no financial harm. And while the threat has been thwarted, there are some important lessons in what is both an ecommerce story and a heartbreaking story of criminals preying on loneliness, misplaced trust and digital naivete.
How retailers can combat romance fraud
As fraudsters more frequently and ingeniously exploit the consumers who do the buying to take advantage of merchants who do the selling, retailers need to:
- Turn to fraud defenses that rely on vast data and intelligent machines to spot anomalous purchasing patterns and determine whether the orders are legitimate or fraudulent.
- Understand that the strongest defense combines machines that can identify new suspicious behavior and human fraud and data experts, who can dig into what’s behind the anomalous behavior.
- Up-level the fraud domain expertise they have available to investigate new fraud patterns in order to establish the social engineering behind them and to draw connections among fraud rings that are deploying similar tactics.
- Contemplate ways to expand beyond their own transaction data when assessing the legitimacy of any given order. Fraud rings strike quickly, and when one target starts blocking their transactions they move on to the next target that is still vulnerable. Sharing data with a broader pool of retailers can provide advance notice of coming attacks.
And perhaps more than anything, retailers need to keep in mind that the work is never finished. Fraudsters understand that they must constantly evolve their methods and hunt for new targets. The job of a retailer, then, is to stay one step ahead.
Signifyd provides fraud-prevention services to online retailers.