Fraud mule schemes—in which criminals fool everyday consumers into helping them steal goods—increased during the pandemic, as more consumers looked for work at home, according to fraud prevention vendor Signifyd Inc.
Since April 2020, Signifyd says it has discovered about five to eight orders per day that look like fraud-mule purchases, up from only one or two purchases with these markers prior to the pandemic, says Colin McCloskey, lead risk analyst at Signifyd.
“The pandemic has obviously caused a lot of stress and financial strain. It’s also encouraged people to work from home. A mule fraud scheme, especially when advertised in a way that looks like a legitimate job, can look pretty inviting, and steady income while working from home,” McCloskey says.
Signifyd recently uncovered a fraud mule scheme, in which criminals pretending to be a logistics provider fooled a victim into “working for the company” by receiving stolen goods and shipping them to the criminals. On the conservative end, the scheme involved stealing more than $15,000 worth of goods from roughly 25-30 retailers in just one and a half months’ time.
How the fraud mule scheme worked
The victim clicked on an employment advertisement she saw on social media, which directed her to a job posting, says McCloskey, who uncovered the scheme.
The job posting was for a firm called Jerry & Sam Logistics, which had a professional-looking website, complete with images and a page listing all employees with titles and headshots. In reality, the criminals replicated a legitimate logistics website and changed a few things. The job posting promised to pay $2,800 a month, plus $50 a package and a $325 bonus if all the packages ship on time.
The victim had a phone interview, then received a confirmation email that she passed the interview step. She filled out a contract in which she provided a picture of a state-issued ID. She also watched a training video on how to be a packing specialist.
Here’s how the scheme worked: The criminal used stolen credit card data to purchase high-value goods including drones, cameras, bullion (such as gold), dishwashers and laundry machines and shipped these items to the victim. Signifyd approved the retailer transaction because enough factors about it appeared legitimate. For example, the name and billing address information on the credit card matched (even if it was stolen). Plus, Signifyd knew that this was the victim’s home address based on other legitimate purchases she made in the past.
Once the victim received the goods, she opened them and took pictures to upload to an online portal for Jerry & Sam Logistics. This was likely so the criminals could have a catalog and build an inventory of items they were soon to receive.
The victim then repackaged the items, printed a pre-paid shipping label the criminals provided and shipped the goods via a standard shipping carrier, such as FedEx, to the criminal. The location was often in Malaysia, although there were a few instances of addresses within the U.S., McCloskey says.
Using chargebacks to uncover the scheme
After about a month, the person whose stolen payment credentials were used on the purchase typically notices the charge on her account for a product she did not buy and contacts her bank to reverse the charge. This is what is known as a chargeback. There are multiple reasons why a retailer may have a chargeback and one of them is fraud.
Typically, credit card providers side with the consumer in order to keep her happy and retailers then have to pay the consumer back. And so, the merchant loses the product and has to refund the customer. What’s more, if retailers have a high rate of chargebacks—around 1%, McCloskey says—credit card companies may no longer process payments from that merchant.
So if a retailer has a chargeback, it looks to its fraud prevention provider—Signifyd in this case—as to why the transaction was approved. Signifyd will cover the cost for the merchant, but it still looks into why its algorithm didn’t catch the fraud to prevent further criminal transactions.
When multiple chargebacks started coming in, McCloskey went to work to find the patterns and look for the “bigger picture for what’s happening,” he says. “Once we see the chargeback, we can begin to sort of reverse engineer that order,” he says.
“One consistent thing I’ve noted was back in 2017, there were a lot of orders placed with the billing and delivery matching, as well as other information like same IP address, same phone number,” McCloskey says. “I kind of thought she’s obviously the occupier of the delivery address if she is receiving all these items.”
But many of those previous purchases were for orders of $20 or less. For her to suddenly receive multiple packages of goods with average order values (AOV) of more than $1,000 is a significant change in behavior. Plus, the AOV for goods in the ZIP code area in which she lived also was much lower than the AOV for the goods she received. In addition, the purchases that were being delivered to her house were coming from multiple billing addresses and cardholders.
While this may seem obviously fishy, these types of schemes can be hard for one merchant to catch on its own. For example, this purchasing behavior could be similar to a person receiving gifts for a wedding—as many different cardholders are sending expensive goods to one person.
After calling the victim in October 2020, McCloskey learned of how she was duped into thinking she was employed at a legitimate logistics company. She was never paid as her “contract” indicated, and when she reached out to her contact at the company to complain, the criminals stopped communicating with her.
The victim worked for a month and a half without being paid. Plus, she incurred expenses for taking a cab to the shipping carrier to ship out the bulky items, like the dishwasher, because she doesn’t have a car. She also quit her previous job to become the packing specialist because she believed the money would be better. After the victim repeatedly called about her lack of payment, the criminals shut down the Jerry & Sam.
“They don’t want to believe it’s not real,” McCloskey says regarding the victim continuing to work despite not being paid. “They believe that false promise, that the $200 or $300 promised is coming tomorrow.”
Once multiple chargebacks come in all tied to the same address, Signifyd can flag purchases shipped to that location to closely monitor them to avoid additional fraudulent purchases. Then, once it determines the pattern of fraudulent behavior, Signifyd feeds the pattern back into its algorithm so it can quickly spot a similar scheme in the future, he says. Signifyd declined to share specific details on how it updates its algorithm so as not to tip off criminals.
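The signals described above (a jump in average order value at one delivery address, many different cardholders shipping to it, and multiple chargebacks tied to it) can be combined as in the following added example, which is not Signifyd's algorithm or code from the article. The order records, field layout and every threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample orders, not real data:
# (delivery_address, cardholder, amount_usd, period, charged_back)
ORDERS = [
    ("12 Elm St", "resident", 18.0, "history", False),
    ("12 Elm St", "resident", 12.5, "history", False),
    ("12 Elm St", "resident", 20.0, "history", False),
    ("12 Elm St", "card_A", 1450.0, "recent", True),
    ("12 Elm St", "card_B", 1100.0, "recent", True),
    ("12 Elm St", "card_C", 1999.0, "recent", False),
    ("9 Oak Ave", "resident2", 60.0, "history", False),
    ("9 Oak Ave", "resident2", 75.0, "recent", False),
    # Wedding-style pattern: several cardholders, pricey gifts, no chargebacks
    ("4 Pine Rd", "resident3", 40.0, "history", False),
    ("4 Pine Rd", "guest_1", 500.0, "recent", False),
    ("4 Pine Rd", "guest_2", 450.0, "recent", False),
    ("4 Pine Rd", "guest_3", 480.0, "recent", False),
]

def score_addresses(orders, aov_ratio=10.0, min_cardholders=3, min_chargebacks=2):
    """Grade each delivery address; all thresholds are assumed values."""
    by_addr = defaultdict(list)
    for addr, holder, amount, period, cb in orders:
        by_addr[addr].append((holder, amount, period, cb))

    results = {}
    for addr, rows in by_addr.items():
        history = [a for _, a, p, _ in rows if p == "history"]
        recent = [(h, a, cb) for h, a, p, cb in rows if p == "recent"]
        if not recent:
            continue
        recent_aov = mean(a for _, a, _ in recent)
        # AOV jump: recent orders far above this address's own purchase history
        jump = bool(history) and recent_aov / mean(history) >= aov_ratio
        cardholders = len({h for h, _, _ in recent})
        chargebacks = sum(1 for _, _, cb in recent if cb)
        if chargebacks >= min_chargebacks:
            verdict = "monitor"  # multiple chargebacks tied to one address
        elif jump and cardholders >= min_cardholders:
            verdict = "review"   # suspicious, but also fits e.g. wedding gifts
        else:
            verdict = "ok"
        results[addr] = {"recent_aov": round(recent_aov, 2), "aov_jump": jump,
                         "cardholders": cardholders, "chargebacks": chargebacks,
                         "verdict": verdict}
    return results
```

The wedding-style address lands in "review" rather than "monitor": behavioral signals alone are ambiguous, and it is the chargebacks that confirm the pattern.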
Feeding the fraud pattern into the algorithm will hopefully catch similar fraud mule schemes sooner in the process or before they start at all. Unfortunately, it’s likely that these schemes will only continue, McCloskey says.