01:56 PM

Fake Amazon Receipt Generator Targets Unsuspecting Online Merchants

Smaller retailers, swamped by the holiday shopping surge, may be particularly vulnerable to a social engineering scam that attempts to obtain fraudulent refunds.


There's a new online swindle afoot this holiday season, but it's not after consumer pocketbooks. Rather, it targets a very specific group: Businesses that sell their wares on Amazon. The would-be grift is a bit of software that generates authentic-looking Amazon receipts -- for orders that were never placed -- in hopes of acquiring fraudulent refunds.

Christopher Boyd, senior threat researcher at GFI Software, which recently uncovered the social engineering device, wrote in the company's blog: "It's a pretty good facsimile of a genuine Amazon receipt." He compared a fake receipt with a real one from his own Amazon account and found them "identical." He noted that the deceitful receipt gets the seemingly little details right, such as the "Total Before Tax" and "Sales Tax" line items, increasing the appearance of authenticity.

Though vigilant merchants do not have too much to be concerned about -- it's not that difficult, after all, to determine whether or not an order was ever placed -- the receipt generator does put at risk smaller sellers that do sizeable volume but don't have strong return policies or automated processes to prevent fraud.

"Most sophisticated merchants would have caught this pretty easily," said Scot Wingo, CEO of ChannelAdvisor, a software firm that helps retailers sell online. "This kind of fraud can be caught with just a process in place."

But the receipt generator does threaten sellers unprepared for such scams, or those who are simply stretched too thin by heavier transaction volume during the holiday rush. As Boyd asked in his blog post: "After all, how many sellers would be aware somebody went to the trouble of creating a fake receipt generator in the first place?"

Wingo said that the real risk lies with a group that does somewhere between $2,000 and $20,000 in monthly sales, but doesn't have a staff or vendor that helps manage post-transaction issues. He gave as an example a merchant that moves 200 items a month at about $75 per transaction, or $15,000 in monthly sales -- not Fortune 500 revenues, by any stretch, but enough that a time-poor small business owner would likely not be able to remember every order placed. This type of buyer fraud is the biggest threat to Amazon marketplace merchants, said Wingo, who noted that sellers there are generally well-protected from credit card fraud and that most problems come after the sale.

"It's the back-end stuff that you have to worry about," Wingo said. He said the con usually involves more than one point of contact with the seller, such as "a phone call from an upset grandmother who pulls at your heartstrings" followed by the dupe receipt via email or fax.

The holidays are a time of traditions: Heavy shopping, for one, and online fraud, for another. Wingo advised merchants -- particularly those that track orders manually -- to take basic steps to protect themselves. For starters, every seller should have a return policy and publish it, regardless of size or sales volume. Wingo suggested offering only store credit for returns to further limit risk.

GFI's Boyd expects the receipt rip-off to be popular this holiday season, and urged extra caution in his blog post: "If a 'customer' seems a little peculiar, ensure you take a good look at their receipt -- you probably don't want to have a Homer Simpson moment after you've sent three Playstations to their drop off address."
