
Fake Amazon Receipt Generator Targets Unsuspecting Online Merchants

Smaller retailers, swamped by the holiday shopping surge, may be particularly vulnerable to a social engineering scam that attempts to obtain fraudulent refunds.


There's a new online swindle afoot this holiday season, but it's not after consumer pocketbooks. Rather, it targets a very specific group: businesses that sell their wares on Amazon. The would-be grift is a bit of software that generates authentic-looking Amazon receipts -- for orders that were never placed -- in hopes of acquiring fraudulent refunds.

Christopher Boyd, senior threat researcher at GFI Software, which recently uncovered the social engineering device, wrote in the company's blog: "It's a pretty good facsimile of a genuine Amazon receipt." He compared a fake receipt with a real one from his own Amazon account and found them "identical." He noted that the deceitful receipt gets the seemingly little details right, such as the "Total Before Tax" and "Sales Tax" line items, increasing the appearance of authenticity.

Though vigilant merchants do not have too much to be concerned about -- it's not that difficult, after all, to determine whether or not an order was ever placed -- the receipt generator does put at risk smaller sellers that do sizeable volume but don't have strong return policies or automated processes to prevent fraud.

"Most sophisticated merchants would have caught this pretty easily," said Scot Wingo, CEO of ChannelAdvisor, a software firm that helps retailers sell online. "This kind of fraud can be caught with just a process in place."

But the receipt generator does threaten sellers unprepared for such scams, or those who are simply stretched too thin by heavier transaction volume during the holiday rush. As Boyd asked in his blog post: "After all, how many sellers would be aware somebody went to the trouble of creating a fake receipt generator in the first place?"

Wingo said that the real risk lies with a group that does somewhere between $2,000 and $20,000 in monthly sales, but doesn't have a staff or vendor that helps manage post-transaction issues. He gave as an example a merchant that moves 200 items a month at about $75 per transaction, or $15,000 in monthly sales -- not Fortune 500 revenues, by any stretch, but enough that a time-poor small business owner would likely not be able to remember every order placed. This type of buyer fraud is the biggest threat to Amazon marketplace merchants, said Wingo, who noted that sellers there are generally well-protected from credit card fraud and that most problems come after the sale.

"It's the back-end stuff that you have to worry about," Wingo said. He said the con usually involves more than one point of contact with the seller, such as "a phone call from an upset grandmother who pulls at your heartstrings" followed by the dupe receipt via email or fax.

The holidays are a time of traditions: heavy shopping, for one, and online fraud, for another. Wingo advised merchants -- particularly those that track orders manually -- to take basic steps to protect themselves. For starters, every seller should have a return policy and publish it, regardless of size or sales volume. Wingo suggested offering only store credit for returns to further limit risk.

GFI's Boyd expects the receipt rip-off to be popular this holiday season, and urged extra caution in his blog post: "If a 'customer' seems a little peculiar, ensure you take a good look at their receipt -- you probably don't want to have a Homer Simpson moment after you've sent three Playstations to their drop off address."
