Fake Amazon Receipt Generator Targets Unsuspecting Online Merchants
Smaller retailers, swamped by the holiday shopping surge, may be particularly vulnerable to social engineering scam that attempts to obtain fraudulent refunds.
There's a new online swindle afoot this holiday season, but it's not after consumer pocketbooks. Rather, it targets a very specific group: Businesses that sell their wares on Amazon.com. The would-be grift is a bit of software that generates authentic-looking Amazon receipts -- for orders that were never placed -- in hopes of acquiring fraudulent refunds.
More Personal Tech Insights
White PapersMore >>
Christopher Boyd, senior threat researcher at GFI Software, which recently uncovered the social engineering device, wrote in the company's blog: "It's a pretty good facsimile of a genuine Amazon receipt." He compared a fake receipt with a real one from his own Amazon account and found them "identical." He noted that the deceitful receipt gets the seemingly little details right, such as the "Total Before Tax" and "Sales Tax" line items, increasing the appearance of authenticity.
Though vigilant merchants do not have too much to be concerned about -- it's not that difficult, after all, to determine whether or not an order was ever placed -- the receipt generator does put at risk smaller sellers that do sizeable volume but don't have strong return policies or automated processes to prevent fraud.
"Most sophisticated merchants would have caught this pretty easily," said Scot Wingo, CEO of ChannelAdvisor, a software firm that helps retailers sell online. "This kind of fraud can be caught with just a process in place."
But the receipt generator does threaten sellers unprepared for such scams, or those who are simply stretched too thin by heavier transaction volume during the holiday rush. As Boyd asked in his blog post: "After all, how many sellers would be aware somebody went to the trouble of creating a fake receipt generator in the first place?"
Wingo said that the real risk lies with a group that does somewhere between $2,000 and $20,000 in monthly sales, but doesn't have a staff or vendor that helps manage post-transaction issues. He gave as an example a merchant that moves 200 items a month at about $75 per transaction, or $15,000 in monthly sales -- not Fortune 500 revenues, by any stretch, but enough that a time-poor small business owner would likely not be able to remember every order placed. This type of buyer fraud is the biggest threat to Amazon marketplace merchants, said Wingo, who noted that sellers there are generally well-protected from credit card fraud and that most problems come after the sale.
"It's the back-end stuff that you have to worry about," Wingo said. He said the con usually involves more than one point of contact with the seller, such as "a phone call from an upset grandmother who pulls at your heartstrings" followed by the dupe receipt via email or fax.
The holidays are a time of traditions: Heavy shopping, for one, and online fraud , for another. Wingo advised merchants -- particularly those that track orders manually, to take basic steps to protect themselves. For starters, every seller should have a return policy and publish it, regardless of size or sales volume. Wingo suggested offering only store credit for returns to further limit risk.
GFI's Boyd expects the receipt rip-off to be popular this holiday season, and urged extra caution in his blog post: "If a 'customer' seems a little peculiar, ensure you take a good look at their receipt -- you probably don't want to have a Homer Simpson moment after you've sent three Playstations to their drop off address."
Amid many threats, the feds are shorthanded. Here's how they're acquiring hard-to-find skills. Download this issue of InformationWeek Government now (registration required).