How Weak Passwords Fuel Package Mule Scams for Retailers

Shopping online has always been a nice convenience, but it became a virtual lifeline for both businesses and consumers during the pandemic. Unfortunately, it also led to an increase in fraud.
Account takeover (ATO) is skyrocketing for e-commerce customers and reshipping scams have been prevalent for years. E-commerce retailers are at risk of losing more than $20 billion in 2021 due to fraud.
The average damage from a reshipping (a.k.a. package mule) scheme, according to researchers, is more than $1,100 per cardholder. These losses are easily preventable when consumers adopt strong passwords to protect their accounts, making it difficult for cybercriminals to perpetrate ATO.
However, merchants are ultimately the gatekeeper. What’s the best way to tackle this to protect consumers — and your bottom line?
First let’s take a look at how reshipping scams work. The process is pretty straightforward. Criminals gain access to a customer’s account and then use their information to purchase products, usually without changing any of the victim’s personal information so they remain undetected.
Once the order is placed and shipped to the address on file, the cybercriminal accesses the account again to monitor when the order will be shipped. Once they have confirmed the goods are on their way, they will reach out to the shipper to redirect the shipment to an alternate address where they can easily pick it up, or have a third party — a.k.a. “package mule” — do the dirty work for them.
Often these third parties are innocent bystanders themselves. Cybercriminals post fake job ads promising people easy work for what seems like a high rate of pay. The victim is told all they have to do is receive the package and reship it to a new address. This process makes it difficult to proactively detect the fraud, and the products are also difficult to recover once shipped.
To add insult to injury, many of these package mules are putting themselves at risk when they hand over their personal information for payment. They generally never get paid, and in the coming months the bad actors will use their stolen Personally Identifiable Information (PII) to perpetrate true name identity theft or create a synthetic identity.
Cybercriminals have also started taking advantage of the buy-online-pickup-in-store (BOPIS) trend that’s become popular during the pandemic. Scammers can place orders and pick up the goods before the legitimate customer even realizes what happened.
All of this adds up to a massive headache for both the customers whose personal information is breached and the merchants, who are out the cost of the product and shipping, have to reimburse the victimized account holder, and risk losing their customers’ trust.
Consumers tend to blame businesses when these types of fraudulent activities occur, and it’s no wonder. Large retailers including T.J. Maxx and Home Depot have all had their e-commerce sites and store servers breached by cybercriminals in recent years, exposing millions of customers’ personally identifiable information.
However, the reality is that shipping fraud often starts with poor password security, which allows cybercriminals to access accounts in the first place. They’re often using credentials that were breached months or even years earlier and sold on the dark web in large lists (called “combo lists”) for just a few dollars. That means that quite often a fraudulent charge has nothing to do with the merchant, and was actually the result of the consumer’s poor cyber hygiene weeks, months or even years prior.
Here are some steps merchants can take to reduce reshipping fraud, retain customer trust, and protect their profitability:
Educate Your Customers on Strong Passwords
No one likes seeing a message to reset their password when they’re trying to log into an account to make a quick purchase. It’s a fine line to walk for merchants who don’t want to risk losing a sale because a customer gets frustrated with the process.
However, the fact remains that easy-to-guess passwords and password reuse are two of the top reasons for account takeover. Customers may want to use the same password for years and years across all of their accounts, but retailers simply can’t let them.
Start by educating customers on the importance of picking a strong, 16-plus character password that is unique to the account. This guidance can be shared on-screen during the account creation process (ex: “We want to help you keep your account protected”) and reiterated anytime the customer is asked to reset their password.
Prohibit the Use of Previously Breached Credentials
Implement a solution to prevent customers from choosing any password that has already been exposed in a data breach, whether it’s been in association with your customer’s email/username or not. With the increase in online shopping over the last year, adding this extra layer of security is more crucial than ever before.
Online fraud solutions like these allow merchants to easily identify user credentials that have been previously compromised, as well as verify shipping addresses to make sure that an order is legitimate.
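One way a sign-up or password-reset handler could apply both rules above, the 16-character minimum and the ban on previously exposed passwords, is sketched below. This is an added example, not code from the article or from any vendor: the corpus is a constructed sample, and `range_lookup` is a hypothetical stand-in for whatever breach data source a merchant actually uses.

```python
import hashlib
import hmac

MIN_LENGTH = 16  # the article's "16-plus character" guidance

# Constructed sample corpus standing in for a breached-password data set.
_EXPOSED = ["Summer2021!", "correct horse battery staple", "Qwerty123456789!"]


def _sha1_hex(password):
    # SHA-1 is only a lookup key into the corpus here, never a storage hash.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus by the first 5 hex characters of each digest.
BREACH_INDEX = {}
for _pw in _EXPOSED:
    _d = _sha1_hex(_pw)
    BREACH_INDEX.setdefault(_d[:5], []).append(_d[5:])


def range_lookup(prefix):
    """Hypothetical lookup: all digest suffixes stored under a 5-char prefix.

    In production this would be a call to the breach data source; only the
    prefix leaves the merchant, so the source never sees the full digest.
    """
    return BREACH_INDEX.get(prefix, [])


def is_breached(password):
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return any(hmac.compare_digest(suffix, s) for s in range_lookup(prefix))


def check_new_password(password):
    """Return rejection reasons for a sign-up or reset; empty list = accept.

    No username or email is taken: exposure under any account disqualifies.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if is_breached(password):
        reasons.append("found in a known data breach")
    return reasons
```

The third sample entry is exactly 16 characters with mixed character classes, so it passes the length rule and is rejected only because it appears in the corpus.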
Enforce Multi-Factor Authentication (MFA)
Multi-factor authentication is becoming more commonplace and it’s a good idea for any merchant. Requiring customers to present at least two distinct pieces of evidence in order to log into their accounts provides an extra layer of security if their original password has been compromised.
If it sounds like another hoop to jump through, consider that even Google is planning to enable it by default on users’ accounts because it deters a good amount of cybercrime. It’s also a smart solution given the rise in mobile purchasing and shipping authorizations. MFA allows customers to sign off on shipments and deliveries through their phones or other devices, potentially flagging fraudulent shipments.
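The reshipping flow described earlier (an order to the address on file, then a redirect to an alternate address) can be gated on the customer sign-off mentioned above. The following is an added example, not code from the article: the event names, account schema and decision labels are hypothetical, the data is constructed, and it assumes the merchant is notified of redirect requests.

```python
def normalize(address):
    """Case- and punctuation-insensitive form, so reformatting is not 'new'."""
    return " ".join(address.lower().replace(",", " ").split())


# Constructed sample accounts (hypothetical schema).
ACCOUNTS = {
    "c1": {"on_file": {normalize("12 Elm St, Springfield")}, "mfa": True},
    "c2": {"on_file": {normalize("9 Oak Ave, Lakeside")}, "mfa": True},
    "c3": {"on_file": {normalize("4 Pine Rd, Hilltop")}, "mfa": False},
}

# Constructed event stream, in time order.
EVENTS = [
    {"type": "order_placed", "order": "A100", "account": "c1"},
    {"type": "redirect_requested", "order": "A100", "new_address": "PO Box 77, Rivertown"},
    {"type": "order_placed", "order": "A101", "account": "c2"},
    {"type": "redirect_requested", "order": "A101", "new_address": "9 oak ave  lakeside"},
    {"type": "order_placed", "order": "A102", "account": "c3"},
    {"type": "redirect_requested", "order": "A102", "new_address": "88 Dock Ln, Harbor"},
    {"type": "order_placed", "order": "A103", "account": "c1"},
    {"type": "redirect_requested", "order": "A103", "new_address": "31 Mill Rd, Springfield"},
    {"type": "mfa_signoff", "order": "A103", "approved": True},
    {"type": "mfa_signoff", "order": "A100", "approved": False},
]


def decide(accounts, events):
    """Return {order_id: decision} after replaying the events in order."""
    owner, decision = {}, {}
    for ev in events:
        oid = ev["order"]
        if ev["type"] == "order_placed":
            owner[oid] = accounts[ev["account"]]
            decision[oid] = "ship"
        elif ev["type"] == "redirect_requested":
            acct = owner.get(oid)
            if acct is None:  # redirect for an order we never saw placed
                decision[oid] = "hold_manual_review"
            elif normalize(ev["new_address"]) in acct["on_file"]:
                decision[oid] = "ship"
            elif acct["mfa"]:  # new address: wait for the customer's sign-off
                decision[oid] = "hold_pending_mfa_signoff"
            else:
                decision[oid] = "hold_manual_review"
        elif ev["type"] == "mfa_signoff" and decision.get(oid) == "hold_pending_mfa_signoff":
            decision[oid] = "ship_redirected" if ev["approved"] else "cancel_redirect"
    return decision
```

Order A101 is not held because its redirect target matches the address on file once formatting is normalized; A102 falls back to manual review because that account has no second factor to ask.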
Fraudulent activity, including package mule scams, is growing as online shopping increases, and preventing it requires layered solutions. Failing to act exposes your business and stands in the way of creating a seamless experience for your customers, leading to potential revenue loss.
Start by taking responsibility for your customers’ password habits. This will improve their overall cyber hygiene and ensure that their personal information is safe during any and all online transactions.
It also goes a long way in developing customer trust and loyalty, positioning you as a proactive partner in their online purchasing journey and ensuring they will feel secure buying with you in the future.
Pattie Dillon is the anti-fraud network relationship manager at SpyCloud, where she develops creative and innovative ways to fight fraud with SpyCloud’s leading-edge products and connects with others to build a safer internet through collaboration and knowledge sharing.