New Phishing Alert: Rippleshot Identifies Refund Phishing Scheme

Update from Rippleshot Fraud and Product Specialist Gregory Lenihan

Financial institutions have been warning their customers for years about avoiding suspicious websites and guarding their information when talking to an unknown person on a call. That’s what makes a new form of phishing so troubling - cardholders are actually being directed to the scammers by the FIs. It’s called refund phishing and it’s a trend that all FIs should be aware of because it’s only going to get worse. 

As a quick overview, phishing is when an attacker tries to trick a victim into providing sensitive information. It’s a broad category of attack that ranges from obvious, low-skill “password reset” emails all the way to highly coordinated campaigns that target specific users.

What is Refund Phishing?

In refund phishing, a cardholder will experience a fraudulent transaction and when they contact the merchant to ask for a refund, they will be phished. Here’s how that looks in action:

Fraudster completes a transaction on a victim’s card. Unlike other card fraud, the fraudster wants the cardholder to find the transaction and have a way to contact the ‘merchant’. That can happen in a few ways:

  • The merchant name starts with a phone number (usually a toll free number)
  • The merchant name is a website (or is unique enough to find through a search engine)
  • The ‘merchant’ emails the cardholder a phony receipt when the transaction is made.

The point of all of these efforts is to make it easier for the cardholder to find a customer service/return phone number to call.

Now that they have a phone number, cardholders call seeking a refund. This means they are more than willing to provide details about their card, their address, and anything else the fraudsters can get out of them. The ‘merchant’ could also ‘verify’ the cardholder by sending them a one-time passcode to relay back.

By the time it’s all done, the cardholder may have given enough information for the fraudster to have tokenized the card on their own devices, reset the cardholder’s online banking credentials, and any number of other attacks.

What Action Can Be Taken?

First and foremost is to block those transactions. Luckily, the majority of these ‘merchants’ use specific merchant ID ranges that can be outright blocked. If the original transaction is declined, that erases the reason for the cardholder to call at all. 

Next is to review your previous transactions from those merchant IDs to limit further damage. Pay particular attention to returns or zip verification transactions from those merchants, as they could indicate that those cardholders were successfully phished. Contact those cardholders to find out what information was provided and take action accordingly.

Given the urgency and seriousness of this trend, Rippleshot would like to provide the Merchant ID ranges found in this trend at no cost to any financial institutions interested. Please fill out the form at the bottom of this page and Rippleshot will send you the Merchant ID ranges for free.

What We’ve Seen in the Wild: Merchant Sites to Look For

Of the merchant names that could be traced to a website, the sites themselves are similar. In fact, this trend was originally investigated because of a spike in fraudulent activity in Merchant Category Code 5997 - electric razor stores. That led to a dozen different merchant names with websites that all sold the exact same fifteen products for the exact same amounts.

What makes this a unique attack is that the eCommerce portions of the merchant sites don’t work. For example, on one page, I used bogus data and received a response that the card was denied too quickly for it to have actually been checked. On another, I used bogus data and was sent to an order successful page.

The next possibility is that those sites were being used to trick cardholders into purchasing from their sites thereby providing their card data to the fraudsters. However, in those cases, the fraudsters should be driving traffic to their websites and the items should have discount prices. The items I saw were too expensive for that to be useful and I couldn’t find any links to those sites on social media.

The sites themselves can look pretty different from each other, but they all share one characteristic. They all make it very easy to find a contact number. Combining that with the fact that there are transactions with those merchant names occurring, despite the website’s purchase page not working, the most logical answer is that cardholders are being phished. 

The data further backs this up. We see a substantial amount of zip verification transactions from these MIDs. If you call one of the contact numbers, as I did, the first thing you are asked for is your zip code. Even more worryingly, we have seen multiple examples of tokenization attempts after these initial transactions. We’ve confirmed that others are seeing tokenization attempts on their cardholders in this pattern as well.

Volumes: What We’re Seeing in Our Data 

In our consortium data, we have seen tens of thousands of initial transactions with thousands of address verifications each month. Comparing the two, the fraudsters may have a success rate of roughly 5-10%. That’s absolutely worth it to the fraudsters, which is why the overall volume this year has remained high. Not only that, but the fraudsters have been iterating on the design of the websites. The earlier web designs were lower effort and looked off. The more recent sites have improved greatly in quality. All of that factors into the cardholder’s decision to contact the merchant.

What to Do Next: Rippleshot’s Recommendation

As part of Rules Assist, our automated decision rules fraud tool, we have provided clients merchant ID ranges to cut off potential phishing activity before it can happen. We are recommending that transactions are reviewed for any cardholders that had approved transactions in those merchant ID ranges, especially if they had a zip validation transaction or a return. 

We are warning that those cardholders may have been involved in a targeted phishing attack, and flagging our clients to look for suspicious tokenization attempts, changes to user credentials, demographic changes, or any other account takeover activity. You can also reach out to our team to learn what type of fraudulent merchants you might be missing, and how our tool can help you proactively identify and block those potentially fraudulent transactions today.
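As an added example, not code from Rippleshot or its Rules Assist product, the Python script below shows the two controls described under “What Action Can Be Taken?” and restated in the recommendation above: an authorization rule that declines transactions from blocked merchant ID ranges, and a look-back review that flags cardholders who had approved transactions in those ranges, raising the priority when a zip verification, a return, or a later tokenization attempt is also present. The MID ranges, the transaction records, and the field names are constructed placeholders for this illustration (the real ranges are distributed by Rippleshot on request).

```python
"""Refund-phishing triage over card transaction records (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder MID ranges (inclusive). Invented for this example; the real
# ranges are not on the page and are distributed by Rippleshot on request.
BLOCKED_MID_RANGES = [(900000100, 900000199), (900100000, 900100999)]


@dataclass
class Txn:
    """One card event. kind is purchase | zip_verify | return | tokenization."""
    card: str          # cardholder identifier (constructed)
    mid: int           # merchant ID (0 for tokenization events, which carry no merchant)
    mcc: str           # merchant category code; the page cites 5997 as where the trend surfaced
    kind: str
    approved: bool
    ts: datetime


def mid_in_blocked_range(mid, ranges=BLOCKED_MID_RANGES):
    return any(lo <= mid <= hi for lo, hi in ranges)


def authorize(txn):
    """Authorization-time rule: decline anything from a blocked MID range.
    Declining the initial purchase removes the cardholder's reason to call."""
    if mid_in_blocked_range(txn.mid):
        return "DECLINE", "merchant ID in refund-phishing range"
    return "APPROVE", ""


def review_history(txns):
    """Look back over past events and rank exposed cardholders.

    Signals, in rising order of concern: an approved purchase from a blocked MID
    (the cardholder may have called), a zip verification or return from that MID
    (likely already phished), and a tokenization attempt after the first contact
    (possible account takeover)."""
    by_card = {}
    for t in sorted(txns, key=lambda t: t.ts):
        by_card.setdefault(t.card, []).append(t)

    findings = {}
    for card, history in by_card.items():
        contact = [t for t in history
                   if t.approved and t.kind == "purchase" and mid_in_blocked_range(t.mid)]
        if not contact:
            continue
        first_contact = contact[0].ts
        reasons = ["approved purchase from blocked MID range"]
        if any(t.kind == "zip_verify" and mid_in_blocked_range(t.mid) for t in history):
            reasons.append("zip verification from blocked merchant")
        if any(t.kind == "return" and mid_in_blocked_range(t.mid) for t in history):
            reasons.append("return from blocked merchant")
        if any(t.kind == "tokenization" and t.ts > first_contact for t in history):
            reasons.append("tokenization attempt after merchant contact")

        if "tokenization attempt after merchant contact" in reasons:
            priority = "possible account takeover"
        elif len(reasons) > 1:
            priority = "likely phished"
        else:
            priority = "contact cardholder"
        findings[card] = {"reasons": reasons, "priority": priority}
    return findings


# Constructed sample history: four cardholders, one blocked-range decline.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_TXNS = [
    Txn("card-A", 900000150, "5997", "purchase", True, T0),
    Txn("card-A", 900000150, "5997", "zip_verify", True, T0 + timedelta(hours=2)),
    Txn("card-A", 0, "", "tokenization", True, T0 + timedelta(days=1)),
    Txn("card-B", 900000160, "5997", "purchase", True, T0 + timedelta(hours=1)),
    Txn("card-C", 123456, "5999", "purchase", True, T0 + timedelta(hours=3)),
    Txn("card-D", 900100005, "5997", "purchase", False, T0 + timedelta(hours=4)),
]

if __name__ == "__main__":
    for card, finding in review_history(SAMPLE_TXNS).items():
        print(card, finding["priority"], "; ".join(finding["reasons"]))
```

Running the script lists card-A as a possible account takeover (purchase, zip verification, then a tokenization attempt) and card-B as a cardholder to contact; card-C never touched a blocked merchant and card-D's purchase was declined, so neither is flagged.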
