Package redirection scams are one of the oldest tricks in the fraudster book. It generally begins with stolen credit card details and continues with an online order that appears safe, complete with the stolen card’s billing details and a matching shipping address. What happens next is a headache many merchants are unfortunately familiar with: fraudsters reroute the package and have the goods delivered to their location. For the merchant, the goods are unaccounted for, and a chargeback ensues shortly thereafter. So how can merchants protect themselves against this type of fraud without increasing false declines or creating unnecessary friction?

How Package Redirection Scams Work

After receiving the purchase confirmation email, the fraudster asks the merchant to reroute their order to a different shipping address for some reason (e.g. “I won’t be home in time to receive the package.”). In other cases, the fraudster contacts the shipping service directly to change the shipping address. Some services, such as UPS MyChoice, allow consumers to change the shipping address online, often without the knowledge of the merchant.

This type of fraud tactic is difficult to recognize because it happens outside of the checkout: the change in the shipping address is made after the order has been reviewed for fraud and approved by the merchant. When the order is reviewed for fraud, it appears legitimate with full AVS match, matching billing and shipping addresses, and a related entry in the local Whitepages. But even with no visible sign of fraud, our systems routinely identify nearly 3% of these orders as clear-cut rerouting fraud attempts.

It’s important to keep in mind that not all cases where the shipping address is changed after a retailer’s approval are fraud attempts. Completely blocking the option to reroute packages may seem like a good idea at first, but it could be a bad move in terms of customer experience. There are many legitimate reasons customers would want to reroute. Sometimes customers prefer to reroute to their workplace or to have gifts shipped to an alternative address to maintain the element of surprise.

Safeguard Your Business Against Package Redirection Scams

Here are tips on how to undermine fraudsters’ rerouting efforts and avoid losses.

Tip 1: Keep Track of Your Approved Orders

While you may not always be able to identify fraudulent purchases before the order is rerouted, it is critical to intervene once a new shipping address is provided by the customer. Based on our experience, we recommend taking the following measures:

  • Shipping address change? Reexamine the order for fraud
    Once a shipping address is updated for a previously approved order, review it for fraud again. Check whether the new address still matches a legitimate purchase story. Is it in a logical geographic range? Do the phone number and email make sense?
  • Know when a customer asks for rerouting
    Effective communication channels within your business can ensure that rerouted packages never go unnoticed. Notify your fraud team whenever a customer contacts customer service to change their package delivery instructions.
  • Agree on a process with your shipping company
    In some legitimate instances, customers may change their shipping address after the goods have left your warehouse. Talk with your shipping providers to ensure that your team is updated so you have the final say on whether a package for which you are liable can be rerouted.

Tip 2: Analyze The Contact Details

Although fraudsters obviously want their purchases to appear as legitimate as possible, inconsistent contact details could be a sign of a package redirection scam. Typically, they will avoid providing their victim’s phone number or email address in the order details, in case the merchant blows their cover by contacting the cardholder.

We analyzed legitimate-looking orders that were ultimately declined by Riskified as fraudulent transactions. It’s important to reiterate, all of these orders had a full AVS match with matching billing and shipping addresses, along with a matching entry in the local Whitepages to the customer’s name.

Below are some questions merchants can ask themselves when reviewing the order contact details.

  • Is it a VoIP phone?
    When analyzing the phone numbers provided in these orders, we found that over 10% of these numbers were not mobile or landline phones but rather VoIP (Voice over IP) phones, such as Skype. There are many legitimate reasons to use VoIP phone numbers, but they are favored by fraudsters because they are easy to obtain and offer greater anonymity than other phone options. Often, a quick check in an online directory will show whether the number is a landline, mobile, or VoIP phone.
  • Is the email address active?
    From our review of email addresses provided with suspected package rerouting orders, we found that nearly 8% were nonexistent or inactive accounts. A nonexistent email address can often just be the result of a typo or indicative of customers who may be protecting their privacy by providing a made-up email instead of their actual address. But a nonexistent email definitely requires further examination. Many online email verification services can provide a basic review, with some offering more complete background checks, including the ‘age’ of the email address, which is a good indication of legitimacy.
  • Is the customer using a proxy server?
    Our analysis of package redirection scams also revealed that nearly 31% of these declined orders had a proxy indication, meaning fraudsters likely used a proxy server when placing orders. Proxy IP addresses are not necessarily a bad sign, and there are many valid reasons to use such a service. But a remote server may indicate a fraudster concealing their real location with a makeshift IP address. Services that provide location data for IP addresses, such as Maxmind, can provide in-depth and accurate results for transactions.

Any one of these indicators – VoIP, inactive email account, and proxy connection – does not necessarily signal outright fraud and should not be the sole basis for declining a customer. Still, we recommend taking a closer look at orders with one or more of these characteristics.

Riskified in Action: Putting a Stop to Package Direction Scams

Riskified uncovered a package redirection scam involving a sophisticated fraud ring that used stolen credit card details for an online order that seemed almost flawless. The fraudsters discovered where the cardholder worked and used the workplace email domain to create a fake, but very logical-looking email address. For example, let’s call the legitimate cardholder’s workplace “Company X.” The fraudsters who obtained the stolen credit card details placed orders online with the email address “firstname.lastname@company-x.com.”

Because the email address strongly matched the cardholder’s identity, these orders were approved by the merchant and shipped. Shortly thereafter, the fraudsters contacted the shipping company and asked to reroute the package. In this case, the merchant blocked the rerouting option, and the item was shipped to the address provided at the time of the purchase. As a result, the true cardholder received an unexpected package and returned the goods to the merchant.

By taking the proper precautions to stay informed of post-checkout order updates and carefully examining the order contact details, merchants can avoid the hassle of chargeback fraud while preventing false declines of legitimate customers.