Package rerouting is one of the oldest tricks in the fraudster book. It generally begins with stolen credit card details, and continues with an online order that appears safe, complete with the stolen card’s billing details and a matching shipping address. What happens next is a headache many merchants are unfortunately familiar with: fraudsters reroute the package and have the goods delivered to their location. For the merchant, the goods are unaccounted for, and a chargeback ensues shortly thereafter. Rerouting schemes have caught the attention of merchants and shoppers alike. The method of operation is quite straightforward, but its perpetrators have devised some sophisticated ways to keep merchants off guard.

Completely blocking the option to reroute packages may seem like a good idea at first, but could be a bad move in terms of customer experience, as there are many legitimate reasons customers would want to reroute. Sometimes customers prefer to reroute to their workplace, or to have gifts shipped to an alternative address to maintain the element of surprise. So how can merchants protect themselves against this type of fraud without increasing false declines or creating unnecessary friction? In this post I’ll share some tips on how to undermine fraudster efforts and to avoid incurring the associated losses.

What Is The Rerouting Fraud Modus Operandi?

Rerouting fraud typically takes on two different forms. Under the ‘classic’ ploy, the fraudster contacts the unsuspecting merchant after receiving the purchase confirmation email, and asks to change the shipping address for some reason (e.g. “I won’t be home in time to receive the package.”). Under a newer tactic, fraudsters contact the courier services directly to change the shipping address. Some services, such as UPS MyChoice, allow consumers to change the shipping address online, often without the knowledge of the merchant.

Rerouting fraud schemes are difficult to recognize because the “crime” takes place in the future: the change in the shipping address is made after the order has been reviewed for fraud and approved by the merchant. When the order is reviewed for fraud it appears to be fine, with full AVS match, matching billing and shipping addresses, and a related entry in the local Whitepages. But even with no visible sign of fraud, our systems routinely identify nearly 3% of these orders as clear-cut rerouting fraud attempts.

It’s important to keep in mind that not all cases where the shipping address is changed after a retailer’s approval are fraud attempts. In fact, Riskified data shows that 97% of rerouted orders can and should be safely approved! But there are two simple steps you can take to effectively safeguard against the 3% that could turn out to be fraud.

package rerouting illustration

Step 1 – Keep Track of Your Approved Orders

While you may not always be able to identify fraudulent purchases before the order is rerouted, it is critical to intervene once a new shipping address is provided by the customer. Based on our experience, we recommend taking the following measures:

  • Shipping address change? Reexamine the order for fraud

    Once a new shipping address has been provided for an order that was previously approved, review it for fraud again. Check whether the new address still matches a legitimate purchase story. Is it in a logical geographic range? Do the phone number and email make sense?

  • Know when a customer asks for rerouting

    Make sure there are effective communication channels within your business so that a package reroute never goes unnoticed. Your fraud team should be notified when a customer contacts the customer service team and requests that their package be delivered to a different address.

  • Agree on a process with your shipping company

    Sometimes customers realize they need to change the shipping address only after the goods have left your warehouse. Talk with your shipping providers to ensure that your team is notified in case of changes in the shipping address of your packages. You should have the final say on whether a package for which you are liable can be rerouted or not.

While these measures are simple, they are quite effective. Case in point – a recent package rerouting scheme uncovered by Riskified involved a sophisticated fraud ring that used the stolen credit card holder’s details to craft an online order that seemed almost flawless. The fraudsters discovered where the cardholder worked, and used the workplace email domain to create a fake, but very logical-looking email address. For example, let’s call the legitimate cardholder’s workplace ‘Victim workplace, Inc’. The fraudsters who obtained the stolen credit card details placed orders online with the email address ‘firstname.lastname@victim-workplace.com’.

Because the email address strongly matched the cardholder’s identity, these orders were approved by the merchant and shipped. Shortly thereafter, the fraudsters contacted the shipping company and asked to reroute the package. In this case, the merchant blocked the rerouting option, and the item was shipped to the address that was provided at the time of the purchase . As a result, the unsuspecting victim received a package he never ordered, and the goods were safely returned to the merchant.

shipping illustration

Step 2 – Analyze The Contact Details

Contact details can sometimes provide a hint that a legitimate seeming purchase may involve a reroute fraud scheme. Although fraudsters obviously want their purchases to appear as legitimate as possible, they will avoid providing their victim’s phone number or email address in the order details, as it could lead the merchant to contact the cardholder, which in turn would blow their cover. Often, analyzing the contact details provided by the customer will allow you to identify cases of planned package rerouting during the initial fraud review.

We analyzed legitimate-looking orders that were ultimately declined by Riskified as reroute schemes. It’s important to reiterate, all of these orders had a full AVS match, the billing and shipping addresses matched perfectly, and the customer’s name had a matching entry in the local Whitepages. Below are some questions merchants can ask themselves when reviewing the order contact details:

  • Is it a VoIP phone?

    When analyzing the phone numbers provided in these orders, we found that over 10% of these numbers were not mobile or landline phones, but rather VoIP (Voice over IP) phones. There are many legitimate reasons to use VoIP phone numbers (e.g. Skype), but they offer greater anonymity and are easy to obtain and ditch, which makes them more attractive to fraudsters. Often, a quick check in an online directory will show whether the number is a landline, mobile or VoIP phone.

  • Is the email address active?

    When reviewing emails provided with suspected package rerouting orders, we found that nearly 8% led to nonexistent or inactive accounts.
    A nonexistent email can often just be the result of a typo, or indicative of customers who may be protecting their privacy by providing a made-up email instead of their actual address. But a nonexistent email should definitely cause you to examine an order more closely. There are various online email verification services, such as email checker that can provide a basic review. Subscription services offer a more complete background check, including the ‘age’ of the email address, which is a good indication of legitimacy.

  • Is the customer using a proxy server?

    Another figure that stood out when we analyzed package rerouting fraud attempts was the fact that nearly 31% of these declined orders had a proxy indication, meaning fraudsters were likely using a proxy server when placing their order. Proxy IP addresses are not necessarily a bad sign, and there are many valid reasons to use such a service. But a remote server may also indicate that fraudsters are trying to conceal their location by using a makeshift IP address. There are many free online services that claim to provide real time IP address checks, but a subscription service, such as Maxmind, will generally provide more accurate results.

Any one of these indicators – VoIP, inactive email account and proxy connection – does not shout out “fraud” and should not be the sole basis for turning down a customer. Still, we recommend taking a closer look at orders with one or more of these characteristics.

Stopping Fraud Is In Your Hands

There are steps merchants can take to protect against package rerouting fraud. By taking the proper precautions, such as staying informed about what happens with orders following fraud review and carefully examining the order contact details, merchants can avoid chargebacks and ensure that legitimate customers are not being turned away. While the vast majority of rerouted packages are perfectly safe, retailers can save time, money and aggravation by looking out for what might be illogical in an otherwise very legitimate looking order.