To understand fraud, it helps to understand how fraudsters think. And some of the most revealing conversations about fraudulent activity take place on the dark web, a hidden portion of the internet known for black-market trading. There, fraudsters express their views and freely exchange information about all kinds of ecommerce fraud. 

The dark web houses discussions about policy abuse, personal data theft, and more, and the insights team at Riskified continually monitors those discussions to provide intel for and about our merchants and partners. Here’s what the team discovered about the growing problem of refund abuse. 

Why fraudsters commit fraud — what the dark web says

Chatter on the dark web reveals that fraudsters don’t think they are doing anything wrong when they commit policy abuse. In fact, they even consider acts of policy abuse just, moral, and something of which to be proud. They say:

  • “These big corporations have it coming.” 
  • “We are a modern-day Robin Hood.” 
  • Or even, “It’s an art form” and that they give “respect for [policy abuse] artists who get paid for their work.” 

The pain these self-proclaimed Robin Hoods cause is significant. Merchants invest up to 25% of their overall revenue in fighting policy-related abuse, and refund abuse is among the most costly types. 

Fraudsters and social engineering in refund abuse 

Social engineering is at the core of fraudsters’ tactics. Social engineering is the process of manipulating an individual into performing a specific action for illegitimate reasons. In this case, the individual is usually a customer service representative, and the action is issuing a refund.

Refund abusers use social engineering to claim a refund for a purchase while keeping possession of the goods purchased, either for personal enjoyment or to resell.  

How does social engineering work with refund abuse?

Fraudsters know that customer service teams are trained to please customers, not treat them with suspicion, and they take advantage of that to get their way. What’s more, in many organizations, customer service and fraud teams operate in different data silos, so call center staff may not ever see red flags related to payment methods or returns history. 

Fraudsters also know which merchants are softer targets than others, and they share information freely on the dark web about which ones are most lenient. They also share tips for modeling legitimate behavior to stay below the fraud detection radar, like working from mature accounts, alternating fraud methods, and allowing time between claims to avoid suspicion. 

Two most common types of refund abuse

Fraudsters on the dark web commit refund abuse using many different methods. They may return empty or partially empty boxes or claim a package was lost in transit. But the two most common scams are the Did Not Arrive (DNA) and the Fake Tracking ID (FTID) methods. 

1. About did-not-arrive (DNA) refund policy abuse

Bad actors use the DNA “did-not-receive” method to claim that a package never arrived or was stolen. They then attempt to get a full refund, which puts merchants in a difficult position, especially when they know the parcel arrived and/or the customer signed for it.

The DNA method represents one of the most popular and successful refund policy fraud methods because it’s simple, and the actor can make the claim without going through the motions of making a return.

To deter DNA abuse, some merchants require a signature to prove the delivery was made to the correct person. But dark web discussions confirm that anyone can create a fake signature.

Why merchant counter-measures fail against DNA

Other merchants use GPS parcel tracking and/or ask the courier to take photos upon delivery. While this shows the parcel has been delivered, fraudsters can still claim the delivery was stolen or did not reach the intended recipient, making GPS data nearly useless as proof.

Sometimes, after a fraudster claims a DNA, the company sends the same delivery person back to identify the recipient and prove the package was handed to the correct address. But fraudsters are more than willing to manipulate or gaslight the driver by denying the interaction ever happened. When it’s the customer’s word against the courier, the merchant isn’t likely to win.

2. About fake-tracking-ID (FTID) return policy abuse

FTID fraud involves altering the return postage label and then returning an empty or junk-filled package instead of the item for which the refund was requested. The common denominator to all FTID methods: tracking systems must show the package as delivered to the returns center.

To accomplish this, fraudsters typically alter the label on the junk package to remove any information linking the package to the customer. This causes the return center to throw out the junk package, prevents them from tying it to the bad actor, and ensures delivery tracking shows the package was delivered, entitling the customer to a refund. 

A newer and even more common method involves modifying the delivery address to direct the parcel to an unrelated location. Delivery tracking will show that the package was delivered to the location (which is not the return center), and the unsuspecting recipient typically throws out the junk package, eliminating evidence of the abuse.


FTID intensified in 2020, when one fraudster even offered an “e-book” for sale online explaining the method. Today, details about committing this kind of policy abuse can be found in virtually any fraud forum. 

Why merchant counter-measures fail against FTID

To combat FTID, couriers may measure the weight of the package to confirm it matches that of the product purchased. But fraudsters easily counter this by ensuring their fake return weighs the right amount. 

Even if the courier uses a barcode to bypass the altered shipping address, savvy fraudsters have found ways to alter them.

Complex and risky, FTID has a reputation as an imperfect method for committing returns fraud, but it’s still costly for merchants.  

Protect your business with a more proactive approach

Refund policy abuse creates enormous costs for merchants, and as long as fraudsters can share and hone their MOs on the dark web, they will find new ways to steal your goods.

What does it come down to? To protect your ecommerce business from refund abuse today and tomorrow, you need to take a proactive approach: identify suspect patterns and behaviors before the crime occurs, then connect and communicate with the different departments in your company to create an integrated barrier against policy abuse. 

Want to go deeper into the dark web? Watch this webinar, Exposing policy abuse on the dark web. (And get a comprehensive look at the state of policy abuse in Policy abuse and its impact on merchants, research that uncovers its causes, motivations, and impact.)