Suppose you’re a seventeen-year-old who wants to buy a bottle of vodka from the liquor store. The problem, of course, is that you’re underage, and the cashier is definitely going to ask for some ID. So you have two ways to beat the system: buy or steal the ID of someone who looks a bit like you, or create your own fake ID from scratch. Fraudsters who want to log in to your eCommerce site face a similar choice. In an Account Takeover (ATO), a fraudster obtains account credentials and poses as an existing loyal customer. Our guide on the true cost of account takeovers covered this tactic in depth. But there are also fraud MOs that involve promo abuse from fake customer accounts. As with ATO attacks, the fallout from these fake account scams goes well beyond financial losses – it can hurt your brand, your reputation with banks, and your ability to provide loyalty benefits to good customers.

Riskified has identified four primary ways that fraudsters use fake accounts to rip off eCommerce merchants:

  • Promo Abuse
  • Product Launch Abuse
  • Seller Fraud
  • Card Milking

Additionally, there are attacks associated with Synthetic Identity Fraud – when fraudsters patiently construct entire fake digital identities, complete with credit scores, and use these to pull off huge heists. In this post, I’ll look only at the Promo Abuse MO: how it works, and some steps merchants can take to protect themselves from it.

Promo Abuse: The Methods

Many merchants provide benefits to account holders, a strategy to attract new customers and encourage loyalty for existing ones. For example, they offer discounts on your first purchase or free gifts with purchase – commonly gift cards.

Merchants usually think of promo code use as a sign of order legitimacy – why would a fraudster with a stolen card care about a discount? While Riskified research does show that orders placed using discount codes are less likely to return as chargebacks, that doesn’t mean these orders are fully legit. By creating fake accounts, users are able to generate value through gifts and discounts, value that’s effectively stolen from you.

This kind of abuse can range from fairly innocuous – like a customer creating a second account to get 10% off a shirt – to sophisticated and costly. Referral programs, where customers receive benefits for referring friends to a store, are particularly juicy targets for sophisticated abuse. In one scam, Tesla owners ran PPC campaigns for their referral codes, in order to earn multiple thousand-dollar referral bonuses, eventually prompting Elon Musk to shut down the program. In a similar scam, one Uber user amassed $50K in ride credit. Referral offers where customers get cash are especially vulnerable: fraudsters can create hundreds of fake accounts and refer themselves. They collect cash rewards and resell the goods on secondary markets.

How Can Merchants Prevent Promo Abuse?

There are those who suggest that the best way to fight promo abuse is to alter programs to make it less profitable for fraudsters to exploit them.

We disagree.

Great promotions are important tools to foster customer loyalty and help merchants differentiate themselves from competitors. Instead of giving in to fraudsters, merchants should bolster their ability to detect and block the fake accounts that take advantage of these programs.

For example, many attempts at promo abuse can be prevented by stopping single users from opening multiple accounts. Add a clause to your promotion’s terms and conditions stating that this is a violation, and then block these accounts from being opened. How? A web beacon that detects a user opening a second account from the same device and IP address is a good start.

For merchants that are squeamish about blocking account creation, even when the situation is almost surely fishy, there are less aggressive options on the table. You can allow all accounts to be opened but monitor user behavior after account creation (a practice called behavioral analytics). Once an account starts exhibiting suspicious behavior, like referring friends immediately after login (without browsing any products), you can place a hold on the account until the user verifies their identity.
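As an added illustration (not Riskified’s code or any product’s logic), here is how both signals described above could be scored over a constructed account-event log: the device-plus-IP duplicate-signup check from the previous paragraph and the referral-immediately-after-signup behavior from this one. The account IDs, device IDs, IP addresses, event names and the 300-second window are all assumed sample values.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data): (timestamp, account, event, device_id, ip)
EVENTS = [
    ("2024-03-01T10:00:00", "acct_1", "signup",       "dev_A", "203.0.113.5"),
    ("2024-03-01T10:05:00", "acct_1", "view_product", "dev_A", "203.0.113.5"),
    ("2024-03-01T10:20:00", "acct_1", "refer_friend", "dev_A", "203.0.113.5"),
    ("2024-03-01T11:00:00", "acct_2", "signup",       "dev_B", "198.51.100.7"),
    ("2024-03-01T11:00:30", "acct_2", "refer_friend", "dev_B", "198.51.100.7"),
    ("2024-03-01T11:00:45", "acct_2", "refer_friend", "dev_B", "198.51.100.7"),
    ("2024-03-01T12:00:00", "acct_3", "signup",       "dev_B", "198.51.100.7"),
]

def duplicate_signups(events):
    """Signal 1 (the web-beacon check): a later signup from a device+IP pair
    that already opened an account. Returns {later_account: first_account}."""
    first_seen, dupes = {}, {}
    for _, acct, ev, dev, ip in sorted(events):  # ISO timestamps sort lexically
        if ev != "signup":
            continue
        key = (dev, ip)
        if key in first_seen and first_seen[key] != acct:
            dupes[acct] = first_seen[key]
        first_seen.setdefault(key, acct)
    return dupes

def early_referrers(events, window_s=300):
    """Signal 2 (behavioral analytics): accounts that send a referral within
    window_s seconds of signup without having viewed a single product."""
    signup_at, browsed, flagged = {}, set(), set()
    for ts, acct, ev, _, _ in sorted(events):
        t = datetime.fromisoformat(ts)
        if ev == "signup":
            signup_at[acct] = t
        elif ev == "view_product":
            browsed.add(acct)
        elif ev == "refer_friend" and acct in signup_at and acct not in browsed:
            if (t - signup_at[acct]).total_seconds() <= window_s:
                flagged.add(acct)
    return flagged

def accounts_to_hold(events):
    """Union of both signals, with reasons attached so an analyst can review
    the hold before the account is released on identity verification."""
    reasons = defaultdict(list)
    for acct, first in duplicate_signups(events).items():
        reasons[acct].append(f"same device+IP as {first}")
    for acct in early_referrers(events):
        reasons[acct].append("referral right after signup, no browsing")
    return dict(reasons)
```

On the sample log, acct_1 (browsed before referring) is left alone, acct_2 is held for the instant referral, and acct_3 is held for reusing acct_2’s device and IP.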