The Refund Scam

Posted on Nov 4, 2015 in Fraudster on the Roof, Wire Fraud

As always, please note that the intention of the “Fraudster on the Roof” series is for readers to learn and think about how to better detect fraud, not to improve how they implement it.

The fundamentals of the Refund Scam are simple: the scammer orders an item from a large online marketplace and, when it arrives, calls the market and says that it was not received. The market knows that it’s not unusual for orders to get lost, stolen or damaged, so after a quick review of the account and a few key questions it refunds the user for their trouble. The bottom line: the scammer scores a product that he did not pay for, also known as theft.

Small markets deal with this type of theft on a small scale and obviously larger markets deal with this problem on a much larger scale, so much so that underground markets have arisen purely to facilitate running the Refund Scam as a service that aims to increase the probability of success for its customers. By targeting gigantic markets, the scammers quickly learn to take full advantage of processes and operating procedures in a way that facilitates a much smoother scam.

Basically the scammers are saying

“Hey don’t worry about doing the scam yourself, I’m a pro and can do it for you with little to no risk and a near 100% probability of success”

Integral to the model of scammers running the Refund Scam as a Service is the pricing structure, limits, execution and support.


Refund Scam as a Service pricing is charged as a percentage of the amount being defrauded (so full price of the laptop that you ordered, for example) and increases depending on risk, the type of market and any additional features. Baseline pricing for a massive market like Amazon starts at 10% whereas typically has scammers demanding as much as 15%. If you want more features then the percentage that the scammer takes will increase accordingly:

  • Double Dipping: once the original order has been received, the scammer will step in and contact the market to ask for a replacement instead of a refund. Upon receiving the replacement, the scammer then contacts the market again but this time to request a refund. All in all, the Double Dip will leave the chap who originally ordered the product with two products in addition to the refund. Price for a double dip starts at 15% of the total of the goods received (so if you ordered a $500 laptop the scammer will take a $150 fee).
  • Triple Dipping: the Double Dip with an added replacement. Scammers warn that this is seldom successful and may result in an account closure. Price starts at 20%.


Scammers want you to be successful, for your success is their success. In a world where morals and ethics mean nothing when mutually exclusive jurisdictional boundaries come into play, scammers pride themselves on knowing the ins and outs of a target and proudly show off their capabilities. It’s almost as though they know that even if they get caught, the markets they are targeting are so big that nobody is going to do anything about it. It’s sad and unfortunate that more often than not this actually turns out to be the case, at least from what I have observed.

There are limitations in this scam and scammers will make sure you are aware of these before onboarding you:

  • The type of goods you purchase is an important factor in this scam. Everyone wants the latest Apple product, so there is heightened sensitivity (on the market side). Scammers will let you know which products are an absolute no go.
  • Since this is percentage based and there is manual effort involved, scammers won’t waste their time for an order of $50 only to make $5. As a result, minimum purchase order amounts are in play and they start at approximately $100 for scammers that are still trying to make a name for themselves. Since high amounts introduce more scrutiny, most scammers appear to cap the maximum order at $500, depending on your region. Other more experienced scammers cap out as high as $4000 for a normal order and $2500 for a Double Dip with minimum orders of $350.
  • Source of the goods. On Amazon, for example, scammers warn that the Refund Scam will only work on items sold and fulfilled by Amazon and not by private sellers.


Using Amazon as an example, the scam is executed as follows:

  • Joe Public wants a free laptop so he engages a scammer on an underground market to help him with a refund scam
  • Joe logs into Amazon with his own account and orders a new laptop
  • The laptop arrives. If a signature is required Joe will be notified in advance by the scammer to sign for the delivery using a different name
  • Joe contacts the scammer and lets him know that the laptop has arrived
  • Scammer will then ask Joe to provide the following:
    • Order Number
    • Account email
    • Full name on account
    • Billing address
    • Items ordered in addition to how many packages it came in
    • Total price of the item
    • Whether or not the order was signed
    • If Joe is male or female
  • Scammer then takes over and calls Amazon to arrange for a refund
  • Upon successful completion, Amazon refunds Joe and Joe owes the Scammer 10% of the amount refunded

Support is offered but these guys appear to be so busy that if it’s not successful upon the first attempt then you’re probably not going to hear from the scammer again. What they will tell you is that either way it’s win-win for the buyer: if the scammer is unsuccessful then you don’t owe any money and you still have a laptop, whereas if the scammer hits the mark then you have the laptop + a refund minus the 10% fee.


Let’s take a quick look at an underground market. I did a search for “refund service”, from which several vendors were discovered. Know that these vendors carry a reputation that is the result of feedback from buyers over time.


A closer look at the vendor with the most sales (ThinkingForward) shows that he is engaging in fraud other than just the Refund Scam. The similarity with reputable markets is striking:

  • Overall positive score
  • Feedback partitioned into 1-, 6- and 12-month partitions
  • User providing the feedback is partially anonymized
  • Title of the order is shown for each feedback entry


ThinkingForward goes into some detail in the order details for buyers interested in purchasing the * WORLD FAMOUS™ * ESTABLISHED Amazon Refund Service *


Aside from his babble about continuing to work as hard as ever or encouraging newbie scammers to use this service as an entry point into the underground, of interest is that ThinkingForward has a minimum purchase order of $700. He also knows that he can only handle so many orders at a time (10) with an expected delivery time of around 3 days. Now consider that ThinkingForward has sold 485 instances of this service since March of 2015, so assuming each order has been for at least $700 he has tried to defraud a minimum of $339,500 from Amazon alone. Obviously this estimate is only for this market, and ThinkingForward claims to be on a few: “..and still active as a top seller on a few markets..”


Seems to me that the problem with this scam is the delegation of trust, i.e., there isn’t really any. Buyers have no problem having the scammer make the call to the marketplace on their behalf since there seems to be a low barrier to entry on making this call. If this scam involved a bank or an insurance company, well it just wouldn’t work. Why? Because there’s a higher barrier to entry when claiming to be someone on the phone. These institutions will ask you for more details than just the transaction in question. So you’d be reluctant to give a scammer your details (much more than just order details) and have him or her represent you. The pitfall being that you’re trusting the scammer not to scam you when he’s done with the call. But even if you were another scammer yourself using stolen accounts or cards, you wouldn’t want to give this scammer the keys to the kingdom.

These guys know that they are working against massive corporations with conflicting incentives all over the place: manager A wants high throughput, manager B wants happy customers, manager C wants shorter (and less expensive) calls whereas poor manager Z wants less fraud. Whatever mitigation they put in place is going to be figured out by the scammers, who will adjust their own processes accordingly, until the issue of trust is addressed. Ultimately, if a call for a refund started with “would you please log in to your account and tell me about the order you placed six months ago?” then scammers are going to have to jump through a few more, much higher hoops to overcome this problem.

Nobody (even another scammer) is going to trust a scammer with his or her personal account details.

Obviously this wouldn’t solve the problem of account owners perpetrating the scam for themselves, but it will go a long way in dissolving what looks to be a thriving and low cost, low risk business in the underground markets.
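
The signals described in this article (a “not received” claim on a delivery the carrier has a signature for, a further claim after a replacement was already granted, and a phone claim made without proof of account control) can be checked per order before a refund is issued. The following Python is an added example, not part of the original post or any marketplace’s own system; the record fields, flag names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Order:
    order_id: str
    account_name: str
    signed_by: Optional[str]   # name on the carrier's proof of delivery, if any

@dataclass
class Claim:
    order_id: str
    kind: str            # "replacement" or "refund"
    reason: str          # e.g. "not_received", "damaged"
    channel: str         # "phone" or "web"
    authenticated: bool  # claimant proved control of the account (e.g. logged in)

def review_flags(order, claims):
    """Reasons to hold the latest claim on this order for manual review."""
    flags = set()
    lost = [c for c in claims if c.reason == "not_received"]
    if not lost:
        return flags
    if order.signed_by is not None:
        # The carrier holds a signature, yet the claim says nothing arrived.
        flags.add("signed_but_not_received")
        if order.signed_by.strip().lower() != order.account_name.strip().lower():
            flags.add("signer_name_mismatch")  # a review signal, not proof
    if len(lost) >= 2 and any(c.kind == "replacement" for c in lost[:-1]):
        # A replacement was already granted and another claim followed.
        flags.add("repeat_claim_after_replacement")
    if lost[-1].channel == "phone" and not lost[-1].authenticated:
        # Caller knew the order details but never proved account control.
        flags.add("unauthenticated_phone_claim")
    return flags

def triage(orders, claims):
    """Map order_id -> sorted flags; claims are assumed to be in time order."""
    return {o.order_id: sorted(review_flags(
        o, [c for c in claims if c.order_id == o.order_id])) for o in orders}

# Constructed sample records (not real data).
ORDERS = [Order("A1", "J. Public", "A. Nother"), Order("B2", "R. Roe", None)]
CLAIMS = [
    Claim("A1", "replacement", "not_received", "phone", False),
    Claim("A1", "refund", "not_received", "phone", False),
    Claim("B2", "refund", "not_received", "web", True),
]

if __name__ == "__main__":
    for order_id, flags in triage(ORDERS, CLAIMS).items():
        print(order_id, flags or "no flags")
```

Order A1 trips all four flags, while B2, an ordinary lost-parcel claim made from a logged-in session, passes without any.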
