November 9, 2022by Adi Bleih

Here’s how scammers commit refund fraud to steal from retailers

On the cyber underground, threat actors seek to profit fraudulently from the e-commerce boom. In particular, a tactic called refunding is growing in popularity. Refunding involves defrauding e-commerce vendors by claiming undeserved refunds. It exploits couriers and retailers, seizing technical loopholes in delivery and customer support services while leveraging emotionally manipulative social engineering.

The underground discourse of threat actors peddling their refunding services and threat actors refunding exchanging tips and best practices reveals that certain e-commerce vendors more frequently attract the attention of threat actors. In the past year, Amazon attracted the most threat actor attention, followed by Apple, Target, and eBay. This attention inevitably relates to the size and popularity of these retailers, but a study of underground refunding manuals reveals that social engineers are acutely attuned to the unique weaknesses and protocols of different retailers, sharing advice on which retailers to target by which methods - and for how much.

Figure 1: A breakdown of the 10 most-mentioned brands in the context of underground discorse on retail fraud in 2022

This article examines the underground discourse of “refunding” trends, tactics, and procedures (TTPs), providing an overview of threat actors' most common refunding methods.

Common refunding methods

Generally, most refund scams use social engineering. The underground is rife with guides and manuals on refunding methods and social engineering techniques - some for sale, but many published freely and often anonymously. This section briefly overviews threat actors' most common methods and lays them out in their "how to" guides.

“Did Not Arrive”/”DNA” – The simplest refund fraud method involves claiming that the package has not arrived. Underground manuals suggest that customer support will likely press you on whether “you checked with your neighbors/garage/porch,” but that after enough strenuous denial, they will offer you a replacement or refund. An anonymous guide (figure 1) recommends that if the customer service representative says they want to launch an investigation with the courier service, simply hang up and try again.

Figure 2: The DNA method guide posted in a popular underground forum.

Figure 3: DNA method further explains goals and expectations.

“Empty Box” – This method claims that the shipment arrived empty. The leading vendor that suffers from this refund scam is Apple due to the high value of their items in price. For example, a successful return fraud for a new laptop could net $3,200. Moreover, this method works much better when reporting on small items such as apple’s AirPods, iPhones, etc. In the example below, a threat actor shares a guide for refunding Apple in different countries using the ‘empty box’ method.

Figure 4: Apple refund empty box method in-depth explanation for each step.

“Wrong Item Arrived”/"Wrong Item In the Box" – Here, the social engineer claims the retailer has sent the incorrect item, then returns a similar, but much cheaper, object that the retailer stocks in their inventory. Social engineering guides emphasize the psychological components of pulling off this method (figure 5). According to the actor, it doesn't matter who the company is, as they all have a warehouse with an inventory of stock ready to be picked, packaged, and dispatched to their customers. As such, human error is inevitable when picking & packing an order. Thus threat actors can use social engineering for just about any item they like.

Figure 5: The wrong item received method guide.

“Boxing” – This method entails contacting the retailer’s customer support to claim an item is defective, returning the box without the purchased item, and claiming the item got stolen during delivery. Since packages are weighed during shipment, social engineers generally place dry ice of equivalent weight, then tamper with the box to give the impression that the container had been tampered with during transit.

Figure 6: The boxing method is attached with an in-depth explanation with an examination of each step in the process.

In addition to these guides, threat actors also share their experiences in refunding different retailers, which shed light on what to expect and how to succeed (figure 8). In another post (figure 8), an actor sells refunding guides for various retailers such as Best Buy, Amazon, and Sephora, at prices ranging from $600 to $3000.

Figure 7: ASOS refund and risks debate in one of the most valued underground forums.

Figure 8: Anonymously authored refunding guide gives instructions for refund methods, including the DNA method.


This fraud uses social engineering to exploit the human weaknesses of a company.  Even if a retailer invests millions of dollars in state-of-the-art cybersecurity products, they are not necessarily protected from refund fraud. Thus, instead of relying on technical measures to improve security, retailers must monitor underground channels to understand the latest TTPs and implement organizational processes designed to detect and prevent them.

Learn More

You may also like

October 26, 2022

How gift cards are used to launder money

Read more

October 24, 2022

Generating “grift” cards is free cash for cybercriminals

Read more

August 16, 2022

NFT Scamming on the Underground

Read more