Today, most of the discussion around credit card fraud is focused on stolen credit card data – using the data to execute fraudulent transactions that can then be monetized. However, a sizable, yet often overlooked elements of the cybercriminal underground, are so-called “merchant account scams.” These require a significantly higher level of expertise coupled with a sizable initial investment when compared to traditional credit card fraud. Nevertheless, the potential gains from such a scheme also stand to be considerably higher, and often result in a great deal of damage to the merchant account holder and financial institutions alike. Here are three of the most common forms of merchant account schemes.
Fake E-Commerce Sites
In this scheme, a fraudster opens a legitimate merchant account using stolen personally identifiable information (PII). The fraudster then links the account to a bogus e-commerce store and makes purchases using stolen payment information (credit/debit cards and bank accounts). This type of scheme can remain active for several months and allow fraudsters to make upwards of $100,000 per merchant account. A less common derivation of this tactic is to use bogus e-commerce stores to trick real customers into making the purchases.
Abusing Legitimate Merchant Accounts for Payment Refunds
Alternatively, a fraudster may hijack legitimate merchant accounts and issue fraudulent payment refunds to controlled credit/debit cards. This particular scheme requires a significant number of controlled debit/credit cards, which are usually acquired through the utilization of unsuspecting “bank drops.” This can be very profitable for fraudsters and damaging to the merchant account owner. A merchant refunds scheme is usually very short-lived – often lasting no more than 1-2 weeks.
Opening a Legitimate Merchant Account for Cashouts
Although not an openly advertised scheme, but definitely utilized by several vendors, some fraudsters hire a front man to open a legitimate merchant account for the sole purpose of cashing out “grey funds” – typically via prepaid or gift cards purchased or loaded with stolen funds, as these types of cards have a lower chance of a chargeback. It is worth noting that several vendors are known for providing such services only for high value transactions above $10,000 each, serving as an intermediary point in case a wire transfer or bank check payment is not advisable, but credit card charge is preferable.
Unlike the vibrant market for stolen credit card information and PII, it does not appear that there are marketplaces specializing in the sale of merchant accounts/IDs. Such transactions are almost always performed through person-to-person agreements and are rarely openly advertised. More often than not, a prospective buyer will create a post on a cybercrime forum asking for help with cashing out funds through merchants, and will be subsequently contacted by a vendor directly via private message or other form of non-public communications.