The MFC detective
  • E-commerce
  • Security
22.02.2022

The ominous Wish scam: A task for the MFC detective


From time to time, one of our tasks is to analyse unusual incidents on our customers' web applications. In most cases the cause is an error made by the end customer - aka "error 40". In some rare, but all the more exciting, cases such an analysis turns up a real crime story. Like a detective, we dig deeper and deeper into the matter and uncover more and more details. One such case was a recent ominous scam on Wish and other questionable platforms... A case for the MFC detective!

The case: When you suddenly pay for a stranger's order

One of our customers suddenly reported a relatively large number of orders that had been paid by direct debit and delivered, after which the direct debit was reversed because the actual account holder had not placed the order. Particularly exciting: the account holder is not the recipient of the goods but a third party.

Exciting, let's see more...

So we looked at a few of the affected transactions, as well as the reactions of the customers who were confronted with the return debit. As expected, those reactions were not particularly positive...

The reproduction attempt

To find out whether this behaviour can be reproduced reliably with such purchases on these platforms, I first simply made a test purchase on wish.com myself to see what would happen next. After a few hours, the same thing happened with my purchase as with the other customers' orders.

How the scam works

The scammer creates a seller account on the marketplace. Often they choose marketplaces that do not verify sellers in detail, or they use a seller address that is not easily verifiable, such as: 楼1单元802室 安庆市, 安徽省 mainland China (CN), 543471.

The seller then creates a listing on the marketplace and copies parts of the product description from the original shop, including its images, into the offer. In some cases, other brand names are added to the product title so that the offer shows up in as many searches as possible. This keyword bingo is also familiar from other platforms such as Amazon, where products are advertised as "Quick Mealprep Tupperware Container Healthy Food Sustainability Eco Glass Container". The seller always sets a price that is relatively low compared to the original offer, in order to attract bargain hunters hoping for the big deal.

A bona fide buyer now finds the supposed bargain, orders and pays on the marketplace - in my case by credit card. The marketplace then sends an order confirmation, and the seller receives a request to ship the item.

The seller now orders the item in the real shop, in the name and with the delivery address of the bona fide customer - but with the scammer's own email address. Direct debit is selected as the payment method, with an account number belonging to an unknown, external third party. In our analysis, the scammers ordered from a German IP address, despite the Chinese seller address.

For the original shop, the order looks like any proper order: the goods are shipped to the customer, the tracking number is emailed to the scammer, and after shipment the direct debit is initiated.

The scammer now enters the real tracking number in the marketplace's seller backend; the marketplace tracks the parcel, sees that it has been delivered and pays out to the scammer.

The customer receives the goods, the marketplace processes the transaction and the money is transferred to the marketplace (in my case the credit card payment). For the trusting customer this is a normal order - even a confirmation that you really can get bargains on these marketplaces.

The shop collects the money and then receives a returned direct debit. By then the customer already has the goods and, in many cases, the scammer already has the money. The fraud is noticed so late that criminal prosecution is no longer possible: the internet provider has already deleted the assignment of the IP address to its subscriber. The shop is left to bear the loss (including the return-debit fee).

The foreign marketplace does not really notice any of this and simply collects its commission. From its point of view, the transaction was processed properly and the goods were delivered to the customer.

How can you protect yourself from such a scam?

At first glance, such an order is indistinguishable from other, legitimate orders in the shop. Since there is no technical check that the account number belongs to the named account holder, the wrong account number is not an indicator.

One possible solution is to offer direct debit only to registered customers after they have logged in. However, this deprives new customers of an attractive payment method, which in turn has a negative effect on the number of new customers. Here the shop operators have to reckon with higher costs, which is the lesser evil.
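The pattern described above and the mitigation from this section, as an added example that is not part of the original post and not the shop's own code (Python rather than the shop's PHP, to stay self-contained): a payment-method filter that withholds direct debit from guests, and a retrospective check over order records that flags direct-debit orders combining guest checkout, a contact email unrelated to the buyer's name and (an assumption, not stated in the post) the same email reused across orders with different buyer names. The `Order` fields and the sample orders are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
DIRECT_DEBIT = "direct_debit"

@dataclass(frozen=True)
class Order:
    order_id: str
    customer_name: str   # buyer's name; in the scam it belongs to the marketplace customer
    email: str           # checkout contact address; in the scam it is the scammer's
    payment_method: str
    is_guest: bool       # ordered without a registered, logged-in account

def allowed_payment_methods(is_logged_in: bool, configured: list) -> list:
    """Mitigation from the post: offer direct debit only to logged-in customers."""
    if is_logged_in:
        return list(configured)
    return [m for m in configured if m != DIRECT_DEBIT]

def name_tokens(name: str) -> set:
    return {t for t in name.lower().replace("-", " ").split() if len(t) > 2}

def score_orders(orders: list) -> dict:
    """Retrospective check: order_id -> matched signals for orders that fit the pattern."""
    names_per_email = defaultdict(set)
    for o in orders:
        names_per_email[o.email.lower()].add(o.customer_name.lower())
    findings = {}
    for o in orders:
        if o.payment_method != DIRECT_DEBIT:
            continue  # the scam relies on a payment that can be reversed after delivery
        signals = ["direct_debit"]
        if o.is_guest:
            signals.append("guest_checkout")
        local_part = o.email.lower().split("@")[0]
        if not any(t in local_part for t in name_tokens(o.customer_name)):
            signals.append("email_unrelated_to_name")
        if len(names_per_email[o.email.lower()]) > 1:  # assumption: scammer reuses the address
            signals.append("email_reused_for_other_names")
        if len(signals) >= 3:
            findings[o.order_id] = signals
    return findings

# Constructed sample orders (not real data); o3 and o4 follow the pattern from the post.
SAMPLE_ORDERS = [
    Order("o1", "Anna Müller", "anna.mueller@example.com", "credit_card", True),
    Order("o2", "Peter Schulz", "peter.schulz@example.com", DIRECT_DEBIT, False),
    Order("o3", "Lena Fischer", "deals4you99@example.net", DIRECT_DEBIT, True),
    Order("o4", "Markus Weber", "deals4you99@example.net", DIRECT_DEBIT, True),
    Order("o5", "Julia Koch", "jkoch@example.org", DIRECT_DEBIT, True),
]
```

Running `score_orders(SAMPLE_ORDERS)` flags only o3 and o4; a single direct-debit guest order with a plausible email (o5) is left alone, which keeps the check usable as a review queue rather than a hard block.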

Case solved?

Clearly: yes and no! We were able to find out how the scam works and to prove that it always seems to follow the same pattern, but unfortunately we could not put a stop to such attempts at fraud. Lawyers may decide to what extent the foreign marketplace can be accused of aiding fraud. In any case, I find it difficult to hold a non-EU marketplace accountable with reasonable legal effort.

If you have seen similar cases in your shops, or even have a good solution to prevent this kind of fraud, we look forward to your comments. We are looking forward to a lively exchange!

Ingo Schmitt

Fluent in TypoScript, PHP and SQL; knows Perl and bash and has very basic knowledge of Java. Joined in 1996 and, as managing director, is now responsible for the development, operation and hosting of our products. His articles in this blog cover technical and sustainability topics.


Picture Credits
  1. "Der MFC-Detektiv": Alexas_Fotos / License: Pixabay License (CC0 1.0)