The Emerging Dark Side of E-commerce Frauds

How the dark web is mined and information is misused by some players in the e-commerce ecosystem for window dressing their performance.

Have you ever received an e-commerce item you did not order? Guess what, you're not alone. Many Indian online shoppers were perplexed and astounded when they received products from e-commerce sites that they had not ordered. They received cash-on-delivery orders at their doorsteps during the e-commerce blockbuster sale days over the last several weeks. Many people who were unaware of such orders either paid for them or returned them to the merchants. This is not a new problem, but rather an implicit market fraud perpetrated by logistical partners, startups, and cybercriminals.

The entire operation is managed through collaborative efforts between small startups, logistics partners, and cybercriminals, with the dark web serving as the channel. Founders of startups frequently work with intermediaries or brokers who put them in touch with cybercriminals selling user credentials on the dark web. The most in-demand online site credentials are from well-known platforms, and thousands of them may be purchased for as little as a few hundred dollars. Once they have these credentials from the dark web, they can access the online marketplace accounts of the people whose credentials have been exposed and place low-value orders for their products using the cash-on-delivery payment method. After that, items are delivered to the customer's address from the online store. Many people make the mistake of purchasing an overpriced or, more accurately, entirely irrelevant product under the impression that they may have misordered the product during the blockbuster sale season. Such frauds are extremely common during the holiday season when identification is nearly impossible due to greater demand and a higher rate of return.

The Startup Factor

Small product-based firms face many growth-related challenges. Products need to be highly visible to the general public in order to attain high volumes of growth. This unethical mode of operation provides startups with high volumes of deliveries with little to no discounts (rather, products are often sold at an inflated rate). High volumes provide high revenue growth for a particular quarter, whereas product returns are likely accounted for in the subsequent tranche. Customers who wind up paying for the items on delivery have few to no options because the business frequently removes itself from the e-commerce platforms once the sale period is over.

The majority of startup companies in India are valued based on revenues and customer additions, not profits. This enables companies to boost their sales and brand awareness, making them more attractive to venture capital or private investments.

Entanglement With Logistic Partners

Such unethical and immoral businesses are frequently sponsored by logistics companies, who do so to boost their revenue from both deliveries and returns. In many cases, these businesses have long-standing connections with the senior management of logistics companies or have received private funding from those companies' subsidiaries. Both parties benefit from this arrangement. Startups not only overcharge for their products, but logistics partners also make additional money from delivery fees.

Logistics businesses also have access to delivery information for many online sales platforms, which is used to target deliveries and returns to certain regions for increased sales potential with fewer cash-on-delivery rejections. 

Cybercriminals and Dark Web

It's no secret that corporate logons to a variety of online marketplaces are accessible to initial access brokers (IABs), a group of cybercriminals who sell access to corporate networks by hacking them. Anyone interested in access to business networks can purchase it from initial access brokers. Brokers or middlemen buy access to business networks, steal intellectual property, including user databases, and then resell the user database to interested buyers on the dark web.

Beyond IABs, password reuse is another source of exposed accounts: many people use the same login credentials across multiple websites for convenience. Credential stuffing can happen if you use the same password for several accounts. Credential stuffing is the practice of hackers taking previously obtained login information from one website and "stuffing" it into other websites until they discover a match. For those searching for user credentials, dark web forums are a gold mine.

Combating Fraud

Online shoppers must contend with a constantly evolving array of fraud tactics and should exercise caution before accepting any deliveries, especially if they are of the cash-on-delivery variety. Users can take a number of precautions to avoid falling victim to such schemes, including avoiding cash-on-delivery payments, using multi-factor authentication, selecting unique passwords for each website, and regularly checking whether their credentials have been exposed.

Online marketplaces must also implement a variety of security measures to stop these frauds from happening. When onboarding vendors onto a platform, enhanced due diligence ought to be standard protocol. Identification of any connections between the various parties or sellers involved is a crucial step in the due diligence process.

Unusual IP addresses used for ordering, large numbers of orders for the same SKU at one location, and recurrent cash-on-delivery orders for the same SKU are a few red flags that may raise suspicion on online sales platforms. The use of artificial intelligence (AI) and data analytics by online sales platforms can help identify patterns or anomalies that point to sellers engaging in such fraudulent practices. In a short amount of time, AI models can create complex rules to identify and stop system misuse.
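The three red flags named above can be expressed as simple rules over order records before any AI model is involved. The sketch below is an added example, not code from the article or from any marketplace; the record layout, account IP history, thresholds, and all sample values are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data, not real orders. Field names are assumptions.
KNOWN_IPS = {  # IPs each account has previously ordered from
    "acct1": {"203.0.113.10"}, "acct2": {"203.0.113.20"},
    "acct3": {"203.0.113.30"}, "acct4": {"203.0.113.40"},
}
ORDERS = [
    # (order_id, account, sku, seller, pincode, payment, source_ip)
    ("o1", "acct1", "SKU-A", "sellerX", "400001", "COD", "198.51.100.7"),
    ("o2", "acct2", "SKU-A", "sellerX", "400001", "COD", "198.51.100.7"),
    ("o3", "acct3", "SKU-A", "sellerX", "400001", "COD", "198.51.100.7"),
    ("o4", "acct4", "SKU-B", "sellerY", "110001", "PREPAID", "203.0.113.40"),
    ("o5", "acct1", "SKU-C", "sellerZ", "400001", "COD", "203.0.113.10"),
]

def flag_orders(orders, known_ips, sku_loc_min=3, cod_sku_min=3):
    """Return {order_id: set of red-flag names} for the three rules."""
    # Orders per (SKU, delivery location) and cash-on-delivery orders per SKU.
    sku_loc = Counter((o[2], o[4]) for o in orders)
    cod_sku = Counter(o[2] for o in orders if o[5] == "COD")
    flags = {}
    for oid, acct, sku, _seller, pin, pay, ip in orders:
        hits = set()
        if ip not in known_ips.get(acct, set()):
            hits.add("unusual_ip")            # IP never seen for this account
        if sku_loc[(sku, pin)] >= sku_loc_min:
            hits.add("sku_location_cluster")  # many orders, same SKU, one place
        if pay == "COD" and cod_sku[sku] >= cod_sku_min:
            hits.add("recurrent_cod_sku")     # repeated COD orders for one SKU
        if hits:
            flags[oid] = hits
    return flags

def sellers_for_review(orders, flags, min_flags=2):
    """Map each seller to its orders that carry min_flags or more red flags."""
    by_seller = defaultdict(list)
    for o in orders:
        if len(flags.get(o[0], ())) >= min_flags:
            by_seller[o[3]].append(o[0])
    return dict(by_seller)

if __name__ == "__main__":
    found = flag_orders(ORDERS, KNOWN_IPS)
    print(found)
    print(sellers_for_review(ORDERS, found))
```

Requiring two or more flags before a seller is queued for review keeps a single new IP address or one popular SKU from triggering an alert on its own.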

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

