Planet Money - Wake up and smell the fraud
Episode Date: August 26, 2022Sometimes online shopping can feel a little unsavory. There are the listings that make you question if you'll really be getting exactly what's advertised. And there's no worse feeling than paying for ...something and then not getting it. But when Nina Kollars ordered coffee pods and got WAY more than she asked for, it made her feel just as uneasy. Her quest for answers and what it teaches us about a new generation of online fraud. | Subscribe to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy
Transcript
Discussion (0)
This is Planet Money from NPR.
I'm going to go out on a limb here and say there are two kinds of people in the world.
The ones who, when they find a $20 bill on the street, are like, yes!
They put it in their pocket, maybe get themselves a little treat.
Then there are the people who get hung up, wondering, where did this money come from?
Should I try to figure out who dropped
it? Nina Collars is definitely in the second camp. And a version of that little dilemma happened to
her not too long ago when she bought a coffee machine. Are we plugging for Nespresso? Can I
say Nespresso? We can totally say Nespresso. I actually think it's a great product. I am literally
drinking my Nespresso coffee right now.
Nespresso is Nestle's version of a coffee maker that uses those little coffee pods.
Big in Europe, kind of aimed at people who like fancy espresso but don't have time to go to the cafe and don't mind burning through a bunch of pods. The pods come in these different blends and intensities.
And so Nina's like, I'm going to get a sampler pack, a bunch of different pods.
But instead of buying them on Nespresso's website, she starts looking for a deal on eBay.
Sure enough, she finds a sampler pack for half off.
What was your theory of how they were selling it for half the price?
I didn't know.
So either the coffee is getting close to expiring or somebody had gone in and purchased a whole bunch.
And when you purchase a whole bunch, sometimes you get extra for free.
And they were, you know, trying to make a dollar off of it.
Right.
So people trying to sell off the perks they get for being part of a loyalty program or
something.
But, you know, the third thing that goes through your mind is, did this fall off the back of
a truck?
Wink, wink.
Right.
But she decides the probability that it's stolen is low. So she makes the order and she's
keeping an eye out for a box. A few days later, comes home and this is when the weirdness starts.
And there's too many boxes in front of my door. Two boxes to be specific, which is one more than
she was expecting. And I know I'm waiting for the coffee, right? I know. But, like, what is this other stuff?
And it's not just the number of boxes.
I thought I was going to get, you know, a janky box sent by somebody who packed it personally from eBay.
Classic eBay frumpy package.
That's right.
Yeah. And it's not.
It's a legit Nespresso box packed beautifully.
Okay.
And I'm thinking to myself, um, this is a little weird, right?
She opens the first box, and sure enough, there are the coffee pods she ordered,
which makes the extra box even more mysterious.
So I open up the other box, and there's this Nespresso machine.
And I was like, this is, there's definitely something wrong.
Because she's just received a fancy coffee machine worth about 200 bucks
directly from Nespresso that she definitely hadn't ordered.
She checks her credit card to see if she got charged for it.
But no, there's just her payment to some seller on eBay.
And most of us at this point would be kind of psyched.
Free coffee machine?
Great. Carry on. But Nina is different than most of us at this point would be kind of psyched. Free coffee machine? Great. Carry on.
But Nina is different than most of us.
She's highly suspicious, very skilled, and there's nothing she loves more than an internet mystery.
I want to know. I want to know what's going on.
I want to know what is going on, that I ordered something from eBay, it came from Nespresso,
there's a beautiful little puzzle,
and it's sitting there on my counter giving me caffeine, it's fantastic.
And so this is what I'm doing this evening.
Nina wouldn't just spend one over-caffeinated evening.
She would spend whole days, over-caffeinated weeks, trying to crack the case of the extra Nespresso machine.
Hello and welcome to Planet Money.
I'm Alexi Horowitz-Ghazi.
And I'm Nick Fountain.
Nina Collars was pretty sure she'd stumbled onto some sort of internet scam.
And she was right.
She was onto something big.
But unlike in most scams, she seemed to have come out ahead.
What sort of scam gives you free stuff?
Today on the show, a particularly crafty internet crime.
A crime perfectly engineered to avoid detection from law enforcement and play off one of our basest instincts, the desire for killer deals.
Say you are an internet criminal.
Maybe the last person you want to accidentally draw into your deceptively cheap coffee scheme is someone like Nina Collars.
I just want to confirm, you just came here from the Pentagon.
I did.
You work for a four-star general or the equivalent.
The equivalent, that's right.
Amazing.
She's great.
Nina's military job is so fancy and important that it comes with this kind of long mandatory disclosure.
Nothing that I say here today necessarily represents the opinions of the Department of Defense.
I'm here in my personal capacity, in part as a hacker.
Before Nina was a cyber warfare nerd in the Pentagon, she was what's called a white hat hacker.
That is a person who looks for vulnerabilities on the Internet and fixes them before the bad guys can exploit them.
So to Nina, this awesomely free Nespresso machine sitting on her counter seemed less like a lucky accident and more like a tell.
A sign that something was not right.
And Nina starts her detective work like any grizzled hacker would.
By submitting a ticket to eBay's customer service portal.
But she knows that's not going to do much.
So I call Nespresso,
and it is almost impossible
to explain to them what is going on.
She lays out the whole situation,
how she'd ordered some coffee pods on eBay,
the package came from Nespresso,
the extra coffee machine.
And the customer service rep's like, yeah, I can look at that. Yeah, no, everything looks good. Everything's paid for.
You got this espresso machine and this coffee. Nina knows that she made her order on eBay,
but the Nespresso rep is telling her that they have an order in their system in her name for both the coffee pods and the machine, fully paid for at full price.
And I said, oh, so problem one is I didn't buy it from you. I bought it on eBay, and yet you sent
it to me. And so she's very kind about it, right? She says, no, no, no, everything is fine.
And at this point, this is where my inner something is wrong on the Internet starts to flare.
And I said, everything's not fine.
I not only have not paid the amount of money that's listed on this invoice, but I've only paid for roughly a third of the value of any of this.
Nina keeps trying, but the situation is confusing enough that she cannot get it across to the customer service rep.
She either hears, I want to send this back somehow, or I never got my order.
And I'm saying, I have an order that doesn't belong to me.
How do I give it back to you?
It doesn't fit in the decision tree of the call center.
Does not fit.
And so I'm on hold a lot.
Hold, please.
Hey, somebody here is complaining about getting too much stuff.
Exactly.
Nina realizes there is another bit of information that could be useful.
And I said, well, hold on a second. Can you maybe just confirm to me the credit card that was charged?
And the customer service rep is like, well, I can't give you the number, but I can give you the name.
In fact, it's probably right there on the invoice you got with the packages.
Nina looks. Sure enough, there's a name. We'll call him George from Poughkeepsie.
Nina gets off the phone and thinks through what she's got.
Okay, I ordered coffee pods from some generic seller on eBay, but the shipment I got came directly from Nespresso.
When I called up Nespresso, my name was in their system, but they don't have my credit card on
file. They have this guy George and Poughkeepsie's credit card. So is George running some sort of
scheme, or is he caught up in something much bigger? To answer those questions, Nina is going to have to do some digging.
First up, she needs to establish a pattern.
If she orders again and George pays, then he is the primary suspect.
But if it comes from a different cardholder, then George is probably just a bit player.
She looks on eBay and there are a ton of listings for discount pods.
Very similar postings, but from different sellers.
I start doing all the data capture I can.
Okay.
Every step of the way.
You make a spreadsheet?
I make a spreadsheet.
Oh, I love it. I love it.
I set up an automated search on eBay
coordinated to try and neck down.
There's a lot of folks who are selling capsules on eBay.
And perfectly legitimately, frankly,
I try to neck it down to indicators of fraud.
So way too cheap, brand new account, no established history of successful sale.
Pretty quickly, she finds about 50 listings like that, just like her first purchase.
A sampler pack of Nespresso pods at half the usual price. She picks two and buys them. So for science and for research and for posterity,
you got a sweet, sweet deal on some Nespresso pods. That is correct. Got it. Meanwhile,
I am taking screenshots and snapshots and recording all of my transactions.
When the first box arrives, sure enough, just like the first time, it comes straight from Nespresso.
And again, there's a freebie, this time a really nice milk frother.
She's got a whole home barista set at this point.
She looks at the packing slip for who paid, and it is not George from Poughkeepsie.
He seems to be off the hook.
Then she gets the next box in the mail, also from Nespresso,
also not paid for by George. And this time there's double the coffee that she ordered.
So there is definitely a pattern here. And yes, Nina is going through a lot of effort to try to
unmask a scam that so far she's only benefiting from. But remember, she's slamming like six cups
of Nespresso a day.
And with each order, she's getting closer and closer to an answer.
I go ahead and make another additional purchase.
Okay.
And when I did that, the coolest thing happened.
Yeah.
The fraudster couldn't fulfill the order.
Huh.
And decides to write me a note.
And let's see if I have the...
It says, hello, friend, which was, I think,
was a very kind thing to say. Sure. First, thanks a lot because you choose my listing to buy.
Then it says, my mom has sick on hospital now. Oh, good. So I can find any other item in best
condition to ship to you. And I have to go to the hospital with her now. So I hope that you Nina writes back, says,
I'm really sorry to hear that about your mom.
But no response.
And the account is shut down a few days later.
And this letter does have all the telltale signs of an internet grift.
The grammatical mistakes, the tragic tale.
But remember, so far nothing bad has happened to Nina.
She's gotten some free stuff and great, albeit heartbreaking, customer service.
Those things, the freebies, the letter, Nina knows they must be clues.
Clues to how the scam works.
Is it a scam?
Come on, it is definitely a scam.
Okay, okay, it's a scam.
But then who is making the money?
And who exactly is getting hurt?
That's coming up after the break.
Fundamentally, the case of the extra Nespresso machine is a credit card scam.
A way to turn stolen credit card numbers into clean money in a fraudster's bank account.
All while everyone who's drawn into the scam feels like they're coming out ahead.
To explain how it works, we're going to need some reinforcements.
So we called up a kind of historian of internet fraud.
His name is Patrick McKenzie.
But I try to stay anonymous in the sketchy parts of the fraud. His name is Patrick McKenzie. But I try to stay anonymous in the sketchy parts
of the internet. Patrick works for Stripe, a payments processing company, which mostly means
they handle credit card payments for online businesses. And as part of his job, Patrick
lurks around the sketchy parts of the internet, trying to glean whatever he can about fraudsters
who deal with stolen credit cards. He says, surprisingly, their world isn't all that different from ours.
They have forums, they have conferences, they have starred reviews for people who are
better or worse actors in the industries. It is fascinating.
How are there conferences for fraudsters? That can't be true.
It happens to be true. As you can imagine, this is more of a by-invite-only thing so that they don't accidentally invite the authorities.
Patrick says to figure out what happened to Nina, it's helpful to look at how the structure of credit card scamming has changed over the years.
Like every other industry, the credit card fraud industry has a supply chain associated with it and a division of labor among that supply chain.
A division of labor.
Like, credit card
fraudsters are specialized. Different people are best at different parts of the chain. So the person
who steals your card isn't the person who figures out how to get money out of it. Broadly, that
supply chain is differentiated between carters and cashers. Carters and cashers. Yes. Carters
steal payment credentials and cashers turn payment credentials into money.
Patrick says Nina's story is a clear case of cashing.
People trying to make a buck from stolen credentials, mostly credit card numbers.
And the way they make money has changed a lot over the past couple decades,
mostly because there's this ongoing cat and mouse game,
with the cashers constantly trying to stay one step ahead of
more and more sophisticated fraud detection techniques.
To solve the case of the extra Nespresso machine, it's helpful to know just how we arrived
at credit card scams so sophisticated that, on the surface, they look like they're benefiting
everyone they touch.
So, indulge us real quick for a journey through the evolution of credit card cashing.
Woo, fun.
Alexi, let's say it's 2003 and you and I are living in Topeka, Kansas.
Why not?
Exactly.
Yes, and we decide not only are we best buds and roommates.
Obviously.
We are going to become business partners, embarking on a life of cashing.
All right, life of crime.
Let's go.
First thing we're going to have to do
is find ourselves some stolen credit card numbers,
which we can buy in bulk off any number of sketchy websites.
And then we get to work.
Way back in the day,
the easiest way to get money out of purloined credentials
was to buy valuable things, ship them to yourself,
sell them to a flea market, and then you have money.
So we use our purloined credentials to start buying, you know, the latest Nokia brick phones and DVD players and Linkin Park CDs maybe.
But this is all risky because all of this stuff is still showing up on our doorstep.
And so law enforcement or industry could realize that, hmm, it seems like we've been frauded 473 times by the folks at 123 Main Street.
Maybe someone should look into that.
So, Sketchy Nick, we get out of selling our ill-begotten goods at flea markets or on Craigslist, and there ends phase one of our cashing career.
Time to pivot to phase two.
Time to pivot to phase two.
Alexi?
Yeah?
How about instead of swiping the stolen cards at other people's stores, we swipe them at our store?
We have a store?
We're going to start a new business.
God, we're cool.
You, as the fraudster at 123 Main Street, could sign up for an account to do lawn care services.
Yeah, we can lawn mow. I've whacked a weed in my day.
We can lawn mow.
I've whacked a weed in my day.
What we're going to do is call up a credit card processing company and say,
hey, would you help our small business, Planet Money Laundering,
take credit card payments from our customers?
And when they say yes, congratulations on your new enterprise.
Bingo. We take all of our stolen credit cards and swipe to our heart's content.
Oh, yeah. One problem. Sorry. If you as a lawn care business have run up 100 credit cards from
South Africa, China, Nevada, New York, and California while your business is physically
present in Kansas, that looks a little bit suspicious to those of us in the industry.
Also a little suspicious, we've been swiping credit cards, I mean,
mowing lawns in the middle of the night.
Which is admittedly a pretty inconvenient time to mow.
Patrick says it's not just addresses and times of swipes.
There are a ton of other signals of fraud that the credit card processors can use to find and shut down fraudulent businesses.
Like suspicious amounts.
Say we were to swipe 420 over and over and over again.
Which we definitely would.
Yes, that would be a problem.
Or say we keep swiping cards from the same elite rewards program.
That would be a sign of bulk theft.
And so ends phase two of our caching career.
And our life of crime.
Busted.
I know, sad.
But it does bring us to the latest innovation in credit card caching.
And the exciting conclusion to the case of the extra Nespresso machine.
Its name? Triangulation fraud.
And it is far harder to detect than any of those previous forms of credit card caching.
And that's why it is the new hotness in fraud circles.
The new hotness, triangular fraud, is what Nina came across.
That was a classic example of it.
Yes.
So here, finally, is the big reveal.
We are going to walk you through exactly what was happening with Nina and the free coffee machine.
Remember when Nina went to eBay, found those discount pods and pressed purchase?
Her money went to the fraudster through the account that they had set up on eBay.
money went to the fraudster through the account that they had set up on eBay. Meanwhile, the fraudster used stolen credit card info to make the purchase at Nespresso's website and send Nina her
order. Plus a little bonus. And if the buyer had been anyone other than Nina, it would have worked
out beautifully. Because the thing about triangulation fraud is that everyone in the
triangle comes out ahead.
Nina gets a great deal on coffee pods, eBay gets their commission, and Nespresso gets a sale.
So when Nina tries to sound the alarm with Nespresso or eBay, they have no idea why she's complaining.
Everyone's doing great.
It is brilliant. acts as a secret middleman, using George from Poughkeepsie's stolen credit card number to buy Nina exactly what she wants, while depositing her clean money into a bank account somewhere.
The only person who's lost out is George, and that is where the scam starts to unravel.
The fraud will initially be detected by the people whose credit cards they've stolen.
Eventually, George might notice an unfamiliar charge. But his bank will make him whole.
Even George isn't on the hook in the end.
So who does pay?
When I first started working on this story,
I thought that Nina's coffee and her extra Nespresso maker
all ultimately got paid for by the banks.
But Patrick told me, no.
The banks also have a way of passing on the cost of the fraud.
It's called a chargeback.
They call up the business that made the sale,
in this case Nespresso, and say,
hey, the customer says they didn't authorize what happened.
And the business will look at their records and say,
well, shoot, we just got defrauded
for one case of Nespresso pods,
but this is the business we have chosen.
Okay, we're going to write that off defraud losses
and go about our merry way.
Patrick says this is the final tricky detail
working in favor of the fraudster. They're spreading these chargebacks across tons of
different online retailers. They're using stolen credit cards to ship sneakers and tote bags and
podcaster microphones. And each time a retailer is losing some amount of money, but not enough
to take action on it. I think one of the reasons that triangular fraud
has succeeded so much is that it distributes the cost of the fraud over a variety of different
businesses. And so no individual business and no individual actor has both enough of the economic
skin in the game and the data to just shut down the fraudulent operation. But it seems like Nina
did manage to shut down her particular case of triangulation fraud.
She compiled all her documentation and sent it to the FBI,
and then she kept an eye on the eBay listings.
A few months later, the discount pods pretty much vanished from the site.
The funny thing about this whole story is,
if the fraudster had never sent Nina that extra stuff,
if they just sent her the thing she ordered,
she would never have gotten suspicious
in the first place.
So why send that extra coffee machine?
Nina thinks the little bonuses
were a way to buy her love,
to get good eBay reviews,
to keep her coming back as a customer,
keep their eBay accounts alive.
So it was meant to be a bribe.
But for Nina, it was something else.
It was the clue.
It's a very peculiar type of person who's like,
sees this and is like, I want to know more.
Like, I feel like I find a deal on the internet and I want to know less.
And I just want to keep getting that deal.
You know what I'm saying?
I think most people are very happy to think that there are victimless crimes.
But if you're getting something for free on the Internet, somebody somewhere is paying for it.
And you should know that.
And you should probably think about that.
Ooh, that makes me feel personally...
Attacked?
Yeah.
These days, Nina says she doesn't play the discount coffee game.
When she needs to re-up her coffee pods, she pays full price.
Speaking of e-commerce, you can get some Planet Money gear at shop.npr.org slash planet money.
We've got hats.
We've got T-shirts.
But please, if you are a cyber criminal, leave our swag out of your triangulation schemes.
This show was produced by Emma Peasley and engineered by Gilly Moon.
It was edited by Molly Messick.
And our executive producer is Alex Goldmark.
I'm Nick Fountain.
And I'm Alexi Horowitz-Ghazi.
This is NPR.
Thanks for listening.
And a special thanks to our funder, the Alfred P. Sloan Foundation, for helping to support this podcast.