Spammer wants to buy from me - how does this scam work?

About once a month we get a spam sent to our "Sales" e-mail address where the sender wants to buy something from us. They usually state their company name/address and the intended shipping address, and say that they intend to pay by credit card. Sometimes they include a short list of what they want to buy (a strange assortment of industrial and consumer products - none of which we actually sell) or if they don't specify what they want to buy, they ask for a price list.

I understand that there are two possible explanations for what they are trying to accomplish:

a) overpayment scam: They learn what we actually sell, they place an order and pay by check. They put wrong amount on the check (too much) and when told about it, they say to cash the check anyways and send a check back to them for the difference. Their check eventually bounces, but not before our check clears and they essentially steal the money - and the goods (if they were indeed shipped to a working address).

b) credit-card scam: They learn what we actually sell and place an order. They pay using stolen credit card information. They receive the goods and resell them on the black market, and the charge on the credit card is eventually reversed (charge-back) and either the vendor or the credit-card company is on the hook for the charge.

Since the e-mails we get state that the scammer wants to use a credit card, it would seem that (b) is the scheme being used. But I don't understand how a charge authorization can go through on a stolen credit card without the authorization being declined immediately. And most vendors probably wouldn't ship an order before the card has been charged.

Am I missing something here?

How exactly do these order-fraud scams work?

You are right in believing that scenario two is likely. There is also a scenario 3, another version of the overpayment that is used with checks and/or credit cards when targeting smaller businesses:

Scammer uses fake check or (stolen) credit card to pay for the item, but tells you he wants to use his (fake) shipper to deliver the items. He wants you to include the shipping in the total charge, and will ask you to arrange payment and shipping with this shipper. Of course the shipper doesn't accept anything but Western Union. The items never actually ship, because once the scammer collects the cash for "shipping" fees, he walks away, and nobody ever shows up to pick up the items because there was never any actual interest in them.

When we talk about stolen credit cards in these scenarios, we aren't talking about cards that were physically taken from the owner. Those thefts are typically reported quickly, and chances of charging to them after more than a day or so are slim. The credit cards used in these scams were typically obtained through phishing, hacking, or the use of infected computers. Thieves who specialize in getting credit card and bank account info generally collect this information, and then sell it on the open market to other criminals (such as these scammers). You can actually see a couple of samples of how this works in other topics at scamwarners. Often the owner of the card does not realize his details have been compromised, so it was never reported. If the credit card is used infrequently, or the owner uses an auto-debit process to pay the bills, It could be weeks or months before he/she realizes the card has been used for extra transactions (especially if they are small). If the credit card has a high limit and is used frequently or is a business card, a balance increase may not lead to red flags (especially if multiple users have access to the card), and it may not be detected until the owner reviews the statements. And of course some people don't look at their statements at all--those can take months to discover the truth.

So here's an example of this fake-order spam mail:

---------------------
Hello Sales,

My Name is John Martins am interested in purchasing some of your products, I will like to know if you can ship directly to Fiji Islands. I also want you to know my mode of payment for this order is via Credit Card.

Get back to me if you can ship to that destination and also if you accept the payment type I indicated.

Kindly return this email with your price list of your products..
I await your quick response.

Kind Regards.
John Martins

Island Consultant Limited.
11 Ruve Place, Tavakubu
Lautoka, Republic of Fiji Islands

Phone: (679) 666-2787
Fax: (679) 666-3998
Email: [email protected]
------------------------------

I can't believe the scammer is actually located in Fiji. Maybe someone in Australia or New Zealand might be tricked into following up this scam, but who else would actually want to go through the hassle of conducting business with an "out-of-the-blue" solicitation like that from Fiji? Why would the scammer say he's in Fiji? Why not a more typical location, like somewhere in the US, or the UK (he probably doesn't know where his spam mails are going, but he's probably targeting victims in the US or the UK).

Sometimes I feel like replying to these scams from an anonymous Gmail account and see how they function.

> Scammer uses fake check or (stolen) credit card to pay for the item, but
> tells you he wants to use his (fake) shipper to deliver the items. He wants
> you to include the shipping in the total charge, and will ask you to arrange
> payment and shipping with this shipper. Of course the shipper doesn't accept
> anything but Western Union. The items never actually ship, because once the
> scammer collects the cash for "shipping" fees, he walks away, and nobody
> ever shows up to pick up the items because there was never any actual
> interest in them.

I don't know on what planet (or in which country) such a scheme would actually work, but any business that does ship their products using a courier (Fedex, DHL, UPS, etc) would know that no shipper gets paid before they pick up the goods to be shipped. I would think that any company would know the shippers / couriers that operate in their city and would already have accounts with them.

> The credit cards used in these scams were typically obtained through phishing,
> hacking, or the use of infected computers.

We are usually paid by cheque for the products we sell, but about 4 times a month we are paid via credit-card transaction (the amount can be anywhere from $500 to $5000). Our customers are usually 100 to 8000 miles away, so we never process a credit-card transaction with the actual card.

I'm really not clear as to what would happen if we were given a working credit-card number, and we perform the transaction (ie - we bill the card, which we do on the morning that the product is to be shipped) and the transaction is accepted, but it later turns out to be a fraudulent transaction. I don't see how the credit-card processor can automatically withdraw money from our bank account to reverse the transaction (they wouldn't have the authority to make a withdrawl from our bank account). What normally happens in a situation like that?

That's absolutely true--but scammer will always have some reason why he can't use any of those major carriers. The majority of businesses won't fall for this angle--but all he has to do is find a single small business owner who is naive or desperate enough to try, he walks away with some nice cash.

It's no different than some of the other scams--for example, the vast majority of people do not believe there is a trunkbox full of money waiting for them, so the scammer sends his format out in bulk to hundreds or thousands of addresses--just to find the one person who will believe.

Why would the scammer say he's in Fiji?

He is very possibly picking an obscure location to support his use of his fake shipper. If the product is being shipped to the US, he really can't give appropriate excuses for not using one of the major carriers.

Even if the credit card initially showed up as valid, the merchant can still face a chargeback if the real cardholder later challenges the transaction. Here's an article with some pretty detailed info about chargebacks: http://articles.sitepoint.com/article/chargeback-challenge