Fake Amazon Receipt Generators

They can be used to scam Amazon Marketplace merchants:

What happens once our scammer is armed with his fake receipt? Well, many sellers on Amazon will ask you to send them a copy of your receipt should you run into trouble, have orders go missing, lose your license key for a piece of software and so on. The gag here is that the scammer is relying on the seller not checking the details and accepting the printout at face value. After all, how many sellers would be aware somebody went to the trouble of creating a fake receipt generator in the first place?

They’re also useful if you want to defraud your employer on expense reimbursement forms.

Posted on December 17, 2010 at 6:28 AM • 20 Comments

Comments

Paeniteo December 17, 2010 6:58 AM

While it is interesting to have this as a handy tool, you could rather easily create such receipts (and, probably, more convincing ones) by hand once you have a genuine receipt as PDF…

Henning Makholm December 17, 2010 7:22 AM

@Paeniteo: You could do that. I could do that. Most readers of this blog could probably do that. The ordinary man in the street, or the ordinary small-time crook, couldn’t.

The point about tools such as this one is not that they make attacks possible that would have been impossible before; it is that they package up the technical skills needed to do it in a nice downloadable package available to everyone.

Alan Kaminsky December 17, 2010 7:35 AM

Bruce, I have a receipt for a Skein polo shirt that I ordered but did not arrive. It must have got lost in the mail somewhere. Could you please send me a replacement shirt?

BF Skinner December 17, 2010 8:22 AM

Modifying the behaviour of infected hosts to make transmission to other hosts more likely is one way parasites can affect the structure of ecosystems. For example, in the case of Euhaplorchis californiensis, it is plausible that the abundance of local predator and prey species would be different if this parasite were absent from the system.

Although parasites are often omitted in depictions of food webs, they usually occupy the top position. Parasites can function like keystone species, reducing the dominance of superior competitors and allowing competing species to co-exist.

Many parasites require multiple hosts of different species to complete their life cycles and rely on predator-prey or other stable ecological interactions to get from one host to another. In this sense, the parasites in an ecosystem reflect the “health” of that system.

karrde December 17, 2010 8:41 AM

“They’re also useful if you want to defraud your employer on expense reimbursement forms.”

[sarc]Thanks for the advice. It’ll come in handy.[/sarc]

Adam December 17, 2010 8:47 AM

Signing wouldn’t be a bad idea. Imagine if the receipt contains a QR code for the entire order somewhere at the bottom, and each individual purchase has a barcode. A merchant could use a PC application or a phone app to scan the QR code followed by the barcode of any item they were interested in. The app could flag discrepancies.

The individual barcodes on each line would be a safeguard so that if a customer wanted to black out certain purchases they could do so without affecting the merchant’s ability to verify the others.
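The scheme proposed in the comment above, sketched as an added example that is not part of the original comment or post: an order-level code plus one code per line, each bound to the order ID and line position, so a blacked-out line does not stop the others from verifying. The function names, field layout and key are assumptions, and an HMAC stands in for the issuer's signature so the sketch runs on the standard library; a merchant-side app would instead verify an asymmetric signature with the issuer's public key.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"  # constructed; stands in for the issuer's signing key


def _tag(*fields):
    # Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue_receipt(order_id, items):
    """items: list of (description, price_cents). Returns the printed receipt."""
    lines = [{"desc": d, "price": p, "code": _tag("line", order_id, str(i), d, str(p))}
             for i, (d, p) in enumerate(items)]
    # Order-level code (the "QR code"): binds the order ID and the line count.
    qr = {"order_id": order_id, "count": len(items),
          "code": _tag("order", order_id, str(len(items)))}
    return {"qr": qr, "lines": lines}


def redact(receipt, index):
    """The customer blacks out one line, including its barcode."""
    receipt["lines"][index] = None


def verify(receipt):
    """Return one status per line: 'ok', 'redacted' or 'mismatch'."""
    qr = receipt["qr"]
    expected = _tag("order", qr["order_id"], str(qr["count"]))
    if not hmac.compare_digest(expected, qr["code"]) or len(receipt["lines"]) != qr["count"]:
        return ["mismatch"] * len(receipt["lines"])
    statuses = []
    for i, line in enumerate(receipt["lines"]):
        if line is None:
            statuses.append("redacted")
            continue
        # Recompute the per-line code from what is printed on the receipt.
        want = _tag("line", qr["order_id"], str(i), line["desc"], str(line["price"]))
        statuses.append("ok" if hmac.compare_digest(want, line["code"]) else "mismatch")
    return statuses


if __name__ == "__main__":
    # Constructed sample order.
    r = issue_receipt("ORDER-A", [("Camera lens", 25000), ("Lens cap", 900)])
    redact(r, 1)
    print(verify(r))
```

Because each line code covers the order ID and the line index, a line copied from a different genuine receipt is flagged just like an edited price.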

Rich Gibbs December 17, 2010 9:36 AM

“They’re also useful if you want to defraud your employer on expense reimbursement forms.”

As with so many other things, this is just a technological update on an old idea. Back in the late 1970s, I saw an ad in a reasonably reputable publication for a book of blank restaurant receipts, to use “in case you lose a receipt.”

Riko December 17, 2010 10:13 AM

@Rich….

I had an employee who used blank credit card receipts to scam expense reports. These were the paper kind that you filled out by hand and had multiple carbon or carbonless copies. He had a whole stack of them.

Scott G. Lewis December 17, 2010 10:17 AM

I think you missed the number one use for fake receipts. I sold a lot of used camera gear recently, and used Amazon Marketplace to do it (higher value than the camera store trade in offers). People weren’t sending me THEIR fake receipts. They were trying to spoof the order confirmation summary from Amazon, recreating that format, plus spoofing the sender field to the best of their ability.

Basically, I now ignore ANY order notifications on Amazon, other than using them as a reminder to log on to Amazon and see if I actually sold anything. Since the order receipts include all the information needed to ship the item, I would imagine some people ship merchandise only realizing 30 days later there’s no money forthcoming by Amazon.

As a general rule of thumb, I do NO business through email, but use email to know when I need to log on to something to see if I have business to do. 🙂

HJohn December 17, 2010 10:59 AM

On a slightly related note, SANS.org started a site I’m really enjoying called: http://www.securingthehuman.org. It has resources, posts, and blogs and some of it related to spotting fraud.

Thought others may be interested, and this seemed closely related enough to post.

Davi Ottenheimer December 17, 2010 11:40 AM

It just seems odd to me that the ideal target for the generator is a place that does not check their records, which means you really don’t even need any kind of fake receipt generator for this refund fraud.

This is like saying you have figured out how to rob someone who will give you money if you ask nicely for it.

vwm December 17, 2010 11:52 AM

“They’re also useful if you want to defraud your employer on expense reimbursement forms.”

My employer always demands a copy of my bank statement to confirm that I actually paid the expenses. I think that is just annoying. Whoever fakes receipts will either fake bank statements as well or he will fake receipts for cash payment.

Peter A. December 17, 2010 1:17 PM

@vwm

Well, MY employer actually issues AmEx cards to every employee at the time of employment – to be used for any expenses (approved beforehand) like buying technical literature, business travel related expenses (hotels, meals, car rental, gas, cash allowance) etc. – so they already have all the records to match against receipts. Therefore there is much less room for using fake receipts.

HJohn December 17, 2010 1:23 PM

@vwm
@Peter A


IMHO, reimbursements are often a way of borrowing from employees. Migrating away from it is a good practice for many reasons.

To say nothing of the fact that it’s frustrating to spend thousands on a mandatory business trip in order to wait 2 months to get the reimbursement check.

labradore December 18, 2010 12:15 AM

Last time my employer asked me to pony up trip expenses, I did it without saying a word. Then I turned in my expense reports including the interest expenses (29.9% APR). They sent me on the next trip with a company card in hand.

Francois December 19, 2010 9:28 AM

These receipts can not be used for refund fraud, as Amazon marketplace sellers have to use Amazon systems using a valid order id to perform a refund (the seller does not have access to the buyer payment instrument). As for requesting a replacement copy, the receipt is also missing information (e.g. SKU) that many sellers use to fulfill orders.
My take is that this is really an expense reimbursement scam rather than a scam targeted at Amazon sellers.

Dirk Praet December 19, 2010 6:41 PM

I guess this would only work with sellers that can’t be bothered with a short sanity check, or employees thereof too lazy or too stupid to do so, thus making it about as efficient as the average 419 scam. When used as an expense reimbursement scam, one should probably consider if the amount you can take outweighs the risk of getting fired on the spot if (or when) you get caught. In my experience, folks that engage in this sort of fraud just can’t remain silent about it, thus eventually digging their own grave.

ilgioa December 20, 2010 7:48 AM

A friend of mine used to print his own receipts at home to get free drinks at the discotheque’s bar. The cashier is at the entrance, the bar is inside.
Another one got a full book of real, blank, cab receipts from a friend working as a taxi driver. Receipts are neither numbered nor tracked in any way; he used them to round up expense reports.
I faked a couple of letters (with scanned signatures) from my boss (with his permission) to get around some bureaucracy.
To get a visa to certain countries, you still need to send an invitation request in paper, in your company’s letterhead, signed and stamped. They don’t realize it doesn’t provide much more authentication than me saying “hey can I please get a visa?”

It always amazes me how much you’re immediately more “trusted” if you show up with a piece of paper and a signature.
