Global Performance Benchmarks
Benchmark your performance against retailers in Forter's global network of businesses.
Welcome to the Cyber Month 2025 Insights Hub, your central destination to monitor fraud trends, benchmark performance, and track consumer activity. New data drops every Tuesday through December 2nd.
CYBER MONTH
2025
The Forter Global Network: Live Shopping Data
43%
Traffic & Approval Rate Change
2.10%
of total traffic from bots
16%
Agentic Growth vs. October Average
Fraud Ring Report
This holiday season, we're profiling the most complex fraud rings targeting retailers. Below are detailed breakdowns of their targets, signatures, and tactics.
$4.2M Fashion Bot Attack
48-Hour Coordinated Bot Attack (Nov. 5–7, 2025)
Bots
Peak Attack Window: Nov. 6, 2025 08:51 - 08:56 (5 min, 630 txs)
FRAUD PREVENTED: $4.2M USD
Initial Assessment:
A highly coordinated bot ring executed a simultaneous, high-velocity attack across multiple fashion merchants. Over a 48-hour period, the attackers masked their activity within early holiday traffic, utilizing stolen American Express cards and synthetic identities to purchase premium streetwear. By leveraging automated account creation, device manipulation, and fraudulent business domains to impersonate legitimate shoppers, the campaign drove volume to peaks of 180 transactions per minute.
Key Evidence
Fraud Signature: “0-Day Identity Trio”
94% new accounts (< 24 h old)
100% new or null spoofed devices
Single stolen AmEx BIN 374279 across all txs
Synthetic Identity Profile
Fake fashion domain used to impersonate a legitimate business, such as SWILLSNEAKERS.COM
Format [word][2digits].[word]@FAKEDOMAIN.COM (e.g., cyphers98.chins@)
Random-common names (“Olivia Robinson,” “Oliver Wilson,” “Poppy White”)
Billing + Shipping: 100% Either GB or US dominant.
Network & Payment Fingerprint
40 residential IPs across 23 Class-A ranges → rotating proxy/VPN setup
Payment type: AmEx credit card from American Express Services Ltd.
Behavioral Signals
Bot-like velocity: 180 tx/min peak
Identical account + spoofed device pairings; no device fingerprint
Indications of device spoofing and device manipulation
Targeted Products
High-AOV streetwear mostly, along with some luxury fashion items.
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Review recent orders paid with American Express cards. Look for combinations of new accounts (<24 hrs), new or missing spoofed devices, and fake business-style email domains (e.g., SWILLSNEAKERS.com). Any overlap of these traits may indicate early probing activity.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
See if those combos appear in short bursts: clusters of new accounts, new spoofed devices, and unfamiliar emails (in the given pattern) created within minutes of each other. Look for clusters showing different device indicators, as this ring frequently performs sophisticated device manipulation to hide its origin.
LEVEL 3: CHECK YOUR FRAUD MODEL
Confirm that your fraud model tracks less common device components (e.g., GPU vendor, WebGL renderer ID, timezone offset), as these secondary identifiers are often left unchanged by the ring.
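The three levels above, sketched as an added example (not Forter's code): flag AmEx orders that match at least two of the signature traits, then cluster them on the secondary device identifiers the ring tends to leave unchanged. Field names, thresholds, the mainstream-provider list and the sample orders are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Local-part shape given in the report: [word][2digits].[word]
LOCAL_RE = re.compile(r"^[a-z]+\d{2}\.[a-z]+$")
# Assumption: the merchant keeps its own list of mainstream mail providers.
MAINSTREAM = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def trio_traits(o):
    """Level 1: which signature traits does this order match?"""
    traits = set()
    if o["placed"] - o["account_created"] < timedelta(hours=24):
        traits.add("new_account")
    if o["device_id"] is None or not o["device_seen_before"]:
        traits.add("new_or_null_device")
    local, _, domain = o["email"].lower().partition("@")
    if LOCAL_RE.match(local) and domain not in MAINSTREAM:
        traits.add("templated_business_email")
    return traits


def suspect_clusters(orders, window=timedelta(minutes=10), min_size=3):
    """Levels 2 and 3: bursts that share secondary device identifiers.

    A cluster is reported when one (GPU vendor, WebGL renderer, timezone)
    tuple shows up under several user-agents inside a short window: the
    primary identifiers changed, the secondary ones did not.
    """
    groups = defaultdict(list)
    for o in orders:
        if o["card_brand"] == "amex" and len(trio_traits(o)) >= 2:
            key = (o["gpu_vendor"], o["webgl_renderer"], o["tz_offset"])
            groups[key].append(o)
    clusters = []
    for key, members in groups.items():
        members.sort(key=lambda o: o["placed"])
        best, start = [], 0
        for end in range(len(members)):  # largest run that fits the window
            while members[end]["placed"] - members[start]["placed"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = members[start:end + 1]
        agents = {o["user_agent"] for o in best}
        if len(best) >= min_size and len(agents) > 1:
            clusters.append({"secondary": key,
                             "orders": [o["id"] for o in best],
                             "user_agents": len(agents)})
    return clusters


T0 = datetime(2025, 11, 6, 8, 51)  # constructed timestamps


def make_order(oid, mins, email, ua, gpu="VendorA", age_h=1,
               dev=None, seen=False, brand="amex"):
    placed = T0 + timedelta(minutes=mins)
    return {"id": oid, "placed": placed, "email": email, "user_agent": ua,
            "account_created": placed - timedelta(hours=age_h),
            "device_id": dev, "device_seen_before": seen, "card_brand": brand,
            "gpu_vendor": gpu, "webgl_renderer": "Renderer-1", "tz_offset": 0}


# Constructed sample: three ring-like orders and two ordinary ones.
SAMPLE_ORDERS = [
    make_order("A1", 0, "cyphers98.chins@shop-one.example", "UA-1"),
    make_order("A2", 1, "mellow41.brisk@shop-one.example", "UA-2"),
    make_order("A3", 3, "harbor07.quill@shop-one.example", "UA-3"),
    make_order("B1", 2, "jane.doe@gmail.com", "UA-9", gpu="VendorB",
               age_h=9000, dev="d-77", seen=True),
    make_order("B2", 4, "sam@outlook.com", "UA-9", gpu="VendorB",
               age_h=30, dev="d-12", seen=True, brand="visa"),
]

if __name__ == "__main__":
    for c in suspect_clusters(SAMPLE_ORDERS):
        print(c)
```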
The First Agentic Commerce Holiday Season
It's the early days of agentic commerce, but how we understand this holiday season - and how merchants handle it - will set the tone for the AI-powered year ahead. The 2024 holiday season saw no agentic traffic. Fast forward 12 months and chatbots like ChatGPT, Claude & Gemini can now be used to drive consumers to your site. If you're not tracking the impact of agentic activity on your site, it's time to start.
The scale of our network is what powers our holiday intelligence. This global network of 400,000 businesses and 2 billion shoppers provides the data behind our industry benchmarks, emerging AI insights, and fraud ring analysis.
Top Emerging Fraud MOs
32%
ATO (Account Takeover)
44%
DTO (Device Takeover)
25%
Return Fraud / Abuse
YoY Increase
10%
Good bots
90%
Bad bots
Data reflects activity from Nov 1 - Nov 24
Average Site Traffic
7%
Average Approval Rate
$800K AI Damaged Goods Return Ring
7-Day Coordinated Operation
10 home-goods merchants, expanding into multiple fashion merchants
FRAUD PREVENTED: $800K USD
Initial Assessment:
A coordinated return-fraud ring has been actively abusing instant-refund workflows across home-goods merchants and has recently begun expanding into the fashion sector. The operation uses a simple but high-volume method: purchase low-AOV items, generate AI-crafted “broken” or “corrupted” item photos, or ship back empty boxes, then request immediate refunds. This lets the actors keep or resell the items while also receiving the refunded amount.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Review refund requests from the past week involving damage photos. Pay attention to accounts aged a few months, rapid refund submissions, and repeat activity tied to the same buyer device or card.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Identify short-window clusters where multiple refund attempts share freight-forwarding addresses, cloud-hosted IPs, similar product types, or unusually fast refund timing. These combinations are often strong indicators of coordinated ring activity.
LEVEL 3: CHECK YOUR FRAUD MODEL
Confirm your fraud model monitors secondary device & network attributes (timezone, language settings, infrastructure patterns). Link these traits to repeated use of freight-forwarding addresses to uncover cross-merchant connections that appear unrelated at the surface level.
Fraud Signature: “AI-Generated Damage Refunds”
AI-generated damage photos used across merchants
Empty/low-weight boxes sent instead of merchandise
Aged accounts (< 6 months) paired with a few clean txs
Legitimate payment methods used throughout
Network & Payment Fingerprint
Buyer devices show Chinese language settings and timezone offsets
Underlying network signals suggest origin activity consistent with China
Heavy use of hosting/cloud infrastructure with frequent US region rotation
Payments via legitimate cards, PayPal, Apple Pay, and BNPL to avoid fraud flags
Behavioral Signals
Same IP or address rarely used more than a few times before rotation
Cross-channel evasion: new devices, shifting locations, and lightly aged accounts
Refund requests often submitted shortly after delivery or immediately after photo upload
Targeted Products
Items eligible for low-friction refund approvals
Fragile home-goods items and now lightweight fashion items
Synthetic Identity Profile
Generic Western names using major email providers (Gmail, Outlook, Hotmail)
Frequent use of freight-forwarding addresses
Devices tied to recent spoofing or anonymization activity
$650K Gift Card ATO Fraud Ring
Nov 8th - Nov 12th
Peak Attack Window: November 9, 2025 12:40–13:10 (30 min, 220 txs)
FRAUD PREVENTED: $650K USD
Initial Assessment:
A coordinated fraud ring carried out a multi-merchant ATO attack on high-value digital gift cards ($100-$150), likely after a successful phishing campaign amplified by AI. They leveraged compromised "aged" accounts to buy liquid, instantly deliverable gift cards—ideal for rapid monetization. At the same time, they rotated through numerous IPs and mimicked normal user behavior to blend into holiday traffic. This combination enabled them to quickly resell the gift cards before victims noticed the takeover and canceled the orders.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Review gift card purchases from accounts with sudden behavioral changes: new devices, new IPs, newly added payment instruments. Look for aged accounts that abruptly shift into high-value gift card spending.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Cluster transactions across accounts showing combinations of fresh device fingerprints, newly added payment methods, repeated gift card purchases, along with any card-testing activity. Look for identity-level overlaps. Include this analysis from the login phase, where the compromised accounts were first accessed.
LEVEL 3: CHECK YOUR FRAUD MODEL
Confirm that your fraud model links early-funnel actions (such as login activity and payment-method updates) to downstream gift-card checkouts. Early interactions usually expose stable device traits that fraudsters struggle to spoof, allowing you to anchor identities and detect coordinated ATO activity.
Fraud Signature: “High-Velocity ATO Gift Card Purchases”
Hacked + aged accounts used to purchase digital gift cards for fast monetization
Card testing performed beforehand, either by attempting to update payment methods or by making small-dollar test transactions
Adding dozens of payment instruments to old accounts within a short time
Attempting purchases at a steady pace to avoid triggering anti-fraud alerts
Network & Payment Fingerprint
New logins from a device with language/timezone patterns inconsistent with historical account activity (ATO indicator)
Burst in failed payment attempts in old accounts due to card testing
Use of rotating mobile IPs and hosting/cloud infrastructure to disguise true origin
Use of mobile ISPs, through a mobile app on an old Android
Behavioral Signals
Sudden transition from normal buying patterns to repeated, high-AOV gift card purchases
Gift cards were sent to auto-generated email addresses following a [fullname][4digits]@GMAIL.COM pattern (e.g., ravijkumar3456@gmail.com)
Rapid card-testing behavior: several new instruments added and attempted in short bursts over several old accounts.
Synthetic Identity Profile
Aged accounts (multi-year histories) suddenly showing new devices, new IPs, and abnormal purchase behavior.
Gift cards being sent as gifts to different and unrelated emails.
Multiple payment methods added quickly across accounts, typical of takeover-driven gift card fraud
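The Level 3 check above, linking login-phase activity to the downstream gift-card checkout, sketched as an added example (not Forter's code). The event and profile field names, the two-hour window, the three-instrument threshold and the one-year "aged" cutoff are assumptions; the events are constructed, and the recipient address is the report's own example.

```python
import re
from datetime import datetime, timedelta

# Recipient shape given in the report: [fullname][4digits]@GMAIL.COM
RECIPIENT_RE = re.compile(r"^[a-z]+\d{4}@gmail\.com$")


def ato_indicators(profile, events, window=timedelta(hours=2), card_burst=3):
    """Walk one account's events from login to checkout; name what matches.

    profile holds the account's historical devices, language and timezone.
    window and card_burst are assumed thresholds, not values from the report.
    """
    events = sorted(events, key=lambda e: e["ts"])
    hits = []
    # Anchor on the login phase: an unknown device whose language/timezone
    # breaks with the account's history.
    entry = next((e for e in events
                  if e["type"] == "login"
                  and e["device"] not in profile["known_devices"]
                  and (e["lang"], e["tz"]) != (profile["lang"], profile["tz"])),
                 None)
    if entry is None:
        return hits
    hits.append("login_new_device_locale_mismatch")
    if entry["ts"] - profile["created"] > timedelta(days=365):
        hits.append("aged_account")
    # Everything the same device did in the window after that login.
    later = [e for e in events
             if entry["ts"] <= e["ts"] <= entry["ts"] + window
             and e["device"] == entry["device"]]
    if sum(e["type"] == "add_payment" for e in later) >= card_burst:
        hits.append("payment_instrument_burst")
    if any(e["type"] == "payment_failed" for e in later):
        hits.append("failed_payment_attempts")
    gift = [e for e in later
            if e["type"] == "checkout" and e["item"] == "gift_card"]
    if gift:
        hits.append("gift_card_checkout")
    if any(RECIPIENT_RE.match(e["recipient"].lower()) for e in gift):
        hits.append("templated_recipient_email")
    return hits


T0 = datetime(2025, 11, 9, 12, 40)  # constructed timestamps


def make_event(mins, kind, device, **extra):
    return {"ts": T0 + timedelta(minutes=mins), "type": kind,
            "device": device, **extra}


# Constructed sample: a multi-year account accessed from an unknown device.
VICTIM_PROFILE = {"created": datetime(2021, 3, 1), "lang": "en-GB", "tz": 0,
                  "known_devices": {"dev-home"}}
VICTIM_EVENTS = [
    make_event(-3000, "login", "dev-home", lang="en-GB", tz=0),
    make_event(0, "login", "dev-x", lang="fr-FR", tz=60),
    make_event(2, "add_payment", "dev-x"),
    make_event(3, "payment_failed", "dev-x"),
    make_event(4, "add_payment", "dev-x"),
    make_event(6, "add_payment", "dev-x"),
    make_event(9, "checkout", "dev-x", item="gift_card", amount=150,
               recipient="ravijkumar3456@gmail.com"),
]
# Constructed sample: an ordinary gift-card purchase from a known device.
REGULAR_PROFILE = {"created": datetime(2022, 6, 1), "lang": "en-US",
                   "tz": -300, "known_devices": {"dev-a"}}
REGULAR_EVENTS = [
    make_event(0, "login", "dev-a", lang="en-US", tz=-300),
    make_event(5, "checkout", "dev-a", item="gift_card", amount=100,
               recipient="friend@example.org"),
]

if __name__ == "__main__":
    print(ato_indicators(VICTIM_PROFILE, VICTIM_EVENTS))
    print(ato_indicators(REGULAR_PROFILE, REGULAR_EVENTS))
```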
$4.2M Fashion Bot Attack
48-Hour Coordinated Bot Attack (Nov. 5–7, 2025)
Peak Attack Window: Nov. 6, 2025 08:51 - 08:56 (5 min, 630 txs)
FRAUD PREVENTED: $4.2M USD
Initial Assessment:
A bot ring carried out a 48-hour, high-velocity attack across multiple fashion merchants, aiming to hide in the early holiday traffic and using stolen American Express cards and synthetic identities to purchase premium streetwear items. The operation relied on automated account creation, device spoofing/manipulation, and fake business-style domains to impersonate legitimate shoppers, reaching peaks of 180 txs per minute.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Review recent orders paid with American Express cards. Look for combinations of new accounts, new or missing cookies, and fake business-style email domains. Any overlap of these traits may indicate early probing.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
See if those same combinations appear in short bursts: clusters of new accounts, new cookies, and unfamiliar emails created within minutes of each other. Look for clusters showing different device indicators, as this ring frequently performs sophisticated device manipulation to hide its origin.
LEVEL 3: DEEP DIVE ON ADVANCED FORENSICS
Extract less common device components from the cookie (GPU vendor, WebGL renderer ID, or timezone offset). The ring manipulates major device elements like user-agent and screen size, but often leaves these secondary identifiers untouched.
Fraud Signature: “0-Day Identity Trio”
94% new accounts (< 24 h old)
100% new or null cookies
Single stolen AmEx BIN 374279 across all txs
Network & Payment Fingerprint
40 residential IPs across 23 Class-A ranges → rotating proxy/VPN setup
Payment type: AmEx credit card from American Express Services Ltd.
Behavioral Signals
Bot-like velocity: 180 tx/min peak
Identical account+cookie pairings; no device fingerprint
Indications of device spoofing and device manipulation → Core Identifier
Synthetic Identity Profile
Fake fashion domain used to impersonate a legitimate business, such as SWILLSNEAKERS.COM → Core Identifier
Format [word][2digits].[word]@FAKEDOMAIN.COM (e.g., cyphers98.chins@) → Core Identifier
Random-common names (“Olivia Robinson,” “Oliver Wilson,” “Poppy White”)
Billing + Shipping: 100% Either GB or US dominant.
$600K Home Goods Returns Fraud
7-Day Coordinated Operation
Peak Window: Sustained activity w/ bursts aligned to merchant refund-processing hours
FRAUD PREVENTED: $800K USD
Initial Assessment:
A coordinated return-fraud ring abused instant-refund policies across 10 home-goods merchants using a simple but effective M.O.: purchase low-AOV items, generate AI-produced “broken item” photos, and request an immediate refund without returning the merchandise. This allows the fraudsters to keep the fully functional item to resell, while also getting their money back—effectively killing two birds with one stone.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Review recent refund requests that relied on photo-only approval flows. Look for combinations of new accounts, new spoofed devices, lower-AOV, and refund claims submitted within minutes or hours of delivery. Inspect the attached photos: fraudsters can get sloppy.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Look for clusters that combine freight-forwarding addresses with activity from “legit-looking” hosting or cloud services, especially when paired with items eligible for instant-refund approval.
LEVEL 3: DEEP DIVE ON ADVANCED FORENSICS
Analyze secondary indicators to surface the buyer’s true origin (such as timezone offsets, IP infrastructure, and other subtle device metadata). Check language settings and regional configurations to see if they correlate with a China-based origin. Cross-reference with the repeated use of popular freight-forwarding services commonly used for shipments into China.
Fraud Signature: “AI-Generated Damage Refunds”
False photo evidence with AI image-generation tools
Instant refund workflows exploited across multiple merchants
New spoofed devices (few months old emails & accounts with few txs)
The ring uses its own legitimate payment methods, resulting in no chargebacks.
Network & Payment Fingerprint
Real location patterns suggest activity from China, aligning with historical behavior
Chinese language and offset on the buyer device
Hosting/cloud infrastructure and frequent IP/region rotation (around US regions) to disguise the true location
Legitimate payment methods to avoid payment-fraud flag
Behavioral Signals
Transactions never originate from the same IP or address more than a handful of times. After ~10 attempts, the ring rotates both.
Evidence of cross-channel evasion: new spoofed devices + rotating locations + account aging
Synthetic Identity Profile
Core Identifier: Using Freight Forwarding Services as a shipping address
Accounts aged 1–6 months with a few clean transactions to build reputation
Generic Western names and mainstream email providers (Gmail, Hotmail, Outlook)
Consistent use of fresh/new spoofed devices
95%
Agentic Growth over the last 6 months
970%
Increase from H1 2025 to H2 2025 in fraudulent checkout attempts by agents
12%
Increase since November 1
Agentic Traffic
Top 6 Agentic Referral Sources
AI Agent-Initiated Fraud
Agentic Conversion Rate
1. OpenAI ChatGPT
2. Google Gemini
3. Microsoft Copilot
4. Anthropic Claude
5. Perplexity
6. xAI Grok
AI-Enabled Fraud
210%
YoY increase in the % of fraud attacks leveraging automation (as a % of total fraud)
AI Fraud Growth
210%
Percentage of fraud attacks leveraging automation (as a percentage of total fraud)
$2.2M Gift Card Fraud Attack
72-Hour Coordinated Bot Operation (Nov. 9-21)
Peak Attack Window: Nov. 20, 2025 14:12 - 14:18 (6 min, 410 txs)
FRAUD PREVENTED: $2.2M USD
Initial Assessment:
A coordinated bot ring executed a three-day attack across several merchants, focusing specifically on high-value gift orders. The actors attempted to blend into seasonal gifting traffic by using stolen Visa cards and lightweight synthetic identities. Their operation relied on automated account creation, device spoofing, and rapid rotation across low-reputation email domains. At peak velocity the bots pushed more than 65 transactions per minute, often reusing the same identity template with minor edits.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Check recent Visa-paid gift orders. Look for newly created accounts, spoofed or missing device fingerprints, and low-reputation email domains. Any overlap of these traits may indicate probing by this ring.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Search for short bursts of gift orders where accounts were created within minutes of each other. Look for clusters with inconsistent billing and shipping details and mismatched buyer–recipient pairs.
LEVEL 3: CHECK YOUR FRAUD MODEL
Confirm your fraud model monitors email domain reputation. Identify newly created or low-reputation domains from the attack window, then cluster those with device manipulation and bot indicators (rapid user-agent changes or missing persistent cookies). Linking suspicious domains to the same spoofed device traits helps reveal coordinated gift-order/gift-card attempts.
Fraud Signature: “Gift Clone Pattern”
91% new accounts (<24 hrs)
All new, null, or short-lived spoofed devices
Nearly all orders marked as “Gift” with a separate recipient name from cardholder/account details
Network & Payment Fingerprint
55 rotating residential IPs spread across 19 Class-A network ranges
Payment method always Visa
Velocity spikes tied to VPN node switches every 2 to 4 minutes
Behavioral Signals
Bot-like bursts of txs with identical account lifecycles
No persistent device or cookie identifiers across sessions
Device manipulation techniques applied to user-agent and screen dimensions
Targeted Products
High-AOV gift orders
Brand gift cards, premium electronics accessories, & luxury apparel items purchased as gifts
Synthetic Identity Profile
Fake gifting or family-themed domains (e.g., FAMILYHUBMAIL.COM)
Email format: [first name][2 digits].[random word]@[fake gifting domain]
Repeated use of simple US and UK name sets
Billing + shipping patterns show 95% mismatch between buyer and gift recipient, used to mask fraud routing
$1.5M Freight Forwarder Ring
November 20-23, 2025
SCOPE: Activity across merchants on both US East and West Coasts
FRAUD PREVENTED: $1.5M USD
Initial Assessment:
A coordinated fraud ring used stolen cards and compromised accounts to purchase electronics and ship them through a small set of Delaware freight forwarders. To disguise repeated use of the same hubs, the actors manipulated address lines with random letters, extra numbers, and fake unit identifiers. All activity originated from mobile networks using devices with no cookies, creating the appearance of public-location traffic.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Check for spikes in new or zero-cookie devices sending orders to Delaware freight-forwarder codes.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Look for bursts of gibberish or manipulated ship-to addresses combined with mobile-network origins. Cluster short-window spikes where received orders use different variations of the same underlying forwarding address.
LEVEL 3: CHECK YOUR FRAUD MODEL
Make sure your fraud model extracts address-manipulation techniques such as added digits or characters. Cluster occurrences that share the same manipulation pattern, appear on mobile connections, and point to deliveries via freight-forwarding services.
Fraud Signature: “Gift Clone Pattern”
Stolen cards & ATO activity blended across the same devices (about 50% ATO)
Repeated shipments to the same Delaware forwarders despite address manipulation
Random letters, digits, and unit numbers appended to addresses to evade matching
Orders placed from both coasts, indicating a distributed fraud team
Network & Payment Fingerprint
Originates from major US mobile carriers with frequent IP cycling
Use of Android phones
Behavioral Signals
Orders routed to the same forwarding services via heavily altered address lines
Bursts of attempts within minutes across multiple merchants
Consistent targeting of high-resale electronics
Targeted Products
Broad electronics, including small devices and components
Products eligible for expedited shipping to forwarding hubs
Identity and Device Traits
No persistent cookies or browser/app signatures
Mobile network to obscure home networks
Mix of compromised and newly created accounts
Buyer name variations include added initials and truncated spelling
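The Level 2 and Level 3 checks for this ring, sketched as an added example (not Forter's code): reduce each ship-to line to a known forwarding hub, record which manipulation was used, and report hubs reached through several address variants from cookieless mobile sessions. The hub list, ZIP code, field names, threshold and sample orders are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the merchant maintains canonical street lines for forwarders
# it already knows. This entry and its ZIP code are constructed.
KNOWN_HUBS = {"hub-de-1": ("100 SAMPLE COMMERCE DR", "19999")}
UNIT_RE = re.compile(r"(?:\b(?:APT|UNIT|STE|SUITE)\b\s*|#\s*)\w+")


def match_hub(line, zip_code):
    """Return (hub_id, techniques) if line is a variation of a known hub.

    Prefix matching means "1000 ..." also matches a hub at "100 ...", so
    treat a hit as a lead to review, not as proof.
    """
    text = re.sub(r"[^A-Z0-9# ]", " ", line.upper())
    techniques = set()
    if UNIT_RE.search(text):  # fake unit identifier appended to the line
        techniques.add("unit_identifier")
        text = UNIT_RE.sub(" ", text)
    tokens = text.split()
    for hub_id, (canon, hub_zip) in KNOWN_HUBS.items():
        if zip_code != hub_zip:
            continue
        rest, found = list(tokens), set(techniques)
        for want in canon.split():
            hit = want if want in rest else next(
                (t for t in rest if t.startswith(want)), None)
            if hit is None:
                break
            rest.remove(hit)
            if hit != want:  # e.g. "100A" for "100"
                found.add("appended_chars")
        else:
            if rest:  # leftover gibberish tokens
                found.add("extra_tokens")
            return hub_id, found
    return None, set()


def forwarder_clusters(orders, min_variants=3):
    """Hubs reached via several address variants in the slice under review.

    orders: already limited to one short time window by the caller.
    """
    by_hub = defaultdict(list)
    for o in orders:
        hub, tech = match_hub(o["ship_line1"], o["ship_zip"])
        if hub and o["network"] == "mobile" and not o["has_cookie"]:
            by_hub[hub].append((o, tech))
    report = {}
    for hub, rows in by_hub.items():
        rows.sort(key=lambda r: r[0]["ts"])
        variants = {o["ship_line1"].upper() for o, _ in rows}
        if len(variants) >= min_variants:
            report[hub] = {
                "orders": [o["id"] for o, _ in rows],
                "variants": len(variants),
                "techniques": sorted(set().union(*(t for _, t in rows))),
            }
    return report


T0 = datetime(2025, 11, 21, 10, 0)  # constructed timestamps


def make_order(oid, mins, line, network="mobile", cookie=False):
    return {"id": oid, "ts": T0 + timedelta(minutes=mins), "ship_line1": line,
            "ship_zip": "19999", "network": network, "has_cookie": cookie}


# Constructed sample: three variants of one hub, one unrelated address,
# and one ordinary customer of the same forwarder.
SAMPLE_ORDERS = [
    make_order("F1", 0, "100 Sample Commerce Dr"),
    make_order("F2", 4, "100A Sample Commerce Dr Unit 7731"),
    make_order("F3", 9, "100 Sample Commerce Dr XQZ 42"),
    make_order("F4", 5, "22 Other St"),
    make_order("F5", 6, "100 Sample Commerce Dr", network="wifi", cookie=True),
]

if __name__ == "__main__":
    print(forwarder_clusters(SAMPLE_ORDERS))
```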
$4.2M Fashion Bot Attack
48-Hour Coordinated Bot Attack (Nov. 5–7, 2025)
Peak Attack Window: Nov. 6, 2025 08:51 - 08:56 (5 min, 630 txs)
FRAUD PREVENTED: $4.2M USD
Initial Assessment:
A highly coordinated bot ring executed a simultaneous, high-velocity attack across multiple fashion merchants. Over a 48-hour period, the attackers masked their activity within early holiday traffic, utilizing stolen American Express cards and synthetic identities to purchase premium streetwear. By leveraging automated account creation, device manipulation, and fraudulent business domains to impersonate legitimate shoppers, the campaign drove volume to peaks of 180 transactions per minute.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Review recent orders paid with American Express cards. Look for combinations of new accounts (<24 hours), new or missing cookies, and fake business-style email domains. Any overlap of these traits may indicate early probing.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
See if those same combinations appear in short bursts: clusters of new accounts, new cookies, and unfamiliar emails created within minutes of each other. Look for clusters showing different device indicators, as this ring frequently performs sophisticated device manipulation to hide its origin.
LEVEL 3: CHECK YOUR FRAUD MODEL
Extract less common device components from the cookie (GPU vendor, WebGL renderer ID, or timezone offset). The ring manipulates major device elements like user-agent and screen size, but often leaves these secondary identifiers untouched.
Fraud Signature: “0-Day Identity Trio”
94% new accounts (< 24 h old)
100% new or null spoofed devices
Single stolen AmEx BIN 374279 across all txs
Network & Payment Fingerprint
40 residential IPs across 23 Class-A ranges → rotating proxy/VPN setup
Payment type: AmEx credit card from American Express Services Ltd.
Behavioral Signals
Bot-like velocity: 180 tx/min peak
Identical account+cookie pairings; no device fingerprint
Indications of device spoofing and device manipulation → Core Identifier
Targeted Products
High-AOV streetwear mostly, along with some luxury fashion items.
Synthetic Identity Profile
Fake fashion domain used to impersonate a legitimate business, such as SWILLSNEAKERS.COM
Format [word][2digits].[word]@FAKEDOMAIN.COM (e.g., cyphers98.chins@)
Random-common names (“Olivia Robinson,” “Oliver Wilson,” “Poppy White”)
Billing + Shipping: 100% Either GB or US dominant.
$2.2M Gift Card Bot Ring
72-Hour Coordinated Bot Operation (Nov. 19-21, 2025)
Peak Attack Window: Nov. 20, 2025 14:12-14:18 (6 min, 410 txs)
FRAUD PREVENTED: $2.2M USD
Initial Assessment:
A coordinated bot ring executed a three-day attack across several merchants, focusing specifically on high-value gift orders. The actors attempted to blend into seasonal gifting traffic by using stolen Visa cards and lightweight synthetic identities. Their operation relied on automated account creation, device spoofing, and rapid rotation across low-reputation email domains. At peak velocity the bots pushed more than 65 transactions per minute, often reusing the same identity template with minor edits.
Key Evidence
Were you impacted?
LEVEL 1: CHECK IMMEDIATE FRAUD SIGNS
Check recent Visa-paid gift orders. Look for newly created accounts, spoofed or missing device fingerprints, and low-reputation email domains. Any overlap of these traits may indicate probing by this ring.
LEVEL 2: IDENTIFY UNIQUE FRAUD VECTORS
Search for short bursts of gift orders where accounts were created within minutes of each other. Look for clusters with inconsistent billing and shipping details and mismatched buyer–recipient pairs.
LEVEL 3: CHECK YOUR FRAUD MODEL
Confirm that your fraud model monitors email domain reputation. Identify newly created or low-reputation domains from the attack window, then cluster those domains with device manipulation and bot indicators such as rapid user-agent changes or missing persistent cookies. Linking suspicious domains to the same spoofed device traits helps reveal coordinated gift-order and gift-card attempts.
Fraud Signature: Gift Clone Pattern
91% new accounts (< 24 hours old)
100% new or null spoofed devices
Nearly all orders marked “Gift” with separate recipient name from cardholder
Network & Payment Fingerprint
55 rotating residential IPs across 19 Class-A network ranges
Payment method always Visa
Velocity spikes tied to VPN node switches every 2 to 4 minutes
Behavioral Signals
Bot-like bursts of transactions with identical account lifecycles
No persistent device or cookie identifiers across sessions
Device manipulation techniques applied to user-agent and screen dimensions
Targeted Products
High AOV Brand gift cards, premium electronics accessories, and luxury apparel items as gifts
Synthetic Identity Profile
Fake gifting or family themed domains such as FAMILYHUBMAIL.COM or GIFTLINEINBOX.COM
Email format: [first name][2 digits].[random word]@[fake gifting domain]
Repeated use of simple US and UK name sets
Billing + shipping patterns show 95 percent mismatch between buyer and gift recipient, used to mask fraud routing
