It's the season of online shopping and with it comes organized retail crime. Lucky for financial firms and law enforcement, OSINT can help prevent revenue loss and solve cases of theft.

Organized retail crime (ORC) is becoming a major challenge for law enforcement and retailers, costing tens of billions of dollars annually. ORC is not simply shoplifting or a crime of opportunity; it is “organized crime that involves professional organized theft groups. These are transnational criminal networks of individuals working together to steal for profit that finances their on-going operation and other criminal activity.” The impact of these crimes goes beyond retailers and law enforcement, affecting online marketplaces, financial institutions and intellectual property legal practices.

“In addition to defrauding retailers, threatening employees, reducing choice, and increasing costs to consumers, many of these organized retail crime syndicates use their ill-gotten gains to fund other criminal activities, such as labor, arms, and drug trafficking.”

Association of Certified Anti-Money Launder Specialists

A recent report from the Association of Certified Anti-Money Laundering Specialists (ACAMS), examines the growing problem of organized retail crime, the organizational structure of the groups carrying out these crimes and the steps financial institutions can take to combat the related illicit financing and money laundering activities. The report was developed in partnership with the lead law enforcement agency tackling these crimes, the Department of Homeland Security’s Homeland Security Investigations (HSI). HSI recently launched Operation Boiling Point, a joint effort with private sector organizations to combat and disrupt these organized theft groups.

Because the stolen goods often end up being resold on social media or e-commerce sites, open-source information is a key resource for investigators in both the public and private sectors.

The report highlights the importance of open-source intelligence (OSINT) in detecting and investigating organized retail crime syndicates. Due to the complex ecosystem of these criminal operations and their impact on multiple industry segments, the value of online research is not limited to law enforcement entities. Retailer counterfeit investigators, web platforms, financial institutions and others can find valuable information on open sources beyond listings on ecommerce sites and social media posts. Investigators can also learn more about suspicious companies using satellite imagery, public business records and mapping their digital footprint.

Awareness of the value of open sources is only a small part of carrying out online investigations. Understanding where to look, what to look for and how to capture and interpret that information is critical. It’s also important for investigators to incorporate both operational and cyber security measures when conducting online research. Many organized retail crime groups are more sophisticated than they initially appear and can employ measures to attack or derail investigators, such as fake websites, malware and obfuscation techniques.

And as the report notes, vigilance around potential misinformation is also an integral part of open source information gathering and intelligence analysis.

The report lists a number of red flags for researchers to be aware of when conducting online investigations into organized retail crime and theft groups.  Some of the key indicators for researchers to focus on include photo details, such as the background where photos are taken and the type of tags on the merchandise. In addition, personal and business address searches can reveal links between groups. 

Red flags tied to OSINT research (ACAMS Report, p.37-38):

  • Online search indicates that buyer and seller have identical addresses with the same individuals as registered agents.
  • Open-source internet search fails to support the client’s stated business or revenue. Merchandise still in shipping plastic (cargo theft).
  • Large variety of sizes available.
  • A variety of merchandise, new with tags.
  • Different sellers using the same photos, or posting photos of merchandise with the same background.
  • Merchandise photos with sensor tags or other electronic article surveillance (EAS) devices still attached.
  • Defaced product labels.
  • Using stock retail photos.
  • Photos of merchandise taken inside a vehicle.
  • Item price is significantly less than price of other sellers on the marketplace or below manufacturers cost.
  • Specific language using words such as: “like new”, “new in box” or “NIB”, “new with tags” or “NWT”, “unopened”, “taking orders [for product]”, “DM for orders or size”, “factory sealed”. Company (shell) website not functioning or has no information.
  • Reviews about the company may be scarce, indicating a new seller or one that is working from seller ID to seller ID. However, it is also important to point out that oftentimes the ORC seller may appear to be a very legitimate business and may have many positive reviews.
  • Company’s address using a Google Earth search shows land with no building, a warehouse with no sign, or a building without the company’s name/storefront.
  • Company’s website does not allow you to buy a product outright, indicates you must contact the retailer first.
  • Multiple usernames using the same internet protocol (IP) address.
  • Usernames that are not standard first/last names. May include a handle, street name, nickname, or a business entity beginning with “Pawn” or “Flea Market”, or more often names like “below sale”, “wholesale”, or “wholesale OTC”.
Financial crime Fraud and brand misuse OSINT research