What is a drop address?

Drop addresses are used in several legitimate scenarios. However, their relative anonymity means criminals can also exploit them to commit fraud.

Since there is no direct link between the recipient and the address to which the items are shipped, it is difficult for authorities to identify the perpetrators.

Legitimate uses of a drop address

Let’s start with a few examples of how a drop address can be used legitimately.

Remote area deliveries

Drop addresses are used in remote areas where there is no postal service or other form of reliable delivery.

In this case, residents utilise an address in a nearby town or city to collect their packages and mail. This may be a residential or business address or a PO box.

Parcel collection services

Some companies offer parcel collection services where items are shipped to their address (the drop address). Once there, the recipient collects the items from a parcel locker at their convenience.

This type of drop address is useful for those who are not at home during regular delivery hours.

Business operations

Businesses may also utilise drop addresses, especially those that:

• Operate without a physical presence, such as eCommerce companies, start-ups and other small businesses.
• Operate from multiple locations. Amazon’s fulfilment centres, for example, operate as drop addresses as consumer parcels are stored temporarily before shipment.
• Need a flexible solution for delivery management. This includes businesses associated with temporary projects or events such as those that operate seasonal or pop-up stores.

How are drop addresses used by criminals?

The process starts with the selection of a suitable location.

For fraudsters, an ideal drop address is:

• Accessible to only them (or at least a select few).
• Devoid of CCTV or other security features.
• A place where they have a plausible excuse to be if apprehended.
• A place that is unoccupied. Some criminals will mow the lawn or restore electricity to an abandoned property to make it look lived in.

Once a suitable property has been identified, criminals may use a drop address to receive:

• Online purchases made with stolen credit cards or money.
• Banned items purchased on the dark web, such as drugs or firearms.
• Imported contraband, such as cigarettes.
• Illegal items such as prescription pharmaceuticals, and
• Items intended to be used for terrorist activities.

Reshipping scams

Drop addresses are also a core component of reshipping scams.

In this context, criminals use stolen credit cards or bank accounts to purchase goods online. The goods are then sent to the address of an accomplice who repackages the goods – often in exchange for payment – and ships them to a depot or another intermediary.

From there, the goods are shipped once more to the criminal.

Reshipping scams recruit accomplices with fake work-from-home opportunities, with the Better Business Bureau reporting that 65% of scam job ads posted online were related to re-shipping.

While most accomplices are unaware of their participation in the scam, they are often arrested once the stolen card or account is linked to their address.

How can criminal use of a drop address be identified?

Various best practices help prevent (or at least reduce) criminal use of a drop address.

For eCommerce businesses, it is important to note that such use is a symptom of some type of fraud. To that end, specialised tools help identify specific behaviours indicative of fraudulent activity.

These include:

• High-activity addresses – these are addresses to which a high volume of items are shipped compared to the mean. Some tools also analyse data over a 90-day period and look for an increase in chargebacks to identity fraudulent transactions.
• Popularity – the more companies associated with a specific address, the more likely stolen credentials are involved. Ekata found that the fraud rate of addresses associated with more than 5 companies increased by 600%.
• Volatility – a predictor of synthetic identity fraud that looks at the number of identity trait combinations an address has been associated with. Traits include name, phone, email and IP address.

Robust verification processes

Merchants and financial institutions can also do their part to reduce drop address-related fraud. The absence of robust verification processes is a primary contributor to this problem, so with that in mind, here are two more corrective measures to consider:

• Utilise an address verification service (AVS) that cross-references the billing address provided by the customer and the address on file with the relevant bank. This tool is provided by credit card companies and banks to the merchant.
• Verify the identity of buyers with Know Your Customer (KYC) and multi-factor authentication (MFA). This reduces fraudulent activity and helps identify buyers who hold a drop address for legitimate reasons.

In summary:

• A drop address is an address used to receive mail or parcels that are subsequently forwarded to another location. Since drop addresses provide a degree of anonymity, they are often used by criminals to commit fraud.
• Legitimate uses of a drop address include remote area deliveries and parcel collection services. Start-up businesses or those that need flexible delivery systems may also use them.
• Drop addresses commonly form part of a reshipping scam, where third parties are recruited by criminals to forward items purchased with stolen credentials on their behalf.
• To reduce drop address-related fraud, specialised tools help eCommerce businesses identify certain types of high-risk behaviour. Merchants and financial institutions must also strengthen their verification procedures.