Table of Contents
1 How It Works
2 How it Affects Chargeback Prevention
3 Example Scenarios
4 Requirements and Timeframes

Find out about disputes before your bank does. Stop up to 85% of them from becoming chargebacks at all.

About Early Alerts
Home > Glossary > What is Fullz?

What is Fullz?

Fullz are stolen identity packages that are bought and sold on the black market. Criminals use them to commit payment fraud and to generate chargebacks against businesses. Each package that they purchase contains a full identity profile with everything a fraudster would need to pretend to be another person. That includes full names, home addresses, Social Security numbers, credit card info along with CVV codes, and more. Criminals who buy these packages can bypass most standard verification systems without much trouble.

This gets really expensive for merchants because of how the fraud actually works. Fraudsters who use fullz to make purchases can answer the security questions correctly and pass address verification checks without any problems. From your payment system’s perspective, they look just like legitimate customers who make normal purchases. Eventually the real cardholder sees the unauthorized charge on their statement and disputes it with their bank. At that point, you’re stuck with a chargeback and you’ve already lost the merchandise.

Fullz are especially dangerous for online businesses because of how thorough they are. Most fraud detection methods just don’t work when the criminal has access to all of the right answers. Check. Check. They even have the mother’s maiden name for the extra security questions. All of your standard verification processes can’t do much to protect you when a fraudster has access to the victim’s entire identity profile.

Criminals who use fullz usually go after high-value items that they can resell right away. A lot of them will ask for rush shipping to get the products delivered before anyone detects the fraud. These fraudsters know the timeline that they’re working with and how long it takes before the real account holder sees something suspicious on their statement.

How It Works

Criminals get their hands on fullz through a handful of methods that have become far too common. Data breaches at businesses and corporations can expose millions of customer records all at once. Phishing emails are designed to trick victims into handing over their personal information on fake websites that look like legitimate sites. Malware programs can quietly steal information from infected computers without anyone noticing. Skimming devices are installed on ATMs and gas pumps to grab card data when you swipe or insert your card.

How It Works

Once fraudsters have this full identity package, they can create transactions that look legitimate to most payment systems. A fullz contains everything that’s needed to pass those first fraud checks that merchants use during transactions. The name, address, social security number and card info all match up exactly with what’s on file.

That’s where it becomes a problem for merchants who want to protect their businesses. Fraudsters can use fullz to take over existing customer accounts because they have all of the correct answers to security questions and verification prompts. They can also open brand new accounts that look genuine because all of the information checks out against standard verification procedures. Card-not-present fraud gets especially simple for criminals when they have all of the billing information that they need to bypass most standard verification systems.

These stolen identities get traded on markets where criminals buy and sell them just like any other product. Fresh fullz from recent data breaches usually cost more money because the victims haven’t noticed anything wrong with their accounts yet. The older data sells for less on these markets but still works well enough to be profitable for fraud operations.

Organized fraud rings actually run these operations with the efficiency and structure of a legitimate business.

How it Affects Chargeback Prevention

When criminals use fullz to make purchases they create a big problem for the merchants. The transactions actually look legitimate because the fraudster has all of the right information at their disposal. Everything passes the address verification and the CVV checks come back clean without any red flags at all.

The bigger problem shows up a few weeks or months later when the cardholder finally notices the charges on their statement. The merchandise is long gone by that point and the merchant is stuck with a chargeback that they probably can’t win. Most of these chargebacks fall under the reason codes related to unauthorized transactions or account takeover and they’re very hard to dispute because the merchant actually did follow the standard security protocols correctly.

How It Affects Chargeback Prevention

The financial damage hits the merchants from a few different angles all at once. They first lose the product and the payment when the chargeback comes through. Then their chargeback ratio starts to climb and it triggers higher processing fees from their payment provider. If the ratio climbs too high they might lose their merchant account for permanently. Some businesses never actually recover from a big fullz fraud attack.

Most of the standard fraud prevention tools fail to catch fullz fraud because all of the basic checks pass. The billing address matches and the security code is correct. The fraudster might even use the victim’s phone number and email address to finish the verification process without any problems. Merchants need to spend money on better detection systems that can analyze behavior patterns and device fingerprints if they want to have any chance of prevention.

Example Scenarios

This fraud talk is abstract until it happens to a merchant. These scenarios play out all the time in online businesses and they can be pretty devastating.

Think about an online clothing retailer who just processed what looked like a normal order. The customer logged into an existing account (one that they supposedly used before) and ordered 3 expensive designer jackets. Everything seemed legitimate on the surface because the criminal had purchased the fullz data that included the customer’s email address and password from an earlier data breach. The account owner won’t know that anything is wrong for a few weeks until they finally check their credit card statement. By that time, the jackets are long gone and the merchant is left stuck with a chargeback and an angry customer who wants answers about how somebody accessed their account.

Example Scenarios

Criminals can get even more creative when they usesynthetic identity fraud. They’ll grab a Social Security number from the fullz data and mix it with a fake name and address. From there, they will open accounts with subscription box services or software businesses. They’ll pay their bills on time for months at a time, all to build up trust and legitimacy. Eventually they will make a few large purchases or max out whatever payment methods they have access to and then they just disappear.

Online merchants also run into problems with what’s called dead fullz. These are identity profiles from victims who have already found out about the fraud and reported it to their banks. Criminals know that the automated fraud detection systems at most of these places (music streaming services, cloud storage providers and platforms like that) don’t verify much past basic card authorization checks.

Requirements and Timeframes

When a criminal uses fullz to attack your business, you’ll have to act right away and the response time is everything. Most payment processors only give you 7 to 10 days to dispute a chargeback. It gets much harder to meet that deadline if you have to investigate to see if the transaction involved a stolen identity or not.

Data protection standards are in place to help stop your business from accidentally becoming a source of fullz data. All of the customer information that you store could end up in the wrong hands if you don’t have solid security measures in place. At a minimum, you’ll have to encrypt payment data and limit which employees can access the customer records.

Know Your Customer protocols have become a must if you want to catch fullz fraud before it happens. You want to verify that the person who is making the transaction is actually who they claim to be. Strong Customer Authentication can add some more protection by requiring multiple forms of proof during the checkout process. These extra steps create barriers that make fullz much less effective for criminals.

Requirements And Timeframes

Fraud liability laws have changed quite a bit over the years. Skipping the security measures and accepting a fraudulent transaction means that your business is probably going to cover the cost. Even if you follow the protocols correctly, fullz can still get through because the stolen data looks legitimate. Real-time tracking helps you spot the patterns that humans might miss on their own. The sooner you can catch suspicious activity, the better your odds are of keeping the losses down.

Frequently Asked Questions

What verification methods best protect against fullz fraud?

Fullz packages sell for anywhere from $10 to over $200 on dark web marketplaces, and the price range is pretty wide for a reason. A few factors affect what criminals are willing to pay, and merchants need to know about this pricing structure. Fresh data from victims who have high credit scores will always command the highest prices on these markets. American fullz are especially worth a lot to criminals because the US financial system tends to have higher credit limits and a lot more payment options available compared to some other countries.

Even "dead fullz" (the ones that victims have already reported to their banks) still sell for some money on these marketplaces. The criminals know from experience that they can sometimes slip through the cracks before the banks update their fraud detection systems. The more supporting documents a package includes, the more expensive it gets. A fullz bundle that comes with a driver's license scan and utility bills attached might sell for three times what the same basic information alone would cost.

This pricing structure matters too. When criminals pay $100 or more for someone's full information package, they're very motivated to use it. They've already put some money down, and they want to see a return on the investment - it's why they'll try multiple merchants and test different payment methods until something finally goes through.

The best defense for merchants is to use a few verification methods instead of just one or two basic checks. Multi-factor authentication works well when it needs something that the customer knows, something that they have and something that they are. Biometric verification with liveness detection helps you stop criminals who use photos they scraped from social media or other online sources. Device fingerprint checks can spot when someone uses suspicious hardware or software combinations that don't match up with the normal customer behavior patterns. Transaction velocity checks and spending pattern analysis add another protective layer because they track how customers actually make purchases over time.

What should merchants do immediately after detecting fullz fraud?

When we look at how refined these fraud operations have become, it's getting pretty apparent that merchants need to be just as strategic in their defense. Fraudsters are collecting every bit of information they can get their hands on to make their transactions look as legitimate as possible and means our detection methods need to be equally smart.

What makes this type of fraud really tough for chargeback prevention is the fact that criminals have access to authentic customer information. That makes it extremely hard to catch the red flags that would normally trigger fraud alerts. Merchants need to move past the basic verification steps and start building multiple layers of protection that can catch the small inconsistencies that might slip through standard checks.

On a more positive note, businesses can cut way down on their exposure and reduce the damage when these incidents happen if they have the right preparation and response protocols in place. Really understanding how these attacks work and what to look for gives merchants a much better chance of detecting fraud early and protecting their business and their customers.

Once fullz fraud is detected, immediate action really matters. Emergency response should include a few important steps - freeze affected accounts straight away and block all related transactions, document everything you can including IP addresses and device fingerprints and behavioral patterns for chargeback defense, notify payment processors and compromised customers as fast as possible, launch closer monitoring on similar accounts and transaction patterns, preserve all transaction data for the investigation, and update fraud detection rules to stop repeat attacks with the same stolen information set.

Speed and thoroughness in these first steps can make all of the difference between containing an incident and facing widespread damage.

Related Glossary Items

What is Triangulation Fraud?

Triangulation fraud is a pretty nasty scheme where a fraudster inserts themselves between a legitimate buyer and your business. The...

What is Return Fraud?

Return fraud is when fraudsters manipulate refund policies to steal money or store credit from transactions. Fraudsters have a few...

Leave a Comment