What Is Triangulation Fraud?
Triangulation fraud is a particularly malicious ecommerce exploit which takes advantage of a legitimate eshop to conduct a fraudulent version of a triangular sales, where the fraudster arranges for a legitimate shopper to receive a product the fraudster has procured using a stolen credit card.
The triangle aspect involves three actors:
- one fraudster
- one legit customer
- one storefront large enough to be heavily automated
A fraudster poses as a seller offering a great deal on a product, gets paid by the real customer, then uses a stolen credit card to fill their order with a legitimate online shop. The buyer of the product receives it, but the real cardholder and the shop both lose out – then the company loses again when the legitimate cardholder is correctly awarded a chargeback for the sale.
Originally, triangulation fraud referred to something more like an arbitrage opportunity – buying low over here, then selling high over there. Now, in an age where fraudsters can buy stolen credit card credentials cheaply and in bulk, and credit card fraud detection is necessary, not only are the stakes higher but also more malicious in terms of cost and damage.
Modern triangulation fraud in a CNP (card not present) ecosystem refers to situations where there are three parties:
- a fraudster posing as a real ecommerce storefront, or reputable eBay or Amazon seller, armed with stolen credit card information
- a buyer taking advantage of an unrealistically good price on a new product (or, sometimes, just a good price)
- a semi-luxury retailer – usually one large enough to have a fully automated checkout and delivery infrastructure
The outcome of these schemes looks like the following:
- The fraudster walks away with the legit buyer’s money.
- The stolen credit card is charged.
- The company loses the product and also has to refund the money to the person whose account was actually charged.
How Does Triangulation Fraud Work?
Triangulation fraud works by having a fraudster pose as a legitimate merchant so they can receive money from a sale, order the product after the fact, and pay their (unwitting) “supplier” with a stolen credit card. Let’s take a closer look.
The most common form of triangulation fraud occurs anywhere a bad actor can establish what appears to be a valid retail storefront. These are often auction platforms like eBay but can also be an entire website, or even come from a targeted social media ad.
Most often, the fraudster will pose as a reseller of a product that is popular and expensive enough to have semi-luxury value, but not so expensive that there would be human oversight over each individual sale.
Then, the fraudster lays in wait – probably not very long – for a digital customer looking for the best deal on that product. When they stumble upon the product at a price point that seems too good to be true, the following ensues:
- The customer pays the fraudster posing as a reseller for the product.
- The fraudster pockets the money from the customer.
- The fraudster places the customer’s order with the actual, original retailer, using stolen credit card details.
- The retailer fills the order, charging the stolen credit card and delivering to the original customer.
- The customer receives their order, unaware they were an unwitting money mule.
- The real cardholder discovers the fraudulent charge on their card and files a chargeback with their card issuer.
- The retailer has to refund the money but has no recourse to reclaim their product.
One of the most high-profile examples of triangulation fraud was described in detail by Nina Kollars at the 2019 Defcon conference in her presentation titled “Confessions of a Nespresso Money Mule”.
In it, she describes how she found herself being complicit in a widespread triangulation scam focusing on coffee capsules, and how easy it was to become an unwilling actor in the scheme. You can watch it below:
How Harmful Is Triangulation Fraud?
Triangulation fraud and similar kinds of CNP fraud may cost international businesses up to $34.66B in 2022. Fraudsters who decide to execute this kind of scam will often think of it as a victimless crime – the credit card holder gets their money back, and a major company has been defrauded of an amount of money that they won’t mind losing.
In the shadow of this massive $34.66 billion, though, are the less tangible costs, and the costs handed down to the average person.
In her presentation mentioned above, for instance, Nina Kollars showed how the victims were often elderly, not tech-savvy people, who often won’t understand the situation or know of any recourse to combat it – for instance, the chargeback option they have.
How Can Triangulation Fraud Be Prevented?
Triangulation fraud can be hard to spot, particularly without specialized security software in place. In the setup of a triangulation scheme, every actor present in the scam may initially appear legitimate. There will be a real customer, a real credit card, and a real order of real products.
As with any kind of digital fraud, knowing as much about your customer as possible is essential, but having in place good security with minimal friction and false positives is a delicate balance.
When looking to stop triangulation fraud, we’ll want to consider data points such as:
- The age of the account. Are any of the accounts suspiciously new and unrated by customers?
- Conflicting physical addresses. Are the billing and shipping addresses related or not?
- Falsified contact details. Do the parties respond to communication attempts e.g. by phone?
- Behavioral connections. Are multiple accounts named in a pattern or do they share similar passwords?
Deployment of a suitable fraud prevention solution will first allow businesses to gather information on fraudsters using:
- Data enrichment: Allowing businesses to check the validity of email addresses, for example if the email account – and thus associated business accounts – was created recently, as well as IP address data.
- Reverse social media lookup: While a fraudster might have access to any number of credit card credentials, they will have little ability to flesh out their stolen identities into realistic shoppers, complete with the social media and online platform profiles commonly associated with any legitimate online presence.
- Device fingerprinting: By examining how users connect to a business website, taking into consideration things like the presence of a VPN or an unusual hardware setup, companies can identify common fraudster patterns, and defend themselves.
- Velocity and behavior checks: By identifying multi-accounting, we can catch those criminals who are running several such fraud schemes at the same time.
With a security suite that has the correct tools, businesses should be able to spot and stop fraudsters attempting triangulation fraud.
From there, depending on the results, a dedicated fraud team can review the data enrichment analysis to determine if a customer is valid and manually sign off on them, with only a modicum of added friction.
It can also help to enable fraud prevention machine learning tools that can suggest new, bespoke risk rules based on the needs of individual companies, as well as streamlining the approval process.
Contact Us for a Demo
Feel free to reach out to us for a demo!