Triangulation fraud provides a great example of the kind of ingenuity criminals employ when finding new ways to scam consumers, businesses and financial institutions.
All at once it exploits the continuing trend for online shopping, the desire consumers have for bargains and hard-to-get items, and the relative anonymity of life online.
How Does Triangulation Fraud Work?
It’s hard on some level not to be impressed by the mechanics of triangulation fraud. The first fraudster who thought of it perhaps wondered if they’d invented “the perfect crime.”
But it’s not all bad news. As this type of scheme became more popular, fraud analysts found ways to mitigate against it. As SEON’s breakdown of fraud prevention platforms explains, chargebacks are one reason why triangulation scams can be so harmful for merchants.
However, the same type of solutions that help prevent fraudulent chargebacks can assist us in tackling triangulation fraud.
These fraudulent schemes work like this:
- A fraudster lists a desirable item on a marketplace site like eBay. Popular choices include trending items, such as new games consoles or laptops. These items are often marketed at an appealingly low price. Even though eBay warns consumers about “heavily discounted or sold-out items,” the demand is always there. The exact item is immaterial—the scam works so long as somebody wishes to buy it. Criminals can quickly lay the foundations of legitimacy by selling a few low-cost items first, ensuring they have a solid feedback profile.
- A genuine buyer comes along and buys the item. They pay, and the fraudster receives the money.
- The criminal then buys the item from a legitimate e-commerce site but pays with a stolen card. They give the original buyer’s address as the delivery address.
- The item is sent out from the online store to the marketplace buyer, without ever reaching the fraudster. The fraudster may even go as far as providing the tracking information.
- The buyer receives the item and is delighted. They’ve obtained the item they wanted at a good price and now perceive the seller as professional and efficient. They may well leave positive feedback, further enhancing the criminal’s marketplace reputation.
- Shortly afterward, the owner of the stolen card notices the transaction and complains to the card issuer. A chargeback process begins.
- The merchant that actually shipped the item loses out and has to pay the chargeback fee. Even if they manage to trace their way back to the marketplace seller, that individual will ignore their contacts or will, by then, be doing it all over again with a new account.
Triangulation fraud isn’t new. Back in 2020, Kinsta listed it as one of the worst e-commerce fraud scams. However, it started out as something simpler.
The early version of the scam involved a marketplace seller listing something not in their possession at an inflated price, before buying it cheaper elsewhere—essentially nothing more than “buy low, sell high,” which is a form of arbitrage.
Adding compromised credit cards takes triangulation fraud to the next level. It’s a higher-stakes game, with greater rewards for the criminals and bigger losses for genuine online businesses, as well as risks for consumers.
So, how can you mitigate against it?
Preventing Triangulation Fraud
Every online business that accepts card payments is at risk from this type of fraud. Even cryptocurrency marketplaces like Binance warn against variations of the scam.
Ultimately, there are two ways to mitigate these risks:
- preventing the fraud from happening in the first place, and
- putting yourself in a strong position to defend a chargeback claim if it occurs.
When doing business in person, you can stop a transaction that, on instinct, “doesn't smell right.” In the online world, it’s all about putting systems in place to replace that instinct.
To help identify and prevent such fraudulent transactions in the first place, at SEON we use technology such as device fingerprinting, behavior analysis, velocity rules, IP analysis – and, importantly, email and phone data enrichment.
For the latter, we start with the shopper’s email address or phone number and search for their “digital footprint”: their online presence, which can help us assess whether they are a legitimate shopper or a fraudster.
Such data points are combined into a risk score for each individual. For example:
- Whether an email address is established or brand new.
- The number of social media networks and online platforms this email is used for.
- If a phone number is linked to a genuine carrier network or is a virtual number.
- Whether a customer account is being accessed from the usual location and browser.
- Whether the buyer is using a VPN, proxy or anonymous browser.
- the distance between the IP address of the buyer and the delivery address
Striking a Balance
Obviously, it’s crucial to strike the right balance between avoiding fraudulent purchases (and, in turn, chargebacks), and alienating genuine customers with irritating barriers to purchase or declined transactions—known as false declines, which can lead to higher customer insult rates and churn.
There is no one-size-fits-all. For fraud prevention systems to work at their best, businesses should take the time to “tune” them according to their sector, risk appetite, and the threat landscape—to determine when transactions should be outright rejected or perhaps flagged for manual review.
Given that cybercrime is an eternal cat and mouse game, it’s inevitable that some fraudulent transactions will get through. However, having the right fraud protection mitigations in place can help them, too. Merchants are far more likely to win a chargeback dispute if they can show they did everything reasonably possible to prevent it, as well as keep meticulous records.
This cat and mouse game will never end, but technology like data enrichment and in-depth fingerprinting increasingly manages to take the place of that shopkeeper’s instinct.