Triangulation fraud impacts multiple players and extends risk beyond the traditional paradigm. But what does it look like? And how can merchants, acquirers and consumers protect themselves and their customers?
Triangulation fraud is when a customer makes a genuine purchase on a third-party marketplace, but the product they receive was fraudulently purchased from a different retailer’s website. It involves a lot of moving parts, so let’s have a look at some examples to really understand what is going on:
What does Triangulation Fraud look like?
The rise of online marketplaces around the globe offers customers and sellers unprecedented opportunities for buying and selling goods and services at the click of a mouse. However, the convenience of these online platforms can create an opening for a unique brand of fraud. It is quick and easy to set up a seller profile, and once a criminal is set up, they can exploit the system to commit triangulation fraud. Attacks often follow a similar pattern:
- Triangulation fraud starts when an unsuspecting customer makes a legitimate purchase on a third-party marketplace.
- The marketplace seller (the hidden fraudster) then places an order with a genuine retailer who has the product the customer wants.
- The fraudster uses stolen payment details to pay for the order but includes the genuine customer’s shipping information in the order, so the product is shipped to the customer.
- The owner of the stolen payment information disputes the charge with the genuine retailer who sold the product to the customer.
- The fraudster gets away with the original customer’s money, impacting a string of parties in the process.
Easy to hide, difficult to spot
A couple of clever things are happening here. The original customer is very unlikely to realize that something is suspicious: they paid for their item and received it as expected. They may even leave a positive review with the seller, boosting the fraudster’s credibility and opportunity for future sales.
Until the owner of the stolen payment details disputes the charge, the retailer may not notice that something is amiss: most of the details in the order look good, with the shipping information aligning with the genuine customer.
Who are the victims?
Unless they have appropriate security measures in place, the retailer is saddled with the chargeback. They are also out of the goods shipped.
However, the negative impact goes beyond monetary losses: the retailer’s brand can be tarnished as well as their relationship with the genuine customer and the genuine cardholder.
The Genuine Customer
When all is said and done, the genuine customer is now in possession of stolen merchandise.
To top things off, the genuine customer’s shipping information is linked with the fraudulent transaction and they may experience friction with future orders to that address.
The Genuine Cardholder
As with many fraud schemes, there is a true cardholder whose payment information is used to make the fraudulent purchase.
While ultimately that person is financially reimbursed, there is still friction and it requires time and effort to resolve.
The Merchant Acquirer
The acquirer is liable should the retailer not be able to satisfy the chargeback costs.
In addition, it is in their interest to keep fraud rates low and protect their entire merchant base from fraud attacks.
If the merchant leverages 3DS in their fraud prevention, the liability will sit with the issuer.
The introduction of PSD2 legislation in September will see wider adoption of 3DS 2.0 by merchants across Europe, with a corresponding shift in liability from merchant to issuer.
As e-commerce evolves, so does fraud
Triangulation fraud is a great example of how the dynamics of e-commerce risk are rapidly evolving, enabling fraudsters to evolve and develop new MOs that are very difficult to spot. Traditionally, fraud may be thought of in terms of a criminal using stolen information to directly defraud the merchant.
However, there is nothing traditional about the array of fraud happening in the e-commerce space. With friendly fraud, the customer is the fraudster. With triangulation fraud, the person who ends up with the fraudulent goods is not the fraudster. Sometimes, the fraudster in triangulation fraud is a fraudulent website and not an individual selling on a marketplace. The number of players and the amount of risk in e-commerce fraud are fluid, muddying the waters at every turn.
How can consumers and organizations reduce the risk?
It is important for every entity involved to understand their role and associated risk.
If you are the merchant, then the pain stems from fraud losses and impact on brand reputation. It’s critical to have effective fraud prevention strategies in place to avoid permanent damage.
The genuine customer must also be aware of potential risks. If the price tag on a marketplace or third-party item seems too good to be true, it probably is. Be cautious and perhaps dig a bit deeper when shopping in third party environments.
Fixing the basics
There are some basic checks that can easily be implemented. Leveraging device ID, both in terms of reputation and velocity, is very helpful. Often these fraudulent players are a small group operating from the same device or set of devices. Whether the fraudster is a single individual or a separate storefront, strong intelligence here can nip the fraud ring in the bud. In addition, comprehensive trend and link analysis will reveal common attributes in a lot of triangulation fraud. This is a bit more labor-intensive and reactive, but you can leverage historical data to map out and link common data points. This can then be fed back into your analytics.
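A sketch of the two basic checks described above, device-ID velocity and link analysis over historical orders. This is an added example, not code from the original article; the order fields, thresholds and sample orders are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders (not real data): order id, time, device ID,
# card fingerprint, shipping address, account e-mail.
ORDERS = [
    ("o1", "2024-05-01T10:00", "dev-A", "card-1", "12 Elm St", "a@example.com"),
    ("o2", "2024-05-01T10:20", "dev-A", "card-2", "9 Oak Ave", "b@example.com"),
    ("o3", "2024-05-01T10:45", "dev-A", "card-3", "4 Pine Rd", "c@example.com"),
    ("o4", "2024-05-01T11:00", "dev-B", "card-4", "7 Birch Ln", "d@example.com"),
    ("o5", "2024-05-02T09:00", "dev-C", "card-5", "3 Ash Ct", "c@example.com"),
    ("o6", "2024-05-02T09:30", "dev-B", "card-4", "7 Birch Ln", "d@example.com"),
]

def device_velocity(orders, window=timedelta(hours=1), min_cards=3, min_addrs=3):
    """Flag devices that use many distinct cards AND ship to many distinct
    addresses inside one time window (assumed thresholds; tune on your data)."""
    by_dev = defaultdict(list)
    for oid, ts, dev, card, addr, _ in orders:
        by_dev[dev].append((datetime.fromisoformat(ts), card, addr))
    flagged = set()
    for dev, rows in by_dev.items():
        rows.sort()
        for start, _, _ in rows:
            inside = [r for r in rows if start <= r[0] <= start + window]
            if (len({r[1] for r in inside}) >= min_cards
                    and len({r[2] for r in inside}) >= min_addrs):
                flagged.add(dev)
    return flagged

def linked_orders(orders, seed):
    """Link analysis: starting from one disputed order, walk shared device IDs
    and e-mails to collect every order in the same connected cluster."""
    by_attr = defaultdict(set)
    attrs = {}
    for oid, _, dev, _, _, email in orders:
        attrs[oid] = [("dev", dev), ("email", email)]
        for a in attrs[oid]:
            by_attr[a].add(oid)
    seen, todo = {seed}, [seed]
    while todo:
        for a in attrs[todo.pop()]:
            for other in by_attr[a] - seen:
                seen.add(other)
                todo.append(other)
    return seen
```

Here `device_velocity(ORDERS)` flags only `dev-A`, while a returning customer on `dev-B` reusing one card and one address is left alone. Seeding `linked_orders` with a charged-back order such as `o3` also surfaces `o5`, which was placed from a different device but shares an e-mail.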
Using cutting-edge technology to prevent sophisticated fraud attacks
More advanced fraud MOs call for advanced measures. Leading organizations are using in-session control with behavioral biometrics to reveal anomalous user behavior in real time. User behaviors including familiarity with the webpage, copying and pasting details, data input familiarity and more can reveal how a fraudster’s activity differs from a genuine user. This type of profiling can detect anomalous behavior in real-time and jump start a more proactive solution.
Adaptive Behavioral Analytics takes things a step further. It leverages machine learning and a variety of data inputs to build and understand the full behavioral profile. It begins with device ID intelligence and in-session behavior but does not stop there. Adaptive Behavioral Analytics ingests data across all channels, financial and non-financial, to develop granular behavior profiles and capture the full scope of a customer’s behavior. The adaptive models enable fraud prevention to shift away from reactive and labor-intensive strategies. This is extremely beneficial when capturing complex fraud attacks and delivering top-notch KPIs.
Increasingly, merchant acquirers and payment facilitators are making these innovative fraud solutions available to their merchants. Often this means providing them with a white-labelled product that can defend against more sophisticated fraud attacks through a multi-tenanted environment, offering a tailored experience to suit the merchant’s size and need. As fraudsters continue to grow more sophisticated in their attacks, the ability to offer these services becomes a key competitive differentiator for the acquirer or facilitator.
While fraud MOs and the victims’ response often seem convoluted and multifaceted, it all comes down to the same basic elements: human beings deceiving other human beings for financial gain. Fraudsters are simply shifting up and down the chain of risk, wearing different hats and launching different schemes. For potential victims, it’s critical to be vigilant, understand your role, understand the behavior and trends, and protect yourself accordingly.
About the author:
PJ has a decade of experience in fraud prevention, driving education, innovation and mitigation across multiple industries and fraud use cases. PJ co-founded About-Fraud, a Global Community for Fraud Fighters, in 2017 and has driven community growth to over 6,800 members. As a Fraud Market Expert with Featurespace, PJ collaborates across various departments to educate and align complex fraud use cases with the powerful ARIC Risk Hub. PJ’s expertise extends across merchants and banks, leveraging tenacious curiosity to stay abreast of the most relevant fraud trends.