What is Triangulation Fraud? How Merchants Can Prevent It

Triangulation fraud is a complicated fraud scheme that occurs, predominantly in ecommerce, between three parties: an unsuspecting customer, a fraudulent seller, and a legitimate merchant. 

The triangulation occurs when:

1. A fraudulent seller sets up an online storefront or marketplace that appears legitimate and offers high-quality products, potentially at a “discount”. Usually, they’ll use a marketplace like Etsy.
2. An unsuspecting customer places an order through that seller’s website, thinking they’re purchasing from a reputable source
3. The fraudulent seller doesn’t fulfill the order; they instead purchase the product from a legitimate site, using another credit card they’ve stolen
4. The legitimate merchant fulfills the order and ships to the customer
5. The fraudulent seller keeps the money paid to them by the customer, who doesn't know they've been a part of the transaction because they paid money and received goods. Little do they know the scammer will later use their credit card details to continue the scheme.

Who Benefits and Loses in Triangulation Fraud?

The Fraudulent Seller

The primary beneficiary of triangulation fraud is the fraudulent seller. 

This seller makes near-instant money with very little effort. For instance, let’s say the fraudster “sells” high-end power tools. On this fraudulent website (styled to look like the real brand website), a drill is priced at $200. When a customer makes a purchase, the seller charges the customer $200 and keeps that money. Then, the seller buys the real tool (or, worse, a knock-off) from another website for $220 using a different stolen card, and has it shipped directly to the customer. The fraudulent seller pockets the $200, and has access to the customer’s stolen credit card information for use at a later date for future fraudulent activity - and the customer has no idea they were duped because they received the goods they expected. 

The Customer

The customer may not even notice this if they don’t check transactions closely, but they are certainly losing in this situation - in several ways. Even if they receive the desired item at a “deal” they did so at the cost of their credit card information and, possibly, two charges. This credit card information will also almost certainly be used in a fraudulent transaction in the near future. 

Likewise, if the fraudulent seller mistypes the customer’s address or otherwise misrepresents information, the customer could never receive the item they’ve paid for, causing additional headaches like trying to reach out to a support team (that is unlikely to exist) and no real order confirmation. 

The Merchant

Even though the merchant receives and fulfills a legitimate order, it also loses in triangulation fraud. Should the customer fail to receive the item (since a third party typed in the information, potentially incorrectly) or notice any odd charges, the merchant could receive a chargeback for the purchase. 

Merchants already know the issues with receiving chargebacks, from financial losses, to the inability to work with certain PSPs, to significant reputational damage. If the fraudulent website gets a significant amount of traffic and orders, this merchant will also start to receive an influx of chargebacks - seemingly out of the blue.

How can Merchants Prevent Triangulation Fraud?

While a merchant could hope that customers would stop purchasing from fraudulent websites, fraudsters are getting better and better at their tactics. In fact, it is likely that fraud will only continue to rise and merchants will need to take the matters into their own hands.

Implement Strong Fraud Prevention Measures

The most obvious tactic to combat triangulation fraud is to implement strong fraud prevention measures that include risk scoring tools. These tools can catch trends - like purchases that come from a single IP seem to have a high chargeback rate, or repeated purchases of a single item - and can prevent the fraudster from making any future purchase. These tools will also flag purchases where the billing and shipping addresses don’t match, where brand new accounts are making repeated new purchases, and where the transaction velocity is suspiciously high.

Detecting fraud quickly is also paramount in this instance. The longer a scheme like this goes undetected, the more likely it is that the scheme will become more sophisticated and widespread among your products and services, creating a criminal fraud ring. Likewise, the fraud detection tools could be fed with consistently bad data that may allow this level of fraud to go undetected even with the most sophisticated detection programs.

Select PCI-DSS Compliant Partners

Merchants should also choose payment partners that have strong a security posture that, at a minimum, meets PCI-DSS compliance. If your system is subject to PCI-DSS requirements (merchants almost certainly are), it is also your responsibility to ensure that your partners also comply - failure to do so can threaten your own business’ compliance standing.

When selecting a provider, you should consider the provider's experience and expertise, reputation, and cost, to name a few factors, to ensure that provider's services meet the true business need.

Remember, however, that PCI compliance is an ongoing process. The right provider at a single point in time may not be the right provider in the future. Continue to monitor your security environment and continue to assess which providers can help your organization as your business model and customer base grows.

Basis Theory, a fully programmable vault that helps you create engaging commerce flows, connect with any partner, effortlessly manage compliance, and keep control of your payments data, is one such partner. By partnering with Basis Theory, merchants can confidently protect payment data. Contact us to learn more.