Cybercriminals are constantly finding new ways to get a hold of stolen data and use it to make fraudulent transactions. What does it mean? In this article, we will talk about one specific type of payment fraud that has been growing in popularity:
Over the last decade, online payments have been going through a continuous evolution and innovation - but unfortunately, the same has been the case for payment fraud as well.
Cybercriminals are constantly finding new ways to get a hold of stolen data and use it to make fraudulent transactions. In this article, we will talk about one specific type of payment fraud that has been growing in popularity - triangulation payment fraud.
What does it mean, what damage it can cause and how merchants can protect themselves from it - these are just some of the questions that we will answer.
1. What is payment fraud?
Put simply, payment fraud involves all situations in which a criminal or a fraudster steals another person's payment details with the purpose of making unauthorized transactions or purchases. There are different types of payment fraud - including phishing attacks, friendly fraud, wire transfer scams, triangulation and more.
Value of e-commerce losses to online payment fraud worldwide in 2020 and 2021 (in billion U.S. dollars). Source: Statista.com
The annual losses to payment fraud are nothing less than concerning. According to Statista, they amounted to 17.5 billion dollars in 2020, increased by the whopping 14% in 2021, in which they reached 20 billion dollars. And that is only in the ecommerce industry.
This came as a result of the global COVID pandemic, which registered a rise in the number of newly registered ecommerce businesses, which in turn made them quite appealing to potential fraudsters. The impact was felt globally - in fact, 75% of online merchants reported a net increase in the number of cyberattacks as opposed to the period before the pandemic.
In fact, according to an annual report from the industry research company Nilson Report, card fraud will cost global markets a collective $408.50 in losses over the next decade. By 2030, when the total volume of card payments is expected to hit the mind-blowing $79.14 trillion, the industry will lose more than $49.32 billion to payment fraud.
2. What is triangulation payment fraud?
As we mentioned previously, there are different types of payment fraud that merchants can face online, and new ones are popping up all the time. From phishing attacks that send fraudulent communications to victims to transactions that appear to be legitimate (clean fraud), it can be very challenging to identify criminals and their true intentions.
And one of the most elaborate and complex types of fraud is precisely triangulation.
Triangulation payment fraud is a type of online fraud that involves the customer, a genuine third-party marketplace, and the fraudster middleman. Put simply, the customer makes an authentic purchase on the marketplace (for example, Amazon), but the received product was fraudulently purchased from a different retailer.
The problem with this type of fraud is that usually, customers are unaware of what has happened. Because they end up receiving the product they purchased, they often have no way of knowing if there was something wrong with the process behind it.
3. How does triangulation payment fraud work?
While triangulation payment fraud started out as a more simple method of buying low and selling at an inflated price to the final customer, it has evolved a lot since then.
Here is how triangulation payment fraud works:
3.1 The fraudster publishes the fraudulent listing
First, the cybercriminal will list a highly demanded item on a third-party marketplace such as Amazon, eBay or Alibaba. This includes typically trending items such as laptops, new consoles, games, headphones, and other desirable items of value.
3.2 They set a price that's "too good to be true"
Next, the fraudster will market the item at an appealingly low, too-good-to-be-true price. While third-party places such as eBay typically warn customers about purchasing heavily-discounted items, there will always be unsuspecting customers that fall right into the trap with the hopes of getting the product for cheap.
3.3 A customer places a genuine purchase
Once the item has been listed and promoted at a heavily discounted price, a genuine buyer will come along and buy it, thinking that they have gotten a really great deal. They make the payment, and the cybercriminal receives the money.
3.4 The criminal buys the item from a legitimate website
The criminal then goes to a legitimate ecommerce website that sells the same item, and buys it directly from there. Except that they are actually paying with stolen credit card data. When making the transaction, they will set the original buyer's address as the delivery address.
3.5 The item is shipped to the address
Next, the item is sent out from the legitimate online store to the customer who placed the purchase, without ever reaching the actual cybercriminal. In fact, they can even go as far as providing the tracking details of the shopping to ensure the customer of its legitimacy.
3.6 Delivery is completed
The genuine buyer ends up receiving the actual item they ordered, being completely unaware of what has happened in the meantime. In most occasions, they are satisfied with the service, happy that they have obtained the desired item at an excellent price.
In fact, they can even leave positive ratings and reviews for the fraudulent seller, unknowingly boosting the reputation of a criminal.
3.7 The owner of the stolen credit card files a chargeback
However, the aftermath of the whole triangulation payment fraud doesn't end there.
Once the owner of the stolen credit card data, which the fraudster used to make the purchase on the legitimate ecommerce business, detects an unauthorized transaction on their credit card, they will most commonly file a chargeback with their credit card issuer.
Because they don't recognize the charge on their card, they will dispute it, initiating a chargeback process.
3.8 The legitimate merchant suffers revenue loss
At the end of the day, triangulation payment fraud hurts legitimate businesses the most. The merchant, from which the item was ordered and who shipped it to the customer with the stolen credit card data, loses the whole profit of the purchase.
In many occasions, they are even hit with a chargeback fee, and they even risk of getting punished by credit card issuers if their chargeback ratio is too high.
4. What are the consequences of triangulation fraud?
Triangulation payment fraud may have serious consequences not only for legitimate businesses, but also for customers. In fact, it impacts the whole ecommerce industry - if people don't feel confident enough in making purchases online because they may end up being fraud, they might shop less or even stop altogether.
4.1. Consequences for merchants
As we just explained, triangulation payment fraud can have a seriously negative impact on the merchants who execute the orders. Because these purchases are made with stolen credit card data, as soon as the owner of the credit card finds out about it, they will initiate a chargeback with their bank.
If you are not familiar with the concept, a chargeback is a payment dispute that the customer initiates directly with the issuing bank instead of the merchant, requesting the reversal of funds. This usually happens if the customer doesn't recognize the charge on their credit card.
However, this is not always the case. There are different types of chargebacks, including Friendly fraud, in which the customer makes a legitimate purchase, but claims the product never arrived or was in bad conditions. While this can actually happen to customers, it is considered fraud when the claim was false with the sole intention of getting both the product and the funds.
High chargeback ratios (over 1%) can have severe consequences for businesses, including revenue loss, chargeback fees, monthly penalties, and even the termination of the merchant account.
Image source. Chargeback statistics.
4.2. Consequences for customers
While the legitimate business is the most obvious victim of triangulation payment fraud, customers can also suffer from its negative consequences. Even though they received the product they ordered and were satisfied with the purchase, it doesn't mean that it will always go smoothly for them.
The problem is that, when triangulation payment fraud occurs, the merchant who suffered the chargeback dispute may ask the customer to return the fraudulently-purchased goods.
In the eyes of the merchant, the totally unsuspecting customer made the actual purchase, and tried to trick them into keeping both the product and their funds. We know that's not the case because the client wasn't aware of everything that happened, but the merchant doesn't really know that.
On top of possibly losing their item, customers may end up losing trust in the business and their online security, as well as leaving negative reviews that will weaken the company's reputation.
4.3. Consequences for fraudsters
Unfortunately, most fraudsters don't suffer any negative consequences from their fraudulent actions as they are able to disappear before anyone finds out what they did.
5. How can merchants mitigate triangulation payment fraud?
Unfortunately, every company that accepts online payments is at risk of triangulation payment fraud. On top of that, triangulation fraud can look very different depending on each scheme, which means that it's particularly difficult to identify common patterns. Fraudsters that use these methods often try to make their transactions look clean and legitimate.
Fortunately, there are things that you can do in order to avoid or deal with triangulation payment fraud.
5.1. Use a secure payment gateway
One way to improve your online payment security is to implement an advanced Payment Gateway such as MYMOID, which is packed with all the tools you need to protect yourself from fraud as a merchant: PCI-DSS Level 1 environment, encryption and tokenization, fraud monitoring, 24/7 leak monitoring, continuous auditing, biometrics and more.
5.2. Do a product research
Another way to be aware of triangulation payment fraud before it happens is to pay close attention to products. For example, if you see a sudden spike for a particular product that's being highly demanded on the market, it may be worth taking a better look to try and identify if you've been targeted by this type of fraud schemes.
You can also do the exercise of looking up your products on third-party marketplaces and resellers such as Amazon, Facebook or eBay. If you see your unique products resold on these places for prices that are too good to be true, this may be a sign that the seller has been targeted by a fraudster.
5.3. Pay attention to your transactions
When it comes to triangulation payment fraud, there may be some recognizable signs associated with a triangulation attack, including:
• New accounts - for example, if you notice that the same customer has been buying the same product numerous times in a short period of time. Especially things that don't make sense, such as new PS5 consoles or video games.
• Non-matching address - as we explained previously, the fraudster will use the address of the original buyer so the item gets delivered straight to them. Pay attention if the billing and the shipping information are different.
• Invalid contact information - in many fraudulent transactions, the buyer will provide invalid contact information, such as email or phone numbers that are not working.
• Transaction speed and frequency - attacks associated with triangulation payment fraud are usually performed by small groups that are operating repeatedly from multiple devices.
5.4. Leverage the power of data
If you have suspicions that you may have been a victim of triangulation payment fraud, it may be worth taking a good look at your data. Look for products that fraudsters seem to be purchasing over and over. For example, products such as cosmetics or electronics are a common target for this type of fraud.
By identifying products that can be a target of triangulation attacks, you can improve your fraud scoring rules and set a lower threshold for these items.
You can also pay close attention to your merchant's analytics in order to identify common and recurring points. With the right Payment Gateway, you will be able to have access to a good amount of payment data which can help you improve your processes and avoid fraud as much as possible.
Stay updated with the latest news, tricks and tips for MYMOID
What is Payment Request Link (pay by link), and what are some of the most important things that you need to know before using it?
What are some of the most important steps that need to be taken when it comes to PCI-DSS for merchants? Continue reading to learn more!
What is a PCI Compliant IVR Solution, and why is it so important for your call center? Continue reading to learn more!
Pioonering digital payments since 2012. Trusted by +5.000 companies, startups and retail stores.