Customer fraud losses and remediation are often integrated as an inevitable cost of doing business Fraud's impact on the bottom line is often considered when pricing products and services. This has happened since the first thief swiped a product from a marketplace stand.
Today, scams responsible for severe business impact have become increasingly sophisticated, and the creeping costs are increasingly hard to budget for. Merchant losses attributed to e-commerce fraud were estimated at $44.3 billion in 2024. This number is projected to inflate to a dizzying $107 billion in 2029, a growth of 141%.
Among the various types of fraud that plague online shops and digital merchants are card-not-present (CNP) fraud schemes and, specifically, triangulation fraud. In this scam variant, merchants are hit the hardest. So what can online merchants and e-commerce website administrators do to curb triangulation fraud targeted at their online shops?
INVESTIGATE
Is your website currently under a web spoofing attack?
What is Triangulation Fraud?
Triangulation fraud is a sophisticated card-not-present (CNP) fraud in which the fraudster inserts themselves between a genuine buyer and a retailer. It then manipulates the legitimate purchasing process to defraud the seller.
As the name suggests, triangulation fraud typically involves at least three actors: the genuine shopper, the legitimate supplier, and the fraudster impersonating the legitimate supplier. Like other types of CNP fraud, triangulation fraud schemes employ stolen credit card details, often purchased on the dark web.
How Does Triangulation Fraud Work?
1. The Impersonation
The fraudster impersonates a genuine seller by creating a believably similar e-commerce website or marketplace storefront. With a spoofed website, fraudsters can harvest customer credit card information through the payment page.
Marketplaces like eBay or Amazon protect buyers' credit card information by not sharing it directly with sellers. However, fraudsters can still use these platforms to appear as legitimate sellers without needing access to that credit card data. Global marketplaces are taking steps to prevent fraudsters from using their platforms for illegitimate trading practices, but those are rarely enough to discourage cyber crooks.
2. The Tempting Bargain
The spoofed brand website or marketplace storefront will offer deals that are almost too good to be true, with price points carefully calculated to make the deals believable. Moreover, fraudsters often position themselves as resellers or wholesalers of the legitimate brand.
Fraudsters may even promote their store on social media and pay for ads on various advertising platforms. By getting these bargains and discounts (aka scams) in front of more people, they siphon clients from the legitimate brand e-commerce shop. If legitimate customers fall for their ads or social posts and visit the fake website, they can purchase from the fake shop---all without realizing that they're being used as virtual money mules or, even worse, are handing their credit cards and PIIs over to criminals.
3. The 'ol Switcheroo
When unsuspecting customers place their orders on the fake website, the fraudster uses stolen credit cards to order the products from the legitimate merchant, setting the shipping address to that of the legitimate buyer. Unaware of the fraudulent nature of the purchase, the merchant fulfills the order (often automatically) and ships the product to the address entered initially during the ordering process on the fake website.
4. The Chargeback
Upon discovering the fraudulent transaction, the compromised cardholder will contact their card issuer and demand a chargeback. The merchant will be forced to refund the money and potentially incur penalties and fines due to high chargeback rates.
The result of the scheme is:
- The fraudster pockets the customer's money for the product they purchased and potentially their credit card number to be used in future scams.
- The cardholder whose stolen information was used in the fraud must file a chargeback for a purchase they never intended to make and never received.
- The merchant victimized in the scheme loses the cost of the item shipped and is forced to refund the cardholder whose card was used in the scheme.
6 Ways to Prevent Triangulation Fraud
Triangulation fraud hurts the bottom line and tarnishes the hard-earned reputation of brands and merchants whose products are resold by scammers. So, what can eCommerce website administrators and merchants do to avoid triangulation fraud?
1. Employ Robust Real-Time Fraud Detection and Monitoring Tools
Fraud prevention tools and services can help automatically score each order for potential fraud risk and assess potential vulnerabilities. A traditional fraud detection and prevention suite can use policies and rules to classify abnormalities in orders.
To keep up with increasingly sophisticated fraud techniques, you should seek out systems that employ machine learning and AI models. These systems can correlate historical and external data to hunt down fraud in real-time. AI makes seeing "the big picture" of user behavior much easier, as it excels at spotting patterns and trends that humans may easily miss.
In addition, be sure to look for solutions that turn activities into contextual and actionable messages in near-real-time. Instant notifications enable you to inform the right stakeholders in your infosec and risk management departments.
It's important to remember that fraudsters often share information. If you're not prompt in discovering a triangulation fraud attack against your shop, online criminal rings will quickly adopt you as a target, ballooning your losses from fraud.
2. Harden Transaction Security Policies
Merchants often invest heavily in making it super-easy to complete purchases on their website or through their mobile app, which can, in turn, make room for fraudsters to interject. To protect your customers and business from triangulation fraud, implement robust authentication methods for user accounts and strict password policies. Importantly, publish a comprehensive return and refund processing policy.
While it may add some steps to the purchasing journey of legitimate clients, more robust security policies and purchase verification services can deter fraudsters from choosing your shop to target.
3. Use Threat Intelligence
As fraudster strategies and triangulation fraud trends change, you must stay up-to-date and apply steps to mitigate specific threats. Among the techniques you can adopt are automatic updates to your application deny lists to ban known fraudsters. You can also implement additional protections to product categories trending among fraudsters (think coffee capsules or consumer electronics).
In addition, you can employ threat intelligence services that continuously monitor the web for dubious ads and product listings that include your proprietary information and products. Some services even offer to contact marketplaces and social media platforms on your behalf to have the imposter shops shut down, but do not stop fraudsters from simply re-creating the fraud.
4. Implement Risk-Based Order Verification
Another way to curb triangulation fraud is to use risk-based order verification and transaction risk scoring to divert suspicious deals for manual review. Risk scores can consider various factors, such as discrepancies between IP address location and shipping address or multiple accounts created from the same device. It can also identify identity threats like mismatched personal details, helping you detect and block fraudulent transactions as timely as possible.
INVESTIGATE
Is your website currently under a web spoofing attack?
5. Spoof-Proof Your Storefront
Website cloning is one method fraudsters use to create believable copies of e-commerce websites. While it's not always entirely preventable, it's essential to monitor for potential website scrapers who may be probing your systems for product prices, images, and other content.
Solutions like Memcyco provide complete visibility into such scans and content scraping attacks. With Memcyco's easy, agentless deployment, companies can detect fake websites in real-time and protect their customers from falling victim to triangulation fraud. Aside from instant detection and alerting, Memcyco also issues "red alerts" if your users visit the cloned website, warning them not to make any purchases there.
6. Deploy Honeypot Traps and Decoy Information
Another effective way to discourage fraudsters from targeting your online shop in triangulation fraud is to add hurdles, bogus information, and roadblocks to their way to stealing the credit card information of innocent buyers while hiding behind your logo and brand name.
With Memcyco, you can ensure that potential customers never reveal their credit card information to crooks who've spoofed your shop. Instead, you can feed the fraudsters with decoy data they can't use.
Protecting your Web Shop and Reputation with Memcyco
Triangulation fraud is a particularly nasty form of CNP fraud plaguing online businesses worldwide. Some fraud campaigns abuse marketplaces like Amazon and eBay to impersonate genuine merchants. In contrast, others replicate full e-commerce websites to harvest credit card numbers while using genuine shoppers as money mules.
The last thing businesses want is for their customers to fall victim to fraud. Unfortunately, with fake websites becoming increasingly indistinguishable from legitimate ones, it's easier than ever for unsuspecting users to be duped.
Memcyco's nano-defenders, embedded into your site, can detect cloned websites in real-time and provide advanced insights into attackers, their locations, and details of affected victims. These capabilities allow you to quickly alert your customers, work to take down malicious sites used in triangulation fraud and minimize damage.
Additionally, Memcyco's red alert system warns users if they visit a fake site mimicking yours, preventing them from unknowingly sharing their payment details when making purchases. Contact us to learn how Memcyco can safeguard your eCommerce shop and bottom line from triangulation fraud.
Top comments (0)