With ecommerce shopping now commonplace, customers are becoming more comfortable – and more savvy – making purchases online. Experts say that nearly one-quarter of all retail sales is spent online and ecommerce sales will exceed $7.3 trillion by 2025. That creates a fantastic problem for retailers – more customers, more potential for sales, and more revenue.
But there’s also more risk involved.
Ecommerce fraud accounted for losses of $20 billion in 2021. The opportunities for fraudsters are just as great as they are for consumers. Especially with the latest technologies that make it easy to steal customer identities and execute elaborate schemes, including a tactic called triangulation fraud.
This scheme is sneaky because it is designed to exploit customers and make them unwitting participants in crimes without raising a single red flag. Unless you know how to recognize triangulation fraud.
Triangulation fraud happens when an innocent customer makes a purchase on a third-party marketplace, except the item they receive was fraudulently purchased from another retailer’s website.
Here’s how it happens:
To get to the bottom of preventing this scheme, you need to understand how fraudsters get the stolen payment information.
Triangulation fraud is tough to detect because it is perpetrated using stolen payment data. Fraudsters have several avenues to find it.
Data breaches, like the massive Facebook database leak in January 2021, create a treasure trove of user data for fraudsters. The Facebook database contained more than 533 million verified records from 106 countries, including over 32 million records on users in the United States, 11 million on users in the United Kingdom, and 6 million on users in India. That compromised data included users’ phone numbers associated with IDs and full names, locations, birthdays, bios, and some email addresses.
Once it was posted on an easy-to-hack, ungated forum, cybercriminals had a field day.
Phishing scams happen when a fraudster sends a link via email, text message, or even social media that looks trustworthy, but clicking the link automatically installs software (known as malware) that gives the fraudster access to the users' device.
From there, fraudsters can capture user-entered login credentials and personal information that can be used to access accounts and make fraudulent purchases. More than 450,000 new malware programs are identified every day, and the number of malware programs totals more than 1.3 billion.
Fraudsters can also capture credit card data using skimming devices, which are attached to devices at places like gas stations, ATMs, and other places where a card swipe is necessary. While the popularity of contactless payments has shifted how many consumers use their credit cards, there still are plenty of opportunities for fraudsters to use this tactic. Fraud related to card skimmers is increasing at a rate of nearly 10% per year.
Mobile wallets and other smartphone-based payments are giving fraudsters another target. By hijacking users’ mobile phones, they can access credit card data, intercept calls from banks and other financial institutions, and confirm charges.
All of these tactics can lead to account takeovers and account takeover fraud, which accounted for every fifth login attempt and 13% of U.S. ecommerce fraud costs in 2021. Once fraudsters have access to their victims’ accounts, they can perpetrate triangulation fraud with ease.
What makes this type of fraud unique is that the legitimate customer may never realize anything suspicious is going on. They placed an order, and they received the item they expected to. So, they never have a need to complain to the company that sent the product. In fact, the transaction may have gone so smoothly that the customer leaves a positive review for the fraudster, boosting the fraudster’s ranking and increasing the likelihood of future sales.
The transaction looks just as ordinary from the legitimate retailer’s side, too, so these fraudulent purchases rarely raise any red flags. But they’re not nearly as innocent as they seem.
Here’s how triangulation fraud impacts the parties involved, starting with the legitimate cardholder.
The legitimate cardholder finds out the worst way that their personal data has being used to make fraudulent purchases – by finding them on their statements. It’s one of the worst feelings to see those transactions on their credit card bill or payment log. They often feel violated, scared and even angry at the online retailer for allowing a fraudulent purchase to be made.
The cardholder will be reimbursed for the cost of these transactions, but they have to go through the chargeback process to dispute it. As the online retailer tries to determine why this customer is continuously initiating chargebacks, it may decide to set a rule that automatically declines transactions with the users’ card details. If this happens, the legitimate customer may not be able to shop on that site with no understanding why.
Triangulation fraud is also obviously a negative impact on retailers.
Not only does the online retailer lose the cost of the shipped goods and the cost of shipping, but they also have to deal with a swath of costly chargebacks.
Disputing chargebacks is time-intensive. In the case of triangulation fraud, the online retailer will always lose, which results in fees and the risk of being placed in a monitoring program by the issuing bank.
For small businesses, chargeback fees can be catastrophic. Mid-size and enterprise retailers, on the other hand, tend not to pay as much attention to chargebacks and may think of chargebacks as the cost of doing business. So those companies can easily find themselves with a huge chargeback issue that seems to come out of nowhere and eats away at profits.
But that’s not even the worse part for online retailers.
If a retailer decides to fight triangulation fraud by declining transactions associated with specific card numbers, they will increase their number of false declines. And what we learned from our original research, State of Consumer Attitudes on Ecommerce, Fraud & CX 2021, is that consumers do not respond well to being declined.
Online businesses will lose the lifetime value of about 40% of the customers they falsely decline. And 34% of them will do their best to take down the company’s online reputation by sharing their experience on social media channels.
What about the innocent customer who’s just trying to make a purchase?
They suffer as well.
Despite being an innocent bystander in the triangulation scheme, those customers possess stolen merchandise. Almost certainly, any or all of their personal data – name, card number, address – will be added to fraud databases and the retailer’s deny list. A deny list contains customer data that should always result in a declined transaction. Do not pass “go”; do not collect $200.
What does that mean? You guessed it, more false declines, more unhappy customers, and less revenue.
Ecommerce businesses have to find ways to fight triangulation fraud by reducing their risk.
Any business can be at risk of triangulation fraud, but there are certain businesses that make better targets than others.
Companies in “high-risk” industries are particularly at risk. What makes an online retailer “high-risk?”
Smart businesses can protect themselves with a few simple steps.
For triangulation fraud to work, valid customers have to be duped into thinking that a third-party marketplace is a legitimate site. But if you make a point of communicating to your customers on your site what makes it legitimate – and what to look for on a fake site – they may be less likely to make the mistake.
Encourage customers to pay attention to reviews. If they all sound the same or like they were written by a machine, odds are the site is an imposter. And make sure they know that when a deal seems too good to be true, it probably is. Also keep in mind that the pandemic has brought a large number of consumers into the fold. They are green around the gills when it comes to ecommerce shopping and more likely to be victims.
Simple fraud filters won’t be able to catch every instance of triangulation fraud, but they can help. Adding device IDs to the fraud filter mix may help increase the chances of catching fraud, since these fraud rings often place multiple orders from the same set of devices. Another fraud filter to consider integrating is link analysis to identify and connect common data points in order to use the results to strengthen data analytics.
But don’t rely solely on fraud filters. That will definitely get you into trouble and increase your false decline rate. The best way to use fraud filters is to flag suspicious transactions that need further investigation as part of a robust strategy.
A truly effective defense against triangulation fraud, chargebacks and brand reputation issues related to false declines involves a hybrid approach.
At ClearSale, our AI-enabled software leans on machine learning to automatically approve transactions, flag suspicious orders for secondary review – usually no more than 2% or 3% – and conduct any rare but necessary consumer follow ups using a customer-centric model. As the results of secondary reviews are fed into the system and more orders are processed, our solution “learns” customer behavior, improving the automatic approval algorithm and resulting in fewer false declines.
And because the secondary reviews are performed by our team of over 1,500 fraud analysts who are incredibly experienced – we successfully fight fraud in the most high-risk regions in the world – we’re able to help clients better understand how to improve other aspects of their business that contribute to customer experience and fraud.
ClearSale’s comprehensive ecommerce fraud prevention program might be just what your business needs to protect itself against triangulation fraud. Contact us to see if our solution is right for you.