What is Third-Party Fraud? How Does it Impact Merchants?

What Is Third-Party Fraud? How Does It Impact Merchants?

Your online business is doing well. You had a profitable month, with a couple of large sales to brand-new customers. Everything looks rosy until you’re notified that those two new customers weren’t really customers at all: they were fraudsters, and the real cardholders were victims of identity theft.

This is a case of third-party fraud. In other words, stolen credentials were used for making an unauthorized purchase.

How does this happen? Who is liable for the damage? Let’s take a look at what constitutes third-party fraud and what differentiates it from other types of payment fraud. We’ll also look at some preventative measures merchants can take to protect their businesses.

What is Third-Party Fraud?

Third-Party Fraud: Third-party fraud refers to any crime committed by using false identification to pose as another person or organization, without that party’s knowledge or authorization.

In third-party retail fraud, criminals hide behind a false identity. The fraudster typically poses as an actual cardholder, but sometimes uses a completely synthetic profile.

Cyber-criminals take the personal information of one cardholder (or even several different cardholders) and either take over existing accounts or open accounts without the victim’s knowledge. These are often credit card accounts that can then be used to make purchases.

Third-party tactics are often used to facilitate transaction fraud. That's not true in every case, though. Criminals have even been known to apply for major loans and mortgages under false identities, for example, which also constitutes third-party fraud.

Third-party fraud has always been an issue. That said, the rise of the internet and eCommerce has made the situation exponentially worse. With in-person transactions, merchants have the ability to see the buyer, see the payment card, and even ask for further ID validation. Online sellers, however, don’t have that advantage.

Having trouble differentiating different types of fraud? More and more merchants are finding that the right outside provider can tie up fewer resources and deliver a higher ROI.

While some buyer verification is possible, the eCommerce merchant ultimately has to make a decision based on whatever limited information they have. Selling over the internet increases third-party fraud risk, so the responsibility for refunding the customer often falls to the merchant. In other words, the fraudster goes free, and the merchant is left holding the bag.

First- or Second-Party Fraud vs. Third-Party Fraud: What's the Difference?

Since third-party fraud exists, it stands to reason there would be first- and second-party fraud as well.

First-party fraud — also called first-party misuse or “friendly” fraud — is fraud committed by the actual cardholder or another authorized user. For instance, if a valid purchase is made, but the buyer disputes the transaction at a later date, that is a case of first-party fraud.

Learn more about first-party fraud

Second-party fraud is similar, except that the claims are made through an accomplice. The second person is used to mask the identity of the fraudster. Note that both of these fraud types originate with the actual cardholder.

The primary difference with third-party fraud is that the legitimate owner of the information isn’t involved at all. In fact, there may not even be a legitimate cardholder; the fraud may originate with a falsified account. All totaled, 38% of financial crimes committed in 2022 were attributed to third-party fraud.

It’s extremely hard to identify third-party fraudsters because there is nothing to truly link them to the account. Third-party fraud typically happens quickly. The crook tries to make as many purchases as possible before disappearing from view.

50 Insider Tips for Preventing More Chargebacks

In this exclusive guide, we outline the 50 most effective tools and strategies to reduce the overall number of chargebacks you receive.

Get the FREE guide

Common Types of Third-Party Fraud

The term third-party fraud is often used synonymously with “identity theft,” meaning a fraudster commandeers the victim’s digital “identity.” This is fairly accurate, but it’s a rather vague description.

If we dig a bit deeper, we see that third-party fraud can be broken into a few sub-categories:

Account Takeover

The fraudster hacks into one account and changes the information, locking out the actual owner, or perhaps redirecting purchases to a different address.

Learn more about account takeover

Synthetic Fraud

Instead of hiding behind an actual user’s account, the fraudster may use a “Frankenstein” identity cobbled together using stolen personal information from different sources.

Learn more about identity theft

Loan Stacking

The fraudster applies for a number of different loans using a false identity, but has no intention of repaying any of them. They simply pocket the funds and disappear.

New Account Fraud

Accounts are opened using fake or stolen credentials, then either maxed out and abandoned, or are leveraged to obtain other accounts.

Learn more about new account fraud

Common Question How do fraudsters steal data?

It’s not that difficult for fraudsters to obtain personal data. They may trick consumers into handing over their information via “phishing” schemes, for instance. They may also conduct a hack to steal data in bulk. The data thieves can then use that stolen information themselves, or sell it via the dark web, where entire profiles (including social security numbers) can be bought and sold for pennies.

Different fraudsters may use different techniques. Still, it’s important to recognize all of the above as examples of third-party fraud. That’s because each category of fraud requires its own approach to prevention.

First-party fraud, for example, happens post-transaction. Combatting it requires contesting invalid customer claims, or using an alerts program to catch disputes before they escalate to formal chargebacks.

In contrast, third-party fraud must be countered at the verification stage, before the transaction is completed. Advanced fraud filters employ artificial intelligence and machine learning to verify that a cardholder’s documents are genuine. Detailed customer profiles can be used to help identify any actions that seem to be out of character or don’t match the buyer’s purchase history.

Learn more about fraud filters

Prevent fraud. Recover revenue. Get started today.

Preventing Third-Party Fraud

Simply put, the best way to prevent third-party fraud is by validating buyers. As a merchant, you can’t stop identity theft from happening. What you can do is put a system in place to recognize it prior to a transaction.

There are a number of tools available to help identify risky transactions. Deploying the right fraud prevention solution is as vital as adopting the right internal processes. Here are some suggestions:

3-D Secure

Implementing 3-D Secure 2.0 technology provides an added level of security by validating the buyer’s identity using a second authentication factor.

Learn more about 3DS

Address Verification Service

Address Verification Service (AVS) automatically checks the billing address listed in the transaction against the address registered with the issuing bank.

Learn more about AVS

Tokenization

EMV cards use tokenization technology, meaning a randomized placeholder number (or “token”) is used in place of sensitive personal data, keeping data safe from interception.

Learn more about EMV chips

Fraud Blacklist/Whitelist

A blacklist helps ban known or probable fraudsters from making purchases. A whitelist does this in reverse, only allowing verified persons to buy.

Learn more about blacklisting

Device Fingerprinting

Device fingerprinting identifies devices based on unique qualities. Some of these indicators include device configurations, hardware specs, and installed software.

Learn more about device fingerprinting

Card Security Codes

Card security codes (CVV2) help ensure the shopper has physical possession of the card. These codes cannot legally be stored by either merchants or processors.

Learn more about CVV2

Geolocation

Geolocation technology compares the user’s IP address against data on file with the issuer, verifying that the order is being placed from a reasonable location.

Learn more about geolocation

Biometrics

Biometric technologies, like thumbprint scans or facial scans, can be used as part of a two-factor authentication process, verifying the buyer using a second form of ID.

Learn more about biometrics

Velocity Limits

Velocity limits, or velocity checks, scan for potential fraud based on the rate at which a buyer submits multiple transactions.

Learn more about velocity limits

In addition to the above tools, make a habit of assessing and analyzing the methods by which people present their identity. This may help detect suspicious buying activity, inconsistencies, or patterns similar to past instances of known fraud.

IMPORTANT!

The point at which you can stop a third-party fraud attack is the verification stage, before the transaction is finalized.

All fraud prevention is about combining the right tools and the right approach to combat the particular issues you’re dealing with. Even with the best strategy in the world, however, your business will still be susceptible to fraud.

Criminals get more sophisticated all the time, and staying up-to-date on the latest risks can be a full-time job on its own. The experts at Chargebacks911® are constantly uncovering new fraud threats and developing innovative strategies and technologies to combat them. This includes not only third-party fraud, but fraud from all other sources.

Need a hand preventing third-party fraud and the resulting chargebacks? No worries: we can help. Contact us today for a free demo.

FAQs

What is third-party fraud?

Third-party fraud refers to crimes committed by using false identification to pose as another person or organization, without that party’s knowledge or authorization.

The fraudster typically poses as an actual cardholder, but sometimes uses a completely synthetic profile. Cyber-criminals take the personal information of one cardholder (or even several different cardholders) and either take over existing accounts or open accounts without the victim’s knowledge.

What are examples of third-party fraud?

Common types of 3rd-party fraud include identity theft, account takeover, synthetic fraud, loan stacking, and new account fraud or application fraud. These are the general strategies used, but specific tactics can vary significantly.

What's the difference between first- and third-party fraud?

With third-party fraud, the perpetrator pretends to be someone else, using stolen personal data for unauthorized purchases. The owner of the identity is a victim, unconnected to the crime. With first-party fraud, the fraudster is using their actual identity, but misrepresents the facts of their claim to get something (such as a refund) they don’t deserve.

How many types of “party” fraud are there?

Three. In first-party fraud, an individual commits fraud under their own identity; second-party fraud involves an individual who knowingly gives their personal information to another party to commit fraud on their behalf; third-party fraud is when the fraudster uses a stolen identity to make unauthorized transactions.

What are the consequences of third-party fraud?

The laws regarding third-party retail fraudsters can vary based on location, card networks, financial institutions, and so on. That’s almost a moot point, however, as less than 1% are ever resolved by law enforcement. The consequences for banks and merchants, however, can be substantial. Estimates show that on average, fraud costs merchants between 5-7% of their annual revenue.