How Does Triangulation Fraud Work?A Behind-the-Scenes Look at a Devious Digital Shell Game
How Does Triangulation Fraud Work? Outlining the Triangulation Scam Process
To the untrained eye, it looks like a standard eCommerce transaction: a customer makes an online purchase and a package arrives a few days later. But peel back the layers, and you’ll find a network of deceit that runs on stolen data and, increasingly, without manual involvement at all.
Think of it like a digital game of three-card monty. The fraudster is always one step ahead in this shell game, though, capitalizing on speed and confusion to monetize stolen cards before anyone realizes a crime has been committed.
In this chapter, I explore how triangulation fraud really works, talk about emerging tactics, and discuss why it’s so hard for marketplaces to put an end to this type of fraud.
Triangulation Fraud
In a triangulation scam, a fraudster sets up a fake eCommerce store, attracts real buyers, and uses stolen payment details to dropship an item from a real store. This guide explains how triangulation fraud works, the financial impact of this threat, prevention best practices, and more.
How Does Triangulation Fraud Work?
A criminal creates an online store, then lists products for sale at unusually low prices. When a cardholder makes a purchase, the fraudster turns around and buys the goods specified from a legitimate seller using stolen cardholder information. The merchant then ships the product to the buyer, while the scammer pockets the difference.
First, the fraudster sets up operations on a marketplace site. eBay is a popular option, but any site with a marketplace that allows third-party sellers to operate will work. The criminal then lists products for sale at unusually low prices.
When a cardholder makes a purchase, the fraudster then turns around and buys the goods from a legitimate seller using stolen cardholder information. The fraudster sets the shipping address to match that of the customer. The legitimate merchant then ships the product to the buyer.
The fraudster pockets the money from the original sale, while the legitimate merchant gets paid using a stolen payment card. This triangulation fraud loop can be repeated over and over again if the merchant lacks appropriate fraud detection tools and other safeguards in place to prevent abuse.
Of course, this becomes the merchant’s problem when the owner of the stolen information notices unauthorized charges on their statement. The cardholder disputes the charges, and the merchant ends up facing a wave of chargebacks as a result.
Automation & AI: How Criminals Scale Triangulation Fraud
Manually engaging in triangulation fraud is time consuming. So, scammers increasingly turn to AI and automation to facilitate their activities.
Bad actors can’t type in stolen credit card numbers manually if they want to carry out triangulation fraud attacks at scale. To increase the scope of their fraudulent operations, criminals may use tools like bot networks, which enable fraudsters to display hundreds of fake listings and place thousands of fake orders simultaneously.
Exacerbating this problem are AI-powered tools, which are being co-opted by triangulation fraudsters to personalize and customize fake online storefronts at scales. For example, bad actors can use AI tools to either outright generate or scrape product images and descriptions from legitimate retailers to ensure their fake listings remain up-to-date. Fraudsters can likewise use AI tools to monitor pricing across platforms and dynamically adjust prices when legitimate merchants adjust theirs.
Arguably the most damaging way AI is used in triangulation frauds, however, is to help criminals place orders with legitimate merchants, all with little to no human intervention. With the help of automation, fraudsters can target the same merchant hundreds of times with synthetic identities and fraudulent new accounts before any recognizable fraud patterns emerge, making triangulation fraud significantly more difficult to detect.
In April 2024, Security Research Labs uncovered a fake eCommerce network known as “BogusBazaar” that hosted over 75,000 fake sites. According to the cybersecurity company, over 850,000 customers placed orders worth $50 million with BogusBazaar before the network was discovered.
Why is Triangulation Fraud So Hard for Marketplaces to Stop?
Triangulation fraud is hard to stop because initial transactions appear legitimate, scammers hijack high-trust accounts, there are conflicting financial incentives, delays in enforcement, and a “whack-a-mole” effect.
Marketplaces are designed to facilitate transactions, not impede them. While a lack of friction is typically good business, triangulation fraudsters exploit the same features intended to create a seamless user experience to their advantage. Specifically, marketplaces tend to struggle with triangulation fraud because this type of illicit activity involves:
