nudata has been named 2023 Global InfoSec Awards Cybersecurity Service Provider of the Year for the second year in a row!
nudata named 2023 Cybersecurity Service Provider of the Year!


Identity checkpoint: nudata newsletter

Newsletter signup

Triangulation fraud: coming to an eCommerce site near you

Both retailers and cardholders are falling prey to triangulation fraud, involving an unscrupulous intermediary of which neither are even aware.

With Valentine’s Day now past and Easter excitement building, the National Retail Federation projectsconsumers will spend billions of dollars for gifts, cards, and candy. In fact, consumers spent $40 billion on Easter gifts and festivities in 2019. Some of that money will likely be lost to triangulation fraud.

Consumers shopping for a special spring outfit or Easter gift, but looking for a better deal than major retailers offer, could fall prey to triangulation fraud. This scheme involves three parties: the fraudster, the legitimate cardholder, and the buyer looking for a deal. This scheme doesn’t generally raise any red flags during the transaction but comes to light when the legitimate cardholder gets the bill or finds theirhard–earned reward points missing from their account.

What is triangulation fraud?

Here’s how it works: The fraudster uses stolen credentials to gain access to someone’s – let’s call him Vince – legitimate online retailer account (such as Amazon or Target) that contains a stored payment card or rewards points. If the fraudster were to buy and ship any goods to themselves, however, it would be suspicious and the evidence would lead right back to them.

Instead, the fraudster posts an ad selling an in-demand item at a bargain price on an auction or marketplace site. For a buyer struggling to find a deal for an expensive new phone or laptop, that “like–new” device the fraudster is selling on eBay could be a deal too good to pass up. The phone is in perfect condition because, in reality, it is brand new.

Once the fraudster receives payment from the buyer, they purchase the product from a legitimate retailer using the stored card in Vince’s account, changes the shipping address to the buyer, and away it goes! This way, the fraudster receives the money, the buyer gets their goods, and the fraudster leaves no trail to be investigated.

Two parties are left with the mess. The cardholder, Vince, has a fraudulent purchase against his account.He is going to ask for a refund and the retailer will have to investigate to decide if they grant the refund to the card.

The phone buyer will likely be contacted by the retailer in an attempt to find out what happened. The buyer will be accused of fraud and probably put into a blacklist for future online purchases. They will be requested to return the goods but they won’t receive the money back, because the bad actor has it.

In addition to those two victims, the retailer suffers a loss of goods – if they are not returned – and chargeback costs.

Overriding the fraudulent transaction, the legitimate cardholder, Vince, knows some of their his sensitive information is exposed and needs to cancel the card, update passwords and keep a close eye on his accounts to catch future fraud.

Enter the fourth victim.

As with most fraud schemes, there’s always a new twist to stay ahead of law enforcement. Triangulation fraudsters also recruit legitimate sellers to list their catalog of goods. They approach sellers with long histories and excellent ratings, promising a substantial percentage of sales, typically 30 percent according to Krebs on Security. With this fourth party added, the fraudsters are another layer away from detection.

How to reduce triangulation fraud

Reducing triangulation fraud can begin with the retailer, at login. They need a good verification solution in place that flags when an account user behaves differently, even when they have the right credentials.The solution identifies behavioral differences behind the scenes, reducing friction for authentic buyers while mitigating or flagging those unusual interactions, such as someone logging in with the right credentials but typing differently.

There is also an onus on consumers to ensure they are buying from legitimate sellers. It’s buyer beware, and it pays to be wary of deals that seem too good to be true. Consumers can protect themselves by buying directly from the product’s source or from legitimate retailers. Buyers need to do product research and read online listings carefully, examining images and descriptions. Subtle differences or spelling mistakes are a dead giveaway. When buying from an auction site, be especially careful if the product is listed as brand new or just out of the box.

Has your company been the victim of triangulation fraud or any other sophisticated scheme? We’d love to hear about it at

Sign Up for Our Newsletter

Related content

Start typing and press Enter to search