Triangulation fraud occurs when a buyer makes a genuine purchase on a third-party marketplace, but the seller fraudulently purchases the product from another merchant. This sophisticated form of fraud can affect any business with an online presence.
It can potentially happen on any marketplace, but I spent a year investigating triangulation fraud on the eBay platform specifically and was shocked at how prevalent it appears to be. I can personally attest to thousands of fraudulent transactions to the tune of $160k+ and that is just from one company that was targeted by this fraud.
How Does Triangulation Fraud Work?
First, the fraudulent seller creates listings on a third-party platform or marketplace for items they do not have in their possession.
An unsuspecting buyer sees the listing, usually at a "too good to be true" price, and buys the item.
The fraudulent seller then goes to a legitimate ecommerce website selling the item, places an order to ship to the unsuspecting buyer (sometimes referred to as retail arbitrage dropshipping), and uses a stolen credit card for this transaction.
The ecommerce site ships the order, not realizing it was fraud until weeks later when they receive a chargeback from the actual credit card holder.
The unsuspecting buyer receives the item they purchased and may not even realize there was fraud involved, often leaving positive feedback for the fraudulent seller.
For a few examples, check out this Krebs On Security article from 2015. Interestingly, the triangle graphic used in this article actually came from an eBay help page at the time, showing eBay has been well aware of this fraud for years.
Here's a look at triangulation fraud from the buyer perspective from Nina Kollars.
How Is eBay Involved?
When I first started talking about my experience with triangulation fraud on eBay, I'd get responses like "if the credit card fraud happens off eBay, how is that eBay's problem?"
It's a fair point and online sellers do need to take steps to protect themselves against fraud and theft. However, when a marketplace is being used to facilitate fraud and is demonstrably aware it is happening, at what point do they have an obligation to act? Where do you draw the line between "not our problem" and willing accomplice?
I personally reported over 150 accounts involved in this fraud to eBay. The reports were taken with promises of action, but over a year later, only about 2/3 of those originally reported accounts were ever shut down. Some are still actively selling or they have just taken over different accounts to continue the fraud.
I submitted an IC3 to the FBI's Internet Crimes division and a report to my state Attorney General's office. There was no response from the FBI. The state AG's office sent a boilerplate response that said:
"In regard to eBay, our office has set up a complaint process with the company. Therefore, we are forwarding your correspondence to a representative of the company and asking them to respond to both you and our office upon its review."
That complaint process turned out to be eBay's PROACT department (Partnering with Retailers Offensively Against Crime and Theft). eBay's response to the AG's office that they would reach out and work with me directly was enough to get a rubber stamped "case closed."
Unfortunately, despite eBay's promises that PROACT would work with me on this issue, they stonewalled, pretended to send emails that "must have gone to the spam folder" (they didn't), and then eventually they just stopped responding at all.
At one point, an eBay employee candidly told me this was not new, he was not surprised to hear about losses of $100k+ and he knew of several large sellers who had quit selling on eBay after being targeted but there was nothing "proactive" eBay could do to stop it.
But here's the thing - this type of "retail arbitrage drop shipping" (whether it uses stolen credit cards or not) is already a violation of eBay policies.
Full policy below but here's the relevant part:
"Listing an item on eBay and then purchasing the item from another retailer or marketplace that ships directly to your customer is not allowed on eBay."
If eBay simply enforced their existing policies when it is clearly shown an account is shipping from another retailer or marketplace, this fraud would likely stop almost instantly. Why doesn't eBay enforce this policy?
I've spoken to a few other sellers who've been hit by this kind of fraud that sold on eBay as well as having their own direct websites. I can't say to what degree there may be a correlation, but it seems like in some cases the fraudsters may troll eBay looking for hot selling products then search for those companies' websites to buy from directly.
Affected sellers are often hit with a double whammy. Not only is product being stolen from them directly, but the fraudsters may be competing against them selling on eBay too. Of course since they are not really paying for the products, their cost of goods is effectively $0 and they can afford to sell at 50%+ off regular retail prices.
If legitimate sellers in a category either quit eBay or go out of business because of this fraud, what happens when the fraudsters move on to the next hot item and leave that category gutted? That doesn't bode well for the long term health and stability of the marketplace.
I also have reason to believe many of the eBay accounts being used for this fraudulent selling are compromised accounts. The listings and accounts themselves have many red flags that led me to suspect they were previously legitimate accounts that had been taken over by the fraudsters. I also found many reports in the eBay community and on Twitter which may be anecdotal but fit with the MO of this fraud.
I have no direct insight into how these accounts are being compromised - phishing schemes, compromised email accounts, poor security protocols like using the same password across multiple websites, or brute force password cracking are just a few possibilities.
To be absolutely clear, I'm not suggesting the eBay site itself has been compromised, but many of the individual user accounts being used for this fraud may be.
While they may not be able to do much about the side of the triangle that happens off their site, eBay absolutely can and must be held accountable for the safety and security of both buyers and sellers on their platform.
eBay has said that moving to managing payments directly and cutting out PayPal will curtail this kind of fraud since there are strict Know Your Customer (KYC) regulations they have to follow.
However, I am seeing accounts enrolled in Managed Payments being used for this fraud as well. It may be slowing them down slightly, but it doesn't appear to be stopping them.
I've kept track of every account I identified and reported to eBay as part of this fraud. Out of 150 accounts originally reported throughout 2020, 45 were still active in November 2020 and at that time they were all still using PayPal. By February 2021, 19 of those 45 had been converted over to Managed Payments and were still actively selling fraudulent items.
I have continued to monitor and track new suspected fraud accounts and expect the number using Managed Payments will continue to grow as eBay pushes to enroll all sellers by the end of the year.
Identifying Fraudulent Listings
How do you know if you've been targeted by triangulation fraud? When I first encountered this fraud, it was because the company I worked for at the time suddenly saw an increase in chargebacks on low dollar amount orders which did not fit any pattern of fraud they had previously seen. They realized many of the chargebacks were for the same items, but did not at that point know about the eBay side of the fraud.
The pieces fell into place when a fraudster accidentally ordered an incorrect item and their buyer called to complain about the mistake because the company name was on the packing slip. Since I handled all eBay sales for the company, the call was routed to me. The buyer confirmed the seller name he purchased from on eBay, which led me to investigate more and connect the dots.
I developed a system for identifying, tracking and reporting these fraudulent accounts.
- Review chargeback records to identify common items that were receiving a high volume of sales that were later disputed.
- Search eBay for those items looking for sellers and listings with red flags that fit the MO for this fraud.
- Check sold history of suspect accounts - often their sales would coincide within 24 hours of a fraudulent order being placed on the website.
This research then informed internal measures to flag and verify orders that were deemed high risk for this type of fraud.
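The three steps above can be run as a simple correlation over exported records. The following is an added example, not the tracking system described in this post; the record layouts, SKU and seller names, and thresholds are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real orders or sellers).
# Disputed website orders: (order_id, sku, time order was placed)
CHARGEBACKS = [
    ("W-1001", "SKU-A", "2020-06-01T14:10"),
    ("W-1002", "SKU-A", "2020-06-03T09:30"),
    ("W-1003", "SKU-A", "2020-06-07T20:05"),
    ("W-1004", "SKU-B", "2020-06-04T11:00"),
]
# Marketplace sold history collected for suspect listings: (seller, sku, time sold)
SOLD_HISTORY = [
    ("seller_x", "SKU-A", "2020-06-01T02:45"),
    ("seller_x", "SKU-A", "2020-06-03T08:50"),
    ("seller_x", "SKU-A", "2020-06-07T01:15"),
    ("seller_y", "SKU-A", "2020-05-20T10:00"),
    ("seller_y", "SKU-B", "2020-06-10T16:00"),
]

def hot_skus(chargebacks, min_disputes=3):
    """Step 1: items with a high volume of sales that were later disputed."""
    counts = Counter(sku for _, sku, _ in chargebacks)
    return {sku for sku, n in counts.items() if n >= min_disputes}

def suspect_sellers(chargebacks, sold_history, window_hours=24,
                    min_disputes=3, min_matches=2):
    """Steps 2-3: sellers whose sales of a hot item repeatedly fall within
    window_hours of a disputed website order for the same item."""
    window = timedelta(hours=window_hours)
    skus = hot_skus(chargebacks, min_disputes)
    matches = defaultdict(set)
    for seller, sku, sold in sold_history:
        if sku not in skus:
            continue
        sold_at = datetime.fromisoformat(sold)
        for order_id, cb_sku, placed in chargebacks:
            gap = abs(datetime.fromisoformat(placed) - sold_at)
            if cb_sku == sku and gap <= window:
                matches[seller].add(order_id)
    # A single coincidence is weak evidence; require repeated matches.
    return {s: sorted(ids) for s, ids in matches.items()
            if len(ids) >= min_matches}

if __name__ == "__main__":
    for seller, orders in suspect_sellers(CHARGEBACKS, SOLD_HISTORY).items():
        print(seller, "matches disputed orders:", ", ".join(orders))
```

The matched order IDs are leads for manual review alongside the listing red flags, not proof on their own; a popular item sold by many legitimate sellers will produce coincidental matches.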
How Do You Combat Triangulation Fraud?
I'll be completely transparent: this particular fraud is sophisticated, wide-reaching and constantly adapting. I can give some possible strategies to combat this fraud, but this is not an exhaustive list and cannot be guaranteed to spot and stop 100% of fraud.
Fraudsters will often change up their payment methods. If a merchant starts requiring the bill to and ship to addresses be the same or otherwise tries to clamp down on orders paid with credit cards, they may switch to using PayPal, using the stolen credit card as the funding source in the PayPal account.
I've also seen them use stolen credit cards to buy online gift certificates, then turn around and use the gift certificate to purchase goods. I suspect that may be what happened in this situation reported on Reddit.
I highly recommend that any online business develop a comprehensive fraud prevention and detection strategy. There are many companies which offer various SaaS solutions - some even provide insurance coverage if they approve an order that is later disputed as an "unauthorized charge."
I'll refrain from endorsing any particular one, as the best fit can be highly dependent on your business needs and budget, but given the myriad ways an ecommerce company can be the victim of fraud, it's important to be proactive instead of reactive to these potential threats.
Have you been a victim of triangulation fraud?
I'd love to compare notes with other sellers who have experienced this type of fraud. Share your experience in the comments below or contact me. Requests for confidentiality will be honored.