Triangle Fraud in Brick & Mortar Retail

Date: unknown

Location: getcho.app

A while back, Krebs dropped a piece about a guy caught in triangle fraud scheme; below is the infographic he used.

When this piece came out, we didn’t know what it was called, but Getcho had been blocking triangle fraud for about six months. Today, Getcho helps retailers with their local delivery strategy and fraud protection comes out of the box.

What is triangle fraud

All over the world, bad actors buy and sell stolen credit cards on the black market. While you can buy things online with a stolen card, it’s not always easy to repay one’s “investment” and turn credit into cash. A naive strategy would be to buy merchandise and then sell it elsewhere — you could buy with credit and sell for cash.

There are two challenges with this strategy:

  1. The thief would need to send merch to a physical address before reselling it, making it possible to implicate them.
  2. The stolen credit card market is global. It would be inefficient and detectable to ship purchases outside of the victim’s country.

So criminals use a form of drop-shipping:

  1. They make an online store selling legitimate products.
  2. When a sale occurs, they use a stolen card to buy the product and deliver it directly to the (usually) innocent, unknowing recipient.

Just one more wrinkle: Victims often flag fraudulent purchases and asset protection departments investigate. Since the retailer knows the delivery address, the unknowing recipient can be contacted. They are then prone to charging back and reporting the fraud which could result in the online store being shut down.

So criminals don’t ship the merch directly. They exploit “buy online, pick-up in store” (BOPIS) processes.

  1. Criminals make the online store selling legitimate products, i.e. on eBay
  2. When a sale occurs, they use a brick & mortar store’s website to buy online. They choose “pick-up in store” for the fulfillment option
  3. They hire an unknowing courier service to collect the purchase and mail to the unknowing recipient via UPS or FedEx.

Thus the link between the criminal and the fraud vanishes. Considering there are four stakeholders — the credit card victim, the unknowing buyer, the unknowing retailer, and the delivery service — it might be more aptly called square fraud.

Catching triangle fraud

Getcho closely monitors all deliveries. One week we had a few requests to deliver laptops from a brick and mortar stores to UPS. We use LLMs to clean-up and vet delivery notes and the system kept flagging sketchy instructions to photograph the UPS receipt. That triggers a human call to the recipient which revealed a suspicious pattern:

  • Voip phone lines
  • Distant IP addresses
  • Distant billing zip codes.

When we called, the person was combative and suspicious and even failed to pronounce the name on the order.

So we blocked the order, reported the card to Stripe and alerted the police, the store and the unknowing consumer. In one case, we got a hold of the cardholder who confirmed his wallet had been stolen. For a few weeks, we played a big game of whack-a-mole and prevented a dozen instances of triangle fraud.

One time, we received a request to deliver a big order of spark plugs from a dealership to a car mechanic. Spark plugs are small and expensive, making them prime currency.

Seeing the same patterns above, we called the dealership who confirmed that they had also flagged the credit card. They said they were leery of constant spark plug purchases, but couldn’t figure out what the scam was. The mechanic was less cooperative and didn’t reveal the online store he bought from.

Preventing triangle fraud

To prevent triangle fraud automatically, we use a combination of great tools:

  • Stripe Radar and equivalents help Getcho partners detect mismatches between purchasing location and billing zip code.
  • Stripe Identity and KYC tools deter fraudsters from trying to work with our delivery networks.
  • Custom geolocation & phone look-ups flag the classic patterns, which can be benign in isolation.

Finally, we help physical retail stores with their BOPIS process. It’s important to provide in-store pick-up options since these account for 20% of orders at some stores. And many customers do delegate others to do their pick-ups, so requiring a physical ID is too stringent. Since retailers refund unclaimed BOPIS purchases, it’s in their interest to encourage a smooth pick-up.

Getcho integrates directly with ecommerce experiences like Shopify to flag orders and enable delegated pick-up or local delivery. By the time the pick-up person arrives, the store can authenticate them with Getcho and sleep easy.