Triangulation fraud: The costly scam hitting online retailers

In this Help Net Security interview, Mike Lemberger, Visa’s SVP, Chief Risk Officer, North America, discusses the severe financial losses resulting from triangulation fraud, estimating monthly losses to range from $660 million to $1 billion among merchants.

He also highlights the emerging threat of AI-powered voice scams, urging businesses to implement MFA, behavioral biometrics, and employee education to mitigate vulnerabilities and foster collaboration among businesses, technology providers, and regulatory bodies.


Could you shed light on the severe financial losses that result from triangulation fraud and explain the intricacies of this scheme?

The payments industry estimates triangulation fraud causes financial losses among merchants to range from $660 million to $1 billion monthly. With this fraud scheme, threat actors create illegitimate online storefronts where they offer bargains on in-demand or luxury goods and services. The illegitimate merchant then uses an unassociated, legitimate merchant to fulfill the customer’s order and pays for the goods or services using stolen payment information, often obtained via cybercrime underground marketplaces.

This enables the threat actor to monetize the stolen payment account through a seemingly legitimate transaction. The illegitimate merchant then requests a positive rating from the customer, which increases the illegitimate merchant’s relevance in search engine results and boosts its credibility.

What immediate actions should security professionals in the finance and retail sectors take to protect their operations from these fraud threats?

Establish strong merchant onboarding practices to prevent fraudulent merchants from setting up shops. Threat actors often exploit weak merchant onboarding practices to set up fraudulent merchants, which is a common tactic used by threat actors perpetrating fraud schemes such as triangulation. Banks should also remain vigilant when it comes to combatting fraud from fake or newly onboarded merchants.

To prevent becoming compromised, banks can consider leveraging a screening service to identify potentially high-risk, unreliable or fraudulent merchants and third-party agents before making an onboarding decision. This will help reduce the risk exposure to fraudulent and illegal transactions and will help protect against brand damage.

AI technologies are becoming increasingly sophisticated. Unfortunately, fraudsters are finding ways to exploit them. I’m particularly interested in how they’re using AI to enhance voice scams. Do you have any real-life examples of this in action?

With AI technologies and advanced language learning models (ALMs), threat actors can now create spoofed messages nearly indistinguishable from the legitimate entity or individual, to perpetuate financial scams.

For example, threat actors are leveraging “family emergency” schemes, in which fraudsters use widely available voice cloning tools to trick targets into believing their family member is in trouble and needs money sent quickly. All it takes to create AI-generated speech is a short audio clip of a family member, which can typically be obtained from the internet or social media. By customizing language and tone, threat actors can often convince the victims to participate in phishing scams resulting in access to accounts or stolen payment credentials.

What vulnerabilities do businesses expose that allow AI-powered voice scams to be successful? How can these vulnerabilities be mitigated?

AI-powered voice scams prey on business vulnerabilities such as weak security protocols, lack of authentication methods and inadequate employee training. Businesses can mitigate these vulnerabilities through the following tactics:

  • Implement multi-factor authentication to limit access to sensitive environments and information.
  • Utilize behavioral biometrics to create digital fingerprints to authenticate identity.
  • Employ strict cardholder authentication controls to ensure that the customer is the legitimate cardholder.
  • Educate cardholders and employees on the dangers of phishing and how to identify such attacks.
  • Provide each admin user with their own user credentials. User accounts should also only be provided with the permissions vital to job responsibilities.
  • Turn on behavior analysis on anti-malware software to search for suspicious behavior and update anti-malware applications.
  • Secure remote access with strong passwords, ensuring that only the necessary individuals have permission for remote access. Disable remote access when not in use and use two-factor authentication for remote sessions.

How important is collaboration among businesses, technology providers, and regulatory bodies in combating these types of fraud? Can you mention any successful collaborative initiatives?

Inter-agency collaboration is the most important component in combating fraud, and close collaboration with partners among business, technology providers and regulatory bodies will ensure that threats to the ecosystem are effectively identified and mitigated.

Digital payments providers have access to novel techniques and technologies that can help government entities disrupt criminals targeting the financial and payments ecosystem. For example, in July of last year, Visa supported Interpol’s arrest of a key actor in the cybercrime group OPERA1ER, which is estimated to have made up to $30 million in profits from fraud schemes.

Based on current trends, how do you foresee the evolution of fraud schemes?

As we look ahead, technological advancements will unfortunately continue to aid in the proliferation of fraud schemes, such as the use of AI and ALMs to develop novel malware capable of identifying vulnerabilities within transaction messaging or fraud controls.

These tools can enable bad actors to create digital skimming code that can be embedded in online merchant checkout pages to steal sensitive payment and account data from customers who are checking out.

Also, customers will continue to be an attractive target for threat actors, and attacks will increase in volume and complexity against this target audience. It is more important than ever for organizations and individuals to be aware of how threat actors are using emerging technology to create more sophisticated fraud schemes so they can prevent falling victim.
