Ecommerce Fraud Prevention: A Merchant's Guide for 2026

By Nick Dunse, June 10, 2021

Prevent ecommerce fraud with 3D Secure, AVS, velocity checks, and ML detection. Cover fraud types, PCI compliance, and chargeback management.

Ecommerce fraud costs merchants billions every year — and the problem is accelerating. Global card-not-present (CNP) fraud losses are projected to exceed $50 billion by 2027, driven by increasingly sophisticated attack vectors and the sheer growth of online transactions.

For merchants and platforms processing payments online, fraud prevention is not optional. Every fraudulent transaction creates direct financial loss, triggers chargebacks with associated fees, and erodes customer trust. This guide covers the types of ecommerce fraud you need to understand, the tools and best practices for detection and prevention, and how to build a layered defence that protects revenue without creating excessive friction for legitimate customers.

Types of Ecommerce Fraud

Ecommerce fraud takes many forms. Understanding each type is the first step toward building effective merchant fraud prevention. Here are the most common attack patterns:

Card Testing Fraud

Fraudsters use stolen card numbers to make small test purchases — often just a few pence — to verify which cards are still active. Once confirmed, they use those cards for larger purchases elsewhere. Card testing attacks often come in rapid bursts, with dozens or hundreds of low-value transactions hitting your checkout within minutes.

Friendly Fraud and Chargebacks

Friendly fraud — also called first-party fraud — occurs when a legitimate cardholder makes a purchase and then disputes the charge with their bank, claiming the transaction was unauthorised or the goods never arrived. This is one of the most difficult fraud types to prevent because the transaction itself is genuine. Some estimates suggest friendly fraud accounts for 40-80% of all chargebacks.

Account Takeover (ATO)

In account takeover attacks, fraudsters gain access to a legitimate customer's account using stolen credentials, phishing, or credential stuffing. Once inside, they change shipping addresses, make purchases with stored payment methods, or extract personal data. ATO attacks have surged with the availability of breached credential databases on the dark web.

Card-Not-Present (CNP) Fraud

CNP fraud is the broadest category — any fraudulent transaction where the physical card is not presented. This includes all online, phone, and mail-order fraud. Because the merchant cannot physically verify the card, CNP transactions carry higher risk and higher interchange fees. CNP fraud represents the vast majority of ecommerce fraud losses.

Triangulation Fraud

Triangulation fraud involves three parties: the fraudster, a legitimate customer, and a legitimate merchant. The fraudster sets up a fake storefront offering goods at attractive prices. When a customer places an order, the fraudster uses stolen card details to purchase the item from a real merchant and ships it to the customer. The real cardholder eventually disputes the charge, and the legitimate merchant bears the chargeback.

The True Cost of Ecommerce Fraud

The financial impact of fraud extends far beyond the value of the stolen goods or services. For every pound lost to fraud, merchants typically lose £3-4 when you factor in all associated costs:

  • Chargeback fees — typically £15-25 per dispute, regardless of outcome

  • Lost merchandise — goods already shipped are rarely recovered

  • Operational costs — staff time spent on manual reviews, dispute responses, and fraud investigations

  • Increased processing fees — high chargeback ratios trigger penalty programmes from card networks

  • Account termination risk — exceeding Visa's 0.9% or Mastercard's 1.5% chargeback threshold can result in fines or loss of processing ability

  • Reputational damage — customers who experience fraud on your platform may never return

Prevention is always cheaper than remediation. A robust ecommerce fraud prevention strategy pays for itself many times over.

Fraud Detection Tools and Technologies

Modern ecommerce fraud protection relies on multiple layers of detection working together. No single tool catches everything — effective fraud prevention combines several technologies.

3D Secure (3DS2)

3D Secure adds an authentication step during checkout where the cardholder's bank verifies their identity. The latest version, 3DS2, uses risk-based authentication — low-risk transactions pass through seamlessly while higher-risk ones trigger additional verification. 3DS2 also shifts chargeback liability from the merchant to the issuing bank for authenticated transactions, making it one of the most valuable fraud prevention tools available.

Address Verification Service (AVS)

AVS checks the billing address provided at checkout against the address on file with the card issuer. Mismatches can indicate fraud. While AVS is not foolproof — fraudsters sometimes have access to billing addresses — it adds a useful signal to your risk scoring. AVS is most effective when used alongside other verification methods rather than as a standalone check.

CVV Verification

Requiring the card verification value (CVV) — the 3 or 4 digit code on the card — helps confirm that the person making the purchase has physical access to the card. Stolen card numbers obtained from data breaches often do not include the CVV, so this simple check blocks a meaningful percentage of fraudulent attempts.

Velocity Checks

Velocity checks monitor the rate and frequency of transactions to detect suspicious patterns. For example, you might flag or block activity where a single IP address attempts more than five transactions in ten minutes, a single card number is used across multiple accounts, or a shipping address receives orders from many different cards in a short period. Velocity checks are particularly effective against card testing attacks and bot-driven fraud.
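
Rules like these are straightforward to implement as sliding windows over recent attempts, keyed on the attribute being counted. The following Python velocity checker is an added example, not code from the article or from any payment processor. It implements the three rules the paragraph lists; the limits for the card-per-account and cards-per-address rules, and the sample attempts (constructed to look like a card-testing burst, one card presented by several accounts, and one shipping address collecting orders from many cards) are assumptions.

```python
"""Sliding-window velocity checks over a stream of checkout attempts.

Added example; not code from the article or from any payment processor.
The three rules mirror the ones the text lists: more than five attempts from
one IP address in ten minutes, one card number used across multiple accounts,
and one shipping address receiving orders from many different cards. The
per-card and per-address limits and the sample attempts are assumptions.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    card_hash: str    # keyed on a hash/token of the PAN, never the raw card number
    account_id: str
    ship_addr: str
    amount_pence: int


class VelocityChecker:
    """Keeps a ten-minute history per key and evaluates each attempt as it arrives."""

    def __init__(self, window: timedelta = timedelta(minutes=10),
                 max_ip_attempts: int = 5, max_accounts_per_card: int = 2,
                 max_cards_per_addr: int = 3) -> None:
        self.window = window
        self.max_ip_attempts = max_ip_attempts
        self.max_accounts_per_card = max_accounts_per_card
        self.max_cards_per_addr = max_cards_per_addr
        # key -> deque of (timestamp, associated value), oldest first
        self.by_ip: dict[str, deque] = defaultdict(deque)
        self.by_card: dict[str, deque] = defaultdict(deque)
        self.by_addr: dict[str, deque] = defaultdict(deque)

    def _prune(self, dq: deque, now: datetime) -> None:
        """Drop entries that have aged out of the window (deques are time-ordered)."""
        while dq and now - dq[0][0] > self.window:
            dq.popleft()

    def check(self, a: Attempt) -> list[str]:
        """Record the attempt and return the names of the velocity rules it trips."""
        ip_hist, card_hist, addr_hist = self.by_ip[a.ip], self.by_card[a.card_hash], self.by_addr[a.ship_addr]
        for dq in (ip_hist, card_hist, addr_hist):
            self._prune(dq, a.ts)
        ip_hist.append((a.ts, None))
        card_hist.append((a.ts, a.account_id))
        addr_hist.append((a.ts, a.card_hash))

        flags: list[str] = []
        if len(ip_hist) > self.max_ip_attempts:
            flags.append("ip_velocity")
        if len({acct for _, acct in card_hist}) > self.max_accounts_per_card:
            flags.append("card_shared_across_accounts")
        if len({card for _, card in addr_hist}) > self.max_cards_per_addr:
            flags.append("many_cards_one_address")
        return flags


def run_sample() -> dict[str, list[str]]:
    """Replay constructed attempts and return the flags raised for each, keyed by attempt id."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    attempts: list[tuple[str, Attempt]] = []
    # Seven 99p attempts from one IP in two minutes, each with a fresh card: card-testing burst.
    for i in range(7):
        attempts.append((f"test{i}", Attempt(t0 + timedelta(seconds=20 * i), "203.0.113.9",
                                              f"card{i}", "acct_new", f"{i} Test St", 99)))
    # One card presented by three different accounts from three IPs.
    for j, acct in enumerate(("acct_a", "acct_b", "acct_c")):
        attempts.append((f"share{j}", Attempt(t0 + timedelta(minutes=5, seconds=30 * j),
                                               f"198.51.100.{j}", "cardX", acct, f"{j} Shared Rd", 4500)))
    # Four different cards shipping to the same address within three minutes.
    for k in range(4):
        attempts.append((f"drop{k}", Attempt(t0 + timedelta(minutes=8 + k), f"192.0.2.{k}",
                                              f"dropcard{k}", f"acct_drop{k}", "9 Drop Ln", 12000)))
    # The burst IP returns twenty minutes later: its earlier attempts have left the window.
    attempts.append(("later", Attempt(t0 + timedelta(minutes=20), "203.0.113.9",
                                       "card7", "acct_new", "7 Test St", 99)))

    checker = VelocityChecker()
    return {attempt_id: checker.check(a) for attempt_id, a in attempts}


if __name__ == "__main__":
    for attempt_id, flags in run_sample().items():
        print(f"{attempt_id:7s} {flags or 'ok'}")
```

In the sample the sixth and seventh attempts from the burst IP trip `ip_velocity`, the third account to present `cardX` trips `card_shared_across_accounts`, and the fourth card shipping to `9 Drop Ln` trips `many_cards_one_address`; the late attempt from the burst IP is clean because the window has slid past the earlier activity. The in-memory deques are for illustration: a real checkout runs on many nodes, so the per-key history belongs in a shared store with the same expiry semantics, and card keys must be tokens or hashes so the rules engine stays out of PCI scope.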

Machine Learning and AI-Based Detection

Machine learning models analyse hundreds of data points per transaction — device fingerprint, behavioural patterns, transaction history, geolocation, and more — to generate real-time risk scores. Major payment processors offer built-in ML-based fraud tools: Stripe offers Radar, while Adyen provides RevenueProtect. These systems continuously learn from network-wide transaction data, improving accuracy over time. For platforms processing across multiple PSPs, a payment layer can normalise fraud signals and apply consistent rules regardless of which processor handles the transaction.

Ecommerce Fraud Prevention Best Practices

Beyond deploying specific tools, these best practices form the foundation of a strong ecommerce fraud prevention strategy:

  • Layer your defences. Use multiple fraud signals together. A transaction that passes AVS but fails velocity checks should still be flagged. No single tool is sufficient on its own.

  • Set risk thresholds by transaction value. Apply stricter verification for high-value orders. A £10 purchase might only need CVV, while a £500 order warrants 3DS2 plus manual review.

  • Monitor and tune rules regularly. Fraud patterns shift constantly. Review your decline rates and false positive rates monthly. Rules that were effective six months ago may now be blocking legitimate customers.

  • Track fraud metrics alongside conversion. Overly aggressive fraud rules hurt revenue more than the fraud itself. Measure false decline rates as carefully as you measure fraud rates.

  • Implement device fingerprinting. Track device characteristics (browser, OS, screen resolution, installed fonts) to identify returning fraudsters even when they change IP addresses or use new card numbers.

  • Require strong customer authentication. Where regulations permit, enforce two-factor authentication for account creation, login, and payment. This drastically reduces account takeover and CNP fraud.

  • Keep fraud rules separate from your core checkout flow. This lets you update fraud logic without redeploying your entire checkout, and makes it easier to A/B test rule changes.
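
One way to put the first two practices into code is a decision function that combines the independent signals and applies stricter requirements as order value rises. The block below is an added example written for this guide, not code from the article or from any processor's rules engine. The value tiers, point values and the simplified AVS labels are assumptions (real AVS responses are single-letter network codes); the cases in the `__main__` section are constructed.

```python
"""Layered, value-tiered decision policy for one checkout attempt.

Added example; not code from the article or from any processor's rules engine.
It mirrors the practices above: independent signals (CVV, AVS, velocity,
device reputation) are combined rather than trusted one at a time, a £10 order
needs only a CVV match, and a £500 order is stepped up through 3DS2 and then
reviewed. The tier boundaries, point values and AVS labels are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum


class Action(Enum):
    APPROVE = "approve"
    CHALLENGE_3DS = "challenge_3ds"   # ask the PSP to run a 3DS2 challenge, then re-run decide()
    MANUAL_REVIEW = "manual_review"
    DECLINE = "decline"


@dataclass(frozen=True)
class Signals:
    amount_pence: int
    cvv_match: bool
    avs_result: str                       # "full", "partial", "none" or "unavailable" (assumed labels)
    velocity_flags: tuple[str, ...] = ()  # rule names emitted by a velocity checker, if any
    device_seen_in_fraud: bool = False    # device fingerprint previously tied to confirmed fraud
    authenticated_3ds: bool = False       # True once the issuer has authenticated the cardholder


# Assumed tiers and cut-offs; tune them against your own decline and false-positive rates.
LOW_VALUE_PENCE = 2000     # at or below: CVV is the only mandatory check
HIGH_VALUE_PENCE = 25000   # at or above: 3DS2 first, then review anything not clean
STEP_UP_SCORE = 20
REVIEW_SCORE = 40
DECLINE_SCORE = 60
AVS_POINTS = {"full": 0, "partial": 10, "none": 15, "unavailable": 5}


def risk_score(s: Signals) -> int:
    """Additive score: each layer contributes on its own, so one clean signal cannot mask another."""
    score = AVS_POINTS[s.avs_result]
    score += 20 * len(s.velocity_flags)
    if s.device_seen_in_fraud:
        score += DECLINE_SCORE
    return score


def decide(s: Signals) -> Action:
    """Map the signals gathered for one attempt to an action."""
    # Hard stop at any value: card numbers from breaches usually come without the CVV.
    if not s.cvv_match:
        return Action.DECLINE
    score = risk_score(s)
    if score >= DECLINE_SCORE:
        return Action.DECLINE
    if s.amount_pence >= HIGH_VALUE_PENCE:
        # High value: always step up (liability shift), then review unless every signal is clean.
        if not s.authenticated_3ds:
            return Action.CHALLENGE_3DS
        return Action.MANUAL_REVIEW if score > 0 else Action.APPROVE
    if s.amount_pence <= LOW_VALUE_PENCE:
        # Low value: CVV has passed. A velocity hit on a tiny order is the card-testing signature
        # and a false decline here is cheap, so block outright instead of spending review time.
        return Action.DECLINE if s.velocity_flags else Action.APPROVE
    # Mid value: step up when signals disagree (e.g. AVS passes but velocity trips),
    # review when several stack up after authentication, approve otherwise.
    if score >= STEP_UP_SCORE and not s.authenticated_3ds:
        return Action.CHALLENGE_3DS
    return Action.MANUAL_REVIEW if score >= REVIEW_SCORE else Action.APPROVE


if __name__ == "__main__":
    # Constructed cases covering each branch; a real caller re-runs decide() after the 3DS2 step.
    mid = Signals(8000, cvv_match=True, avs_result="full", velocity_flags=("ip_velocity",))
    for label, sig in [("£10, CVV ok", Signals(1000, True, "unavailable")),
                       ("99p in a burst", Signals(99, True, "none", ("ip_velocity",))),
                       ("£500, first pass", Signals(50000, True, "partial")),
                       ("£500, after 3DS2", Signals(50000, True, "partial", authenticated_3ds=True)),
                       ("£80, AVS ok but velocity", mid),
                       ("£80, same after 3DS2", replace(mid, authenticated_3ds=True))]:
        print(f"{label:28s} -> {decide(sig).value}")
```

Keeping `decide()` a pure function of a `Signals` record is what makes the last practice above workable: the policy can be versioned, replayed against yesterday's traffic to measure how many legitimate orders a rule change would have declined, and swapped without touching the checkout itself.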

The Role of PCI Compliance in Fraud Prevention

PCI DSS (Payment Card Industry Data Security Standard) compliance is not just a regulatory checkbox — it is a fundamental component of ecommerce fraud protection. PCI compliance requirements are specifically designed to protect cardholder data from breaches that fuel downstream fraud.

Key PCI requirements that directly prevent fraud include:

  • Encryption of cardholder data in transit and at rest

  • Tokenisation — replacing card numbers with non-sensitive tokens that are useless to attackers

  • Network segmentation to limit the blast radius of any breach

  • Regular vulnerability scanning and penetration testing

  • Access controls that restrict who can view or process card data

For platforms that embed payments into their software, PCI scope is a critical consideration. Using a PCI-compliant payment layer means your platform never touches raw card data, dramatically reducing both compliance burden and fraud risk for your merchants.

Payment Gateway Fraud Features

Most modern payment gateways include built-in fraud prevention capabilities. When evaluating a gateway or PSP, look for these features:

  • Real-time risk scoring — ML-based risk assessment on every transaction before authorisation

  • Customisable rules engine — ability to create, test, and deploy fraud rules specific to your business

  • Block and allow lists — maintain lists of known fraudulent and trusted identifiers (emails, IPs, card BINs)

  • 3D Secure integration — native support for 3DS2 with risk-based triggering

  • Dispute management — tools to track, respond to, and analyse chargebacks

  • Network-level intelligence — fraud signals derived from the processor's entire transaction network, not just your data

Platforms that work with multiple PSPs face a unique challenge: fraud tools are typically siloed within each processor. A payment orchestration layer can aggregate fraud signals across all your payment providers, giving you a unified view and consistent rules regardless of which PSP processes a given transaction.

Chargeback Management and Prevention

Chargebacks are the most visible consequence of ecommerce fraud, and managing them effectively is essential. A proactive chargeback management strategy includes prevention, response, and analysis.

Prevention strategies:

  • Use clear billing descriptors so customers recognise charges on their statements

  • Send order confirmation and shipping notification emails promptly

  • Make your refund policy easily accessible and honour it consistently

  • Provide responsive customer support — many chargebacks happen because the customer could not reach the merchant

  • Use chargeback alert services (Ethoca, Verifi) to resolve disputes before they become formal chargebacks

Response strategies:

  • Respond to every chargeback within the deadline — even if you think you will lose, the data helps identify patterns

  • Compile compelling evidence packages: delivery confirmation, customer correspondence, IP logs, device data, AVS/CVV match results

  • Track win rates by reason code to focus your prevention efforts on the categories where you lose most

Analysis is the most underrated part of chargeback management. Review chargeback data monthly to identify trends: which products attract the most disputes, which acquisition channels produce the most friendly fraud, and which fraud rules missed the transactions that later became chargebacks.

Building a Fraud Prevention Strategy for Platforms

If you operate a platform or marketplace where multiple merchants process payments, fraud prevention becomes more complex. You need to protect both the platform and your merchants, and fraud can come from either side — external attackers targeting merchants, or merchants themselves committing fraud against the platform.

Key considerations for platforms building fraud prevention:

  • Onboarding KYC/KYB — verify merchant identities before allowing them to process payments. This prevents fraudsters from using your platform to cash out stolen cards.

  • Platform-level fraud rules — apply baseline fraud rules across all merchants, with the ability for individual merchants to add stricter rules for their specific use case.

  • Cross-merchant intelligence — a fraudster blocked by one merchant on your platform should be flagged across all merchants. This is where a unified payment layer adds significant value.

  • Chargeback monitoring by merchant — track chargeback rates at the individual merchant level and intervene before a single merchant's fraud rate threatens your platform's processing agreement.

  • Multi-PSP consistency — if your platform routes transactions through multiple payment processors, ensure fraud rules apply consistently. A payment orchestration layer normalises this, so merchants get the same protection regardless of which PSP processes their transaction.

Emerging Threats and Future Trends

Ecommerce fraud is evolving rapidly. Merchants and platforms need to stay ahead of these emerging trends:

  • AI-generated deepfakes — synthetic voices and video are being used to bypass KYC and identity verification processes. Expect biometric authentication to become standard.

  • Agentic commerce fraud — as AI agents begin making purchases autonomously, new fraud vectors emerge around agent impersonation and authorisation manipulation.

  • Buy Now Pay Later (BNPL) fraud — fraudsters exploit BNPL services to receive goods immediately using synthetic identities, with no intention of repaying.

  • Cross-channel fraud — attackers combine online and offline channels (e.g., social engineering a call centre to reset credentials, then using them online). Unified fraud detection across all payment channels is becoming essential.

The most effective defence against emerging threats is a flexible, multi-layered fraud prevention architecture that can adapt quickly as new attack patterns emerge.

Frequently Asked Questions

What is the most common type of ecommerce fraud?

Card-not-present (CNP) fraud is the most common type, accounting for the majority of ecommerce fraud losses. Within CNP fraud, friendly fraud (chargebacks from legitimate cardholders) and card testing are the most frequent attack patterns merchants encounter. Friendly fraud is particularly challenging because the original transaction is genuine.

How does 3D Secure help prevent fraud?

3D Secure (3DS2) adds an authentication step where the cardholder's bank verifies their identity during checkout. It uses risk-based authentication, so low-risk transactions pass through without friction while higher-risk ones trigger additional verification such as a one-time passcode or biometric check. Critically, 3DS2 also shifts chargeback liability from the merchant to the issuing bank for successfully authenticated transactions.

What chargeback rate is considered too high?

Visa's monitoring threshold is 0.9% (chargebacks as a percentage of transactions), and Mastercard's is 1.5%. Exceeding these thresholds puts you into a monitoring programme with escalating fines, typically starting at $25,000 per month. Sustained high rates can result in loss of processing privileges. Best practice is to keep your chargeback rate below 0.5% and investigate immediately if it trends upward.

Do I need PCI compliance if I use a hosted checkout?

Yes, but your compliance scope is significantly reduced. If you use a hosted checkout or payment page provided by your payment processor, you typically qualify for the shortest PCI self-assessment questionnaire (SAQ A), which has around 20 requirements rather than the 300+ in the full SAQ D. You still need to ensure your website is secure and that you handle any cardholder data that passes through your systems appropriately.

How can platforms manage fraud across multiple merchants?

Platforms should implement baseline fraud rules that apply across all merchants, combined with per-merchant chargeback monitoring and cross-merchant fraud intelligence sharing. A payment orchestration layer unifies fraud signals across multiple PSPs so that a fraudster detected on one processor is blocked on all of them. This is particularly important for platforms routing transactions through different providers based on geography, cost, or redundancy. Get in touch to learn how a unified payment layer can simplify fraud management for your platform.
