Payment fraud is a costly headache, especially for companies selling products online — in 2024, businesses lost $35.8 billion in fraudulent credit card payments alone.

However, the true impact on businesses is much higher. In addition to losing the revenue to chargebacks (more on that process later), there are three types of costs that sellers incur when confronting payment fraud:

Direct costs

• Unrecovered goods sold. If you charge $100 for shoes that cost you $80 to buy and ship, a lost chargeback for shipped shoes means you’ve lost $180 before any other expenses.
• Chargeback fees, which are charged whether or not the merchant wins the dispute.
• Stalled cash flow. Even if the merchant wins, funds are withheld for months while the dispute is stuck in decision limbo. 
• Higher credit card processing rates as a seller’s chargeback rate increases.

Indirect costs

• Wages paid to fraud prevention teams and other costs tied to resolution processes. 
• Subscription and setup costs for fraud solutions.

Opportunity costs

• False-positive transaction declines. Some estimates put these as several times higher than actual revenue losses.
• Lost sales due to customers who are unhappy about tightened policies to reduce return fraud.
• Wasted advertising spend that drew in the fraudster.

Kinds of payment fraud

There are two major categories of payment fraud. For both, we will focus on credit card abuse, because that is the primary challenge most sellers face, though just about any form of payment can be abused.

First-party fraud, aka friendly fraud

When an individual abuses chargebacks to get goods and services without paying (or abuses policies to underpay), it’s first-party fraud, which often goes by the euphemism friendly fraud. Estimates of how common this is vary, but data shows that this form of fraud is now more common than that by third parties.

The three primary pathways of friendly fraud for online purchases are:

Chargebacks. Most friendly fraud is done by consumers disputing charges on their credit cards, and card issuers tend to take their customers’ side. The burden of proof is on the merchants, who lose the majority of these payment disputes, even many that are obviously fraudulent. (We’ll go over why and how to improve your win rate lower down.) 

Coupon and referral abuse. Consumers love a deal, and in the pursuit of one, they often cross a line into fraud. Many act like opening multiple accounts at a merchant to earn referral fees and signup bonuses, or double-dipping on coupons, is crafty shopping, but in truth it’s abusive behavior that has a real impact on sellers’ bottom lines.

Return fraud. From wardrobing (wearing clothes, then returning them) to putting a counterfeit item in the return shipment, people have found many ways to take advantage of companies’ policies around returning items. While not as devastating as chargebacks, these still cost a lot because each return costs between $10 and $40, and many items end up being unsellable or eventually sold at a discount.

Third-party fraud, a form of identity theft

When someone uses someone else’s money or credit without authorization, that’s third-party fraud, the predominant form of identity theft. Almost all third-party payment fraud is now accomplished online; less than 10% in the US is done with lost or stolen physical cards. 

A few of the many forms of online third-party payment fraud include:

Card cracking. It’s estimated that 80% of active credit card accounts have been stolen in hacks and data breaches; this data is typically sold on the dark web for criminals to try to use. However, these databases usually don’t store the CVV code and don’t always have the full details of the card owner. Card cracking is the set of procedures these thieves use to glean the missing information so they can then go on a spending spree before being noticed.

Account takeover (ATO). By using techniques like phishing or simply trying passwords from a stolen database, a criminal can force their way into someone’s account at an online seller. If the account has saved payment info, placing fraudulent orders can be straightforward and hard for the seller to identify. Buy now, pay later (BNPL) accounts are particularly attractive, because they unlock instant credit at thousands of participating retailers. (Learn more about ATO in this guide.)

New credit applications. Armed with a Social Security number (SSN) — or its equivalent outside the U.S. — and demographic information, miscreants can commit loan fraud by applying for credit card and BNPL accounts they have no intention of ever repaying. A recent trend is synthetic identity fraud, where stolen data like SSNs are blended with made-up data to create accounts for people who don’t exist. Such fraudsters tend to lift these SSNs from children and people with very thin credit profiles because they’re the least likely to discover that their credit was abused. With fake or mismatched addresses and phone info, the victim will never be alerted, so the loan fraud attempts will continue until the bank notices.

Payment fraud solutions

No single tool or technique can strike the balance of making it easy and fast for honest buyers to spend their money while throwing up roadblocks for likely fraudsters. A comprehensive payment fraud prevention stack should include:

Payment processing fraud prevention. For instance, Stripe Radar uses signals from across billions of transactions to make intelligent guesses about the legitimacy of a transaction. 

Device identification. Fingerprint sees through the tricks fraudsters use to adapt and conceal their identities by using a variety of signals to identify individual computers and mobile devices. Device identification is a powerful tool for letting the right folks shop while blocking suspicious ones.

Bot detection. There is no legitimate reason for a bot to make a purchase. Use Fingerprint’s Smart Signals to identify bots when they attempt to test credit cards or break into your customers’ accounts, so you can block them before any damage is done.

Fraud scoring. Something needs to take all the inputs and decide whether or not to approve a transaction. Fraud scoring software typically uses a combination of machine learning and defined rules to determine a risk level, based on everything from the user’s location to typos in the billing address. Many transaction risk platforms can accept inputs from various sources; this is an important feature if you’re composing a best-in-breed payment fraud prevention suite.

Techniques for payment fraud prevention

In addition to purpose-built software, there are several smart things you can do to reduce your exposure to payment fraud:

Use blocklists. This helps prevent both first- and third-party fraud. People who have defrauded you once are likely to do it again, but now that you know who they are, you can prevent them from repeating. You probably want to deny any card that’s been involved in a fraudulent chargeback, as well as close and block the reopening of associated accounts. You can also use device fingerprinting to identify and block devices tied to previous fraudulent attempts and transactions. Similar concepts apply to return and coupon abusers.

Improve your transaction descriptor. There’s very little space for describing a charge on a credit card bill: MasterCard has a 22-character limit (Visa’s is a relatively generous 25!). Some people dispute charges they willingly made simply because they don’t recognize the abbreviation on their bill. Even though it’s unintentional, this kind of chargeback is a form of fraud because it recoups payment from a legitimate transaction. If you face this challenge, consider changing how your line items look on customers’ statements.

Scrutinize small transactions. Low dollars, low risk, right? Wrong. Small purchase attempts, especially in a cluster, should raise suspicions of card testing. If criminals find you to liberally accept payments, those purchases could soon become big ones.

Single-use discounts and coupons. Generic coupon codes fly around the internet faster than celebrity gossip. Consider marketing processes that generate unique codes specific to a given customer.

Require extra verification. Merchants can decide how strict they want to be. Options include requiring two-factor identification to log into accounts, CVV codes, and accurate addresses on the purchase screen, or even direct verification with the credit card issuer.

But reduce friction for the good guys. Use device fingerprinting to boost your confidence in identifying honest customers. Consider backing off on all the roadblocks when you’re getting traffic from devices and locations you’re pretty darn sure won’t do you wrong.

Improving your chargeback win rate

Most credit cards take a very consumer-friendly approach to disputed charges. It’s frustrating that the burden is on you as the seller to prove that the customer intended to make a purchase and that you delivered goods as promised. It’s salt in the wound that you have to pay a fee and wait months to get the funds even if you win.

It’s the rate, not the dollar amount. You want to win as many first-party disputes as you can. Chargeback rates are calculated as a percentage of total transactions, not the sales amount. A $5 dispute impacts you just as much as a $500 one when it comes to your risk status with your processor. Too many chargebacks and you’ll have headaches, including higher rates and perhaps even required deposits. If it’s clear that it’s third-party fraud, though, don’t bother protesting, since you’re definitely at fault — instead, see what you can learn from the mistake.

Use device intelligence as compelling evidence. Both Visa and Mastercard officially view device fingerprinting as data points to support merchants’ arguments against fraud. This can be particularly useful for fighting friendly fraud because it helps prove  that a purchase was made on a device whose profile matches the disputer’s.

Present crystal-clear policies. A lot of friendly fraud is premised on poor customer service or broken promises. The clearer you make your policies about returns, exchanges, delivery times, etc., the better evidence you have that the consumer knowingly accepted the terms of the purchase. You can take this a step further by requiring affirmative consent with a checkbox. (Of course, excellent and easily accessed customer service will encourage your customers to contact you instead of their credit card if there’s an issue.) 

Document as much as possible. Keep thorough and tidy records of every transaction and item sent. If the quality of the item might be in debate, take pictures. If the customer calls you, take notes.

No seller wants to spend time, money, and focus fighting payment fraud, but it’s an unavoidable part of online commerce. If you want to reduce chargebacks by blocking more bad guys while smoothing the buying process for the good ones, consider adding device identification to round  out your payment fraud prevention program. Check out our demo or try Fingerprint for free — implementation is less stressful than even a single chargeback dispute!