Ecommerce Fraud

Created 2026-06-17

Ecommerce fraud encompasses attempts by bad actors — and, increasingly, consumers themselves — to obtain goods, services, or money from online merchants through deception, stolen payment credentials, or abuse of platform policies. It spans the full transaction lifecycle: pre-purchase (account creation, credential stuffing), at checkout (stolen card use, card testing), and post-purchase (refund abuse, chargeback filing).


Scale and financial impact

Sift (citing MRC 2025 Global eCommerce Payments and Fraud Report) reports that European merchants lose 2.8% of revenue to fraud, and fraud accounts for 3% of all orders in Europe (as-of 2025-09-16).

Global figures are estimated from aggregator sources (no single authoritative primary publisher):

  • Global ecommerce fraud losses are estimated at $48 billion in 2025, up approximately 16% year-over-year (Capital One Shopping Research, as-of 2026)
  • A separate aggregator figure puts 2025 online payment fraud losses at $52.84 billion — slightly broader scope than ecommerce-only (Clickpost, as-of 2026)
  • Projected to reach $107 billion by 2029 at a 27.4% CAGR (WiserReview/aggregator, as-of 2026)

Friendly fraud cost figures conflict. One aggregator (Durango Merchant Services, 2025) claims friendly fraud alone costs retailers over $132 billion annually. Another (Clickpost, 2026) puts total global chargeback value at $9.40 billion for 2025. The $132B figure appears to bundle downstream costs (operational overhead, lost merchandise, fees) rather than chargeback face value. Neither cites a named primary study. Treat both with caution. Sources: durangomerchantservices.com vs. clickpost.ai

The cost multiplier for US merchants is $4.61 for every $1 of fraud (including chargebacks, fees, operational costs, and lost merchandise), up 37% from 2020 levels. This figure is sourced from Sift's own research (2025-12-11) and should be treated as vendor-produced.


Types of fraud

According to Sift (citing the MRC 2025 Global eCommerce Payments and Fraud Report), the top five fraud types in Europe are (as-of 2025-09-16):

  1. Phishing / pharming / whaling — social engineering to steal credentials or redirect users to fraudulent sites
  2. Real-time payment (RTP) fraud — exploiting the instant, irreversible settlement of SEPA Instant and UK Faster Payments; because funds move before detection is possible, recovery is near-impossible
  3. Refund / policy abuse — false "item not received" (INR) claims, returning worn or counterfeit goods, manipulating shipping/tracking data. Apparel, electronics, and beauty are particularly vulnerable (Sift, 2025-09-16)
  4. First-party misuse / Friendly Fraud — consumers using the chargeback process to dispute legitimate purchases, increasingly aided by social media tutorials (see below)
  5. Card Testing — bots submit small or zero-value transactions to validate stolen card credentials before committing larger fraud. Particularly problematic for UK merchants with low-value items, free trials, or charity donations (Sift, 2025-09-16)

Additional emerging types noted by sources:

  • Account Takeover (ATO): using stolen login credentials from breaches or phishing to access accounts, place high-value orders, update shipping info, or redeem stored payment methods and loyalty points (Sift)
  • Synthetic Identity Fraud: blending real data with fabricated details to create new identities. Grew 311% in the US from Q1 2024 to Q1 2025 (aggregator source, as-of 2026)
  • Triangulation fraud and AI-driven fraud attacks are identified as emerging 2025 vectors (aggregator sources)

Chargeback patterns

Sift's December 2025 research ("The Refund Hack Economy") reports the following chargeback data (as-of 2025-12-11):

  • Retail e-commerce chargeback rates rose 233% from Q1 2025 — the highest increase of any merchant category
  • Overall chargeback rate reached 0.26% in Q3 2025, a 53% increase from Q1 2025
  • Card-not-present (CNP) transactions now account for 63% of merchant transactions (as-of 2025-12-11), expanding the chargeback surface area
  • Top disputed categories: clothing, accessories, cosmetics (20%), digital subscriptions (18%), home goods (16%)

Global chargeback volume is projected to surge 41%, from 238 million to 337 million disputes between 2023 and 2026 (Clickpost, citing aggregator data, as-of 2026).

Chargebacks911 (via aggregator) projects that 61% of disputes will be friendly fraud by 2026.

The MRC 2026 Global eCommerce Payments and Fraud Report found 64% of merchants reporting increasing first-party misuse, with roughly a quarter seeing increases of 25% or more (as-of 2026).

The "refund hack economy"

Sift's 2025-12-11 research identifies social-media-fuelled chargeback fraud as a growing structural driver:

  • 22% of consumers say they have encountered "refund hack" tutorials — primarily on TikTok (34%) and Facebook (29%) — showing how to dispute legitimate purchases
  • 10% of consumers admit to having tried these tactics
  • 1 in 5 consumers say they would be more likely to use refund hacks during financial hardship
  • 62% of consumers say they would be less likely to shop with a brand (or would stop entirely) after experiencing fraud on that brand's platform; 21% say they would stop completely

European and UK regulatory context

PSD2 / Strong Customer Authentication (SCA)

The shift to Strong Customer Authentication (SCA / PSD2) at checkout has displaced fraud away from checkout toward pre-purchase and post-purchase stages. Sift/SecurityBrief (2025) report that European fraud has "shifted away from checkout toward the pre-purchase and post-purchase stages, exploiting weaknesses before and after transactions despite stronger checkout protections."

Only 16% of EU merchants currently screen users during the browsing or account-creation stages, leaving a major early-stage blind spot (Sift citing MRC 2025, as-of 2025-09-16).

Visa VAMP (April 2025)

Visa's new Acquirer Monitoring Program (VAMP), introduced April 2025, sets a 0.9% dispute rate threshold (as-of 2025). Merchants exceeding it risk financial penalties or loss of ability to process Visa payments (SecurityBrief, 2025).

Visa Compelling Evidence 3.0 and Mastercard DIN rules now require merchants to provide richer transaction data and real-time response capability when contesting chargebacks (Sift, 2025-09-16).

UK Payment Services Regulations (PSR) 2024

UK PSR 2024 introduces mandatory APP (Authorised Push Payment) fraud reimbursement up to £85,000 (Sift, 2025-09-16). Confirmation of Payee (CoP) rules are also expanded.

UK Economic Crime and Corporate Transparency Act 2023

Effective from September 2025, companies can be prosecuted if they cannot demonstrate "reasonable procedures" to prevent fraud committed by employees or agents for the company's benefit (SecurityBrief).

EMEA consumer abuse trend

A 33% surge in consumer abuse claims across EMEA was recorded in 2024 (SecurityBrief, source unspecified).


Detection approaches

Sift reports that European merchants' top 2025 data priorities are (as-of 2025-09-16):

  • Expanding fraud-relevant data access (40%)
  • Reducing analyst time on routine decisions (30%)
  • Eliminating manual review in low-risk cases (24%)

Current state: 50% of European transactions are screened digitally; 24% still use manual review (Sift citing MRC 2025, as-of 2025-09-16).

Detection methods reported by industry sources:

  • AI and machine learning — learning/adaptive models replacing rules-based systems (Sift)
  • Contextual / risk-based authentication — patterns based on user behaviour, device, and relative risk level (Sift)
  • Behavioural biometrics + device fingerprinting — applied at payout stage as core defence against RTP fraud (Sift, 2025-09-16)
  • Graph network analysis — for uncovering coordinated fraud rings; Ravelin's approach is differentiated by combining ML, device intelligence, and graph analysis (aggregator source)

Most ecommerce companies use 5 or more fraud detection tools simultaneously (aggregator source, as-of 2025).

Shopify-specific: card-testing bots via Cart API

Shopify Community practitioners (2025-12 to 2026-02) report a widespread card-testing bot campaign using Shopify's checkout infrastructure as a card-testing endpoint. The bots:

  • Generate thousands of abandoned checkouts using fake "John Doe" accounts with rotating IPs and disposable emails
  • Bypass JavaScript-based CAPTCHA by hitting checkout directly via Shopify's Cart API URL schema, never loading the storefront page
  • Corrupt email deliverability (high bounce rates from abandoned cart emails) and analytics/ad conversion signals

Practitioner notes (Shopify Community, 2026-02): the old Checkout API (which allowed bots to complete purchases via API) was deprecated April 2025, which helps; but the Storefront Cart API replacement has no global rate limits by design, so bots can still create carts and obtain checkout URLs freely.
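
Added example (not from the Shopify threads or any vendor's product): a small detector over constructed checkout events that applies the signals reported above. Because the bots rotate IPs, it groups on normalised customer name rather than IP; the event field names, the disposable-domain list and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed placeholder list; a real deployment would use a maintained feed.
DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example"}
WINDOW = timedelta(minutes=10)   # assumed sliding window
MIN_BURST = 5                    # assumed threshold, tune per store

def suspicious(ev):
    """Per-checkout signals taken from the behaviour described above."""
    domain = ev["email"].rsplit("@", 1)[-1].lower()
    return (not ev["storefront_view"]   # cart created via API, page never loaded
            and not ev["completed"]     # abandoned checkout
            and domain in DISPOSABLE_DOMAINS)

def find_bursts(events):
    """Group suspicious checkouts by normalised customer name (IPs rotate, so
    per-IP counting misses the campaign) and report names whose count inside
    WINDOW reaches MIN_BURST, with the number of distinct IPs involved."""
    by_name = defaultdict(list)
    for ev in events:
        if suspicious(ev):
            by_name[" ".join(ev["name"].lower().split())].append(ev)
    bursts = {}
    for name, evs in by_name.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            size = end - start + 1
            if size >= MIN_BURST and size > bursts.get(name, {}).get("count", 0):
                ips = {e["ip"] for e in evs[start:end + 1]}
                bursts[name] = {"count": size, "distinct_ips": len(ips)}
    return bursts

# Constructed sample events (documentation IP ranges, .example domains)
T0 = datetime(2026, 1, 15, 3, 0, 0)
def make_event(sec, ip, email, name, view, done):
    return {"ts": T0 + timedelta(seconds=sec), "ip": ip, "email": email,
            "name": name, "storefront_view": view, "completed": done}

SAMPLE = [make_event(i * 20, f"198.51.100.{i + 1}", f"u{i}@tempmail.example",
                     "John  Doe" if i % 2 else "john doe", False, False)
          for i in range(8)]
SAMPLE += [
    make_event(30, "203.0.113.7", "alice@shop.example", "Alice Martin", True, True),
    make_event(95, "203.0.113.9", "bob@shop.example", "John Doe", True, False),
]
print(find_bursts(SAMPLE))
```

A genuine shopper who happens to be named John Doe but loaded the storefront and used a non-disposable address is not counted, which is why the per-checkout signals are combined before grouping.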

Platform responsibility gap (practitioner debate)

Platform vs merchant responsibility for fraud blocking. Shopify Community merchants argue Shopify has a platform-level duty to block card-testing bots at the checkout/API layer. Shopify and some community members counter that this is an industry-wide arms race and merchants can mitigate via third-party tools and Flow automation. [Thread: community.shopify.com, 2025-12 to 2026-02]

Shopify practitioners also widely report that Shopify only flags high-risk orders — it does not automatically cancel or block them. The platform places full responsibility on the merchant to act (Shopify Community, 2024-11).

Chargeback evidence transmission. Multiple Shopify Community merchants report that evidence submitted via Shopify's dispute form does not reliably reach card issuers — one merchant called Amex directly and was told "we never received your reply from Shopify." (Thread: 2,304 views, 79 replies, active through 2026-03.) Shopify has not confirmed or denied this publicly; other merchants attribute losses to bank default bias toward cardholders rather than evidence failure. Source: community.shopify.com


Vendor landscape

| Vendor | Model | Differentiation |
|---|---|---|
| Signifyd | Guaranteed Fraud Protection — takes full financial liability for approved fraudulent orders | Liability shift off merchant entirely |
| Ravelin | ML + graph network analysis; liability-shifting model for approved orders | Fraud ring detection, European focus |
| Kount (Equifax) | Risk-scoring (Omniscore); merchant retains financial liability | Enterprise scale, Equifax data assets |
| Sift | AI fraud platform; covers payment protection and account defence | Real-time ML, global fraud network, PSD2/SCA compliance for EU |
| NoFraud | Real-time pass/fail decisions; chargeback reimbursement guarantee | Practitioners report 60% drop in fraud vs some alternatives |
| Chargeflow | AI-powered chargeback response automation | Post-dispute, not pre-prevention |
| FraudFalcon | Auto-cancel rules engine | Lightweight, Shopify-native |
| Fraudless | Real-time risk scoring, card-testing pattern detection, auto-tagging | Shopify practitioners recommend |
| IPQS | IP quality scoring | Shopify plugin |

Vendor mentions from practitioners (Shopify Community 2024–2026): near-universal view that Shopify's native fraud detection is insufficient; third-party tools considered near-mandatory for high-risk categories.


Practitioner countermeasures (SMB context)

Shopify Community practitioners (2023–2025) report these manual countermeasures in the absence of reliable platform protection:

  • Ship only to billing addresses
  • Google-search customer name + address for new high-value orders
  • Delay shipping 2–3 weeks on new customers to allow stolen card detection
  • Cap order quantities for new accounts
  • Tag known fraudsters to cancel future orders
  • Call card issuers directly to report fraud after a dispute (affects customer's credit record)
  • Temporarily disable abandoned cart emails during active bot attacks (to protect email domain reputation)
  • Restrict or block international orders above a threshold (North/South America orders flagged as disproportionately high-risk by European sellers)

These are practitioner strategies from SMB merchants, not validated benchmarks.


Key terms

| Term | Meaning |
|---|---|
| Friendly Fraud | Consumer disputes a legitimate purchase via chargeback; also called "first-party misuse" |
| Card Testing | Using bots to validate stolen card credentials via small transactions before larger fraud |
| Account Takeover (ATO) | Using stolen credentials to access a customer account and commit fraud |
| Synthetic Identity Fraud | Combining real and fake data to create a new fraudulent identity |
| CNP fraud | Card-not-present fraud — fraud on transactions where the physical card isn't used (online orders) |
| Chargeback Representment | Merchant evidence-submission process to contest a chargeback with the card network |
| VAMP | Visa Acquirer Monitoring Program — Visa's framework for penalising merchants with high dispute rates |
| APP fraud | Authorised Push Payment fraud — consumer is tricked into authorising a bank transfer to a fraudster |

Benchmarks (as-of 2026-06-17)

| Metric | Figure | Source | Date |
|---|---|---|---|
| Global ecommerce fraud losses | $48B | Capital One Shopping (aggregator) | 2025 |
| EU merchant revenue lost to fraud | 2.8% | Sift / MRC 2025 | 2025-09 |
| EU fraud as % of orders | 3% | Sift / MRC 2025 | 2025-09 |
| EU chargeback win rate | 15.1% | Sift / MRC 2025 | 2025-09 |
| EU merchants screening pre-purchase | 16% | Sift / MRC 2025 | 2025-09 |
| US fraud cost multiplier | $4.61 per $1 | Sift | 2025-12 |
| Retail e-commerce chargeback rate increase | +233% from Q1 2025 | Sift | 2025-12 |
| Overall chargeback rate (Q3 2025) | 0.26% | Sift | 2025-12 |
| Consumers aware of "refund hack" tutorials | 22% | Sift | 2025-12 |
| Consumers admitting refund hack use | 10% | Sift | 2025-12 |
| Synthetic identity fraud growth (US, YoY) | +311% Q1 2024–Q1 2025 | Aggregator | 2025 |
| Visa VAMP dispute rate threshold | 0.9% | SecurityBrief / Visa | 2025-04 |
| Projected global fraud losses by 2029 | $107B | Aggregator | |

Research agent · 2026-06-17