Skip to main content

Fraud

Fraud prevention illustration 20 min read
On this page

Fraud hurts twice. You lose money on bad orders, then you lose more when you panic and block good customers.

You don't pick a single fraud strategy. You run a series of bets and keep the ones that improve your loss-adjusted margin.

Pick Your Mode​

πŸ”§
Operator
Actions for this week. Configure processor rules, set up AVS/CVV, tune velocity limits.
Start: Processor Rules Config
πŸ“Š
Analyst
Metrics and measurement. Fraud rates, false positives, rules vs ML analysis.
Start: Fraud Metrics
πŸ“š
Reference
Codes and patterns. Fraud types, card-present vs CNP, liability rules.
Start: Fraud Types
Popular
βœ“
AVS & CVVStart Here
The basics everyone should use
πŸ”
3D SecurePopular
Liability shift for online transactions
⚑
Velocity Rules
Quick wins for fraud detection
βš™οΈ
Processor Rules Configuration
Free tools first
🎭
Fraud Types
Know what you're fighting

Before You Do Anything Else​

Most merchants buy fraud tools before doing the basics. Do these first:

  1. Configure your processor's built-in fraud tools. Stripe Radar, Braintree rules, Adyen RevenueProtect. These are free or cheap and catch obvious stuff. β†’ Processor Rules Configuration
  2. Use AVS and CVV. Turn them on. Decline on full mismatch. β†’ AVS & CVV
  3. Prefer chip/tap for in-person. If you're still swiping, stop. EMV shifts liability. β†’ Card-Present Fraud
  4. Secure your terminals (card-present). Check for skimmers, isolate from your network, use P2PE if possible. β†’ Terminal Security
  5. Fix your descriptor and communication. "I don't recognize this charge" is the most preventable dispute type. β†’ Descriptors and Comms
  6. Make refunds easy. A refund costs 3%. A chargeback costs $50+. β†’ Refund Strategy
  7. Be cautious with real-time bank payments. RTP and FedNow are irrevocable. β†’ FX and Settlement
If You Only Have 2 Hours This Week
  1. Pull your last 20 chargebacks and classify them: actual fraud vs. friendly fraud vs. merchant error
  2. Call 2 customers who disputed. Ask what actually happened.
  3. Check if your chargeback ratio is trending up or down

That's it. Everything else can wait.

Scale Matters

Under $100K/month: Your processor's built-in tools are enough. Your "fraud" is probably friendly fraud, so focus on chargebacks instead. Don't buy a fraud vendor yet.

$100K–$1M/month: Turn on AVS + CVV, configure your processor's rules, and watch your chargeback ratio. Test one rule change per month.

Over $1M/month: Time for dedicated fraud tooling. Evaluate vendors and run a pilot on one segment before going all-in. Read the Selection Guide.

Over $10M/month: You need a person, not just tools. Build the fraud function. Layer experiments across segments and instrument everything.

Fraud Prevention Setup Path​

Build your fraud defenses in this order. Each step builds on the previous.

PhaseWhenInvestmentExpected Impact
BasicsDay 1Free/includedCatch 60-70% of obvious fraud
Intermediate$50k+/mo volume$500-2k/moReduce fraud 30-50% more
Advanced$500k+/mo volume$5k+/moFine-tune last 10-20%

Don't skip ahead. Most merchants who buy ML fraud tools without doing basics are wasting money.

What's Actually Happening to You? (loss type diagnosis)

Merchants often misdiagnose their fraud problem. Different loss types require different responses.

Loss Types (Merchant-Recognizable Buckets)​

Loss TypeWhat It IsPrimary Response
Unauthorized transaction fraudStolen card used on your site/store3DS, device signals, velocity rules
Friendly fraud / chargeback abuseCustomer lies about receiving goods or authorizing chargeClear comms, delivery proof, CE 3.0
Account takeover (ATO)Criminal gains access to customer accountStep-up auth, device fingerprinting
Refund / return abuseCustomers exploit return policiesPolicy limits, abuse detection
Promo / loyalty abuseCoupon stacking, fake referrals, trial cyclingVelocity rules, device linking
Identity / signup abuseFake accounts, synthetic identitiesIDV, device fingerprinting
Marketplace / seller fraudBad actors on your platformPlatform-specific controls
Bank payment fraud (ACH/RTP)Unauthorized or fraudulent bank transfersAccount verification, irrevocability awareness
Quick Classification Exercise

Pull your last 30 losses. Classify each one:

  • Stolen card (third-party)
  • Customer lying (first-party)
  • Customer forgot or regrets (friendly fraud)
  • Your mistake (merchant error)

If more than half are friendly fraud, you don't have a fraud problem. You have a customer experience problem.

Who's Behind It (actor types and what works against each)

Different actors require different responses:

TypeWhoYour ExposureWhat Works
Third-PartyCriminal with stolen cardFull liability until you shift it3DS, device signals, velocity
First-PartyYour customer, lyingChargebacks you'll probably loseBetter policies, clear descriptors
Friendly FraudCustomer who forgot or regretsWinnable chargebacksTransaction enrichment, clear billing
Synthetic IdentityManufactured identityBust-out after credit builtMostly an issuer problem
Account TakeoverCriminal with stolen loginDepends on your auth flowDevice fingerprinting, step-up auth

The uncomfortable truth: Most small merchant "fraud" is first-party or friendly fraud. Stolen cards are dramatic but less common than customers claiming they didn't authorize a charge they definitely made.

Liability Shift: What Actually Protects You (3DS, EMV, CE 3.0)

Not everything that helps you detect fraud shifts liability. The distinction matters.

MethodShifts Liability?When It Applies
3D Secure (3DS)βœ… YesCNP transactions where cardholder authenticates
EMV Chip (contact)βœ… YesCP transactions; counterfeit liability shifts to issuer
EMV Contactless/Tapβœ… YesCP transactions; same as chip
Visa CE 3.0βœ… YesRepeat CNP customers with prior undisputed transactions
AVS❌ NoHelps you decline; doesn't shift liability
CVV/CVC❌ NoDefense tool, not liability tool
Signature on delivery❌ NoWins disputes; doesn't shift liability
Device fingerprinting❌ NoDetection tool only

The hierarchy: 3DS > Chip/Tap > Visa CE 3.0 > Everything else. If you want liability off your plate, 3DS is the answer. Everything else just helps you make better decisions.

Card-Present vs. Card-Not-Present​

Different worlds, different fraud, different experiments.

Card-present (retail, restaurants): Your main risk is counterfeit cards, which EMV chip largely solved. If you're still swiping, stop. Chip/tap shifts counterfeit liability to the issuer. Remaining risk is mostly employee fraud and return abuse.

Card-not-present (ecommerce, phone orders): This is where the real fraud lives. No chip to verify, no signature that matters. You're relying on AVS, CVV, device signals, and 3DS. Default liability is on you unless you authenticate with 3DS.

Most of this site focuses on CNP fraud because that's where merchants have real decisions to make.

Network Thresholds (Visa and Mastercard dispute monitoring programs)

Visa and Mastercard will put you in monitoring programs (and eventually shut you down) if your dispute rate gets too high. These are dispute ratios, not fraud ratios. Friendly fraud counts. The networks don't care why you're getting disputes.

Key thresholds: Processors typically flag you around 0.9% (the old VDMP threshold). Visa's VAMP merchant excessive is 2.2% (tightening to 1.5% in 2026) with 1,500+ disputes. Mastercard ECM starts at 1.5% + 100/month. If you're above 0.5%, start worrying. If you're above 0.75%, act now.

See Network Programs Reference for all thresholds, fee schedules, and timelines. See Reduce Chargebacks Fast for the emergency playbook.

Detection

Start here: Rules vs. ML. Most teams under $10M should start with rules.

⚑
Velocity Rules
The 80/20 of fraud detection. Quick wins that catch obvious patterns.
πŸ“±
Device Fingerprinting
When it works, when it doesn't. Browser vs native considerations.
πŸ”
Evidence Framework
Tier 1 vs Tier 2 indicators. What signals actually matter.
πŸ‘οΈ
Manual Review
Building a review queue that doesn't waste time.
Prevention
βœ“
AVS & CVV
The basics everyone should use. Free and effective.
πŸ”
3D Secure
Liability shift and when it's worth the friction.
πŸ“ˆ
Risk Scoring
Building or buying a scoring system.
Vendors

Under $1M: Use your processor's built-in tools. Stripe Radar is fine. Don't buy anything else yet.

$1M-$10M: If you want to outsource the decision, look at Signifyd or Riskified (chargeback guarantees) or Forter (decisions only, no guarantee by default). Test a guarantee model on a segment before going all-in. If you want control, look at Kount or Sift. If account-level fraud (ATO, onboarding) is your problem, look at Sardine.

Over $10M: Layer tools. Consider Sardine for device/behavior alongside a transaction scoring tool.

πŸ—ΊοΈ
Vendor Landscape
Full breakdown of who does what in the fraud prevention market.
πŸ“‹
Selection Guide
How to evaluate and choose the right tools for your business.

Operations​

Day-to-day fraud operations: managing your review queue, maintaining block lists, reviewing rule performance, and responding to fraud spikes.

Running Fraud Operations covers the full daily/weekly/monthly operational checklist.

Metrics​

Fraud Metrics covers what to measure: fraud rate, false positive rate, detection rate, and benchmarks by vertical.

Next Steps​

New to fraud prevention?
  1. Fraud Economics - Understand the math
  2. AVS & CVV - The basics everyone should use
  3. Processor Rules - Free tools first
Experiencing fraud now?
  1. Survive a Fraud Attack - Stop the bleeding
  2. Velocity Rules - Quick wins
  3. Manual Review - Triage suspicious orders
Building a fraud program?
  1. Rules vs ML - Choose your approach
  2. Vendor Selection - When to buy tools
  3. Fraud Metrics - What to measure
New to fraud prevention?

Start with The Guide, Pathway 3: Protecting from Fraud, a beginner-friendly 20-minute walkthrough that covers what fraud looks like, how to set up free protections, and what to monitor. This page is the full deep dive.

Looking for a definition?

See the Glossary for quick definitions of payments and fraud terms.

See Also​

πŸ’³ ChargebacksπŸ’° PaymentsπŸ“‹ Compliance🚨 Network ProgramsπŸ“Š Benchmarks
Last updated on