SMB Fraud Checklist
- Most SMBs don't have a fraud problem - they have a descriptor problem, a refund policy problem, or a friendly fraud problem
- Fix operations first. Tools come later
- Free fixes prevent more chargebacks than most paid tools for businesses under $500K/month
- Match your fraud investment to your revenue tier - don't overbuy
Every other fraud page assumes you'll read 10 pages, learn the theory, and figure out what to do. This one doesn't. This is the "just tell me what to do" page for SMBs processing under $1M/month. Follow the checklist in order. Stop when your numbers are healthy.
Do You Actually Have a Fraud Problem?
Before spending anything on fraud prevention, figure out what's actually happening. Pull your last 20 chargebacks and sort them into four buckets:
| Category | What It Looks Like | Example |
|---|---|---|
| True fraud | Stolen card, cardholder never ordered | "I never made this purchase" from a new customer shipping to a different state |
| Friendly fraud | Customer lying or confused | Customer received product but claims they didn't |
| Billing confusion | Didn't recognize the charge | "What is STRP*XYZCO on my statement?" |
| Service issues | Product problem, never arrived | "Item was broken" or "never delivered" |
Here's the key insight: If more than 50% of your chargebacks are NOT true fraud, a fraud tool won't help. You have an operations problem, not a fraud problem.
- Billing confusion? Fix your descriptor.
- Service issues? Fix your product or fulfillment.
- Friendly fraud? Tighten your evidence trail.
- True fraud? Keep reading.
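The sort-and-count step above as a script. This is an added example, not part of the original page; the field names, the `bucket` rules (a rough reading of the table's "What It Looks Like" column) and the 20 sample chargebacks are constructed assumptions.

```python
from collections import Counter

# Fix per bucket, quoted from the checklist above.
FIXES = {
    "billing_confusion": "Fix your descriptor.",
    "service_issue": "Fix your product or fulfillment.",
    "friendly_fraud": "Tighten your evidence trail.",
    "true_fraud": "Keep reading.",
}

def bucket(cb):
    """First-pass sort of one chargeback (rules are assumptions, not the page's)."""
    claim = cb["claim"]
    if claim == "unrecognized":
        return "billing_confusion"
    if claim == "broken":
        return "service_issue"
    if claim == "not_received":
        # Delivery proof contradicts the claim; no proof points at fulfillment.
        return "friendly_fraud" if cb["delivered"] else "service_issue"
    if claim == "never_ordered":
        # New customer shipping outside the billing state: the table's stolen-card cue.
        stolen = cb["new_customer"] and cb["bill_state"] != cb["ship_state"]
        return "true_fraud" if stolen else "friendly_fraud"
    raise ValueError(f"unknown claim type: {claim!r}")

def triage(chargebacks):
    """Tally buckets and apply the page's 50% rule."""
    counts = Counter(bucket(cb) for cb in chargebacks)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no chargebacks to triage")
    non_fraud_share = (total - counts["true_fraud"]) / total
    return {
        "counts": dict(counts),
        "non_fraud_share": non_fraud_share,
        "operations_problem": non_fraud_share > 0.5,
        # Largest bucket first, so the biggest source of disputes is fixed first.
        "fixes": [FIXES[name] for name, _ in counts.most_common()],
    }

FIELDS = ("claim", "new_customer", "bill_state", "ship_state", "delivered")
# Constructed sample standing in for "your last 20 chargebacks".
SAMPLE = [dict(zip(FIELDS, row)) for row in (
    [("unrecognized", False, "TX", "TX", True)] * 8
    + [("not_received", False, "CA", "CA", True)] * 5
    + [("broken", False, "NY", "NY", True)] * 2
    + [("not_received", True, "OH", "OH", False)] * 2
    + [("never_ordered", True, "FL", "WA", True)] * 3
)]
```

Treat the output as a starting point for a manual read of each dispute; a stolen-card order and a customer misremembering a purchase can look identical in these fields.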
The Free Fixes (Do These First)
These cost nothing and take less than a day. Do all of them regardless of your fraud situation.
1. Fix Your Billing Descriptor (10 minutes)
Your billing descriptor is what shows up on your customer's bank statement. If it says "SQ*RANDOM123" instead of your brand name, customers dispute charges they actually made.
Impact: Prevents 15-25% of "unrecognized charge" disputes.
How: Go to your processor's dashboard and change your statement descriptor to your customer-facing brand name. Include your website or phone number if space allows. See Descriptors and Communication for step-by-step instructions.
2. Require CVV on All Transactions (5 minutes)
CVV (the 3-digit code on the back of the card) is already enabled on most processors. Verify it's required and that you're declining transactions without a CVV match.
Impact: Blocks the lowest-effort stolen card fraud.
How: Check your processor settings. Stripe, Square, and most modern processors require CVV by default.
3. Make Refunds Easier to Find (30 minutes)
Customers dispute charges when they can't figure out how to get a refund. If your refund process requires three emails and a carrier pigeon, they'll call their bank instead.
Impact: Prevents customers from escalating billing questions to disputes.
How: Add a "billing question?" or "need a refund?" link to your receipt emails, website footer, and checkout page. Make the path obvious. See Refund Policy for guidance on balancing accessibility with abuse risk.
4. Send Confirmation and Shipping Emails (1 hour)
Order confirmation and shipping notification emails serve as proof of purchase and delivery. They also remind customers what they ordered and what the charge will look like.
Impact: Creates evidence trail for representment and reduces "I didn't order this" disputes.
How: Enable order confirmation and shipping notification emails through your e-commerce platform or payment processor. Include the billing descriptor in the confirmation so customers know what to expect on their statement.
5. Make Subscription Cancellation Easy (30 minutes)
If customers can't cancel, they dispute. A cancellation costs you revenue. A dispute costs you revenue plus a fee plus ratio damage.
Impact: Prevents 10-15% of subscription-related disputes.
How: Add a visible "cancel subscription" option in your account portal. Send renewal reminders 7-14 days before charging.
By Revenue Tier
Once the free fixes are done, your next steps depend on your volume.
Under $50K/month
Do: The free fixes above. That's it.
Don't buy: Fraud tools, scoring services, or alert subscriptions. At this volume, the tool cost likely exceeds your fraud losses. Your time is better spent on operations.
$50K - $250K/month
Add:
- 3D Secure on orders over $200 from new customers (shifts fraud liability to the issuer)
- RDR/Ethoca alerts if your chargeback ratio exceeds 0.5%
Don't buy: Full fraud scoring platforms. The ROI doesn't work yet.
$250K - $500K/month
Add:
- Tune your processor's built-in fraud rules (velocity limits, address mismatch blocking)
- Ethoca and/or RDR alerts if not already active
- Monthly review of chargebacks by reason code to spot patterns
Start tracking: Fraud rate by channel, product category, and customer type.
$500K - $1M/month
Add:
- Evaluate dedicated fraud tools (Stripe Radar for Fraud Teams, Kount, Signifyd) - see Vendor Selection Guide
- Manual review for orders exceeding 2x your average order value
- Weekly fraud review meeting (15 minutes, pull the numbers)
Start tracking: False positive rate, review queue volume, fraud-to-sales ratio by segment.
Over $1M/month
You need a dedicated fraud person or a managed fraud vendor. The checklist approach no longer scales. See the Vendor Selection Guide for evaluating platforms, and Economics of Fraud for building a business case.
The Math That Matters
Before buying any fraud tool, run this calculation:
Monthly tool cost = Per-transaction price x Monthly transaction count
Example:
Fraud tool at $0.07/txn x 10,000 txns/month = $700/month
Compare against:
Actual monthly fraud losses = $____
If the tool costs more than your losses, don't buy it.
This sounds obvious, but vendors sell on fear. They'll show you industry averages and worst-case scenarios. What matters is YOUR numbers. Pull your actual fraud losses for the last 6 months, average them, and compare.
Also factor in false positives. A fraud tool that blocks 2% of legitimate orders at $100 AOV and 40% margin costs you more in lost revenue than most SMBs lose to fraud. See Economics of Fraud for the full calculation.
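The comparison above worked through with the page's own figures ($0.07/txn, 10,000 txns, 2% false positives, $100 AOV, 40% margin). This is an added example, not part of the original page; the six monthly loss values are constructed, and the best-case net assumes the tool stops every fraudulent order.

```python
from decimal import Decimal as D

def tool_case(price_per_txn, monthly_txns, losses_6mo, fp_rate, aov, margin):
    """Compare a fraud tool's monthly cost with average actual fraud losses."""
    tool_cost = D(price_per_txn) * monthly_txns
    # "Pull your actual fraud losses for the last 6 months, average them."
    avg_loss = sum(D(x) for x in losses_6mo) / len(losses_6mo)
    # Legitimate orders the tool wrongly blocks each month.
    blocked_good_orders = D(fp_rate) * monthly_txns
    fp_lost_revenue = blocked_good_orders * D(aov)
    fp_lost_margin = fp_lost_revenue * D(margin)
    # Assumption: best case for the vendor, the tool prevents 100% of fraud losses.
    best_case_net = avg_loss - tool_cost - fp_lost_margin
    return {
        "tool_cost": tool_cost,
        "avg_loss": avg_loss,
        "fp_lost_revenue": fp_lost_revenue,
        "fp_lost_margin": fp_lost_margin,
        "fee_exceeds_losses": tool_cost > avg_loss,   # the page's "don't buy" test
        "best_case_net": best_case_net,               # negative = tool loses money
    }

# Constructed monthly fraud losses in dollars for the last six months.
LOSSES = ["400", "650", "300", "900", "500", "550"]

if __name__ == "__main__":
    case = tool_case("0.07", 10_000, LOSSES, "0.02", "100", "0.40")
    for name, value in case.items():
        print(f"{name}: {value}")
```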
What NOT to Do
Don't buy fraud tools before $500K/month. At lower volumes, free fixes and processor-native rules handle the vast majority of cases. You're paying for peace of mind, not measurable prevention.
Don't block international orders. Most international orders are legitimate. Blocking entire countries because of a few bad transactions costs you far more in lost revenue than the fraud. Use 3DS for international orders instead - it shifts liability without blocking the sale.
Don't ignore chargebacks. Chargebacks compound. Network monitoring programs (VAMP, ECM) have thresholds. If you cross them, you face penalties, fines, and potential termination. Even a handful of unaddressed chargebacks per month can push a low-volume merchant over the threshold.
Don't assume all fraud is stolen cards. For most SMBs, friendly fraud (customers who received their order but dispute anyway) exceeds true fraud. A fraud scoring tool won't catch a real customer lying to their bank. Better evidence and clear policies will.
Next Steps
Your chargebacks are mostly billing confusion or service issues?
- Fix your descriptor - 10 minutes, biggest impact
- Review your refund policy - Make it easier to refund than dispute
- Read the SMB Prevention Priorities - Ranked action list
You have a real fraud problem (stolen cards, account takeover)?
- Enable 3D Secure - Liability shift on risky orders
- Understand fraud economics - Build the business case
- Evaluate vendors - When you're ready for tools
Your chargeback ratio is climbing fast?
- Set up alerts - Stop chargebacks from filing
- SMB Prevention Priorities - Do things in the right order
- Understand friendly fraud - It's probably not what you think
Related Pages
- Economics of Fraud - Full cost breakdown and ROI math
- Fraud Prevention Overview - Prevention tools and techniques
- Vendor Selection Guide - Evaluating fraud platforms
- Descriptors and Communication - Fix your billing descriptor
- Chargeback Alerts - RDR, Ethoca, and CDRN
- 3D Secure - Authentication and liability shift
- Friendly Fraud - First-party disputes
- Refund Policy - When to refund vs. fight
- SMB Prevention Priorities - Ranked chargeback prevention actions