Global e-commerce fraud losses exceeded $40 billion in 2022 and are projected to reach $48 billion in 2025. Despite that scale, many e-commerce operators still assume merchant fraud is a problem reserved for enterprise-level retailers. It is not. Fraudsters target businesses of every size, and the consequences extend well beyond a single disputed transaction. This article breaks down what merchant fraud is, who it targets, which schemes are most active right now, how compliance demands are shifting in 2026, and what specific steps your organization can take to reduce exposure before losses appear on your balance sheet.
Table of Contents
- Understanding merchant fraud and its impact
- Common types of merchant fraud and how they work
- Evolving trends: Friendly fraud, real-time payments, and compliance pressure
- How to detect and prevent merchant fraud
- A critical perspective: Why prevention beats reaction every time
- Ready to strengthen your merchant fraud defenses?
- Frequently asked questions
Key Takeaways
| Point | Details |
|---|---|
| Merchant fraud is widespread | Fraud schemes target businesses of all sizes, costing merchants billions globally. |
| Common fraud types evolve | Card testing, laundering, and friendly fraud are increasing in sophistication and scale. |
| Compliance matters | Staying ahead of mandates and monitoring dispute ratios helps avoid penalties and account termination. |
| Prevention is essential | Early detection and proactive defenses reduce risk and financial loss for e-commerce operators and banks. |
Understanding merchant fraud and its impact
Merchant fraud is a broad term covering illicit activity that exploits merchant accounts, payment systems, or transaction processes for financial gain. It includes schemes where fraudsters pose as legitimate buyers, manipulate refund systems, or use stolen payment credentials to extract goods or cash. Unlike traditional theft, merchant fraud often leaves no immediate physical trace, which is precisely what makes it dangerous for e-commerce operators who rely on digital transaction records as their primary signal.
No business is automatically safe based on size alone. Small merchants are attractive targets because they often lack dedicated fraud teams or advanced monitoring tools. Mid-sized businesses face risk because they process enough volume to make automated attacks worthwhile. Large retailers, meanwhile, are targeted for their brand recognition and the scale of returns they process. Every segment carries distinct vulnerabilities, and a single undetected fraud pattern can cascade into systemic loss.
The financial picture is stark. Merchants lost $44.3 billion to fraud in 2024, with that figure projected to reach $107 billion by 2029. These are not abstract forecasts. They represent real revenue eroded across thousands of businesses, many of which never recover full margin.
Fraud does not just cost you the transaction value. It costs you the product shipped, the chargeback fee, the investigation time, and the potential account termination.
Beyond raw financial loss, the operational consequences compound quickly:
- Revenue loss: Fraudulent transactions result in unrecoverable product or service costs.
- Chargebacks: Each disputed transaction triggers fees and consumes staff time to contest.
- Compliance risk: Elevated dispute ratios can trigger card network penalties or merchant account termination.
- Reputational damage: Repeated fraud incidents signal weak controls to partners, banks, and customers alike.
Understanding this full picture is the first step toward building fraud protection solutions that match your actual risk profile rather than your assumptions about it.
Common types of merchant fraud and how they work
Fraudsters do not rely on a single method. They cycle through tactics based on what yields results, and many attacks combine multiple techniques for greater effect. Below are the most active schemes targeting merchants today.
Card testing involves running small, low-value transactions against a list of stolen card numbers to identify which ones are valid before using them for larger purchases. Account takeover (ATO) occurs when attackers gain unauthorized access to existing customer accounts and exploit stored payment methods or loyalty points. Payment laundering involves fraudsters setting up fake storefronts to process illegitimate funds through a real payment system. Bust-out fraud unfolds when a merchant or buyer builds a legitimate-looking transaction history before abruptly maxing out credit and disappearing. Tester merchant schemes involve criminals creating merchant accounts specifically to validate stolen card data at scale.
Card testing and ATO are frequently automated using bots, which can run thousands of validation attempts per hour without triggering standard rate limits.
| Scheme | Method | Typical Target | Bot Use | Warning Signs |
|---|---|---|---|---|
| Card testing | Small auth attempts | Any merchant | High | Spike in micro-transactions |
| Account takeover | Credential stuffing | Retailers with loyalty programs | High | Unusual login locations |
| Payment laundering | Fake storefronts | Payment processors | Moderate | Mismatched business activity |
| Bust-out fraud | Credit history manipulation | Acquirers, lenders | Low | Sudden high-volume orders |
| Tester merchant | Fraudulent merchant setup | Acquiring banks | Moderate | New merchant, high decline rates |
A typical fraud attack unfolds in a predictable sequence:
- Fraudsters acquire stolen card data or credentials from dark web markets.
- They set up automated scripts or bots to run low-value test transactions.
- Validated cards are segmented by card type, issuer, and available balance.
- Higher-value transactions are executed against confirmed accounts.
- Goods are shipped to third-party drop addresses or converted to gift cards.
- Chargebacks or account disputes are filed to cover tracks.
Using advanced fraud detection methods to identify these patterns early is critical to stopping the cycle before it escalates.
Pro Tip: Watch for clusters of small transactions from newly created accounts, particularly if they share device fingerprints or billing address patterns. This is a reliable early signal of card testing activity.
Evolving trends: Friendly fraud, real-time payments, and compliance pressure
Core fraud schemes remain active, but the risk landscape in 2026 is shaped heavily by three converging forces: the rise of friendly fraud, the growth of real-time payment rails, and tightening card network compliance mandates.
Friendly fraud, also called first-party misuse, occurs when a legitimate customer makes a purchase and then disputes it with their bank, falsely claiming non-receipt or unauthorized use. Friendly fraud accounts for 36% of global fraud cases and is projected to reach 337 million incidents by 2026. There is genuine debate across the payments industry about who bears responsibility: merchants argue banks issue chargebacks too readily, while issuers contend merchants fail to provide adequate transaction evidence.
Real-time payments introduce a structurally different threat. Because RTP transactions settle instantly and are typically irrevocable, the window for fraud detection is compressed to seconds. There is no batch processing delay to catch anomalies before funds move.
In real-time payment environments, fraud prevention must operate at the speed of the transaction itself. Post-settlement recovery is rarely feasible.
Compliance pressure is intensifying simultaneously. Visa VAMP mandates set a combined fraud and dispute ratio threshold of 0.9% for 2026, with acquirers authorized to terminate merchant accounts that consistently exceed it. TC40 reports, which track fraud claims filed by issuers, now factor directly into ratio calculations even when 3D Secure liability shifts apply.
For compliance officers, the monitoring checklist has grown considerably:
- Dispute ratio: Track by card network and merchant category code separately.
- TC40 incidents: Monitor issuer-filed fraud reports in near real time.
- RTP fraud incidents: Establish velocity rules specific to instant payment rails.
- Chargeback win rates: Segment by reason code to identify procedural weaknesses.
- Merchant account health scores: Flag accounts approaching network thresholds before penalties trigger.
Pro Tip: Track chargeback sources and dispute outcomes by card network rather than in aggregate. Visa and Mastercard use different threshold structures, and a combined view can obscure network-specific compliance risk until it is too late to act.
How to detect and prevent merchant fraud
With both the threat types and compliance context established, here is a structured approach to reducing your exposure in practical terms.
- Analyze transaction data systematically. Review velocity patterns, device fingerprints, IP geolocation, and billing-to-shipping address mismatches on a regular basis. Anomalies that appear minor in isolation often form recognizable clusters when viewed across a longer time window.
- Implement rules-based controls and machine learning filters. Velocity rules limit how many transactions a single device, IP address, or card can attempt within a defined period. Machine learning models add adaptive scoring that adjusts as fraud tactics evolve.
- Update anti-fraud technology regularly. Fraudster tactics evolve continuously, and static rule sets degrade in effectiveness over time. Quarterly reviews of your detection logic are the minimum acceptable cadence.
- Train front-line and compliance staff. Human review remains essential for edge cases that automated systems flag but cannot conclusively resolve. Staff who understand ecommerce fraud protection guidelines can make faster, more accurate decisions.
- Establish a rapid response protocol. Define escalation paths before a fraud event occurs. Who owns the investigation? Who contacts the acquiring bank? What is the timeline for dispute filing?
Tester merchants exceeded 1,350 in 2025, and RTP fraud affected 45% of merchants surveyed that year, signaling that financial institutions must expand monitoring beyond traditional card-based transaction reviews.
Pro Tip: Set automated alerts for sudden spikes in failed authorization rates or dispute volume. A 20% spike over a 48-hour window often precedes a larger fraud event and creates a critical intervention window before losses compound.
Cross-functional communication between your compliance team, operations staff, and technology team is not optional. Fraud signals detected in one department often only make sense when combined with data held by another. Structuring regular data-sharing sessions ensures that your merchant monitoring solutions are informed by the complete operational picture rather than siloed views.
A critical perspective: Why prevention beats reaction every time
Here is what 15-plus years working in fraud strategy consistently confirms: organizations that treat fraud response as a compliance checkbox almost always pay more than those that treat it as an operational discipline. The math is straightforward. A chargeback costs you the transaction amount, a processing fee, a chargeback fee ranging from $20 to $100, and staff hours to contest it. A fraud event that goes undetected for 60 days multiplies that cost across every transaction in the window.
The reactive mindset persists because fraud losses often appear quietly, distributed across SKUs, regions, or card types in ways that do not immediately trigger alarm. By the time a pattern is visible on a chargeback report, the damage has already been done for weeks.
We at Intelligent Fraud see the same pattern repeatedly: businesses invest in fraud defense strategies only after a significant loss event forces the issue. The businesses that consistently outperform on fraud metrics are those that build detection into their operational cadence from day one, treating fraud signals as leading indicators rather than lagging ones. Anticipating fraud before it surfaces on a dispute report is not an aspirational goal. It is an operational standard that technology and process discipline can reliably achieve.
Ready to strengthen your merchant fraud defenses?
If this article has made one thing clear, it is that merchant fraud is not a static threat you can address once and set aside. The schemes evolve, the compliance mandates tighten, and the financial consequences of inaction grow year over year.
At Intelligent Fraud, we provide detection tools, chargeback management resources, and strategic guidance designed specifically for e-commerce operators and financial institutions navigating this environment. Whether you are building your first fraud prevention framework or auditing an existing one, our ecommerce fraud resource library and chargeback prevention tips give you the practical foundation to act with confidence. Start with a clear picture of your current exposure, then build from there.
Frequently asked questions
What is merchant fraud in e-commerce?
Merchant fraud in e-commerce refers to illicit schemes targeting merchants through transaction abuse, payment laundering, and chargeback misuse. Common mechanics include card testing and ATO, where stolen credentials are validated at scale using bots.
How much does fraud cost online merchants each year?
Global merchant fraud losses reached $44.3 billion in 2024 and are projected to climb to $107 billion by 2029, reflecting consistent annual growth driven by increasingly automated attack methods.
What is friendly fraud and why is it rising?
Friendly fraud occurs when legitimate customers falsely dispute valid charges with their issuing bank. It is rising because dispute processes favor cardholders by default, and friendly fraud cases are projected to reach 337 million globally by 2026.
How can merchants detect fraud early?
Merchants detect fraud early by monitoring unusual transaction velocity, setting automated alerts for authorization spikes, and applying machine learning scoring. RTP fraud affected 45% of merchants in 2025, reinforcing the need for real-time detection across all payment rails.
Recommended
- Intelligent Fraud – Safeguard your business with cutting-edge solutions for fraud prevention, abuse detection, and chargeback management
- High-risk merchants: what it means and how to navigate it | Merchant Solutions Corp
Discover more from Intelligent Fraud
Subscribe to get the latest posts sent to your email.
