How Fraud Works
Fraud in the payments context follows a predictable pattern: an attacker obtains or fabricates credentials, exploits a gap in verification, and converts that access into financial gain before detection. Understanding each step helps merchants and developers build effective controls at the right points in the transaction lifecycle.
Credential Acquisition
The fraudster obtains usable payment credentials — stolen card numbers from data breaches, phishing attacks, synthetic identity construction, or purchases on dark-web marketplaces. Bulk card data sells for as little as $5–$20 per record, making large-scale attacks economically viable.
Account or Identity Validation
Before attempting a large transaction, fraudsters typically run low-value probing transactions (often $1 or less) to verify the card or account is live and unblocked. These micro-authorizations fly under many basic fraud rules.
Transaction Execution
Once validated, the fraudster places orders — typically high-value, easily resellable goods (electronics, gift cards, luxury items), or digital goods that can be monetized instantly. Speed matters: they act before the legitimate cardholder notices or the issuer flags the account.
Monetization
Physical goods are reshipped to intermediaries (reshipping mules), resold on secondary markets, or converted to cryptocurrency. Digital goods and gift cards are used or liquidated immediately.
Chargeback or Writeoff
When the legitimate cardholder or issuer detects the unauthorized activity, a dispute is filed. The merchant typically absorbs the loss in card-not-present environments — paying back the transaction value plus chargeback fees.
Why Fraud Matters
Fraud is not a niche risk — it is a material operating cost for every merchant that accepts digital payments. The scale of the problem, combined with its direct impact on margins and customer trust, makes fraud management one of the most consequential disciplines in modern commerce.
Global ecommerce fraud losses exceeded $48 billion in 2023, according to Juniper Research, and are forecast to surpass $107 billion annually by 2029. For context, that projected figure exceeds the GDP of many mid-sized economies. A separate LexisNexis study found that every $1 of fraud loss actually costs merchants $3.75 when accounting for fees, administrative overhead, and lost merchandise — a multiplier that makes even modest fraud rates financially damaging.
False Positives Cost as Much as Fraud
Research by Javelin Strategy found that false declines — legitimate transactions rejected because of overly aggressive fraud rules — cost U.S. merchants an estimated $443 billion in 2023, dwarfing actual fraud losses. Over-filtering is not a safe default.
Beyond direct financial loss, fraud erodes customer trust, triggers payment processor reviews, and can result in excessive chargeback ratios that lead to account termination by card networks. Visa and Mastercard impose monitoring programs on merchants whose chargeback rates exceed 1% of transactions, with fines and eventual processor termination as consequences.
Fraud vs. Chargebacks
Fraud and chargebacks are closely related but not synonymous. Conflating the two leads to poor risk decisions — optimizing for one without understanding the other.
| Dimension | Fraud | Chargeback |
|---|---|---|
| Definition | Intentional deception for financial gain | Forced reversal of a transaction via the cardholder's bank |
| Initiator | Criminal or dishonest party | Cardholder (legitimate or not) |
| Always linked? | Not all fraud triggers a chargeback | Not all chargebacks involve fraud |
| Merchant liability | High for card-not-present (CNP) transactions without strong customer authentication (SCA) | High unless liability has shifted to the issuer (e.g., via 3DS) |
| Resolution path | Fraud tools, authentication, monitoring | Dispute representment, chargeback management |
| Friendly fraud | Borderline — disputed | Yes — this is a chargeback without true fraud |
Types of Fraud
Fraud takes many forms across the payment stack. Merchants must recognize the variety to apply the right controls.
True fraud is unauthorized use of stolen payment credentials by a third party — the most classic form. Friendly fraud occurs when a legitimate cardholder disputes a genuine transaction, claiming it was unauthorized. Identity fraud involves the creation or takeover of accounts using another person's personal information.
Account takeover (ATO) is a growing threat in which attackers gain access to an existing customer account — often via credential stuffing using breached username/password pairs — and make purchases or transfer funds. Synthetic identity fraud combines real and fabricated data to create fictitious personas that are difficult to detect with standard verification.
Refund fraud exploits returns policies: the fraudster makes a genuine purchase, then returns a different or counterfeit item while keeping the original. Triangulation fraud involves a fraudster posing as a seller on a marketplace, collecting buyer payments for goods they never possess, and then using stolen cards to fulfil orders — making the fraud invisible to the buyer.
Best Practices
Effective fraud management requires coordinated effort across business operations and technical implementation. A layered strategy consistently outperforms any single point of control.
For Merchants
Establish a clear fraud policy before going live, including acceptable chargeback thresholds, velocity limits per customer and payment method, and escalation procedures. Segment your product catalogue by risk: digital goods and gift cards warrant stricter controls than physical, slow-to-resell items. Implement 3D Secure 2 (3DS2) for high-risk transactions — it shifts liability to the issuer when authentication is completed successfully and improves the customer experience compared to legacy 3DS1.
Monitor chargeback ratios weekly, not monthly. By the time a monthly report surfaces a spike, hundreds of additional fraudulent transactions may have been processed. Work with your acquirer to understand which card BINs and geographies are generating the most disputes, and apply targeted rules accordingly.
For Developers
Integrate velocity checks at the API layer — limit how many payment attempts a single device fingerprint, IP address, or email address can make in a rolling time window. Use tokenization for stored payment methods to reduce the value of any credential exposure. Implement behavioral analytics on checkout flows: abnormal typing cadence, instant form completion, and copy-pasted card numbers are strong fraud signals.
Webhook handlers for fraud and dispute events should be idempotent and trigger immediate downstream actions — cancelling unfulfilled orders, flagging accounts, and logging device data. Avoid surfacing detailed decline reasons in API responses; giving fraudsters specific feedback (e.g., "CVV mismatch" vs. "do-not-honor") accelerates enumeration attacks.
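The idempotent webhook handler described above, as an added example rather than Tagada's own code: the event shape, the signature header, the HMAC secret and the downstream actions are all assumptions, and the store is an in-memory stand-in for a real database.

```python
# Added example (not Tagada's code): idempotent handler for dispute/fraud webhooks.
# Event JSON shape, signing scheme and downstream actions are assumptions.
import hashlib
import hmac
import json
from dataclasses import dataclass, field

SECRET = b"webhook-secret-placeholder"  # constructed; a real secret comes from config

@dataclass
class Store:
    """In-memory stand-in for the database the real handler would use."""
    seen_events: set = field(default_factory=set)
    order_status: dict = field(default_factory=dict)
    flagged_accounts: set = field(default_factory=set)
    device_log: list = field(default_factory=list)

def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw body, as an assumed processor signing scheme."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def handle_dispute_webhook(store: Store, secret: bytes, body: bytes, signature_hex: str) -> dict:
    # Reject unsigned or tampered payloads before parsing anything.
    if not hmac.compare_digest(sign(secret, body), signature_hex):
        return {"status": "rejected", "actions": []}
    event = json.loads(body)
    event_id = event["id"]
    # Idempotency: processors retry on timeouts, so a replayed event must not
    # re-run actions. Record the id before acting so a crash mid-way is not re-run.
    if event_id in store.seen_events:
        return {"status": "duplicate", "actions": []}
    store.seen_events.add(event_id)
    actions = []
    if event["type"] in ("dispute.created", "fraud.early_warning"):
        data = event["data"]
        order_id, account = data["order_id"], data["account_id"]
        # Cancel only unfulfilled orders; shipped orders go to representment instead.
        if store.order_status.get(order_id) == "unfulfilled":
            store.order_status[order_id] = "cancelled"
            actions.append(f"cancel:{order_id}")
        store.flagged_accounts.add(account)
        actions.append(f"flag:{account}")
        store.device_log.append((account, data.get("device_fingerprint")))
        actions.append("log_device")
    return {"status": "processed", "actions": actions}

# Constructed sample event used for the demonstration below.
SAMPLE_BODY = json.dumps({"id": "evt_1", "type": "dispute.created",
    "data": {"order_id": "ord_1", "account_id": "acct_9", "device_fingerprint": "fp_abc"}}).encode()
```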
Common Mistakes
Even well-resourced merchants make systematic errors in their fraud prevention strategies.
Treating fraud rules as static. Fraud patterns evolve continuously. Rules written 12 months ago may no longer match current attack vectors, while inadvertently blocking a growing segment of legitimate customers. Rules require regular review and sunset processes.
Ignoring velocity probing. Small-value test transactions are the clearest signal of an upcoming large fraud attempt. Without explicit rules for micro-authorization velocity, merchants give attackers a free reconnaissance window.
Over-indexing on AVS/CVV alone. Address Verification Service and CVV checks reduce risk but are not fraud-proof. Fraudsters routinely purchase fullz (complete card data including billing address) that pass both checks. These signals should be inputs into a broader scoring model, not standalone gates.
No post-authorization monitoring. Fraud detection should not stop at authorization. Order pattern analysis, delivery address clustering, and device reuse across multiple accounts can surface fraud rings that individual transaction checks miss.
Siloed data. Keeping fraud data separate from CRM, support ticket, and chargeback data creates blind spots. A customer who has filed three disputes in six months should influence the risk score on their next transaction, but only if those signals are connected.
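The API-layer velocity check recommended under For Developers, combined with the micro-authorization probing rule this section says is so often missing, as an added example that is not Tagada's code: the window, thresholds, key names and reason codes are assumptions. It also applies the advice to keep detailed decline reasons internal, returning only a generic code to the caller.

```python
# Added example (not Tagada's code): rolling-window velocity check per device,
# IP and email, plus a separate counter for sub-$1 probing attempts.
# All thresholds and reason codes below are assumptions.
from collections import defaultdict, deque

WINDOW_SECONDS = 600      # rolling 10-minute window (assumed)
MAX_ATTEMPTS = 5          # payment attempts per key within the window (assumed)
MICRO_AUTH_LIMIT = 2      # sub-$1 attempts per key tolerated in the window (assumed)
MICRO_AUTH_CENTS = 100    # anything below $1.00 counts as a probe

# Internal reason -> generic code surfaced to the client. Detail stays in logs.
PUBLIC_REASON = {"probing": "do_not_honor", "velocity": "do_not_honor"}

class VelocityGuard:
    def __init__(self):
        # (kind, value) -> deque of (timestamp, amount_cents), oldest first
        self.attempts = defaultdict(deque)

    def _prune(self, key, now: float) -> deque:
        q = self.attempts[key]
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, now: float, amount_cents: int, **keys) -> dict:
        """keys are e.g. device=..., ip=..., email=...; any key over limit blocks."""
        touched = []
        # Record the attempt against every key first, so a denied attempt still
        # counts toward the other dimensions on later requests.
        for kind, value in keys.items():
            q = self._prune((kind, value), now)
            q.append((now, amount_cents))
            touched.append(((kind, value), q))
        for key, q in touched:
            micro = sum(1 for _, amt in q if amt < MICRO_AUTH_CENTS)
            if micro > MICRO_AUTH_LIMIT:
                return self._deny("probing", key)
            if len(q) > MAX_ATTEMPTS:
                return self._deny("velocity", key)
        return {"allowed": True, "internal_reason": None, "public_reason": None}

    @staticmethod
    def _deny(reason: str, key) -> dict:
        # internal_reason is for logs and analysts only; public_reason goes to the API.
        return {"allowed": False,
                "internal_reason": f"{reason} on {key[0]}={key[1]}",
                "public_reason": PUBLIC_REASON[reason]}
```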
Fraud and Tagada
Tagada is a payment orchestration platform, and fraud management is a first-class concern at the orchestration layer. Because Tagada sits between merchants and multiple payment processors, it is uniquely positioned to apply consistent fraud controls regardless of which downstream processor handles the transaction.
Orchestration-Level Fraud Control
With Tagada, merchants can configure global fraud rules — velocity limits, 3DS2 triggers, BIN-level blocks — that apply uniformly across all connected processors. This prevents fraud from exploiting gaps between processor-specific rule sets and ensures consistent risk policy even as routing logic shifts transactions between providers.
Tagada's routing engine can also route high-risk transactions to processors with stronger issuer relationships or better authorization rates under 3DS2, improving the balance between fraud protection and genuine customer acceptance.