How Fraud Detection Works
Fraud detection does not rely on a single check — it is a pipeline of signals evaluated in milliseconds as a transaction moves from checkout to authorization. Each layer adds confidence or raises a red flag before funds are moved.
Signal Collection
At the moment a customer initiates checkout, the system collects device data (browser fingerprint, IP address, operating system), behavioral signals (typing speed, mouse movement, time on page), and transaction attributes (card number, billing address, order value, email).
Velocity and Rule Checks
Static rules fire first because they are fast and cheap. The engine checks whether the card has been used more than N times in the last hour (velocity), whether the billing country matches the IP country, whether the email domain is disposable, and whether the BIN range is associated with elevated fraud rates.
Risk Scoring
A machine learning model receives the full feature set and outputs a fraud score — typically 0–1000. The model has been trained on millions of historical transactions labeled as fraud or legitimate, and it weighs each signal according to its predictive power. High-risk transactions receive a high score.
Decision and Action
Based on the score and configured thresholds, the system takes one of three actions: approve automatically (score below the low-risk threshold), decline automatically (score above the high-risk threshold), or route to a manual review queue for a human analyst to inspect. Some systems trigger step-up authentication via 3D Secure for mid-range scores rather than declining outright.
Feedback Loop
Every outcome — approved transactions that later result in chargebacks, manually reviewed cases, and declined transactions — feeds back into model training. This continuous learning cycle is what makes ML-based systems progressively more accurate over time.
Why Fraud Detection Matters
Poor fraud detection hurts merchants on two fronts simultaneously: fraud losses and false positives. Getting the balance wrong in either direction is expensive.
The scale of the problem is significant. Global payment fraud losses exceeded $48 billion in 2023 (Nilson Report), and are projected to surpass $91 billion by 2028 as card-not-present volume grows. For ecommerce merchants specifically, card-not-present fraud rates are typically 3-5x higher than in-person transactions because the physical card and cardholder are not present to be verified.
The false positive problem is equally serious. Javelin Strategy & Research estimates that false declines cost US merchants over $443 billion per year — dwarfing actual fraud losses. Every declined good customer is immediate lost revenue, and research shows that 40% of customers who experience a false decline will not return to that merchant. Fraud detection that is too aggressive destroys conversion; fraud detection that is too permissive enables chargebacks that can trigger card network monitoring programs.
Transaction monitoring platforms that incorporate real-time feedback loops are better positioned to reduce both fraud and false positives simultaneously, because they continuously recalibrate thresholds based on observed outcomes.
Fraud Detection vs. Fraud Prevention
These terms are often used interchangeably, but they describe different parts of the risk management lifecycle.
| Fraud Detection | Fraud Prevention | |
|---|---|---|
| Goal | Identify fraudulent transactions | Reduce fraud surface area |
| Timing | At or after transaction time | Before transaction is attempted |
| Methods | ML scoring, rules, manual review | Authentication, velocity limits, device checks |
| Example | Flagging a stolen card at checkout | Requiring 3D Secure for high-value orders |
| Output | Approve / Decline / Review decision | Fewer fraudulent attempts reach checkout |
| Failure mode | False positives or missed fraud | Friction that drives legitimate customers away |
The most effective risk programs combine both: prevention reduces the volume of fraud that detection must handle, and detection catches the fraud that slips through prevention controls. Fraud prevention sets the rules of engagement; fraud detection enforces them in real time.
Types of Fraud Detection
Fraud detection approaches vary in sophistication, speed, and adaptability. Most production systems use a combination of all four types.
Rule-Based Detection Static rules are the oldest form of fraud detection: block cards from high-risk BINs, decline orders where billing and shipping country differ, flag transactions over $500 with a new email address. Rules are transparent, auditable, and fast, but they are rigid. Fraudsters learn rule sets and route around them. Rule-only systems have high false positive rates and miss novel attack patterns entirely.
Machine Learning Models Supervised ML models (gradient boosted trees, neural networks) are trained on labeled transaction data to score incoming transactions. They detect non-obvious signal combinations that no human analyst would write as a rule. The downside: models are black boxes, require significant training data to perform well, and can drift when fraud patterns shift faster than retraining cycles. Fraud scoring engines like Kount, Signifyd, and Sift are commercial implementations of this approach.
Behavioral Analytics Behavioral fraud detection monitors how users interact with a page — typing cadence, mouse movement, copy-paste patterns, time between fields. Bots and automated fraud tools behave differently from humans in ways that are hard to spoof. Behavioral signals are particularly effective against account takeover and automated card-testing attacks.
Device Fingerprinting Device fingerprint techniques compile a unique identifier from browser attributes, installed fonts, screen resolution, timezone, and other passive signals. This allows fraud systems to recognize a device across sessions even when cookies are cleared or a new email address is used, making it an essential tool for linking fraud rings.
Best Practices
For Merchants
- Set separate thresholds by product category and order value. A $12 digital download and a $1,200 electronics order carry different risk profiles — the same score threshold should not govern both decisions.
- Review your false positive rate monthly. If your decline rate for legitimate customers exceeds 2-3%, your thresholds are too aggressive and you are losing more revenue than you are protecting.
- Use 3D Secure as a step-up, not a blanket control. Requiring 3DS on every transaction increases friction and reduces conversion. Route only mid-to-high risk scores through 3DS to shift liability while minimizing checkout abandonment.
- Monitor for card-testing attacks. Fraudsters run small test charges ($0.01–$1.00) against stolen card numbers before using them for high-value fraud. Velocity rules on micro-transactions can detect and block these probes early.
- Integrate chargeback data into your fraud system. Chargeback disputes that resolve as fraud should automatically feed back into your blocklists and model training data — closing the loop between detection and outcomes.
For Developers
- Run fraud scoring asynchronously where possible. Parallel execution of fraud checks and payment authorization reduces checkout latency. Only block on the fraud score if it is a hard decline.
- Fingerprint at page load, not at form submission. Device signals collected over the full session are richer than a snapshot taken at the moment of submit. Load fingerprinting scripts early.
- Version your rule sets. Treat fraud rules like code — version control them, document the business rationale for each rule, and review them quarterly. Stale rules are a common source of high false positive rates.
- Build a review queue UI. Manual review should be ergonomic. Analysts who can see the full transaction context (device, IP, behavioral signals, purchase history) make faster and more accurate decisions.
- Test with synthetic fraud data in staging. Before deploying new rules or model versions, validate them against historical fraud samples to confirm the expected decline rate and false positive impact.
Common Mistakes
Over-relying on a single signal Blocking all transactions from a country because of elevated fraud rates will reject large numbers of legitimate customers. Single-signal rules are blunt instruments. Real fraud detection combines multiple independent signals — a transaction from France is not suspicious; a transaction from France on a US-issued card with a shipping address in Russia on a 2-year-old email is.
Ignoring post-authorization fraud Some fraud is not detectable at the time of authorization — account takeover, refund fraud, and triangulation fraud often appear days or weeks after a transaction is approved. Merchants that only run fraud checks at checkout miss a significant portion of their fraud exposure.
Treating all declines as the same A hard decline for a known fraudulent card and a soft decline for a velocity limit breach are fundamentally different signals. Expose decline reason codes to your analytics so you can distinguish between fraud declines and false positives — they require very different remediation strategies.
Not updating rules after fraud pattern shifts Fraud tactics evolve. A rule set optimized against the fraud patterns of 12 months ago may be ineffective against today's attacks. Establish a regular review cadence — at minimum quarterly — and monitor for sudden changes in your fraud rate as a signal that your rules have been routed around.
Setting global thresholds without segmentation A threshold tuned for your average order value will over-decline high-value legitimate orders (which look risky simply because of their size) and under-screen low-value orders that fraudsters use as probes. Segment thresholds by order value, product type, and customer age.
Fraud Detection and Tagada
How Tagada handles fraud detection
Tagada is a payment orchestration platform — it sits between merchants and their processors, applying fraud controls consistently regardless of which acquirer processes a given transaction. This matters because fraud gaps often emerge at the routing layer: a transaction routed to a secondary processor may bypass fraud rules configured only on the primary integration.
Tagada's built-in fraud tooling includes: velocity checks (configurable per card, email, IP, and device), device fingerprinting applied at the session level, and chargeback management workflows that feed dispute outcomes back into risk signals. For merchants using multiple processors under smart routing, Tagada enforces a single fraud policy across all routes — closing the coverage gaps that sophisticated fraud rings actively probe.
Merchants can configure rule thresholds directly in the Tagada dashboard and route mid-risk transactions through step-up authentication without building custom logic in their own codebase. The orchestration layer handles the conditional flow: score below threshold → approve, score in band → trigger 3DS, score above threshold → decline.