As ecommerce grows, criminals will inevitably follow the money.
Payments providers, merchants, and ecommerce platforms are locked in a perpetual arms race with fraudsters, who are constantly developing more sophisticated ways to swindle and deceive.
For example, bot attacks, which deploy automated agents to mimic malicious human behaviors, and click farms, which exploit large numbers of low-paid workers to similar effect, both allow criminals to ramp up their efforts, leaving merchants akin to participants in an eternal game of whac-a-mole.
Nevertheless, merchants must use every method at their disposal to fight payment fraud. Failure to do so will not only cost you financially, but expose you to reputational damage.
As a leader in global payments, Checkout.com is committed to helping merchants navigate the evolving fraud landscape. That’s why we’re proud to sponsor the Merchant Risk Council’s (MRC) Fraud Essentials course, an on-demand resource designed to equip businesses with the knowledge and tools needed to combat fraud effectively.

Now that you've learned how to accept payments online, you need to know the common types of payment fraud and how to prevent them.
What is payment fraud?
Payment fraud involves the use of payment credentials to wrongfully gain money, goods or services.
It may involve deceptive practices such as using another person’s payment details or exploiting refund policies to gain financial benefits.
How big of a problem is online payment fraud?
Online payment fraud is a significant problem for everyone who buys and sells over the internet. According to the European Banking Authority, payment fraud amounted to €4.3 billion in 2022. And in a recent report, Juniper Research estimated that online payment fraud will exceed $362 billion globally between 2023 and 2028. The same report predicts the losses to merchants in 2028 alone will be $91 billion.
Card-not-present transactions (such as payments conducted online or over the phone) are at greater risk from fraudulent activity compared with in-person payments. Why? Online, it’s harder to tell if the customer is legitimate or a fraudster using stolen details.
Fraudulent activities, such as identity theft, phishing, and account takeovers, are becoming more complex and increasingly hard to detect, especially when fraudsters gain access to genuine shopper accounts.
While payment fraud can occur in different ways, it often targets businesses, financial institutions, and consumers shopping online. Criminals can use sophisticated techniques to steal credit card information, bank account details, passwords, and more. They take advantage of weaknesses in security measures.
Robust Fraud Detection software can help significantly. But you still need to understand what fraud looks like, and the forms it can take. Let’s get an overview of the types of payment fraud.
Third-party fraud (using stolen payment details)
One of the most common types of payment fraud is stealing someone’s payment details to make purchases in their name. Criminals may do this to obtain in-demand products such as electronics or high-ticket fashion items they can sell for easy money.
According to the European Banking Authority, around two-thirds of remote card fraud is due to card details theft. In the first half of 2023, it accounted for 64% of remotely-initiated card fraud volume.
There are several ways to obtain this personal information:
- Phishing scams: fraudsters use emails, texts, phone calls or social media messages to trick people into providing personal information or clicking on a link that installs malware on their computer.
- Hacking: a thief forces entry into a secure network or account and steals sensitive information.
- Social engineering: fraudsters win someone’s trust and then con them into giving up personal information, either over the phone, on social media or in person (more on this, below).
- Card skimming: a criminal places a small device on a card reader to steal payment details when a card is swiped.
- Searching through your trash: a bad actor might search through trash to find personal information that they can use to gain access to shopping accounts or payment details.
- Purchasing on the dark web: those who steal card details may not be the same ones making fraudulent purchases. Some criminals steal card details then sell them to others on the dark web.
The loss to the customer is clear, but what about businesses? Firstly, you’re likely to have to refund the purchase and potentially pay extra payment costs such as a chargeback fee. If the fraudster bought a physical product, then you’re unlikely to recover that – amounting to another material loss.
You could also incur severe financial penalties from the card payment networks if your chargeback and fraud performance exceed certain limits.
You may also suffer reputational damage if the customer holds you responsible for not protecting their personal information. At best, this risks putting off new or returning customers, but at worst, this could lead to lawsuits and fines for falling foul of compliance regulations.
How to protect your business from payments using stolen cards
If you want to reject unauthorized payments – where a thief is using a victim’s payment card without their knowledge – then you need to confirm the customer’s identity. This is known as authentication, and, in the EEA, it’s a requirement of all card-not-present payments.
Here are the most common ways to do this:
- 3D Secure (3DS): A payment security protocol developed by EMVCo where the merchant securely shares payment-related data with the issuer. This includes collecting the payment method and device data of the customer, and sending it to the issuer to check if it aligns with the data the issuer has.
- Two-factor authentication: The customer must complete an additional step to confirm the payment, such as entering a one-time SMS security code or logging into their banking app.
- One-touch confirmation: If your customer is using an appropriate device, they can use a biometric such as face or fingerprint scan to easily confirm the payment. An example of this would be Google Secure Payment Authentication.
Card testing
Card testing fraud involves making low-value purchases to verify if stolen card details are available for use. Therefore, it’s a type of third-party fraud: a criminal is using payment details they should not have access to.
These payments will either result in a fraudulent payment authorization or a decline. Both of these are risks to your revenue, reputation, and rates of fraud blocking. You could incur chargebacks and fines.
Card testing fraud can go unnoticed, as low transaction values are common in certain industries, such as mobile gaming, food delivery, or low-cost digital goods. Yet it can have a significant impact on your business, as criminals use bots and automation to boost the scale of their attacks.
Example
A small merchant selling digital courses faced a mass fraud attack where a bot purchased a million courses using stolen credit cards. The merchant received the money but faced significant issues as the transactions were fraudulent; the cardholders noticed the charges made on their cards and started to request their funds back via their issuer.
The impact of card testing fraud on merchants
Each chargeback request comes with a merchant fee. So you can see how a mass attack quickly gets expensive.
Moreover, a high rate of fraudulent payments can result in fines from card brands. If you continue to accept too many fraudulent payments, the card brands can prevent you from accepting payments in the future.
How to prevent card testing fraud
The best way to prevent card testing fraud is to carry out risk-based authentication. This may involve challenging the customer to prove it’s really them making a payment.
You can also use security measures such as Address Verification System (AVS) checks and Card Verification Value (CVV) checks.
Many card testing fraudsters don’t have valid CVV data, so requiring validation will block these attempts. Stolen credit card numbers are also often missing complete address and ZIP code information. The fraudsters will try to transact with random or partial address data resulting in an AVS mismatch.
However, a manual authentication request usually means extra steps in the payment process, and can lead to frustration and abandoned carts for genuine customers.
Therefore, the way in which you tackle card testing fraud will vary according to your specific business model and industry.
Fraud detection systems, which analyze transaction velocity, geographic inconsistencies and other anomalies, can stop such attacks, protecting the merchant from financial loss and reputational damage. It’s wise to consider your average order value, and consider flagging transactions which fall significantly below this threshold.
Your payment services provider (PSP) could help you to analyze your payments and implement rule-based blocking in a way that’s tailored to your business. Moreover, a PSP can cross-check the use of the same payment credentials elsewhere in its network, and automatically detect suspicious activity such as too many transactions in a single time period or impossible location changes.
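The velocity, low-value, AVS, and CVV signals described above can be combined into simple accept, challenge, or block rules. The following is an added example, not Checkout.com's code or part of the original article; the class name, the thresholds, the choice to measure velocity per client IP, and the sample transactions are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Txn:
    ts: int        # Unix time in seconds
    ip: str        # client IP address
    card: str      # card token from the PSP, never the card number itself
    amount: float
    cvv_ok: bool   # CVV check result returned with the authorization
    avs_ok: bool   # AVS check result returned with the authorization


class CardTestingRules:
    """Illustrative rules; every threshold here is an assumption to tune."""

    def __init__(self, avg_order_value, window_s=600, max_cards_per_ip=3,
                 low_value_ratio=0.1):
        self.low_value_limit = avg_order_value * low_value_ratio
        self.window_s = window_s
        self.max_cards_per_ip = max_cards_per_ip
        self._attempts = defaultdict(deque)  # ip -> (ts, card) in time order

    def decide(self, t):
        # Velocity: count distinct cards tried from this IP inside the window.
        # Every attempt is recorded, including ones that end up blocked.
        q = self._attempts[t.ip]
        q.append((t.ts, t.card))
        while q and q[0][0] <= t.ts - self.window_s:
            q.popleft()
        reasons = []
        if len({card for _, card in q}) > self.max_cards_per_ip:
            reasons.append("velocity")
        if not t.cvv_ok:
            reasons.append("cvv_mismatch")
        if not t.avs_ok:
            reasons.append("avs_mismatch")
        if t.amount < self.low_value_limit:
            reasons.append("low_value")
        # Block on strong evidence, challenge (step-up authentication) on weak
        # evidence, so genuine customers only see friction when a signal fires.
        if "velocity" in reasons or {"cvv_mismatch", "low_value"} <= set(reasons):
            return "block", reasons
        return ("challenge" if reasons else "accept"), reasons


T0 = 1_700_000_000  # constructed timestamps; IPs are documentation ranges
SAMPLE = [
    Txn(T0, "198.51.100.10", "tok_a", 48.00, True, True),       # normal order
    Txn(T0 + 30, "198.51.100.22", "tok_b", 3.00, True, True),   # small order
    Txn(T0 + 60, "203.0.113.7", "tok_c1", 1.00, True, False),   # burst begins
    Txn(T0 + 62, "203.0.113.7", "tok_c2", 1.00, True, False),
    Txn(T0 + 64, "203.0.113.7", "tok_c3", 1.00, True, False),
    Txn(T0 + 66, "203.0.113.7", "tok_c4", 1.00, True, False),   # 4th card
    Txn(T0 + 2000, "203.0.113.7", "tok_d", 45.00, True, True),  # window expired
]


def evaluate(txns, avg_order_value=50.0):
    rules = CardTestingRules(avg_order_value)
    return [rules.decide(t) for t in txns]


if __name__ == "__main__":
    for txn, (decision, reasons) in zip(SAMPLE, evaluate(SAMPLE)):
        print(txn.card, decision, reasons)
```

The small genuine order is challenged rather than blocked, which is the friction trade-off the article describes: a business with naturally low order values would lower `low_value_ratio` or drop that rule.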
Account takeover and social engineering
Another major type of fraud is account takeover, affecting roughly one in four (26%) online merchants. A criminal may create or purchase malware which steals login credentials, and trick the user into downloading it onto their device. The criminal can then access the account from their own device. Fraud detection systems can usually pick up such account takeover activity, since it will be a new login pattern (new device, IP address, and unusual account behavior).
Lately, account takeover (ATO) scams are becoming more sophisticated.
If a lucrative account proves difficult to access via technological means, fraudsters may use psychological pressure to convince account holders to transfer funds or provide access through disclosing sensitive data.
Social engineering refers to any kind of interpersonal manipulation tactics used to gain access to sensitive data, such as passwords and payment details. This can involve spoofed emails, phone calls, and websites which seem legitimate, but are actually fakes created by cybercriminals.
Example
At Checkout, we have intercepted fraudulent requests to change merchants’ bank account details. We ensure a rigorous multi-factor authentication process to protect merchant accounts from unauthorized changes to payment details.
Specialized malware can send a notification to the fraudster once you log in to one of your accounts. Then the fraudster takes over the session without the user realizing. This is known as a “remote overlay attack”. The user may see a loading screen or error page while the fraudulent actor carries out criminal activities (such as transferring funds to their own account).
This is harder for fraud systems to detect, because the user is the one that made the login, so it's not suspicious.
How to fight back against account takeover and social engineering
- Implement robust authentication methods such as two-factor authentication or multi-factor authentication for altering customer payments data and sensitive account details
- Limit access to sensitive customer data from both technological and human permission standpoints
- Educate employees on the signs of account takeover attempts (for example, the scammer may create a sense of urgency to obtain access to the account)
- Set up a reporting system to flag suspicious emails, texts, and messages to your company’s information security team
- Partner with a large global PSP (like Checkout.com) that can leverage the power of its global network to detect and prevent fraud using insights from across regions, industries, and issuers.
Victim-assisted fraud
This occurs when an individual is manipulated into authorizing a transaction without realizing they are being scammed. Typically, a fraudster will use psychological tactics to trick the victim into sending a payment (i.e. social engineering). You may see this referred to as Authorized Push Payment (APP) fraud, because the victim makes a genuine payment.
It takes different forms, such as romance scams, fake investment opportunities or pretending to be a trusted entity such as a bank, payment platform, delivery company or another genuine business.
Fintech merchants need to be particularly watchful for signs of such fraud taking place, as customers can lose significant amounts of money. While your platform may not always be liable for reimbursing the lost funds, such fraud can impact your customer satisfaction and brand reputation. For the same reason, ecommerce merchants, logistics firms, delivery companies, and investment platforms need to ensure their fraud strategy works to prevent victim-assisted fraud.
How to fight back against victim-assisted fraud
- Monitor customers for sudden or materially unusual changes in transaction activity.
- For suspicious payments, trigger extra stages in the payment flow, such as confirmation of the reason for the transaction.
- Educate customers on current scams you are aware of which involve your brand. You can do this through website banners, emails, and app notifications.
- Clearly communicate customers’ rights to refunds or ability to reverse transactions; this can ensure your customers understand that authorized payments cannot be retrieved in most situations.
First-party fraud (the customer makes a wrongful claim)
If somebody uses their own personal data to make a fraudulent financial claim, this is known as “first-party fraud”.
One of the toughest problems for merchants selling goods or services online is when a customer will claim they deserve their money back for a legitimate purchase. This is known as “friendly fraud”.
It’s a particularly common issue in subscription products or services, as customers may forget to cancel a subscription after a trial period, and then raise a dispute on the payment via their issuer.
Chargeback fraud is a type of friendly fraud, and, therefore, also a form of first-party fraud. It’s when a consumer disputes a charge on their payment card, which means the merchant must pay a fee to process the dispute, and potentially, pay the value of the purchase back to the customer.
A customer carrying out chargeback fraud may falsely claim that:
- They did not authorize a transaction (i.e. a fraudster must have used their card)
- They never received the goods or services that they ordered (when in fact they did)
In spite of how it sounds, friendly fraud must be taken seriously: 39% of merchants experience it globally. Unless you have the right protocols in place, it can seriously eat into profitability.
Because chargebacks are often initiated by a customer making a legitimate claim, chargeback fraud can be difficult to detect and prevent. In short, it can be hard to prove a customer has dishonest intentions.
The impact of friendly fraud on merchants
Chargebacks can be costly for merchants, as they can result in lost revenue, chargeback fees, and increased future processing costs. According to Mastercard, merchants absorb more than 75% of the financial impact of chargebacks.
Customers committing chargeback fraud may claim their payment details were used fraudulently – this can result in the payment being marked as fraudulent, which is an important metric for merchants to monitor. Card networks penalize merchants with high levels of fraud through increased fees and lower authorization rates.
How to prevent friendly fraud
The best way to prevent chargeback fraud is to offer customer support channels to try and ensure purchase disputes can be settled before the customer raises an official complaint with their issuer. You should clearly communicate refund policies, and maintain reliable procedures for handling customer payment disputes. You should document all transactions and customer interactions – in particular, retaining proof of customer authentication – so that you can use them as evidence in the event of a payment dispute.
You should also require signatures upon receipt of goods, provide tracking information for deliveries, and clearly communicate your return and refund policies to customers.
For known customers who have committed friendly fraud, you can add them to your risk engine’s decline list to automatically block them should they try to transact with you again.
You can learn to reduce chargebacks with strategies outlined in the MRC Fraud Essentials course.
Post-purchase fraud: Refund fraud and returns fraud
Another type of first-party fraud is refund fraud. This is also known as “refund policy abuse” and happens when a customer exploits a refund policy for dishonest gain. It’s the most common type of fraud experienced by merchants online around the world, affecting almost half (47%).
For instance, a customer may complain the goods or services they received were not as described or were somehow defective, and demand a refund – even if what they received was good quality.
If you cannot prove that the goods or services were delivered in good condition or should have met the customer’s reasonable expectations, you may have to provide a refund.
Returns fraud is somewhat different: a customer may request a refund and then send back an empty box or an item of lower value than the item purchased. The customer receives their money back, but keeps the product they were supposed to return. Alternatively, the customer may use the item and return it in a damaged condition – this is particularly common in the online fashion industry, where a customer wears an item for a special event and then sends it back to the retailer. Therefore, the merchant can lose both the transaction value and, possibly, the value of the returned product.
Marketplace fraud
Marketplace fraud is a wide-ranging term for any fraud committed on an online marketplace, such as Amazon, eBay, or Etsy. It can take many forms, including:
- False advertising: Taking payment for popular products, such as designer handbags or electronic devices, which turn out to be fake or simply never arrive
- Account handover: A fraudster may purchase an existing seller account with a good reputation and then use it to carry out scams
- Collusion: Working together, a buyer and a seller can misuse the marketplace for financial or material gain.
Example
For instance, a fraudster makes a purchase from a fake seller. Then the buyer complains their purchase never arrived, and the seller has disappeared. The buyer claims a refund from the marketplace, which pays the refund due to its buyer protection policy.
The impact of marketplace fraud on merchants
These scams can cause big problems for marketplace owners; if a customer complains about a purchase, the seller may stop responding, leaving the marketplace owner responsible for refunding the amount in order to preserve customer trust and protect the platform’s reputation.
Various types of merchants can suffer as a result of marketplace scams. For instance, your brand reputation can suffer if a fraudster impersonates your brand or poses as a legitimate reseller of your products or services, and scams your customers.
How to prevent marketplace fraud
With the sheer number of transactions taking place on marketplaces every day, this type of fraud can be difficult to fight. The best first line of defense is to implement strict onboarding criteria for new sellers, including comprehensive identification checks, a review of their track record, an assessment of their financial and credit history, as well as their compliance with any relevant regulations.
You should also monitor fraud rates on a per-seller basis. That way, you can assign precise fraud rules and stricter thresholds to your highest-risk sellers to make it harder for them to engage in fraudulent activity. Fraud detection software can help you do this.
Benefits of fraud protection strategy
Fraud protection is essential for preventing both financial losses and reputational damage for your business, as well as keeping your customers’ data safe.
Reduce risk of financial loss
Payment fraud can result in significant financial losses through chargebacks, refunds, or loss of goods. Then there’s the risk of fines and higher processing costs that can occur if too much of your payment volume is flagged as fraudulent. Fraud protection tools, such as fraud detection and authentication methods, help businesses avoid these losses.
Protect customer data
Keeping your customers’ data safe is not just important to earn their trust and loyalty, it’s also a regulatory requirement in many industries and regions. You have a responsibility to your customers to ensure your security systems are thorough, and you have fraud protection tools in place to reduce the risk of data leaks, identity theft, and more.
Build customer trust and loyalty
Reputational damage can go a long way in hurting your revenue. Although this may not be the only reason to protect customer data, it’s certainly a big consideration. The safer it is to spend on your platform, the more customer trust and loyalty you’ll build and maintain, and the more you’ll protect your business from reputational damage. Putting sophisticated fraud protection measures in place means your platform will be the safest it can be for consumers to spend on, giving them one less reason to shop elsewhere.
Stay compliant
Certain industry and regional regulations require you to uphold a certain level of data security or else face fines and penalties. Often, criminals will take advantage of weaknesses in your systems to commit fraud, which could expose lack of compliance if any corners have been cut. Advanced fraud protection covers all bases on the compliance front, ensuring you’re doing everything you can to protect customer data and your financial assets.
Prevent payment fraud with Checkout.com
Need help fighting fraud? Fraud Detection Pro is an enterprise-grade solution designed to tackle online payment fraud while balancing risk and maximizing revenue.
Fraud Detection Pro uses a hybrid of artificial intelligence and rules to prevent fraud. AI acts as your first line of defense, identifying patterns of legitimate and fraudulent behavior from vast swaths of data. Checkout.com processes billions of transactions globally, and we incorporate multiple signals on each transaction, such as email, device, and IP data.
As valuable as AI is for pattern recognition, it isn’t a silver bullet. It has blind spots, such as identifying edge cases and responding to types of fraud it hasn’t encountered before. This is where rules come in. There are scenarios where you want to block, accept, or send a transaction for further verification, and rules give you the granular control to do this.
Rules also matter during a live fraud attack: you must act fast to minimize the impact on your business, and rules are the ideal instrument for such use cases.
Fraud Detection Pro has a highly customizable rules engine where you can build rules from an extensive range of rule types and properties, including your own data and machine learning scores. Custom segments let you apply unique risk strategies to different segments depending on their risk profile, such as new customers or high-risk products.
Fraud Detection Pro empowers you with powerful fraud analytics, reporting, and testing, so you can maximize performance and continually evolve your strategy to stay ahead of fraud.
