$48B Lost to ecommerce fraud globally in 2023
3x The real cost of every $1 lost to fraud
80% Of fraud involves stolen credentials, not hacking.
You fulfilled the order. You shipped the product. Then, three weeks later, a chargeback lands in your inbox and suddenly you're out both the goods and the money, while your payment processor is already eyeing your dispute rate. If this sounds familiar, you're not alone, and you're definitely not the one doing anything wrong. Online fraud has gotten sophisticated enough that even experienced merchants get caught off guard. The good news? Ecommerce fraud prevention isn't as complicated as the fraudsters want you to think. Once you know what you're actually looking for, much of it becomes pattern recognition, and you can build real defenses around those patterns.
What Exactly Is Ecommerce Fraud?
Ecommerce fraud is any deceptive act that results in financial loss for a merchant, customer, or payment provider during an online transaction. It's a broad category, and that breadth is part of what makes it tricky. The fraud affecting a dropshipping store looks different from the fraud affecting a digital software brand, which in turn looks different from what an enterprise fashion retailer deals with.
At its core, most fraud comes down to two things: someone using information or resources that aren't theirs, or someone exploiting a policy gap in your business. Knowing which type is targeting your store shapes how you respond.
The Most Common Types of Online Fraud (And How They Actually Work)
Card-Not-Present Fraud: Stolen card details used for online purchases where no physical card is needed. The most common type by volume.
Friendly Fraud: A real customer disputes a legitimate charge, claiming they never received the item or didn't authorize the purchase.
Account Takeover (ATO): Fraudsters use stolen credentials to log into existing customer accounts and make purchases or redirect rewards.
Refund & Return Fraud: Returning items that were never purchased (wardrobing), or claiming a non-delivery to get a refund and keep the goods.
Promo Abuse: Creating multiple fake accounts to exploit welcome offers, referral bonuses, or first-time discount codes repeatedly.
Triangulation Fraud: A fraudster places your goods between a fake storefront and a real buyer, using stolen cards to fulfill orders.
Each of these has a different fingerprint. Some show up in your order data. Some show up in customer service tickets. And some only become visible after you've already taken the loss, which is exactly why a detection-first mindset matters.
Red Flags You Can Actually Spot in Real-Time
Most fraud leaves traces. The problem is that merchants aren't always looking in the right places. Here are the signals worth paying attention to on every order, especially high-value ones.
Shipping and billing addresses don't match, especially if the shipping address is a freight forwarder or reshipping hub. Legitimate customers occasionally do this, but it's worth a second look on large orders.
Email address looks machine-generated: random strings of letters and numbers, or a very new Gmail/Outlook account with no digital footprint when cross-referenced.
Multiple orders from the same IP with different cards are a strong indicator of card testing, where fraudsters run small transactions to verify which stolen card details still work.
Express shipping on a first-time order. Fraudsters want goods fast, before the card is flagged. Overnight shipping requests from new accounts on high-value items are a classic signal.
Orders placed via a VPN or Tor exit node. Most legitimate shoppers don't mask their IP. If the IP location contradicts the billing address country, that's a meaningful mismatch.
Unusually high order value on a first purchase, especially for luxury goods, electronics, or items with high resale value. Fraudsters aren't cautious; they go for maximum gain per transaction.
Worth noting: No single signal is conclusive. A mismatch on shipping and billing might just be a gift order. It's the combination of multiple flags on the same transaction that warrants holding or reviewing the order.
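An added example (not from any particular fraud tool) of acting on the combination of flags rather than any single one. The order field names, the $500 high-value threshold, and the two-flag review cutoff are assumptions for illustration; the anonymizer flag is assumed to come from an IP reputation lookup done elsewhere.

```python
HIGH_VALUE = 500.00   # assumed threshold; set from your own order sizes
REVIEW_AT = 2         # assumed: two or more flags sends the order to review

def _norm(addr):
    """Compare addresses ignoring case, commas and spacing differences."""
    return " ".join(addr.lower().replace(",", " ").split())

def red_flags(order):
    """Return the list of red flags present on one order."""
    flags = []
    if _norm(order["shipping_address"]) != _norm(order["billing_address"]):
        flags.append("address_mismatch")
    if order["ip_country"] != order["billing_country"]:
        flags.append("ip_country_mismatch")
    if order["ip_is_anonymizer"]:   # VPN / Tor verdict supplied by caller
        flags.append("vpn_or_tor")
    first_order = order["prior_orders"] == 0
    if first_order and order["shipping_speed"] == "overnight":
        flags.append("express_first_order")
    if first_order and order["total"] >= HIGH_VALUE:
        flags.append("high_value_first_order")
    return flags

def decide(order):
    """Hold for review only when several flags land on the same order."""
    flags = red_flags(order)
    return ("review" if len(flags) >= REVIEW_AT else "fulfill"), flags

# Constructed sample orders.
GIFT_ORDER = {
    "billing_address": "12 Elm St, Springfield",
    "shipping_address": "88 Oak Ave, Portland",
    "billing_country": "US", "ip_country": "US", "ip_is_anonymizer": False,
    "prior_orders": 4, "shipping_speed": "standard", "total": 120.00,
}
RISKY_ORDER = {
    "billing_address": "12 Elm St, Springfield",
    "shipping_address": "Unit 9, Freight Hub Rd, Miami",
    "billing_country": "US", "ip_country": "NL", "ip_is_anonymizer": True,
    "prior_orders": 0, "shipping_speed": "overnight", "total": 1899.00,
}

if __name__ == "__main__":
    for name, order in [("gift", GIFT_ORDER), ("risky", RISKY_ORDER)]:
        print(name, decide(order))
```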
How to Build a Practical Ecommerce Fraud Prevention Stack
There's a version of fraud prevention that involves buying a $40,000 enterprise tool and hoping it does the heavy lifting. That's not what most stores need, especially in the early- to mid-growth stage. What actually works is a layered approach: small, specific controls that stack on top of each other.
1. Enable AVS and CVV verification at checkout
Address Verification Service (AVS) checks whether the billing address matches what's on file with the card issuer. CVV verification confirms the buyer physically has the card. These are basic but effective first filters, and they're already built into most payment processors. Make sure they're turned on, and configure failed-match orders to hold for review rather than auto-cancel (which can frustrate legitimate customers).
2. Use a fraud scoring tool that fits your volume
Tools like Signifyd, Kount, or even Shopify's built-in risk analysis assign a risk score to every order based on dozens of signals, including device fingerprint, IP reputation, order velocity, and more. At low to mid volume, even a basic rule-based system can catch a significant portion of fraudulent orders without requiring manual review of every transaction.
3. Set velocity rules for card testing
Card testing is almost always volume-based; bots will try dozens or hundreds of small transactions in a short window. Set a rule that flags or blocks multiple failed payment attempts from the same IP or device within a defined time period. Even a simple rate limit on checkout attempts can shut down a card testing attack before it scales.
4. Verify high-risk orders manually before fulfillment
For orders above a certain value threshold (you'll define this based on your margins and typical order size), build a quick human review step. This doesn't have to be elaborate: a 90-second check of the order details against the red flags above, with a follow-up email to the customer if anything seems off. Most legitimate customers respond quickly; fraudsters usually don't.
5. Document everything for chargeback defense
Even with the best ecommerce fraud prevention setup, some chargebacks will come through. When they do, your ability to dispute them depends entirely on documentation: IP logs, delivery confirmations, correspondence with the customer, and signed order confirmations. Capture and store this automatically for every transaction; it's cheap insurance against friendly fraud.
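The velocity rule from step 3, as an added example rather than code from any payment processor: a sliding window per IP that flags bursts of failed payments and, per the red-flag list, many different cards from one address. The 10-minute window, the thresholds, and the attempt tuple layout are assumptions; the sample attempts are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed limits; tune to your own traffic.
WINDOW = timedelta(minutes=10)
MAX_FAILURES = 5        # failed payments per IP inside the window
MAX_DISTINCT_CARDS = 3  # different cards per IP inside the window

# Constructed sample attempts: (timestamp, ip, card fingerprint, succeeded)
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_ATTEMPTS = (
    # Burst: six failures, six different cards, 20 seconds apart.
    [(T0 + timedelta(seconds=20 * i), "203.0.113.7", f"card-{i}", False)
     for i in range(6)]
    # Shopper who mistypes twice, then pays with the same card.
    + [(T0 + timedelta(minutes=m), "198.51.100.20", "card-A", ok)
       for m, ok in [(1, False), (2, False), (3, True)]]
    # Five failures spread over two hours: never five inside one window.
    + [(T0 + timedelta(minutes=30 * i), "192.0.2.55", "card-B", False)
       for i in range(5)]
)

def detect_card_testing(attempts, window=WINDOW,
                        max_failures=MAX_FAILURES,
                        max_cards=MAX_DISTINCT_CARDS):
    """Return {ip: set of tripped rules} using a sliding window per IP."""
    recent = defaultdict(deque)   # ip -> attempts still inside the window
    flagged = defaultdict(set)
    for ts, ip, card, ok in sorted(attempts):
        q = recent[ip]
        q.append((ts, card, ok))
        while ts - q[0][0] > window:   # evict attempts older than the window
            q.popleft()
        if sum(1 for _, _, succeeded in q if not succeeded) >= max_failures:
            flagged[ip].add("failed_attempts")
        if len({c for _, c, _ in q}) >= max_cards:
            flagged[ip].add("distinct_cards")
    return dict(flagged)

if __name__ == "__main__":
    for ip, rules in detect_card_testing(SAMPLE_ATTEMPTS).items():
        print(ip, sorted(rules))
```

The same function works keyed on a device fingerprint instead of an IP; only the second tuple field changes.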
What About Customer Experience? Won't All This Friction Hurt Sales?
It's a fair question, and it's one of the reasons many merchants underinvest in fraud controls. The fear is that adding friction kills conversions. But the data on this is more nuanced than the concern suggests. Friction that's invisible to legitimate users, like backend fraud scoring, IP analysis, or device fingerprinting, adds zero checkout friction. Friction that matters is the blunt kind: demanding phone verification on every single order, adding captchas to every page load, or holding all orders for 48-hour manual review.
The goal of smart fraud prevention is to increase friction for fraudsters without increasing it for legitimate customers. Good fraud-scoring tools are built precisely around this distinction. Strong customer retention depends partly on building a trustworthy, secure experience that makes buyers feel confident their data is protected, which is why fraud prevention and customer experience are more aligned than they're at odds.
The Bottom Line
Fraud isn't going away. If anything, it gets more sophisticated every year, partly because the tools available to fraudsters have improved and partly because the volume of ecommerce transactions gives them more surface area to work with.
But merchants aren't helpless here. Most fraud exploits predictable patterns, and predictable patterns can be detected, scored, and acted on before the loss happens. Start with the basics: AVS and CVV on, a fraud scoring layer in place, velocity rules for card testing, and a clear manual review process for high-risk orders. Then build from there as your order volume and risk profile grow.
You don't need a perfect system. You need a system that's harder to crack than the average target, and that's more achievable than it sounds.
Frequently Asked Questions
What is the most common type of ecommerce fraud?
Card-not-present (CNP) fraud is the most common type by volume. It happens when a fraudster uses stolen credit card details to make purchases online, with no physical card needed. Because the card never needs to be swiped, it's much harder to catch than in-person fraud. Friendly fraud (legitimate customers disputing real charges) is a close second, particularly for stores with a high-return-rate product category.
How do I know if my ecommerce store is being targeted by fraud?
The early signs include: a spike in failed payment attempts (often card testing), multiple orders shipping to the same address under different names, an unusual uptick in chargeback requests, or orders with mismatched billing and shipping details. Some fraud is obvious in real time; other types (like friendly fraud) only surface weeks later, when the dispute arrives. Setting up automated alerts for these patterns in your payment processor or fraud tool is the fastest way to catch activity early.
Does Shopify have built-in fraud protection?
Yes, Shopify includes a basic fraud analysis tool that flags orders as low, medium, or high risk based on signals like IP location, card verification results, and order patterns. It's a useful starting point, but not a complete solution on its own. For stores with significant order volume or high-value products, pairing Shopify's built-in analytics with a dedicated fraud-scoring app like Signifyd or NoFraud provides substantially better protection and chargeback coverage.
What is friendly fraud, and how can I prevent it?
Friendly fraud (also called chargeback fraud) happens when a real customer disputes a legitimate charge, claiming they never received the item, don't recognize the transaction, or that it was unauthorized. It's called "friendly" because it comes from someone who actually made a purchase, not an outside bad actor. Prevention comes down to documentation: delivery confirmation with tracking, clear product descriptions that match what was received, and a record of all customer communication. If you can show the dispute is invalid, most card networks will side with you.
How much does ecommerce fraud prevention software cost?
It varies widely by solution type. Entry-level fraud tools and Shopify apps typically run $20–$100/month for low-volume stores. Mid-tier solutions with machine-learning-based scoring (like Kount or Sift) generally start at $500–$1,500/month and scale with transaction volume. Enterprise platforms with chargeback guarantees (like Signifyd) often charge a percentage of protected order value, typically 0.1% to 0.5%. For most growing stores, starting with a mid-tier tool and scaling up as order volume increases is the most cost-efficient path.