eCommerce fraud defense: tools, tactics and results

Learn how eCommerce fraud works and how AI, 3DS and tokenization help merchants and issuers reduce chargebacks, cut false declines and protect revenue.

The evolution of eCommerce fraud

Digital commerce continues to grow at an extraordinary pace, with global online spending forecast to surpass $8 trillion by 2028.¹ And as eCommerce evolves, so does the risk of fraud attacks targeting merchants, issuers and payment networks. As a result, it’s never been more important to strike the right balance between strong, effective risk controls and a seamless customer experience.

Visa supports merchants in managing risk effectively and confidently approving more legitimate orders. But digital fraud doesn’t just impact merchants; it also affects financial institutions and issuers, with one study revealing that up to 30% of customers may leave their bank after a fraud event.²

Payment fraud is a key part of this broader ecosystem challenge, contributing to rising costs, customer attrition, and increased operational pressure. Here, we’ll look closely at how eCommerce fraud continues to evolve: what it is, how it works and how you can stay ahead of emerging threats. You’ll learn about the latest fraud tactics and the AI-driven tools and technologies enabling modern fraud detection and prevention.

What is eCommerce fraud?

eCommerce fraud occurs when online payment systems or shopping platforms are exploited to gain money, goods or sensitive information through deception or error. It often involves the misuse of stolen payment data, fake identities or manipulated transactions — but not all cases are deliberate. Sometimes, legitimate shoppers make unintentional mistakes, which result in disputes that are later classified as fraud. This type of behavior, known as friendly fraud or first-party misuse (FPM), isn’t always criminal in intent but can still have significant financial and operational impacts on merchants.

As digital commerce expands, tactics have grown faster, more complex and harder to manage effectively — and fraud thrives where raw card data, static passwords and siloed signals leave security gaps. What once involved simple card theft has evolved into coordinated, technology-driven schemes that exploit every stage of the online shopping journey — from account creation to checkout and post-purchase disputes. For merchants, issuers and payment providers, this means defending against a dynamic threat that continually adapts to new controls and technologies.

What is card-not-present fraud?

The majority of eCommerce fraud occurs in card-not-present (CNP) transactions, where the physical card isn’t required to complete a purchase. Without in-person verification, fraudsters find more opportunities to exploit stolen or synthetic credentials. Global losses from CNP fraud are forecast to reach $43.6 billion by 2027, making it one of the costliest challenges in digital payments. Compared to card-present (CP) transactions, CNP fraud rates are 7.5 times higher, reflecting the vulnerability of online channels to unauthorized use.³

CNP attacks often overlap with other payment-related threats, such as real-time payment (RTP) fraud, refund and policy abuse and FPM, which is sometimes called ‘friendly fraud’. Each method undermines merchant revenue, increases operational costs and erodes customer trust. For a deeper look at how these patterns intersect with broader payment risks, see our related article on payment fraud.

What are some common eCommerce fraud threats?

eCommerce fraud encompasses a wide range of tactics, each targeting different points in the digital transaction flow. The most prevalent include:

  • Account takeover: Fraudsters gain access to legitimate customer accounts through stolen credentials or phishing. Once inside, they make unauthorized purchases or change payment details.
  • Merchant fraud: In marketplace environments, fraudulent sellers may accept payments without fulfilling orders, deliver counterfeit goods, or launder stolen funds through fake storefronts.
  • New account or identity fraud: Criminals use stolen or fabricated identity information to open new accounts, obtain credit or exploit sign-up promotions.
  • Mule schemes: Fraudsters recruit or coerce intermediaries (‘money mules’) to move funds or goods on their behalf, obscuring the true source of the activity and complicating investigation.

eCommerce fraud extends far beyond simple theft and requires constant vigilance, advanced analytics and collaboration across the digital payments industry.

How does eCommerce fraud work?

eCommerce fraud doesn’t happen by accident; it’s the result of calculated, technology-enabled tactics that exploit weaknesses across the digital payments journey. Fraudsters today operate like organized businesses, combining stolen data, automation and, increasingly, artificial intelligence (AI) to test defenses and scale attacks. They move fast, targeting both technical systems and human behavior to extract maximum value before detection. For merchants, issuers and payment providers, understanding how these tactics work is essential to building layered protection that stops bad actors without disrupting genuine customers. Below is an overview of the most common eCommerce fraud tactics.

What are some common eCommerce fraud tactics?

  • Enumeration and card testing: Fraudsters use automated bots to submit large volumes of small, low-value transactions to determine whether stolen or guessed card details are valid. Once a card number is confirmed, it can be exploited for larger purchases or sold on illicit marketplaces.
  • Phishing and social engineering: Cybercriminals manipulate individuals (often customers or staff) into revealing confidential data such as login credentials, payment details or one-time passcodes. Once access is gained, fraudsters can move quickly, making unauthorized payments or taking over accounts.
  • Skimming and digital skimming: Skimming traditionally involves hardware devices capturing card data at physical terminals, but in eCommerce it has evolved into digital skimming or formjacking. Fraudsters inject malicious scripts into checkout pages or third-party plugins to silently capture payment data as customers enter it online.
  • Identity theft and synthetic identities: Stolen or fabricated identity information allows fraudsters to create new customer accounts, apply for credit or make fraudulent purchases. Synthetic identities, which are created by combining real and fake data, are particularly difficult to detect because they often pass standard verification checks.
  • Malware and hacking: Attackers exploit vulnerabilities in merchant websites, APIs or third-party integrations to access customer data, manipulate transactions or plant malicious code. Smaller merchants are often targeted due to weaker cybersecurity controls, but large enterprises are not immune to coordinated attacks.

What is the impact of eCommerce fraud on businesses?

  • Enterprises and merchants: Beyond direct revenue loss, fraud drives higher chargeback ratios, greater manual review costs and potential damage to brand reputation. However, overly cautious fraud filters can reduce acceptance rates and frustrate genuine customers.
  • Consumers: Shoppers experience unauthorized transactions, account lockouts and long resolution times. This can lead to loss of confidence in online shopping and the brands they purchase from.
  • Financial institutions: Issuers, acquirers and payment service providers absorb significant losses from fraud reimbursements and operational costs. When fraud erodes trust, customer churn increases, but on the other hand, overcorrection with stricter controls can also reduce approval rates and create friction across the payments chain.
  • Payments ecosystem: At a macro level, rising fraud contributes to higher transaction costs, more regulatory oversight and reduced trust in digital commerce. When fraud thrives, everyone in the ecosystem — from merchants to issuers to consumers — feels the impact.

What can businesses do about eCommerce fraud?

Merchants and enterprises operating eCommerce sites should focus their strategy on reducing fraud while increasing legitimate approvals. Some practical steps include:

  • Implement robust risk and fraud controls across the customer journey without causing unnecessary friction. The goal is to embed risk management within the payment and checkout flow so that good customers are minimally impacted while bad actors are blocked or challenged.
  • Shift fraud screening from manual to automated processes. We’re already seeing this trend playing out, with merchants now screening orders digitally (via software or other technologies) at an average rate of 52%, compared to 23% manually (via human analysis).⁴
  • Invest in AI and machine learning (ML) tools. Data-driven models can adapt to new fraud patterns faster than rule-based systems alone.
  • Use Compelling Evidence (CE) frameworks (such as CE3.0) to block and reverse fraudulent disputes. This strengthens the merchant’s ability to defend against chargebacks and hold the liability with bad actors.
  • Maintain strong anti-money laundering (AML) and anti-terrorist financing (ATF) programs in order to meet compliance requirements.
  • Adopt a layered defense strategy combining multiple technologies and signals:
    • Network intelligence and shared fraud data across merchants/issuers
    • Tokenization of payment credentials to minimize exposure
    • Real-time fraud detection (behavioral analytics, velocity checks, device fingerprinting)
    • Fraud management systems (case-management dashboards, alerting)
    • Customer authentication (for example 3DS, biometrics, step-up challenge)
    • Post-purchase monitoring (order anomalies, refund monitoring)
  • Monitor, adapt and iterate continuously. Attackers use ever-evolving tactics, so your defense must be proactive and agile.

When these measures work together, the business can cut fraud losses and lift approval rates. At the same time, they can enable more good transactions, fewer false declines and a better customer experience.
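A minimal sketch of the velocity check listed above, applied to the enumeration and card-testing pattern described earlier (an added example, not Visa's code or product logic; the thresholds, field names and sample events are constructed assumptions):

```python
from collections import defaultdict, deque

# All thresholds below are assumptions for illustration; tune against real traffic.
WINDOW_S = 60            # sliding window length in seconds
MAX_CARDS = 5            # distinct card tokens tolerated per source per window
LOW_VALUE = 2.00         # ceiling for a "small, low-value" attempt
MIN_DECLINE_RATE = 0.5   # share of declines that suggests guessed card details

def detect_card_testing(events):
    """events: time-ordered (ts, source, card_token, amount, approved) tuples.
    source is a device fingerprint or IP; card_token is a tokenized credential,
    so the detector never handles raw card numbers.
    Returns {source: timestamp of the first alert}."""
    windows = defaultdict(deque)
    alerts = {}
    for ts, source, card, amount, approved in events:
        win = windows[source]
        win.append((ts, card, amount, approved))
        while ts - win[0][0] > WINDOW_S:      # evict events older than the window
            win.popleft()
        low = [e for e in win if e[2] <= LOW_VALUE]
        cards = {e[1] for e in low}
        declines = sum(1 for e in low if not e[3])
        # Many different cards, low amounts, mostly declined: testing pattern.
        if len(cards) > MAX_CARDS and declines / len(low) >= MIN_DECLINE_RATE:
            alerts.setdefault(source, ts)
    return alerts

def sample_events():
    """Constructed authorization log, not real data."""
    # dev-A: eight different cards in 21 seconds, 1.00 each, one approval.
    bot = [(i * 3, "dev-A", f"tok-{i:03d}", 1.00, i == 5) for i in range(8)]
    # dev-B: one returning shopper using a single card.
    shopper = [(10, "dev-B", "tok-900", 1.50, True),
               (70, "dev-B", "tok-900", 45.00, True),
               (200, "dev-B", "tok-900", 12.99, True)]
    # dev-C: shared device, several cards, but spread over many minutes.
    shared = [(i * 120, "dev-C", f"tok-8{i:02d}", 1.99, True) for i in range(7)]
    return sorted(bot + shopper + shared)

if __name__ == "__main__":
    for source, ts in detect_card_testing(sample_events()).items():
        print(f"challenge or block {source}: card-testing pattern at t={ts}s")
```

Only dev-A is flagged; the returning shopper and the shared device pass, which is the false-decline side of the trade-off the thresholds control.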

How can Visa help prevent eCommerce fraud?

Visa provides a comprehensive suite of solutions designed to help merchants, issuers and acquirers mitigate fraud and optimize performance:

Collectively, these solutions leverage Visa’s global network and AI-driven intelligence to prevent over $40 billion in fraud annually. These capabilities enable merchants to turn data into action, defend against evolving threats and grow their eCommerce offer with confidence.

User stories

Client identified 27% more fraud with VDA⁵

Visa partnered with a large issuer to tackle the growing challenge of card-not-present (CNP) fraud as digital transaction volumes continued to rise. The issuer’s objective was clear: reduce CNP fraud without increasing false positives, improve approval rates for legitimate transactions and strengthen cardholder trust and brand reputation.

To meet these goals, the issuer participated in a 90-day pilot of Visa Deep Authorization (VDA) across its consumer and small business debit portfolios. VDA uses deep learning and AI-driven risk modeling to assess transaction risk in real time, leveraging Visa’s global network data, cardholder insights and merchant profiles. This advanced approach enabled the issuer to detect more fraudulent transactions while maintaining a seamless experience for genuine customers.

During the pilot, VDA helped identify 27% more fraud for the consumer portfolio and 40% more fraud for small business accounts compared to the issuer’s existing fraud detection system, while maintaining a low false-positive rate of 5:1. This translated into substantial cost savings and a strong return on investment, demonstrating how effectively VDA can balance fraud prevention with customer experience.

VRM helped a client realize a 31% decrease in fraud⁶

A medium-sized issuer in the Asia Pacific region, operating across two markets, was facing above-market fraud rates that were impacting both performance and customer confidence. Determined to reverse this trend, the issuer adopted Visa Risk Manager (VRM) in April 2020 to strengthen its fraud detection and prevention capabilities.

To further enhance outcomes, the issuer expanded its partnership by engaging Visa Managed Services for VRM later that year. This program provides access to Visa’s dedicated fraud experts, who work closely with issuers to fine-tune risk strategies, optimize rule performance and help ensure that the full potential of VRM is realized.

The results were immediate and measurable. Within three months of implementing Visa Managed Services, the issuer’s fraud rate dropped by 31%.⁷ In December alone, the optimized rules deployed through VRM successfully blocked 76% of attempted fraud, a dramatic improvement from 47% just three months earlier. Even more impressive, these gains came with improved precision — the issuer’s false positive ratio fell from 2:1 to under 1:1, demonstrating that fraud was reduced without compromising legitimate customer approvals.
