The shift to digital payments has benefited commerce as well as fraudulent actors. Online payment fraud is a risk of ecommerce, especially since recent high-profile breaches have exposed many Australians’ financial data. In 2025, scams cost Australians more than $2 billion Australian dollars (AUD).
Below, we’ll discuss how payment fraud types work and solutions worth implementing.
Highlights
Card-not-present (CNP) fraud accounts for most card fraud losses in Australia.
Effective fraud prevention layers multiple controls (e.g., velocity checks, address verification, 3D Secure authentication) instead of relying on any single mechanism.
Strong fraud tools apply machine learning across a global transaction network. This gives Australian businesses access to a broader range of fraud signals.
What is payment fraud in Australia?
Payment fraud is any attempt to obtain money or goods through deception in a transaction, and it is a financially damaging form of cybercrime. In 2024, Australian businesses lost more than $152 million AUD to payment redirection scams. CNP environments, where the physical card never changes hands, are particularly vulnerable to fraud.
How does payment fraud work in Australia?
Payment fraud often follows a predictable sequence, even when the specific method varies. Criminals first obtain card details, account credentials, or personal information through phishing attacks, data breaches, or purchasing stolen data on dark web marketplaces. Recently, several high-profile breaches have occurred in Australia, and the cardholder data exposed in those incidents can be used for fraud.
After fraudulent actors have the data, they verify it by running low-value transactions across multiple businesses to confirm which card numbers are active. These attacks often go unnoticed until the larger fraudulent purchases follow. With verified credentials in hand, criminals then make purchases directly or sell the validated card data to others who will. In CNP fraud, this means buying high-value, easily resalable goods that can be converted to cash quickly.
In account takeover (ATO) scenarios, fraudulent actors change shipping addresses, drain store credit, or use saved payment methods before the legitimate account holder notices. The business is usually the last to know. By the time a chargeback is requested, the goods are gone.
What are common types of payment fraud that affect Australian businesses?
CNP fraud, ATO, and friendly fraud are three of the most common fraud types that affect Australian businesses. Here’s how each works:
CNP fraud: This is Australia’s most prevalent fraud category, representing 90% of total card fraud in 2023, and it happens when stolen card details are used to make online purchases. High-profile breaches compound the risk by exposing a large volume of card data. A fraudulent actor with access to a list of verified Australian card numbers can run automated purchase attempts across hundreds of businesses simultaneously.
ATO: ATO fraud targets your existing customers instead of exploiting raw card data. A fraudulent actor gains access to a legitimate customer account, usually through credential stuffing (i.e., when stolen username and password combinations from one breach are tried across other platforms), then uses saved payment methods and account history to make purchases. This fraud is more difficult to catch because the transaction looks like it’s coming from a known customer. A shipping address change or a sudden high-value order might be the only warning sign.
Friendly fraud and dispute abuse: Friendly fraud occurs when a genuine cardholder makes a legitimate purchase and then disputes it with their bank, claiming it was unauthorised. Sometimes, this is deliberate (the customer keeps the goods and recovers the money). Other times, it’s caused by genuine confusion (the customer doesn’t recognise the business name on their statement). Either way, the business bears the cost. In Australia, the chargeback process puts the burden of proof on the business, and winning a dispute takes time and administrative effort.
How can Australian businesses detect and prevent payment fraud?
Fraud prevention is a set of layered controls. The right combination depends on what you’re selling, to whom, and through which channels.
Common methods include:
Velocity checks and transaction monitoring: Card testing attacks are often detectable through velocity signals. You might see multiple small transactions from the same Internet Protocol (IP) address, device, or card number in a short time. Setting thresholds that flag or block these patterns stops the testing phase before the larger fraud follows. Payments infrastructure typically offers some version of this, but the rules must be tuned to your transaction profile.
Card verification value (CVV) matching and address verification: CVV matching requires the three- or four-digit security code from the physical card. Address verification service (AVS) checks (i.e., comparing the billing address entered at checkout against what the card issuer has on file) are another option. Neither is foolproof, but using them together raises the cost of fraud attempts and prevents the laziest attacks.
Manual review queues: Some transactions warrant human eyes. Orders with mismatched billing and shipping addresses, first-time customers who are placing large orders, and purchases that ship to freight forwarders are worth reviewing before fulfilment. The economics of manual review depend on your order volume and average order value, but having a clear escalation path matters.
Know your own patterns: Your historical transaction data is one of your most useful tools for online payment fraud detection. Unusual peaks in orders from specific geographies, sudden increases in declined cards, or new customers who disproportionately buy gift cards are all worth investigating. These signals won’t appear in generic fraud rules, so you have to know what normal looks like for your business.
3D Secure 2 (3DS2): This protocol authenticates online card transactions and often happens silently in the background through device fingerprinting and behavioural data. In some cases, it can shift liability for fraud-related chargebacks from the business to the card issuer. That liability shift is a concrete risk reduction mechanism for Australian businesses that sell to customers.
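The velocity check described in the list above, sketched as an added example (not code from this article or from Stripe). It flags bursts of small-value attempts and many distinct cards seen from one IP address or device inside a sliding window. The thresholds, field names, and sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration only; tune them to your own transaction profile.
WINDOW = timedelta(minutes=10)
SMALL_AMOUNT_AUD = 5.00   # "low-value" cut-off typical of card testing
MAX_SMALL_ATTEMPTS = 3    # small transactions allowed per IP/device/card in WINDOW
MAX_DISTINCT_CARDS = 3    # distinct cards allowed per IP/device in WINDOW

class VelocityMonitor:
    def __init__(self):
        self._small = defaultdict(deque)  # (dim, value) -> timestamps of small attempts
        self._cards = defaultdict(deque)  # (dim, value) -> (timestamp, card token)

    def check(self, txn):
        """Record txn and return the list of velocity rules it trips (empty = pass)."""
        ts, reasons = txn["ts"], []
        for dim in ("ip", "device", "card"):
            key = (dim, txn[dim])
            if txn["amount"] <= SMALL_AMOUNT_AUD:
                seen = self._small[key]
                seen.append(ts)
                while ts - seen[0] > WINDOW:   # evict events older than the window
                    seen.popleft()
                if len(seen) > MAX_SMALL_ATTEMPTS:
                    reasons.append(f"small-amount velocity on {dim}")
            if dim != "card":
                cards = self._cards[key]
                cards.append((ts, txn["card"]))
                while ts - cards[0][0] > WINDOW:
                    cards.popleft()
                if len({c for _, c in cards}) > MAX_DISTINCT_CARDS:
                    reasons.append(f"many cards from one {dim}")
        return reasons

def run_sample():
    """Constructed sample: five $1 attempts with different cards, then normal traffic."""
    t0 = datetime(2025, 1, 1, 12, 0)
    txns = [{"id": f"t{i}", "ts": t0 + timedelta(minutes=i), "amount": 1.00,
             "ip": "203.0.113.7", "device": "dev-1", "card": f"tok_{i}"} for i in range(5)]
    txns.append({"id": "legit", "ts": t0 + timedelta(minutes=6), "amount": 120.00,
                 "ip": "198.51.100.20", "device": "dev-2", "card": "tok_x"})
    txns.append({"id": "later", "ts": t0 + timedelta(minutes=40), "amount": 1.00,
                 "ip": "203.0.113.7", "device": "dev-1", "card": "tok_9"})
    monitor = VelocityMonitor()
    return {t["id"]: monitor.check(t) for t in txns}

if __name__ == "__main__":
    for txn_id, reasons in run_sample().items():
        print(txn_id, "FLAG" if reasons else "ok", reasons)
```

The monitor expects transactions in timestamp order and keeps card tokens rather than card numbers, so the counters never hold raw cardholder data.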
Stripe Radar is Stripe’s built-in fraud detection system. Because Stripe processes payments for millions of businesses globally, Radar can identify fraud patterns across that entire network. While no fraud system eliminates fraud entirely, Radar reduces risk and shifts the economics. It can handle automated and opportunistic fraud that would otherwise require substantial manual effort to catch, but remember that determined, sophisticated attacks still require human attention.
How Stripe Radar can help
Stripe Radar uses AI models to detect and prevent fraud, trained on data from Stripe's global network. It continuously updates these models based on the latest fraud trends, protecting your business as fraud evolves.
Stripe also offers Radar for Fraud Teams, which allows users to add custom rules addressing fraud scenarios specific to their businesses and access advanced fraud insight.
Radar can help your business:
Prevent fraud losses: Stripe processes over $1 trillion in payments annually. This scale uniquely enables Radar to accurately detect and prevent fraud, saving you money.
Increase revenue: Radar's AI models are trained on actual dispute data, customer information, browsing data and more. This enables Radar to identify risky transactions and reduce false positives, boosting your revenue.
Save time: Radar is built into Stripe and requires zero lines of code to set up. You can also monitor your fraud performance, write rules and more in a single platform, increasing efficiency.