Merchant fraud – the basics: What businesses need to know


Fight fraud with the strength of the Stripe network.

Learn more 
  1. Introduction
  2. What is merchant fraud?
  3. How does merchant fraud work?
  4. What types of businesses are affected by merchant fraud?
  5. How does merchant fraud hurt businesses?
  6. How to prevent merchant fraud
  7. How Stripe can help

Launching a new merchant business has never been easier. In just a few minutes, digital entrepreneurs can set up a storefront and payment gateway. They are then ready to start accepting payments from customers. However, the rise in global e-commerce retail – predicted to increase by 56% to more than US$8 trillion dollars by 2026 – has also created more opportunities for fraudulent actors to exploit vulnerabilities in the payment system. This represents a liability for both consumers and businesses.

The average volume of monthly fraud attacks increased by 9% for US retailers year-on-year, while the average number of successful monthly fraud attempts increased by nearly 45% for mid to large retailers and 27% for small business retailers.

Merchant fraud affects businesses of all sizes and types. Consequences can be severe, including financial losses, reputational damage and legal penalties. We'll cover what businesses need to know about merchant fraud, how it works, the damage it can cause and how businesses can protect themselves.

What's in this article?

  • What is merchant fraud?
  • How does merchant fraud work?
  • What types of businesses are affected by merchant fraud?
  • How does merchant fraud hurt businesses?
  • How to prevent merchant fraud
  • How Stripe can help

What is merchant fraud?

Merchant fraud is a type of fraud in which someone poses as a legitimate business to deceive consumers and make illegitimate profits.

Merchant fraud is primarily a type of criminal activity in which an individual or group seeks to exploit the payment systems and processes that underpin the world of commerce, in order to steal from unsuspecting businesses and consumers.

Merchant fraud can take many forms:

  • Credit card fraud
    One of the most common types of merchant fraud is credit card fraud, in which criminals use stolen or counterfeit credit cards to make purchases. In cases of merchant fraud, stolen credit card numbers might be used to transact with fake businesses to defraud credit card companies. The prevalence of credit card fraud highlights the need for businesses to have tight security protocols and to be able to quickly detect and respond to suspicious transactions.

  • Account takeover fraud
    Account takeover fraud occurs when fraudulent actors gain access to a customer's account credentials, such as their username and password, to make fraudulent purchases. This type of fraud can be more difficult to detect, as it frequently appears as though the legitimate account holder is making the purchase.

  • Phishing scams
    Phishing scams involve fraudulent actors sending emails or messages to individuals, often in an attempt to obtain sensitive information, such as login details or credit card numbers. These scams can be highly sophisticated and can fool even the savviest internet users, making phishing a significant threat to businesses and their customers.

  • Identity theft
    Identity theft occurs when fraudulent actors obtain possession of an individual's personal information, such as their name, address and Social Security number, to make fraudulent purchases or open new lines of credit in their name. Identity theft can have devastating consequences for both individuals and businesses, highlighting the importance of strong data protection and privacy measures.

How does merchant fraud work?

Merchant fraud scams that involve fraudulent actors posing as legitimate businesses can take many forms. In some cases, the fraudulent actors may create fake online storefronts or social media accounts that look like legitimate businesses, with the goal of tricking customers into making purchases. These fraudulent storefronts may offer goods at extremely low prices or advertise hard-to-find items to entice unsuspecting customers.

In some cases, once a customer has made a purchase, the fraudulent actors may either send a counterfeit or inferior product. Alternatively, they may simply disappear without delivering the product at all. In other cases, the fraudulent actors may use the customer's credit card information to make additional fraudulent purchases, leading to further financial damage.

Another example of merchant fraud scams involves the sale of counterfeit goods through online marketplaces. Fraudulent actors may create fake product listings and use stock photos to make it appear as though the products are genuine. Customers who purchase these counterfeit items may receive low-quality or dangerous items, such as toys that are poorly constructed.

What types of businesses are affected by merchant fraud?

Merchant fraud is a growing problem that affects businesses of all types and sizes. While all businesses are at risk of merchant fraud, there are certain industries and business types that tend to see the highest occurrence of fraud.

  • E-commerce
    E-commerce businesses typically see a high occurrence of merchant fraud. This is because online transactions are harder to verify than in-person transactions. Fraudulent actors can exploit vulnerabilities in the payment processing system to steal from businesses and their customers. Digital products, such as software or online courses, are particularly vulnerable because a fraudulent actor, posing as a legitimate customer, can claim that they did not receive the product or did not find it satisfactory.

  • Travel and hospitality
    The travel and hospitality industry is also at high risk of merchant fraud, as it often involves high-value transactions and complex payment processing systems. Fraudulent actors may use stolen credit card numbers to book hotel rooms, flights or hire cars. For example, in 2018, Marriott International experienced a data breach that exposed the financial information of over 500 million customers. The breach was later linked to a Chinese state-sponsored hacking group.

  • Retail
    Retail businesses are also at risk of merchant fraud, as they often sell high-value goods and operate in a fast-paced environment that can make it more challenging to detect fraud in real time. Fraudulent actors may use stolen credit card numbers to purchase expensive items, such as jewellery or electronics, or may engage in "return fraud" by claiming that they returned a product in order to receive a refund, without actually returning the product.

  • Digital goods and services
    Businesses that sell digital goods and services, such as software or online courses, are also highly vulnerable to merchant fraud. In these cases, fraudulent actors might use stolen credit card numbers to purchase digital goods or may dispute the charge after accessing the product and receiving the benefit.

How does merchant fraud hurt businesses?

Merchant fraud can target consumers directly without specifically targeting a legitimate business. However, it can also involve the penetration and exploitation of legitimate businesses. Not only can these scams pose a financial risk to customers, but they can also damage the reputation of legitimate businesses targeted by fraudulent actors. Here are a few key areas where these impacts can be felt:

  • Business reputation
    Merchant fraud that involves fraudulent actors posing as legitimate businesses can damage consumer trust, leading to a decline in sales and revenue. This is especially true in industries where merchant fraud is more prevalent. If a certain type of business becomes associated with fraudulent activity, then even legitimate businesses might have a harder time gaining and keeping consumer trust.

  • Financial losses and chargebacks
    Businesses that fall victim to merchant fraud scams may be subject to chargebacks and other financial liabilities, resulting in revenue losses, as well as additional fees and penalties.

  • Legal consequences
    Businesses that fall victim to merchant fraud scams may also face legal consequences, such as fines or lawsuits, if they are found to have been negligent in their fraud prevention measures.

  • Higher payment processing fees
    An elevated frequency of merchant fraud in some industries or sectors can result in higher payment processing fees for legitimate businesses. To compensate for the increased risk, payment processors may charge higher fees to businesses in high-risk industries or to businesses that have a high incidence of chargebacks. Read more here about how Stripe defines and handles high-risk merchants.

How to prevent merchant fraud

Merchant fraud is a complex and multi-faceted problem that requires constant vigilance and a proactive preventative approach. It's important for businesses to understand the risks of merchant fraud, take measures to protect themselves and create playbooks for taking a proactive approach to tackling merchant fraud. By educating themselves about the different types of merchant fraud and implementing robust fraud prevention measures, businesses can protect themselves and their customers.

Here are some measures that businesses can take to prevent, detect and combat merchant fraud:

  • Implement fraud prevention tools
    Fraud prevention tools such as fraud detection software, address verification systems and device fingerprinting can help businesses to prevent fraudulent transactions. These tools use algorithms to detect and flag suspicious transactions, such as purchases made with stolen credit card information or from a high-risk location.

  • Use 3D Secure authentication
    3D Secure is an extra layer of security that requires customers to enter a password or code to verify their identity when making an online purchase. This can help to prevent fraudulent transactions and protect businesses against chargebacks, which occur when customers dispute charges and demand a refund from the business.

  • Provide employees with fraud prevention training
    Businesses should train employees to recognise the signs of fraud, such as unusual customer behaviour or suspicious transactions. Employees should also know how to report and respond to suspected fraud incidents. This includes proper handling of personal information and secure payment processing.

  • Monitor transactions for unusual patterns
    A good rule when it comes to fraud detection is that if something looks odd, it's worth digging deeper. Businesses should monitor transactions for unusual patterns, such as multiple transactions from the same IP address or multiple transactions from different cards with the same billing address, as these patterns may indicate fraudulent activity. By identifying and flagging suspicious transactions, businesses can prevent fraud before it occurs.

  • Conduct background checks
    A key part of preventing merchant fraud is making sure that you know exactly who is on your team. Businesses should conduct background checks on employees and vendors to ensure that they do not have a history of fraud. This helps to minimise the risk of insider fraud, which occurs when an employee or vendor intentionally commits fraud.

  • Establish robust policies and procedures
    Businesses should establish policies and procedures for preventing and detecting fraud. This includes guidelines for accepting credit cards, verifying identities and handling chargebacks. Policies and procedures should be reviewed and updated regularly and as needed to keep up with new fraud trends. Fraud detection and prevention solutions such as Stripe Radar, which leverages millions of data points from businesses across the world to refine and update its approach to combatting fraud, can make this process much more effortless for businesses by automating it without requiring significant internal resources.

  • Use encryption and secure data storage
    Businesses should use encryption to protect customer data. They should also ensure that their both their physical and digital data storage is secure to prevent unauthorised access to sensitive information. By safeguarding customer data, businesses can help prevent identity theft and protect their own reputation with customers.

  • Stay up to date with fraud trends
    Businesses should stay informed about the latest fraud trends and update their fraud prevention measures. This includes attending industry events, subscribing to newsletters and other publications, and networking with other business owners.

How Stripe can help

For modern businesses, defending themselves against fraud means adopting the right operational protocols and tech solutions, both in house and using third-party providers. For example, Stripe offers a variety of features and tools that can help businesses protect against merchant fraud.

  • Stripe Radar
    Stripe Radar is a powerful and comprehensive fraud detection solution that uses machine learning to identify and block fraudulent transactions. It analyses a variety of data points, such as the customer's location, device information and purchase history, to determine the likelihood of a transaction being fraudulent. If a transaction is flagged as high risk, Stripe can block it automatically or require additional verification steps, such as 3D Secure authentication.

  • Chargeback protection
    Chargebacks can be a major nuisance for businesses, especially when they result from fraudulent transactions. Stripe offers chargeback protection, which covers businesses against fraudulent chargebacks. If a chargeback occurs, Stripe will dispute it automatically on behalf of the business, saving them time and money.

  • Real-time transaction monitoring
    Stripe Radar provides real-time transaction monitoring, which uses machine learning to identify and flag suspicious transactions as they occur, such as those with high-value amounts or those made from high-risk locations. This decreases the amount of time between when a fraudulent transaction is attempted and when it's detected.

  • 3D Secure 2
    Stripe supports 3D Secure 2 (3DS2) on all payments APIs and Checkout, which allows businesses to apply 3D Secure to high-risk payments. 3DS2 is the main card authentication method used to meet Strong Customer Authentication (SCA) requirements in Europe and allows businesses to request exemptions to SCA.

  • Cutting-edge customer authentication
    For businesses that operate in Europe, customer authentication is another important consideration that Stripe upholds. SCA is a requirement of the European Union's Payment Services Directive 2 (PSD2). It requires customers to provide two-step authentication, such as a password or code, when making certain types of online payments. Stripe solutions support adherence to SCA, which can help businesses to prevent fraudulent transactions and reduce the risk of chargebacks.

  • Customisable fraud rules
    Stripe allows businesses to customise their fraud prevention rules to fit their specific needs. For example, businesses can set rules based on the customer's location, IP address or purchase history. This allows businesses to tailor their fraud prevention measures to their particular business model and risk profile.

Across the range of interlocking fraud protection solutions that Stripe offers, these fraud prevention and detection tactics and parameters are evolving constantly to keep up with new fraud trends and help businesses stay one step ahead of potential fraudulent actors. By partnering with Stripe, businesses have access to a best-in-class fraud strategy that performs across their entire commerce ecosystem, without needing to devote significant internal resources to manage it. Learn more here.

The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accurateness, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent attorney or accountant licensed to practice in your jurisdiction for advice on your particular situation.

Ready to get started?

Create an account and start accepting payments – no contracts or banking details required. Or, contact us to design a custom package for your business.