Online store fraud: Types, detection, and prevention

Radar
Radar

Fight fraud with the strength of the Stripe network.

Learn more 
  1. Introduction
  2. Key takeaways
  3. What is online store fraud?
  4. What are the common types of fraudulent online purchases?
    1. Stolen card fraud
    2. Card testing
    3. Friendly fraud
    4. Refund and return abuse
  5. How does online store fraud affect businesses?
    1. Chargebacks and account standing
    2. Processing costs
    3. Inventory and fulfilment losses
    4. Slower operations
  6. How can online stores detect fraudulent purchases?
    1. Order-level red flags
    2. Behavioural and account-level signals
  7. What are the best fraud prevention strategies for online stores?
    1. Require CVV and AVS checks
    2. Use 3D Secure (3DS) selectively
    3. Set velocity rules
    4. Tighten return and refund policies for risk segments
    5. Hold higher-risk orders for review
    6. Keep records
  8. Is your online store protected against fraud?
  9. How Stripe Radar can help

Online store fraud happens when someone obtains goods, services, or money from an ecommerce business through deception. It affects businesses in ways that don’t always appear immediately. A fraudulent transaction clears checkout, prompts fulfilment, and looks identical to a legitimate sale until the chargeback lands or the return package arrives empty. The card networks put liability for those losses on businesses by default, which means that detection and prevention are a necessary part of running an ecommerce business. By 2029, the number of chargebacks is expected to reach 359 million globally.

Below, we’ll go over common fraud types that target online stores, how to spot suspicious orders before they ship, and what a practical prevention setup looks like for businesses.

Key takeaways

  • Fraudulent purchases often look identical to legitimate ones at checkout, which makes preshipment detection a cost-effective point of intervention.

  • Chargebacks are a visible cost of fraud, but elevated dispute rates also prompt card network monitoring programmes that can threaten a business’s ability to accept payments.

  • A combination of checkout controls, velocity rules, and machine learning–based fraud detection gives businesses a layered defence that grows with order volume.

What is online store fraud?

Online store fraud is a deceptive or illegal transaction. It looks like a real purchase and processes like one. The damage arrives later in the form of chargebacks, reversed revenue, and lost inventory that has already been shipped.

What are the common types of fraudulent online purchases?

Four fraud types account for much of what online stores encounter. Each one looks different at the transaction level, but in each case, the business absorbs the loss.

Stolen card fraud

Someone obtains card credentials through phishing, data breaches, or criminal marketplaces and uses them to place orders before the real cardholder notices. High-value, easily resold items are common targets. When the legitimate cardholder disputes the charge, the business loses both the product and the revenue, and often absorbs a chargeback fee too.

Card testing

Before using stolen cards at scale, criminals run small test transactions to verify which cards are still active. Businesses with guest checkout and no velocity controls are frequent targets. Even if the tests don’t result in completed purchases, they generate authorisation fees and can prompt risk flags with the payment provider.

Friendly fraud

A real customer places a legitimate order, receives the goods, and then files a chargeback claiming the item never arrived, that the purchase was unauthorised, or that the product was defective. This type of fraud is particularly hard to fight because the transaction itself was real. Winning a dispute through chargeback representment typically requires delivery confirmation, Internet Protocol (IP) address logs, account history, and communication records.

Refund and return abuse

With this type of abuse, a customer returns an empty box, returns the wrong product, or claims nondelivery after receiving an order. It doesn’t generate chargebacks, but it erodes margins. Repeat offenders are often invisible until you look at the pattern across months of return data.

How does online store fraud affect businesses?

Online store fraud carries costs that exceed the original transaction amount. Here’s how to think about the full picture.

Chargebacks and account standing

The most immediate cost of online store fraud is the chargeback: the bank reverses the transaction, the business loses the revenue, and the goods are usually already gone. Card networks set thresholds on dispute rates and fraud levels. Businesses that exceed them enter monitoring programmes with escalating fees, and ultimately they can lose the ability to accept card payments entirely.

Processing costs

Fraud history signals risk to payment providers and underwriters. As a result, businesses with elevated chargeback ratios often pay more per transaction across the board, which means a compounding cost that hits every sale.

Inventory and fulfilment losses

Physical goods that ship before fraud is detected are usually unrecoverable. Digital goods are even more exposed because there’s nothing to intercept in transit.

Slower operations

Fraud response takes time and manual review queues grow. Policies tighten in ways that create friction for legitimate customers because a return policy designed to catch abuse can frustrate honest buyers. The costs don’t stay contained to the fraud itself.

How can online stores detect fraudulent purchases?

Detection can happen in both individual orders and patterns across orders or sessions. While no single signal confirms fraud every time, certain combinations warrant closer review.

Order-level red flags

As a business owner, make sure you pay close attention to your individual orders and watch for anomalies.

Here are some indicators that suggest fraud:

  • Billing and shipping address mismatch: This is especially suspicious when the shipping address is a freight forwarder, package reshipping service, or a different country than the billing address.

  • Expedited shipping on a first order: Fraudulent actors need goods fast, before the card is flagged. A first-time customer who chooses overnight shipping on a high-value order is worth scrutinising.

  • Multiple cards, one shipping address: Several failed card attempts before a successful one, all sent to the same delivery address, is a classic stolen card signal.

  • Unusually large order quantities: Ordering 10 units of an item that customers typically buy one of, particularly for resalable goods, fits a fraud or resale pattern.

  • Email addresses that look autogenerated: These might look like long random strings of characters, disposable domains, or addresses that don’t match the name on the order.

  • Inconsistent geolocation: When an IP address places the customer in one country, the billing address is in another, and the card was issued in a third, that inconsistency is a red flag.

Behavioural and account-level signals

If you examine orders as a whole, you’ll see different patterns emerge. Card testing appears as a spike in authorisation attempts: many cards, small amounts, short time frames, often from the same IP or device fingerprint. Account takeovers often show a login from an unfamiliar device or location followed immediately by a large order or an address change. Return abusers tend to cluster, which means the same customer account or household repeatedly tests the boundaries of your return policy. These patterns are difficult to catch with manual review alone, especially at high volume.

What are the best fraud prevention strategies for online stores?

No configuration stops all fraud without also blocking real customers. You want to reduce fraud to a manageable level and keep checkout intact for real transactions. Here are some best practices.

Require CVV and AVS checks

Card verification value (CVV) checks confirm the buyer has the physical card. Address verification service (AVS) checks compare the billing address against bank records. Neither is foolproof, but both help deter fraud, and you can set these checks to autodecline a transaction whenever there’s a mismatch in information.

Use 3D Secure (3DS) selectively

3D Secure (3DS) adds an authentication step—a one-time code or biometric confirmation—for higher-risk transactions. When the issuer authenticates the transaction, liability for fraudulent chargebacks shifts away from the business. The trade-off is a more involved checkout process, so many businesses apply it to orders with an elevated risk rather than universally.

Set velocity rules

You can limit the number of orders or authorisation attempts from a single IP address, device, or card within a rolling time window. This directly disrupts card testing.

Tighten return and refund policies for risk segments

You don’t have to apply the same policy to every customer. It can be beneficial to block refunds on digital goods after download, require photo evidence for damaged item claims, or flag accounts with multiple prior disputes.

Hold higher-risk orders for review

Instead of autofilling everything, build a queue for orders that hit multiple risk signals simultaneously. A short review window before shipping is typically a small cost compared to an unrecoverable loss.

Keep records

Collect and retain IP address, device fingerprint, delivery confirmation, email correspondence, and login history for every transaction you might need to dispute. Winning chargebacks depends on documentation.

Is your online store protected against fraud?

Many businesses discover their exposure when a fraud wave hits. By then, the losses are real, and the card network notices are already in motion. Closing the gap requires treating fraud as an ongoing operations problem rather than a one-time setup.

Start with your chargeback rate. If it’s above 0.5%, you already have a problem worth investigating. Once it goes above 1%, businesses in most industries can face penalties from payment providers and card networks. If it’s below 0.5%, it’s still worth examining the data already in your payments dashboard to determine which transaction types are driving what risk.

Card testing patterns change. Friendly fraud peaks in certain product categories and seasons. Return abuse follows policy gaps. The businesses that stay ahead of these issues pay attention and adjust when the patterns shift. Since manual review doesn’t typically scale well, tools such as Stripe Radar are built into the payments flow to evaluate every transaction as it comes in.

How Stripe Radar can help

Stripe Radar uses AI models to detect and prevent fraud, trained on data from Stripe's global network. It continuously updates these models based on the latest fraud trends, protecting your business as fraud evolves.

Stripe also offers Radar for Fraud Teams, which allows users to add custom rules addressing fraud scenarios specific to their businesses and access advanced fraud insights.

Radar can help your business:

  • Prevent fraud losses: Stripe processes over $1 trillion in payments annually. This scale uniquely enables Radar to accurately detect and prevent fraud, saving you money.

  • Increase revenue: Radar's AI models are trained on actual dispute data, customer information, browsing data and more. This enables Radar to identify risky transactions and reduce false positives, boosting your revenue.

  • Save time: Radar is built into Stripe and requires zero lines of code to set up. You can also monitor your fraud performance, write rules and more in a single platform, increasing efficiency.

Learn more about Stripe Radar or get started today.

The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accuracy, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent lawyer or accountant licensed to practise in your jurisdiction for advice on your particular situation.

More articles

  • Something went wrong. Please try again or contact support.

Ready to get started?

Create an account and start accepting payments – no contracts or banking details required. Or, contact us to design a custom package for your business.
Radar

Radar

Fight fraud with the strength of the Stripe network.

Radar docs

Use Stripe Radar to protect your business against fraud.