E-commerce & Card Fraud

Card-not-present fraud, friendly fraud, chargeback schemes, and digital marketplace fraud investigation

By Benjamin, Fraud Attacks · Updated

E-commerce fraud is the use of stolen card data, false identities, or abused chargeback rights to extract goods or money from online merchants. It splits roughly into three buckets: card-not-present fraud by external attackers, friendly fraud by real cardholders abusing the dispute system, and merchant-side fraud where the business itself is the criminal. Each bucket loads costs onto a different party.

The Phantom Buyers

Priya noticed the pattern in week three.

It started with a single chargeback. $1,200 laptop, purchased Monday, delivered Wednesday, disputed Friday. Standard card-not-present fraud. She flagged it and moved on.

Then seven more. Then fourteen. All high-value electronics. All delivered successfully. All disputed as unauthorized.

But here's what didn't fit: the chargebacks came from cardholders in Boston, Phoenix, Seattle. The orders shipped to Atlanta, Tampa, Portland. Different cities entirely.

She checked the shipping addresses. Real people lived there. Real people who had ordered, received their items, and left positive reviews.

Priya pulled the delivery confirmation photos. Smiling customers holding their new laptops. Happy buyers who had no idea they were in the middle of a crime.

Priya found the name on one of the Atlanta deliveries. Sent a message through the retailer's customer service system. "Quick follow-up on your recent laptop order. Mind if I ask where you first heard about us?"

The reply came the next morning. "I ordered through TechDealsUSA.com. Got a great price, 40% off. Is there a problem?"

There it was. The customer had never heard of Luxe Electronics. She'd ordered from a fake storefront that took her money, then used stolen cards to fulfill the order through the real retailer. The Boston cardholder whose card was charged had never ordered anything.

Triangulation fraud. The fake storefront took orders from real customers at discount prices. Fulfilled them using stolen cards on legitimate retailers. Everyone got what they wanted, except the real cardholders.

Three weeks. $47,000 in fraudulent purchases. All paid for with stolen credit cards.

This story is fictional, but the patterns are real.


Why This Matters

In Payment Systems 101, you learned how card transactions flow through multiple parties and why the authorization-settlement gap creates opportunities for fraud. In Wire & ACH Fraud, you saw how criminals exploit irreversible payment rails for high-value theft.

E-commerce fraud operates differently. Card transactions offer something wire transfers don't: the possibility of reversal through chargebacks. Chargebacks cut both ways. They protect consumers from fraud, but criminals and dishonest customers alike exploit the same protection for profit.

Global e-commerce fraud losses run in the tens of billions annually and continue to grow. North America accounts for a disproportionate share of the global total.

What makes e-commerce fraud unique is its variety. Criminals can attack merchants directly using stolen card data. Customers themselves can become fraudsters through false chargeback claims. Third parties can insert themselves as invisible middlemen. And the same transaction data that makes online shopping convenient also makes identity theft easier than ever.


How Card-Not-Present Fraud Works

Why is card-not-present fraud the dominant attack?

Card-present fraud requires physical access to a card. A criminal needs a skimmer, a cloned card, or the actual stolen wallet. Card-not-present (CNP) fraud requires only data: the card number, expiration date, CVV, and maybe a billing address. This data can be bought in bulk on criminal marketplaces for as little as $10-40 per card (as covered in Criminal Infrastructure).

CNP fraud dominates online commerce. The shift to online shopping during and after 2020 accelerated this trend worldwide.

Why CNP Fraud Is Hard to Stop

When you pay with a chip card at a store, the terminal reads data from the chip that can't be copied. The merchant sees you. Security cameras record the transaction. These friction points deter fraud.

Online, none of these safeguards exist. The criminal enters card data from a coffee shop in another country. Device fingerprints can be spoofed. Addresses can be faked or rerouted. By the time the real cardholder notices the charge, the goods are gone.

What does a typical CNP attack look like?

A typical CNP attack unfolds in stages:

  1. Card acquisition: The criminal obtains card data through phishing, data breaches, skimming, or dark web purchases
  2. Card testing: Small purchases ($1-5) verify the card works before larger orders
  3. Velocity burst: Multiple high-value orders placed quickly, often to different addresses
  4. Reshipping or resale: Goods go to drops, get reshipped internationally, or resold immediately

Steps 2 and 3 (card testing and velocity bursts) are the operational core of carding operations; the same crews that test stolen cards against e-commerce checkouts also pivot to direct account takeover when a card unlocks a stored payment method on a logged-in account.

Merchants bear most of this risk. When a cardholder disputes a CNP transaction, the merchant loses both the merchandise and the payment. This is the "liability shift" in action: without chip verification, the merchant is responsible for fraud.
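A merchant-side check for stages 2 and 3 above, written as an added example (it is not code from the original page): it flags cards that place several high-value orders to different addresses within a short window and records whether a $1-5 test charge came first. The sample records, field layout, function name and every threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorizations: (time, card token, amount in USD, ship-to).
# Tokens, addresses and amounts are made up for illustration.
SAMPLE = [
    ("2024-03-04T10:00:00", "card_A", 1.00, "addr_1"),     # small test charge
    ("2024-03-04T10:05:00", "card_A", 2.50, "addr_1"),     # second test charge
    ("2024-03-04T11:00:00", "card_A", 1200.00, "addr_1"),
    ("2024-03-04T11:20:00", "card_A", 950.00, "addr_2"),
    ("2024-03-04T12:10:00", "card_A", 1400.00, "addr_3"),
    ("2024-03-04T09:00:00", "card_B", 3.50, "addr_9"),     # ordinary small purchase
    ("2024-03-05T18:00:00", "card_B", 800.00, "addr_9"),   # one large order, same address
    ("2024-03-06T08:00:00", "card_C", 700.00, "addr_5"),   # burst with no test charge
    ("2024-03-06T08:30:00", "card_C", 650.00, "addr_6"),
    ("2024-03-06T09:15:00", "card_C", 900.00, "addr_7"),
]


def find_bursts(auths, test_max=5.00, high_value=500.00,
                window=timedelta(hours=6), min_orders=3, min_addresses=2):
    """Flag cards with a velocity burst and note whether a test charge preceded it.

    All thresholds are assumptions chosen for the sample data, not recommended values.
    """
    by_card = defaultdict(list)
    for ts, card, amount, addr in auths:
        by_card[card].append((datetime.fromisoformat(ts), amount, addr))

    findings = {}
    for card, txns in by_card.items():
        txns.sort()
        big = [t for t in txns if t[1] >= high_value]
        for i, (start, _, _) in enumerate(big):
            # High-value orders that fall inside the window opened by this one.
            burst = [t for t in big[i:] if t[0] - start <= window]
            addresses = {t[2] for t in burst}
            if len(burst) < min_orders or len(addresses) < min_addresses:
                continue
            # Stage 2 evidence: a small charge on the same card shortly before.
            tested = any(t[1] <= test_max and timedelta(0) <= start - t[0] <= window
                         for t in txns)
            findings[card] = {
                "orders": len(burst),
                "addresses": len(addresses),
                "total": sum(t[1] for t in burst),
                "preceded_by_test": tested,
            }
            break
    return findings


if __name__ == "__main__":
    for card, detail in sorted(find_bursts(SAMPLE).items()):
        print(card, detail)
```

A burst with no test charge on your own site (card_C in the sample) is still worth review, since the card may have been tested at another merchant.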


Triangulation Fraud: The Three-Party Scheme

Triangulation fraud is hard to detect because no single victim realizes they're part of a fraud until the chargebacks arrive.

How It Works

Three parties form the triangle:

| Party | Role | What They Experience |
|---|---|---|
| The customer | Unsuspecting buyer | Finds amazing deal online, orders product, receives it, happy |
| The fraudster | Secret middleman | Runs fake storefront, collects customer payment, orders from real retailer using stolen cards |
| The cardholder | Actual victim | Gets unauthorized charges on statement, files chargeback |

The customer never knows they participated in fraud. They paid money, received goods, and left a positive review. The legitimate retailer fulfilled a real order to a real address. Only later, when the chargeback arrives from a different person in a different city, does the crime become visible.

Why Triangulation Is Growing

Triangulation fraud has become widespread among online merchants. One criminal network operated over 75,000 fake e-commerce storefronts, scamming more than 800,000 shoppers across the US and Europe, processing over $50 million in fraudulent orders over three years.[3]

The scheme thrives because:

  • Price arbitrage attracts victims: Fake storefronts advertise prices 20-50% below retail, luring bargain hunters
  • Customers have no reason to complain: They received what they ordered
  • Stolen card data is cheap and abundant: Hundreds of millions of card records circulate on dark web marketplaces each year, so supply isn't a problem
  • Chargebacks take time: The fraud window between order and dispute can be weeks or months

The Retailer's Double Loss

When triangulation fraud hits, the legitimate retailer loses twice. They shipped the product. Then the chargeback reverses the payment. They're out both the merchandise and the revenue, plus chargeback fees. For small and mid-sized merchants, these losses can reach six figures in a single quarter.


Friendly Fraud (First-Party Fraud)

Not all e-commerce fraud involves stolen card data. Sometimes the cardholder is the fraudster.

What It Looks Like

Friendly fraud, also known as first-party fraud, occurs when a legitimate customer makes a purchase, receives the product, and then disputes the charge as unauthorized. They keep the item and get their money back.

This isn't a gray area. A 2023 Socure survey found that 40% of Americans say they know someone who has committed first-party fraud, and 35% admitted to doing it themselves.[4] A follow-up survey covering the 2024 holiday season found that 40% of Gen Z shoppers admitted to committing first-party fraud over those holidays.[5]

Why It's So Common

Several factors drive friendly fraud:

  • Ease of disputes: Banks make it simple to file chargebacks, often with a single phone call or app button
  • Low perceived risk: Most friendly fraudsters face no consequences
  • Consumer confusion: 72% of cardholders don't understand the difference between a chargeback and a refund[6]
  • Buyer's remorse: Regret over a purchase leads some customers to claim fraud rather than request a return

The Scale of the Problem

First-party fraud has surged, with 35% of Americans admitting to committing it.[4] Friendly fraud now accounts for the majority of all chargebacks, costing merchants enormous sums annually.

The damage compounds. Every dollar lost to fraud costs merchants $4.61 in 2025, accounting for investigation, fees, and operational overhead.[6]

The Chargeback System's Design Flaw

Chargebacks exist to protect consumers from unauthorized transactions. When a criminal steals your card number and makes purchases, you shouldn't have to pay. Regulation Z limits consumer liability on credit cards to $50, and most banks waive even that.

But the system assumes disputed transactions are genuinely unauthorized. When customers abuse this protection, the burden falls entirely on merchants. Banks have little incentive to investigate friendly fraud claims because they recover the funds either way. Merchants can contest chargebacks through "representment," but they win only about 18% of contested cases on net.[6]
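Before contesting or accepting a batch of "unauthorized" disputes, it helps to sort them by the shapes described above: triangulation (delivered to a satisfied stranger in another city), friendly fraud (the cardholder is the recipient), and stolen cards shipping to a reused address. The following triage is an added example, not code from the original page; the record fields, labels, thresholds and sample data are all assumptions, and the labels are starting points for review rather than verdicts.

```python
from collections import Counter, namedtuple

Dispute = namedtuple(
    "Dispute",
    "order reason amount cardholder bill_city recipient ship_addr ship_city delivered review",
)

# Constructed records: each dispute already joined to its order and delivery data.
# Names, addresses and order ids are made up. `review` is the recipient's star rating or None.
DISPUTES = [
    Dispute("O-101", "unauthorized", 1200.0, "A. Reyes", "Boston", "J. Cole", "12 Oak St", "Atlanta", True, 5),
    Dispute("O-102", "unauthorized", 1500.0, "M. Ito", "Phoenix", "S. Park", "8 Bay Rd", "Tampa", True, 5),
    Dispute("O-103", "unauthorized", 1100.0, "L. Novak", "Seattle", "D. Hale", "40 Elm Ave", "Portland", True, 4),
    # Cardholder is the recipient, delivered in their own city.
    Dispute("O-104", "unauthorized", 640.0, "R. Shaw", "Denver", "R. Shaw", "5 Pine Ct", "Denver", True, None),
    # Two different cards shipping to one address, no feedback from the recipient.
    Dispute("O-105", "unauthorized", 900.0, "K. Diaz", "Austin", "T. Webb", "77 Dock Way", "Newark", True, None),
    Dispute("O-106", "unauthorized", 980.0, "P. Lund", "Chicago", "T. Webb", "77 Dock Way", "Newark", True, None),
    Dispute("O-107", "item_not_received", 75.0, "G. Ames", "Miami", "G. Ames", "3 Key Ln", "Miami", False, None),
]


def triage(disputes, min_cluster=3, happy_review=4):
    """Label each dispute and report whether a triangulation cluster is present."""
    addr_use = Counter((d.ship_addr, d.ship_city) for d in disputes)
    labels = {}
    for d in disputes:
        if d.reason != "unauthorized" or not d.delivered:
            labels[d.order] = "other"
        elif d.cardholder == d.recipient and d.bill_city == d.ship_city:
            labels[d.order] = "friendly_fraud_shape"
        elif addr_use[(d.ship_addr, d.ship_city)] > 1:
            labels[d.order] = "drop_address_shape"
        elif (d.bill_city != d.ship_city and d.review is not None
              and d.review >= happy_review):
            # Delivered to a satisfied stranger far from the cardholder.
            labels[d.order] = "triangulation_shape"
        else:
            labels[d.order] = "unclassified_cnp"

    tri = [d for d in disputes if labels[d.order] == "triangulation_shape"]
    return {
        "labels": labels,
        "triangulation_cluster": len(tri) >= min_cluster,
        "exposure": sum(d.amount for d in tri),
        # Recipients to ask where they placed their order, as Priya did.
        "recipients_to_contact": sorted(d.recipient for d in tri),
    }


if __name__ == "__main__":
    report = triage(DISPUTES)
    for order, label in report["labels"].items():
        print(order, label)
    print(report["triangulation_cluster"], report["exposure"], report["recipients_to_contact"])
```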


Refund and Return Abuse

Beyond chargebacks, customers exploit refund policies directly.

Common Schemes

Wardrobing: Buying clothing, wearing it once (keeping tags hidden), then returning it as "unworn." Particularly common for special occasion items like prom dresses, suits, and party outfits.

Empty box claims: Customer reports the package arrived empty or with wrong contents. They keep the item and receive a refund.

Item not received (INR) claims: Customer claims the order never arrived, despite delivery confirmation. Especially effective for items left at doorsteps without signature.

Return fraud: Returning a different, cheaper, or broken item inside the original packaging. Or returning stolen merchandise to a store that sells the same item.

Scale

Refund and policy abuse has become one of the most common forms of e-commerce fraud, impacting a large share of global merchants. In the US alone, return fraud cost retailers an estimated $103 billion in 2024.[7]


Buy Now, Pay Later Fraud

BNPL services like Klarna, Affirm, and Afterpay have created new fraud opportunities by extending instant credit with minimal verification. But what makes BNPL fraud different from traditional card fraud isn't just the speed of approval. It's who bears the risk.

The BNPL Risk Model

Traditional card fraud works like this: criminal uses stolen card, merchant ships goods, chargeback hits, merchant loses both the goods and the money. The merchant bears the fraud loss.

BNPL works differently. When a customer checks out with Klarna or Affirm, the BNPL provider typically pays the merchant upfront (minus a fee). The customer then owes the BNPL provider, not the merchant. The specific arrangements vary by provider and contract. Some BNPL providers absorb all non-payment risk. Others have chargeback mechanisms, holdback reserves, or clawback provisions that shift some risk back to merchants.

But those protections only work against legitimate merchants who stick around. A fraudulent merchant planning to disappear doesn't care about clawbacks. They'll be gone before anyone tries to claw anything back.

BNPL transaction values are projected to grow from $334 billion in 2024 to $687 billion by 2028.[8] Fraud grows with it.

Consumer-Side BNPL Fraud

The attacks you'd expect all work on BNPL:

Synthetic identity fraud. Criminals create fake identities by combining real Social Security numbers (often from children, the elderly, or deceased individuals) with fabricated personal details. These synthetic identities pass basic verification and accumulate BNPL credit they never intend to repay. Synthetic identity fraud has been growing rapidly, and BNPL's lighter verification requirements make it a particularly attractive target.

Bust-out schemes. Fraudsters create accounts, build a brief payment history to increase credit limits, then max out multiple BNPL accounts simultaneously across different merchants. They disappear with the goods.

Friendly fraud crossover. BNPL users dispute legitimate purchases, claiming the transaction was unauthorized or the item was defective. The same chargeback abuse patterns from credit cards now apply to BNPL.

Merchant-Side BNPL Fraud

BNPL is attractive to fraudulent merchants because providers pay quickly and verification is light. The scheme might involve real customers, fake customers, or both. Either way, the BNPL provider pays out and the merchant disappears.

Fake customer schemes. The merchant creates synthetic identities or recruits accomplices to pose as "customers." These fake customers make BNPL purchases. The BNPL provider pays the merchant. The fake customers never pay back. No real goods change hands, or the same items get "sold" repeatedly.

Real customer scams. The merchant advertises products at attractive prices and accepts BNPL at checkout. Real customers place orders. The BNPL provider pays the merchant. The customers never receive what they ordered, or receive junk instead. The merchant vanishes. Customers are stuck with BNPL debt for goods they never got.

Phantom transactions. A fraudulent merchant processes BNPL transactions for purchases that never happened. They might generate fake order confirmations and shipping tracking (easy enough to fabricate). The BNPL provider pays out. By the time anyone investigates, the merchant has closed shop.

BNPL bust-out. Similar to card processing bust-out, but targeting BNPL specifically. A merchant integrates with multiple BNPL providers, runs volume for a few weeks, collects payments, then disappears. BNPL providers are left chasing a ghost.

Why BNPL Fraud Is Hard to Stop

BNPL providers face a dilemma. Their value proposition is instant approval at checkout. Add friction, lose customers to competitors. But that speed means minimal verification.

The merchant gets paid quickly because that's the point. Delay merchant payments, merchants won't offer BNPL at checkout. But fast payment means fraudulent merchants can extract money before anyone detects the problem.

And because BNPL is relatively new, fraud patterns are still emerging. The playbooks that work for card fraud don't map perfectly. BNPL providers are learning expensive lessons about who to trust.


Marketplace Fraud: Both Sides of the Transaction

Platforms like Amazon, eBay, Etsy, and Facebook Marketplace host millions of independent sellers and buyers. Both sides can commit fraud.

Seller-Side Fraud

Non-delivery scams: Seller collects payment, never ships the product, and disappears. Common on new seller accounts with suspiciously low prices.

Counterfeit products: Fake designer goods, knockoff electronics, or unauthorized replicas sold as authentic. The luxury goods market loses approximately $30 billion annually to counterfeits sold through online marketplaces.

Bait and switch: Listing shows one product; buyer receives an inferior substitute. Listings might show name-brand items but deliver generic alternatives.

Hijacked seller accounts: Criminals gain access to established seller accounts with positive feedback. They list high-demand items at attractive prices, collect payments, and vanish. The legitimate seller's reputation provides cover.

Buyer-Side Fraud

False claims: Buyers claim items arrived damaged, defective, or not as described when they were fine. They return nothing or ship back a different item.

Feedback extortion: Buyers threaten negative reviews unless the seller provides partial refunds or free additional items.

Return switch: Buyer purchases a genuine item, returns a counterfeit or broken version in the same packaging.

Platform Liability Questions

When fraud happens on a marketplace, who's responsible? Platforms generally disclaim liability for third-party transactions. This leaves buyers and sellers to resolve disputes, often with the platform acting as reluctant arbiter. Consumer protection varies dramatically by platform, payment method, and jurisdiction.


Merchant Fraud: When Businesses Are the Criminals

Everything above assumes the merchant is the victim. But sometimes the merchant is the perpetrator.

Merchant fraud flips the script. Instead of criminals attacking businesses with stolen cards, the business itself exists to commit fraud. These operations exploit the trust that payment processors extend to merchants, extracting as much money as possible before disappearing.

Getting a Fraudulent Merchant Account

Before criminals can process payments, they need a way to accept them. This has become remarkably easy.

Individual seller accounts. Modern payment platforms like Stripe, Square, PayPal, and Shopify make it relatively easy to start selling online. KYB (Know Your Business) requirements have tightened considerably since 2020 (government ID, SSN or EIN, bank account ownership checks, and ongoing transaction monitoring are now standard), but criminals still exploit gaps by opening "individual" or "sole proprietor" accounts using stolen or synthetic identities. The verification bar is high enough to deter casual fraud, but not enough to stop determined attackers with quality identity data.

Fake business documentation. For processors that require more verification, criminals forge what they need: LLC paperwork, business licenses, bank statements. They don't actually register anything. A professional-looking website and a virtual office address complete the illusion.

Shell company purchases. Rather than building from scratch, some criminals buy existing businesses with established merchant accounts. A struggling retail store or dormant company with processing history is worth more to fraudsters than its legitimate assets. The new "owners" inherit the merchant account and its processing limits.

Insider collusion. In some cases, employees at acquiring banks or payment processors approve applications they know are fraudulent. They receive a cut of the proceeds. These schemes are harder to detect because the account looks legitimately approved from the outside.

Bust-Out Schemes

Once criminals have a merchant account, the bust-out begins. The goal is to extract maximum value before the account gets shut down.

Quick hit. The criminal processes as many transactions as possible immediately, staying just under the velocity limits that trigger automatic review. A merchant approved for $50,000 monthly volume might process $45,000 in the first week across hundreds of small transactions. By the time fraud alerts fire, the money has already settled and been withdrawn.

Slow burn. Some operations play a longer game. They process legitimate-looking transactions for weeks or months, building trust and increasing their approved limits. Then they strike: a massive burst of fraudulent volume over a few days, followed by account abandonment. The higher limits mean bigger payouts.

Volume play. Rather than maximizing a single account, some criminals open many merchant accounts across different processors. Each account stays under the radar with modest transaction volumes. But twenty accounts processing $20,000 each adds up to $400,000. When chargebacks eventually hit, the criminals have moved on.

The transactions themselves might be entirely fake (phantom sales with no actual customers), or they might use stolen card numbers to "purchase" goods that don't exist. Either way, the merchant collects the funds, and the chargebacks arrive after the money is gone.
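From the acquirer's side, the quick-hit and slow-burn patterns above leave different traces in a merchant's settled volume. The following check is an added example, not code from the original page: it looks at the share of the approved monthly limit consumed in the first week, and at a recent spike relative to the merchant's own baseline. Merchant names, volumes and thresholds are constructed assumptions.

```python
from statistics import mean

# Constructed daily settled volume in USD since onboarding; every value is made up.
MERCHANTS = {
    # $45,000 of a $50,000 monthly limit in the first week (the quick-hit case above).
    "m_quick": {"monthly_limit": 50_000,
                "daily": [6000, 7000, 6500, 6500, 7000, 6000, 6000]},
    # A month of modest volume, then a three-day spike.
    "m_slow": {"monthly_limit": 50_000,
               "daily": [800] * 30 + [9000, 12000, 11000]},
    # Steady trading with no spike.
    "m_normal": {"monthly_limit": 50_000,
                 "daily": [1200, 1500, 1100, 1300, 1400, 900, 1000] + [1250] * 26},
}


def bustout_signals(merchant, first_week_share=0.8, burst_days=3,
                    burst_ratio=5.0, min_baseline_days=14):
    """Return bust-out indicators for one merchant (thresholds are assumptions)."""
    daily = merchant["daily"]
    signals = []

    # Quick hit: most of the approved monthly volume used in the first 7 days.
    week1_share = sum(daily[:7]) / merchant["monthly_limit"]
    if week1_share >= first_week_share:
        signals.append("quick_hit")

    # Slow burn: recent days far above the merchant's own earlier average.
    baseline = daily[:-burst_days]
    if len(baseline) >= min_baseline_days:
        recent = mean(daily[-burst_days:])
        if recent >= burst_ratio * mean(baseline):
            signals.append("slow_burn_burst")

    return {"week1_share": round(week1_share, 3), "signals": signals}


def scan(merchants):
    """Run the check over every merchant in the portfolio."""
    return {name: bustout_signals(m) for name, m in merchants.items()}


if __name__ == "__main__":
    for name, result in scan(MERCHANTS).items():
        print(name, result)
```

The volume play described above does not show up in either signal, because each account stays modest; catching it requires linking accounts across processors, which this sketch does not attempt.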

Transaction Laundering

Transaction laundering uses a legitimate merchant account to process payments for a different, usually illegal, business. The merchant account holder might not even know it's happening.

Here's how it works: a criminal operates an illegal online pharmacy, gambling site, or other prohibited business. They can't get their own merchant account because processors won't approve those business types. So they find a legitimate merchant (a gift shop, a consulting firm, whatever) and route their transactions through that merchant's account. The gift shop's statement shows thousands of sales. In reality, those "sales" are payments for illegal pills or offshore gambling.

Sometimes the legitimate merchant is complicit, taking a percentage for lending their account. Sometimes they've been compromised and don't know their account is being used. Either way, the acquiring bank sees apparently normal retail transactions while actually processing payments for prohibited goods and services.

Why Merchant Fraud Matters to Investigators

Merchant fraud connects to the broader criminal supply chain covered in Criminal Infrastructure. The same networks that sell stolen card data also sell "aged" merchant accounts, fake business documentation, and insider contacts at processors.

When chargebacks spike from a particular merchant, it's worth asking: is this merchant a victim of fraud, or is this merchant the fraud? The answer shapes everything about the investigation.


Mobile Commerce Fraud

Mobile shopping introduces additional attack surfaces.

Fake Shopping Apps

Criminal developers create apps mimicking legitimate retailers. These appear in app stores (sometimes bypassing review processes) or distribute through sideloading. Users enter payment credentials, which are harvested. Some fake apps actually process orders through triangulation schemes.

Mobile-Specific Vulnerabilities

Location spoofing: Fraudsters fake their GPS location to bypass geographic restrictions or manipulate local pricing.

SIM swapping: Criminals port a victim's phone number to a new SIM card they control. This intercepts SMS verification codes, enabling account takeover of shopping accounts, BNPL services, and payment apps.

One-tap purchase abuse: Mobile wallets and saved payment methods reduce checkout friction, but they also mean a compromised device enables immediate fraud without entering card details.


The Cross-Border Dimension

E-commerce fraud becomes exponentially harder to address when it crosses borders.

Why International Fraud Thrives

Jurisdiction fragmentation: A fraudster in Country A runs a fake website hosted in Country B, victimizing customers in Country C, using stolen cards from Country D. No single law enforcement agency has clear authority.

Currency arbitrage: Fraudsters exploit exchange rate differences and price disparities between regions.

Shipping complexity: International returns are expensive and time-consuming. Many victims don't bother pursuing small-value fraud across borders.

Legal barriers: Evidence collection, asset freezing, and prosecution require international cooperation that rarely materializes for individual fraud cases.

Money Movement After E-commerce Fraud

Once criminals extract value from e-commerce fraud, the cash-out follows familiar patterns:

  • Resale: Stolen goods sold through secondary markets, often internationally
  • Gift card conversion: Items purchased with stolen cards converted to gift cards, then to cash
  • Reshipping networks: Goods sent to domestic drops, repackaged, and shipped overseas
  • Cryptocurrency conversion: Proceeds converted to crypto through exchanges or peer-to-peer trades

Key Takeaways

  • Card-not-present fraud dominates online commerce because stolen card data is cheap and verification is limited.
  • Triangulation fraud hides victims from each other by inserting a fake storefront between customers and legitimate retailers.
  • Friendly fraud has become normalized with over 40% of Americans knowing someone who has committed it.
  • Chargebacks protect consumers but create merchant vulnerability because the system assumes disputed transactions are unauthorized.
  • BNPL shifts fraud risk from merchants to providers. Because BNPL providers pay merchants upfront, fraudulent merchants can exploit this through collusion schemes and phantom transactions.
  • Marketplace fraud operates from both buyer and seller sides, exploiting platform trust systems.
  • Merchant fraud flips the script. Sometimes the business itself is the criminal, using fraudulent merchant accounts for bust-out schemes or transaction laundering.

Key Terms

| Term | Definition |
|---|---|
| Bust-out scheme | Fraud where a merchant builds processing capacity, then runs massive fraudulent volume and disappears |
| Card-not-present (CNP) | Transaction where the physical card isn't present, such as online or phone orders |
| Chargeback | Bank reversal of a transaction at cardholder's request, returning funds and penalizing merchant |
| Drop address | Location used to receive fraudulently obtained goods, often vacant or rented |
| First-party fraud | Fraud committed by the customer themselves, not an external criminal |
| Friendly fraud | Legitimate customer disputes a valid purchase, claiming it was unauthorized |
| BNPL (Buy Now, Pay Later) | Instant credit service allowing purchases with deferred or split payments |
| Representment | Merchant's process of contesting a chargeback with evidence |
| Synthetic identity | Fake identity created by combining real data (like SSN) with fabricated details |
| Transaction laundering | Using a legitimate merchant account to process payments for an illegal business |
| Triangulation fraud | Scheme where criminals operate fake storefronts and fulfill orders using stolen cards |
| Wardrobing | Buying items to use temporarily, then returning them for a refund |

References

3. PYMNTS - Online Merchants Grapple With Surge in Triangulation Fraud

4. Socure - The Fraud Next Door: First-Party Fraud Runs Rampant in America (October 2023). Survey of 1,000 U.S. adults (data collected October 1-3, 2023): 35% admit committing first-party fraud, 40% know someone who has.

5. Socure - Holiday First-Party Fraud Survey 2024

6. Chargebacks911 - Chargeback Statistics 2025

7. Appriss Retail/Deloitte - Consumer Returns in the Retail Industry 2024

8. Juniper Research - BNPL Transaction Value to Rise 106% by 2028
