Voice of the Industry

Unmasking the top ten fraud types against merchants

Tuesday 9 January 2024 10:28 CET | Editor: Raluca Ochiana | Voice of the industry

Úna Dillon, VP of Advocacy at the MRC, discusses the most common ten types of fraud merchants experienced in 2023 and what they should expect for the following year. 


In today’s rapidly evolving digital landscape, merchants face both immense opportunities and daunting challenges. While ecommerce continues to soar, so does the risk of fraud. As we navigate the complexities, it is crucial for merchants to stay one step ahead of fraudsters. We delve into the top ten fraud types identified in the MRC Annual Fraud & Payments report for 2023, based on a survey of 1,072 ecommerce merchants from across the globe.

As we move further into the digital age, the battle against fraud is ongoing. By staying informed and proactive, merchants can minimise the risks and continue to thrive. By doing so, they not only protect their bottom line but also uphold the trust and confidence of their valued customers. 

In terms of the cost of ecommerce fraud to the industry, the report shows 2.9% of global ecommerce revenue was lost to fraud over the survey period covered, between 2022 and 2023.

1. Phishing/pharming/whaling – These attacks remain highly effective tools in a fraudster’s arsenal. When phishing, cybercriminals use deceptive emails or phone calls to trick individuals into revealing sensitive information, such as login credentials or payment card numbers. Whaling is similar to phishing, but the head of a company is targeted directly. At the same time, pharming is an online scam like phishing, where a website’s traffic is manipulated, and confidential information is stolen. The fraudster produces a fake website and redirects customers who then input their payment credentials, assuming they’re shopping at a genuine store site. Merchants can protect themselves by educating employees about the risks of phishing, implementing robust email security measures, and regularly updating security protocols.

2. First Party Misuse (First party fraud/chargeback fraud) – Occurs when a legitimate customer disputes a transaction with their payment card issuer instead of contacting the merchant for a refund. This fraudulent practice can result in a chargeback, loss of revenue, and damage to a merchant’s reputation. To address this, merchants should have a clear refund policy, maintain detailed transaction records, and communicate effectively with customers to resolve issues. MRC worked with Visa and Mastercard to change rules regarding this issue, and Visa already launched a new rule providing better protection for merchants, enabling them to provide specific evidence to verify the customer disputing a transaction genuinely carried out. Mastercard is due to issue a similar rule change soon.

3. Card testing – An age-old method for fraudsters to determine if stolen card numbers are valid. They use the details to purchase low-value items, such as bus tickets. If the purchase goes through, the details are validated and then used to buy higher-value goods, or to sell the card details, usually on the dark web. Merchants can mitigate this fraud by implementing several solutions, e.g., AVS, CVV matching, velocity checks, CAPTCHA, etc.

4. Identity theft – Where a fraudster uses another person’s name and personal information to obtain credit, loans, and payment cards. They can use social engineering to obtain the information or old-fashioned bin-raiding, where they might find utility bills with personal information. 

5. Coupon/discount/refund abuse – Occurs when a merchant issues discount codes to customers that are easy to predict. Fraudsters guess future codes and receive multiple discounts. Genuine customers can’t redeem codes already used fraudulently, so the merchant gives out even more coupons, or discounts to retain their customers’ loyalty. At the same time, customers may abuse refund policies by faking returns or receipts. 

6. Account takeover – Occurs when fraudsters gain unauthorised access to a customer’s account, typically by stealing login credentials through phishing attacks or data breaches. Once inside, they can make unauthorised transactions, change account details, or even drain funds. Merchants must invest in multi-factor authentication systems, monitor accounts for unusual activity, and educate customers about password security. 

7. Loyalty fraud – Where a fraudster abuses or exploits a merchant’s loyalty reward programme by gaining unauthorised access to loyalty accounts, usually through identity theft. Many consumers don’t notice their points missing and many merchants don’t consider this fraud in financial terms, however, the losses and the potential reputational damage are costly. 

8. Affiliate fraud – Is the use of corrupt marketing practices that can result in an affiliate fraudulently collecting commission not earned. The costs to affiliate programs and merchants are in the millions of dollars. 

9. Reshipping – Occurs when fraudsters manipulate the shopping address to divert goods to their location after a legitimate purchase has been made. This often results in the customer filing a chargeback, causing financial loss for the merchant. To mitigate shipping fraud, merchants can implement strict address verification processes and use geolocation tools. 

10. Botnets – Where a cyber-attacker uses a group of computers or devices to automate mass attacks such as data theft or distributing malware. The attacker will target customer payment data from merchant databases, and then use the details to purchase high-value goods or to sell the information on the dark web. 

In 2023, the threat of fraud looms large for merchants operating in the digital landscape. To protect businesses and customers, merchants must remain vigilant and updated on the evolving tactics of fraudsters. Knowing the fraud trends is the first step towards the detection and prevention of challenges merchants experience. Implementing a comprehensive fraud prevention strategy that combines advanced technology, employee training, and customer education is essential in safeguarding against the top fraud types MRC identified here.

This editorial is part of The Paypers' Fraud Prevention in Ecommerce Report 2023-2024, the ultimate source of knowledge that delves into the world of fraud prevention, revealing the most effective security methods for companies to stay one step away from bad actors and secure their businesses. 

About Úna Dillon

Úna Dillon is MRC VP of Advocacy, bringing the industry voice to Financial Regulators and policymakers, influencing change globally. With 30 years in the industry, she is an Advisor on the European Commission PSMEG and is on the EMVCo Board.



About MRC

The Merchant Risk Council (MRC) is a globally recognised industry association dedicated to enhancing online payments and fraud prevention. Comprising a diverse network of ecommerce professionals and experts, MRC facilitates collaboration and provides valuable insights, tools, and resources to safeguard businesses against online fraud and ensure secure digital commerce experiences.

Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: fraud prevention, ecommerce, merchants, merchant fraud, cybercrime, chargebacks, first-party misuse, identity theft, phishing, refund fraud, account takeover, bot attacks
Categories: Fraud & Financial Crime
Companies: MRC
Countries: World
This article is part of category

Fraud & Financial Crime


Discover all the Company news on MRC and other articles related to MRC in The Paypers News, Reports, and insights on the payments and fintech industry:

Industry Events