Friendly fraud isn’t so friendly: how first-party misuse is reshaping ecommerce

Fraud expert Dajana Gajic-Fisic tackles the evolution of first-party misuse, how it reshapes accountability in digital commerce, and the need for a better dialogue to navigate new challenges in the risk management landscape.

Consumer protection in payments is one of the great success stories of modern finance. Strong dispute rights builds trust in credit cards, debit cards, and digital payments. When transactions are unauthorised, consumers can report them and, often, receive provisional credit while the issue is investigated.

These safeguards worked. Card usage expanded. Ecommerce scaled globally. Mobile wallets became routine. Trust fuelled participation. But the payments ecosystem now faces a different kind of challenge — one that doesn’t fit neatly into the traditional definitions of fraud.

A growing share of disputes are not driven by stolen credentials or criminal interference. Instead, they are initiated by legitimate cardholders who authorised, participated in, or benefitted from the transaction. This phenomenon — often called first-party misuse or ‘friendly fraud’ — is no longer a marginal issue. It is reshaping how merchants, issuers, and risk teams think about accountability in digital commerce.

The issue is not whether consumer protections should exist. They must. The question is whether today’s dispute framework fully reflects how modern commerce actually works.

What first-party misuse is and is not

First-party misuse occurs when a legitimate cardholder disputes a transaction that was not the result of third-party fraud. Common scenarios include disputing a charge after receiving and keeping merchandise, a parent disputing a purchase made by a child, filing due to buyer’s remorse, skipping a merchant’s refund process and going straight to the bank, or mistaking an unfamiliar billing descriptor for fraud.

This is distinct from:

• Third-party fraud, involving stolen cards or compromised credentials;
• Merchant error, such as duplicate billing or failure to deliver;

In genuine fraud cases, consumer protections are clearly justified. But, when a transaction was authorised, the dispute process often begins the same way procedurally. The merchant must prove authorisation and compliance, while the burden largely rests with them.

Intent varies. Some cases stem from confusion and others from frustration. Some may be opportunistic. But intent is difficult to prove, and the system is designed to presume good faith. However, in today’s environment, the design creates new risk dynamics.

The frictionless dispute era

Commerce is instant and so are disputes. Mobile banking apps now allow consumers to view transactions in real time, select a charge, tap ‘report a problem’, choose a reason code, and then submit a claim – all in matter of seconds. Provisional credit may be applied before the merchant even sees the dispute.

From a consumer perspective, this is empowering and efficient. But when friction disappears, behaviour changes. Filing a dispute can feel easier than contacting customer support. A delayed shipment, unclear return policy, or dissatisfaction with a service can escalate into a formal chargeback within minutes.

The original dispute system required deliberation. The modern one requires a few taps.

This shift does not imply widespread bad faith. It does, however, change incentives, and incentives shape outcomes.

Social media and the normalisation of disputes

A new variable has entered the equation: social influence. On platforms like TikTok and Instagram, creators sometimes frame disputes as a reliable workaround, stating that if a company is unwilling to issue you a refund, you can just dispute the transaction. And, since banks usually side with the customers, they will receive the money back instantly.

Often, this advice is rooted in genuine frustration. But short-form content can oversimplify complex regulatory processes. When disputes are portrayed as routine, low-risk tools rather than formal fraud mechanisms, social proof begins to normalise their use.

The dispute channel — originally designed primarily for unauthorised fraud – risks becoming a default resolution path for dissatisfaction. That distinction matters.

The risk shift in ecommerce

First-party misuse is creating a measurable shift in the ecommerce risk management landscape.

When a dispute is filed, the consumer often receives provisional credit, funds are withdrawn from the merchant, the merchant must submit evidence, and the issuer is the one determining the outcome.

Even when merchants provide strong documentation such as proof of delivery, authentication data, policy acceptance, outcomes are not guaranteed.

The financial impact extends beyond the transaction – from chargeback fees to operational labour, high monitoring ratios, increased processing costs, or exposure to card network compliance programmes.

For smaller businesses, cumulative losses can be significant. For larger merchants, dispute ratios directly affect acquiring relationships and network standing.

As first-party misuse rises, merchants are adjusting by heavily investing in post-transaction monitoring, tightening refund policies, strengthening identity verification, deploying AI-driven representment tools, or increasing prices to offset losses.

Risk management teams are now spending as much energy on authorised disputes as on preventing criminal fraud. In some verticals, first-party misuse is outpacing third-party fraud as the dominant chargeback driver. This is not merely an operational issue. It is a structural shift.

The regulatory backbone – built for a different speed

The foundation of today’s dispute rights rests on longstanding consumer protection frameworks such as Regulation Z (credit) and Regulation E (debit). These rules were critical in limiting consumer liability for unauthorised transactions and establishing investigation timelines and remain essential.

However, they were designed decades ago, in a slower, paper-based financial system. While amended over time, their core dispute architecture has not been fundamentally rebuilt for instant digital authorisation, immediate digital goods delivery, mobile-first dispute initiation, or real-time provisional credit.

As commerce has accelerated dramatically, the dispute framework has evolved incrementally, not structurally. The result is a growing tension between protection and proportionality.

Accountability without deterrence

Proving intentional misuse is difficult. A cardholder may claim:

• Non-recognition
• Confusion
• Family member use
• Descriptor misunderstanding

Financial institutions are understandably cautious about alleging misconduct and most cases remain administrative, whereas enforcement is rare.

When the likelihood of consequence is low and the filing process is frictionless, incentives shift. Even if misuse represents a minority of total transactions, at scale, the impact becomes material.

Loss concentration increases and merchants absorb most downstream financial consequences. The system assumes consumer vulnerability — but modern commerce distributes power differently than it did in the 1970s.

Secondary effects across the ecosystem

Rising first-party misuse does not remain isolated to individual merchants but contributes to higher consumer prices, shorter return windows, stricter authentication measures, and reduced flexibility in digital offerings.

Financial institutions face heavier investigative workloads whereas resources that should prioritise genuine fraud are diluted across ambiguous disputes. Ironically, misuse can weaken the very protections designed to defend legitimate fraud victims.

A constructive path forward does not weaken consumer protection but strengthens balance.

Potential areas for discussion include:

• Clearer differentiation between unauthorised fraud and service disputes;
• Better consumer education at the point of dispute initiation;
• Context-sensitive verification steps before provisional credit;
• Improved issuer–merchant data collaboration;
• Updated regulatory guidance reflecting mobile-first commerce.

The goal is not restriction. It is alignment.

Protection, accountability, and the question we should be asking

First-party misuse sits at the intersection of regulation, technology, behaviour, and economics. It reflects how systems evolve and how incentives evolve with them.

Consumer protections remain fundamental to a functioning payments ecosystem. Trust is the cornerstone of digital commerce, and without strong safeguards against unauthorised use, participation would erode. That principle is not in question.

What is in question is whether existing frameworks are sufficiently aligned with modern transaction speed, digital delivery models, and frictionless dispute tools. As commerce accelerates and behaviour adapts, the mechanisms designed to protect must ensure they are not unintentionally distorting responsibility or concentrating loss in ways that undermine long-term sustainability.

Regulations should not serve as shields for imbalance, nor as convenient justification for inaction. They are meant to protect all participating sides in the ecosystem — consumers, merchants, and financial institutions alike. When protections become structurally one-sided, strain inevitably follows.

The conversation may now need to shift. The central question is no longer what are we protecting, and who are we protecting? It may be time to also ask what behaviours are we enabling? What incentives are we reinforcing? And should modern commerce require modern guardrails around how protections are exercised?

Protection and accountability are not opposing forces. A resilient system requires both. This  dialogue is no longer optional. It is overdue.

 

About the author

Dajana Gajic-Fisic is VP of Fraud Strategy for The Wolfe Companies LLC and has been in the fraud industry for over 20 years. Currently, Dajana oversees risk operations and oversees payment security, transactional fraud screening, ATO, policy abuse, and any additional post fulfilment risks to which merchants may be exposed. During her career, Dajana had the opportunity to work with reputable retail brands, as well as financial institutions, including JD Sports, Versace, Hugo Boss, Nars, Shiseido, La Prairie, Puma, The Limited, MCM, Cole Haan, Barclaycard US, and Macy’s CCCS. For having a unique approach towards fraud and successes that followed, Dajana was named by Retail Info Systems the 2019 Industry Pacesetter. In 2020, Dajana’s fraud team has been named Merchant Fraud Team of the year, for the continuous training and support to the fraud fighting community. In 2022, Dajana has been named Titan of Ecommerce by Riskified for her vision and contributions to the fraud fighting industry.