Fraud guide · 2026

Chargeback Fraud: Detection, Prevention & Recovery

Chargeback fraud costs global merchants over $100 billion annually. It takes two distinct forms — true fraud (stolen card credentials) and friendly fraud (legitimate cardholders disputing valid transactions) — and each requires a different response strategy.

In this guide

  1. What Is Chargeback Fraud?
  2. True Fraud: Causes and Patterns
  3. Friendly Fraud: Causes and Patterns
  4. Detecting True Fraud Before Fulfilment
  5. Detecting Friendly Fraud
  6. Prevention: Eliminating the Fraud Opportunity
  7. Recovering Losses Through Representment
  8. Blocking Repeat Fraud

What Is Chargeback Fraud?

Chargeback fraud refers to the abuse of the chargeback mechanism to reverse a transaction the perpetrator either didn't make (true fraud) or did make but wants to undo (friendly fraud). The term encompasses two distinct phenomena with very different causes, different detection signals, and different prevention strategies.

True fraud occurs when a criminal uses stolen card credentials — obtained through data breaches, phishing attacks, card skimming, or dark web purchases — to make purchases. The legitimate cardholder discovers the charges and disputes them. The merchant faces a chargeback for transactions they processed in good faith, often with no indication at the time that the card was stolen.

Friendly fraud (also called first-party fraud or chargeback abuse) occurs when a legitimate cardholder disputes a transaction they actually made. The cardholder may claim they never received the goods, that the goods didn't match the description, that they cancelled the subscription, or that they don't recognise the charge — often knowing these claims are false. Industry research estimates that 60–80% of all chargebacks are friendly fraud cases.

Both types result in chargebacks that count against the merchant's ratio and require active management. The strategic responses differ significantly.

True Fraud: Causes and Patterns

True fraud in e-commerce flows from several distinct sources:

Data breaches: Large-scale compromise of payment databases exposes millions of card credentials at once. Criminals purchase this data on dark web markets and use it systematically before cards are cancelled. Merchants have no direct exposure to the breach itself — they are victimised when the stolen credentials are used on their platform.

Phishing: Criminals impersonate legitimate businesses (banks, payment services, e-commerce platforms) to deceive cardholders into entering their payment details. The stolen credentials are then used for purchases or sold.

Card skimming: Physical devices attached to ATMs or payment terminals capture card data from magnetic stripes. Skimmed card data is used for card-present fraud and, increasingly, for online CNP transactions.

Card testing: Once criminals obtain card credentials, they test them with small transactions before making larger purchases. A spike in low-value failed transactions from a single IP or device is the primary card testing signal.

Account takeover: Criminals access legitimate customer accounts via credential stuffing (testing username/password combinations exposed in other breaches) or phishing. They then change the shipping address and make purchases from the compromised account.

Friendly Fraud: Causes and Patterns

Friendly fraud occurs for both intentional and unintentional reasons, and the distinction matters for response strategy.

Intentional friendly fraud occurs when a cardholder knowingly files a false dispute to obtain both the goods and a refund. Common triggers include: purchase regret (the buyer doesn't want to go through the return process), repeat offending (some customers systematically dispute purchases across multiple merchants), or deliberate exploitation (buying high-value items with the intention to dispute from the outset).

Unintentional friendly fraud occurs when a cardholder disputes a legitimate charge in good faith, without realising they're filing a false claim. Common causes: unclear billing descriptor (doesn't match the brand name), forgotten subscription, family member's purchase (spouse, child) disputed by the primary cardholder, or genuinely misunderstanding the return/cancellation policy.

The distinction affects both prevention and response. Intentional fraudsters should be blocked from future purchases and contested aggressively. Customers who disputed accidentally can often be retained with improved communication and clearer processes.

Detecting True Fraud Before Fulfilment

The best defence against true fraud chargebacks is detecting the fraud before the transaction is fulfilled — ideally before it's even processed. Fraudulent orders share detectable signals:

  • IP/billing address mismatch: IP address geolocation inconsistent with the billing or shipping address
  • AVS failure: Address Verification Service mismatch between entered address and card-registered address
  • CVV failure: Card security code rejection at time of processing
  • Velocity signals: Multiple orders from the same IP, device, or email address in a short window
  • Reshipping addresses: Known freight forwarder or reshipping service addresses
  • Email structure: Randomly generated email addresses (common in automated fraud)
  • First purchase + high-value order: No prior purchase history with immediate high-value order
  • Device fingerprint anomalies: Browser/device signals inconsistent with stated location or purchase pattern

Payment processors with machine learning fraud scoring (Stripe Radar, Shopify Fraud Analysis) evaluate these signals in real time and flag or block high-risk orders. Custom rule creation in Stripe Radar for Fraud Teams or similar tools allows merchants to fine-tune risk thresholds for their specific product mix and customer base.
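The card-testing and velocity signals described above can be checked with a sliding window over authorisation attempts. This is an added example, not code from the guide or from any processor; the log layout, function names and every threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorisation log: (timestamp, ip, card_last4, amount, approved)
SAMPLE_LOG = [
    ("2026-01-10T12:00:05", "203.0.113.7", "1111", 1.00, False),
    ("2026-01-10T12:00:21", "203.0.113.7", "2222", 1.00, False),
    ("2026-01-10T12:00:40", "203.0.113.7", "3333", 0.50, False),
    ("2026-01-10T12:01:02", "203.0.113.7", "4444", 1.00, True),
    ("2026-01-10T12:01:30", "203.0.113.7", "5555", 1.00, False),
    ("2026-01-10T12:03:00", "198.51.100.20", "9999", 0.99, False),
    ("2026-01-10T12:20:00", "198.51.100.20", "9999", 0.99, True),
    ("2026-01-10T12:30:00", "192.0.2.44", "7777", 480.00, False),
]

def detect_card_testing(log, window=timedelta(minutes=5), low_value=5.00,
                        min_failures=3, min_cards=3):
    """Return {ip: time of first alert} for IPs with a spike of low-value declines.

    An IP is flagged when one sliding window holds at least min_failures
    declined low-value attempts spread over at least min_cards distinct cards.
    All thresholds are illustrative assumptions to tune per merchant.
    """
    recent = defaultdict(deque)  # ip -> (time, card) of recent low-value declines
    alerts = {}
    for ts, ip, card, amount, approved in sorted(log, key=lambda row: row[0]):
        if approved or amount > low_value:
            continue  # only declined, low-value attempts count towards the signal
        now = datetime.fromisoformat(ts)
        attempts = recent[ip]
        attempts.append((now, card))
        while now - attempts[0][0] > window:
            attempts.popleft()  # drop attempts that fell out of the window
        distinct_cards = {c for _, c in attempts}
        if (ip not in alerts and len(attempts) >= min_failures
                and len(distinct_cards) >= min_cards):
            alerts[ip] = now
    return alerts

def approvals_to_review(log, alerts):
    """Approved attempts from flagged IPs: hold these before fulfilment."""
    return [(ts, ip, card) for ts, ip, card, _, ok in log if ok and ip in alerts]
```

A single retry on one card (198.51.100.20) and a declined high-value order (192.0.2.44) do not trigger the rule; the approval that slipped through during the burst is what a reviewer should look at first.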

Detecting Friendly Fraud

Distinguishing intentional friendly fraud from legitimate disputes requires examining transactional and behavioural signals:

Signals that suggest intentional friendly fraud:

  • Disputed reason directly contradicts data the merchant holds (e.g., "never received" when carrier shows delivery confirmation)
  • Dispute filed immediately after a failed refund request or contentious support interaction
  • Disputed item was high-value and easily resellable
  • Multiple prior disputes from the same customer account or address
  • Account created shortly before the disputed transaction
  • Post-dispute evidence of product usage (digital product accessed after alleged non-receipt)

Signals that suggest an unintentional dispute:

  • Long customer history with no prior disputes
  • Billing descriptor doesn't clearly match the brand name
  • Transaction occurred 45–120 days before the dispute (forgotten purchase)
  • Small transaction amount (convenience fraud is less common for low-value orders)
  • Subscription with no renewal reminder sent before the charge

Prevention: Eliminating the Fraud Opportunity

Fraud prevention operates at two levels: preventing fraudulent transactions from processing, and reducing the incentive for legitimate customers to dispute valid transactions.

3D Secure 2.0 is the most impactful tool against true fraud. Transactions authenticated via 3DS2 shift fraud liability from the merchant to the issuing bank. If the card is later claimed as stolen, the issuing bank is responsible — not the merchant. Enabling 3DS2 on eligible transactions eliminates merchant liability for the entire fraud chargeback category on authenticated orders.

Strong fraud scoring and risk rules catch true fraud before fulfilment. AVS and CVV requirements, velocity rules, country blocks, and ML-based scoring reduce the number of fraudulent transactions that complete. Orders that don't complete don't produce chargebacks.

Clear billing descriptors prevent the most common unintentional friendly fraud trigger. If the bank statement shows your exact brand name, customers can identify the charge without disputing. Update your descriptor to your brand name — not your holding company or a payment processor prefix.

Proactive communication prevents disputes by keeping customers informed. Shipping notifications, delivery confirmations, and subscription renewal reminders ensure customers have the information they need to contact you directly rather than their bank.

Easy returns and cancellations remove the chargeback incentive. Customers who can easily return a product or cancel a subscription without friction will typically choose that path over filing a dispute. The chargebacks avoided typically outweigh the increased returns.

Recovering Losses Through Representment

When prevention fails and a fraud chargeback is filed, the recovery route is representment — contesting the dispute with evidence that disproves the cardholder's specific claim.

For true fraud chargebacks (without 3DS): These are the hardest to win. Without an authentication record, the merchant must establish that the legitimate cardholder made the purchase using behavioural signals: IP address geographically consistent with the cardholder's billing address, device fingerprint matching prior authenticated sessions, AVS match, prior purchase history from the same card, and post-purchase interactions that imply cardholder involvement. Visa's Compelling Evidence 3.0 framework allows merchants to challenge certain 10.4 disputes by demonstrating two or more prior undisputed transactions with matching signals — a significant shift in the fraud chargeback landscape.
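One way to search order history for prior undisputed transactions with matching signals before attempting this kind of challenge. This is an added example, not Visa's or the guide's own logic: the field names, the age window, the list of compared signals and the requirement that one match be an IP address or device ID are assumptions exposed as parameters, to be set from the network's current rules.

```python
from datetime import date

SIGNALS = ("ip", "device_id", "shipping_address", "account_id")  # assumed field names

def ce3_candidates(disputed, history, min_age_days=120, max_age_days=365,
                   min_matching=2, anchor_signals=("ip", "device_id")):
    """Prior same-card, undisputed orders whose signals match the disputed order.

    Thresholds are parameters (assumptions here), not values taken from the guide.
    Returns a list of (transaction id, matched signal names).
    """
    found = []
    for txn in history:
        if txn["card_token"] != disputed["card_token"] or txn["disputed"]:
            continue  # different card, or the earlier order was itself disputed
        age = (disputed["dispute_date"] - txn["date"]).days
        if not min_age_days <= age <= max_age_days:
            continue
        matched = [s for s in SIGNALS if txn.get(s) and txn[s] == disputed.get(s)]
        if len(matched) >= min_matching and set(matched) & set(anchor_signals):
            found.append((txn["id"], matched))
    return found

def ce3_eligible(disputed, history, required_prior=2, **rules):
    """True when enough qualifying prior transactions exist to attempt the challenge."""
    return len(ce3_candidates(disputed, history, **rules)) >= required_prior

def _txn(id, day, ip, dev, addr, acct, card="tok_A", disputed=False):
    return {"id": id, "date": day, "ip": ip, "device_id": dev, "shipping_address": addr,
            "account_id": acct, "card_token": card, "disputed": disputed}

# Constructed sample data (documentation IP ranges, made-up tokens and ids).
DISPUTED = {"card_token": "tok_A", "dispute_date": date(2026, 3, 1), "ip": "203.0.113.9",
            "device_id": "dev-1", "shipping_address": "1 Example St", "account_id": "u42"}
HISTORY = [
    _txn("t1", date(2025, 9, 1), "203.0.113.9", "dev-1", "9 Other Rd", "u42"),
    _txn("t2", date(2025, 6, 15), "198.51.100.3", "dev-8", "1 Example St", "u42"),  # no IP/device match
    _txn("t3", date(2026, 1, 20), "203.0.113.9", "dev-1", "1 Example St", "u42"),   # too recent
    _txn("t4", date(2025, 8, 10), "198.51.100.3", "dev-1", "1 Example St", "u42"),
    _txn("t5", date(2025, 7, 1), "203.0.113.9", "dev-1", "1 Example St", "u42", disputed=True),
    _txn("t6", date(2025, 7, 1), "203.0.113.9", "dev-1", "1 Example St", "u42", card="tok_B"),
]
```

The matched signal names returned for each candidate are the fields to include in the representment evidence.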

For friendly fraud chargebacks: These are generally more winnable because the transaction was legitimate. The key is evidence that directly contradicts the cardholder's specific claim: carrier delivery confirmation for "never received"; product specifications and photos for "not as described"; renewal reminder emails and documented authorisation for "cancelled subscription."

Win rates vary significantly by reason code, evidence quality, and whether the dispute is true fraud or friendly fraud. Merchants who track win rates by reason code systematically improve their evidence collection and response quality over time — and identify which dispute types are most efficiently handled through acceptance or outsourcing rather than in-house response.

Blocking Repeat Fraud

Some customers dispute systematically and repeatedly. Confirmed fraud perpetrators — whether true fraud or intentional friendly fraud — should be blocked from future transactions:

  • Block the specific card number and associated account
  • Block the email address used for the disputed account
  • Block the device fingerprint associated with the fraud order
  • Block the shipping address if it received a fraudulent order

Be calibrated when blocking addresses — shared addresses (apartment buildings, office parks) and employer-issued devices can create false positives. The goal is blocking the specific perpetrator, not their building or employer's device fleet.
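A sketch of that calibration, as an added example that is not part of the original guide: identifiers unique to the perpetrator are hard-blocked, while a device or address used by many distinct accounts only routes the order to manual review. The class, field names, the processor-issued card fingerprint and the sharing threshold are assumptions.

```python
class Blocklist:
    """Hard-blocks identifiers tied to one perpetrator; soft-flags ones that may be shared."""

    KINDS = ("card_fingerprint", "email", "device", "address")  # assumed order fields

    def __init__(self, shared_threshold=3):
        self.shared_threshold = shared_threshold  # assumed cut-off for "shared"
        self.hard = set()  # (kind, value) pairs that decline the order
        self.soft = set()  # (kind, value) pairs that only trigger manual review

    @staticmethod
    def _norm(kind, value):
        # Case- and whitespace-insensitive comparison of identifiers.
        return kind, " ".join(value.lower().split())

    def add_confirmed_fraud(self, order, accounts_seen):
        """Record a confirmed fraud order.

        accounts_seen maps "device" / "address" to the number of distinct
        customer accounts that have used that identifier.
        """
        for kind in ("card_fingerprint", "email"):
            self.hard.add(self._norm(kind, order[kind]))
        for kind in ("device", "address"):
            shared = accounts_seen.get(kind, 1) >= self.shared_threshold
            (self.soft if shared else self.hard).add(self._norm(kind, order[kind]))

    def decide(self, order):
        """Return "block", "review" or "allow" for a new order."""
        keys = {self._norm(k, order[k]) for k in self.KINDS}
        if keys & self.hard:
            return "block"
        if keys & self.soft:
            return "review"
        return "allow"

# Constructed sample: a confirmed fraud order shipped to an address used by 40 accounts.
FRAUD_ORDER = {"card_fingerprint": "fp_1", "email": "Mallory@Example.com",
               "device": "dev-9", "address": "500 Office Park Way"}
ACCOUNTS_SEEN = {"device": 1, "address": 40}
```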

Chargeback alert services (Verifi, Ethoca) share signals across merchant networks, providing early warning of cardholders with active dispute patterns before they file a formal chargeback. These services allow proactive refunds that prevent the fee and ratio impact, and identify repeat disputants across the merchant ecosystem.
