Top e-commerce fraud risks and how to counter them
The digital marketplace has experienced unprecedented growth, with online retail continuing to expand rapidly across global markets. E-commerce sales are projected to surpass $8 trillion by 2027, creating vast opportunities alongside escalating risks. However, this expansion comes with increasingly sophisticated fraudsters who are constantly ‘leveling up’ their tactics.
This article identifies the five biggest threats facing e-commerce brands in 2025 and provides a guide to best practices for multilayered security defenses to mitigate these threats.
The escalating threat of e-commerce fraud
The financial devastation caused by e-commerce fraud continues to reach staggering proportions. E-commerce fraud is expected to rise from $44.3 billion in 2023 to $107 billion by 2029, representing a 141% increase over five years. Mastercard data indicate that cumulative losses from online payment fraud globally are expected to exceed $343 billion between 2023 and 2027.
The true cost extends beyond direct financial losses. Currently, every $1 lost to fraud costs merchants $3.75 when accounting for wholesale costs, shipping, fulfillment, chargebacks, and processing fees. This year, that figure is expected to reach $4.61 for every $1 lost to fraud, a 37% increase compared to 2020. In addition, 71% of organizations have been victims of payment fraud attacks.
The emergence of new payment methods has created additional vulnerabilities, with Buy Now Pay Later services contributing to increased fraud activity. According to industry research, 59% of e-commerce companies have observed an increase in online payment fraud, with many reporting a rise in refund abuse, promotion abuse, and account takeovers.
The five major e-commerce fraud risks in 2025
While there are many boogeymen to fear when it comes to e-commerce fraud, the halfway point of the decade has us trembling the most about:
1. Phishing and brand impersonation
Phishing remains one of the most pervasive forms of e-commerce fraud, with 10.9% of all phishing attacks in 2024 targeting e-commerce brands specifically. This deceptive practice involves scammers sending fraudulent communications that appear to come from trusted sources, tricking recipients into providing sensitive information or clicking on malicious links.
Brand impersonation represents a sophisticated evolution where criminals create fake websites that perfectly mimic legitimate e-commerce sites. These sites capture payment details and personal information from unsuspecting customers who believe they’re shopping with a trusted retailer.
The danger extends beyond immediate financial theft: 45% of customers who fall victim to fake site scams start to distrust the legitimate organization entirely, even though the merchant was not at fault. Sophisticated phishing kits now utilize detection-evasion technologies and token-based systems, making them increasingly difficult to detect.
2. Friendly fraud (Chargeback abuse)
Also known as ‘first-party misuse,’ friendly fraud occurs when customers dispute charges after receiving satisfactory products or services. Data from Visa suggests that 75% of all chargebacks are likely cases of friendly fraud. This prevalence indicates that friendly fraud accounts for approximately 80% of all chargeback losses for merchants.
Global chargeback volumes are on pace to reach 337 million cases by the end of this year, up from an estimated 265 million in 2022. The value of global chargebacks is set to rise from $33.79 billion this year to $41.69 billion in 2028.
This type of fraud is particularly challenging because it appears legitimate on the surface. 72% of cardholders have stated that convenience has driven them to file a chargeback claim, making it difficult to distinguish legitimate disputes from fraudulent ones.
3. Account takeover (ATO)
Account takeover involves hackers stealing login credentials to gain unauthorized access to customer accounts. Last year, account takeover cases increased by 13% compared to 2023, with this threat escalating significantly across all sectors.
Approximately 29% of US adults have experienced account takeover attacks, resulting in millions of affected consumers. By 2028, merchants are expected to lose a staggering $91 billion to account takeover fraud. It is not just a problem for brands; it also impacts consumers. Account takeover fraud currently costs US adults approximately $23 billion.
4. Card testing
Card testing, also known as ‘card cycling’, involves fraudsters using automated scripts to validate stolen credit card numbers by initiating numerous small transactions en masse, particularly targeting e-commerce purchases and online donations.
Card testing is recognized as one of the fastest-growing forms of e-commerce fraud, with merchants experiencing thousands of small-value transaction attempts in short timeframes. The automated nature creates substantial operational challenges, as acquiring banks may flag targeted merchants as risky and potentially decline future transactions when they notice excessive authorization volume.
Credit card fraud losses in the United States alone are projected to eclipse $12.5 billion by the end of this year, with card testing contributing significantly to these figures. The danger extends beyond immediate processing costs, as successful validation enables fraudsters to sell verified card data on dark web marketplaces at premium prices, funding further criminal activity.
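The pattern described above (many small-value attempts from one source in a short timeframe) can be caught with a sliding-window velocity check. The following is an added example, not code from the original article; the event fields, the thresholds, and the choice of source IP as the grouping key are assumptions, and the log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them against your own authorization traffic.
WINDOW = timedelta(minutes=5)
MAX_SMALL_AMOUNT = 2.00    # ceiling for a "small-value" attempt
MIN_DISTINCT_CARDS = 5     # distinct cards from one source inside WINDOW
MIN_DECLINE_RATIO = 0.6    # share of declined attempts inside WINDOW

def detect_card_testing(events):
    """Return {source_ip: time of first alert} for sources that fit the pattern.

    Each event is (iso_timestamp, source_ip, card_fingerprint, amount, approved).
    """
    windows = defaultdict(deque)
    alerts = {}
    for ts, ip, card, amount, approved in sorted(events):
        if amount > MAX_SMALL_AMOUNT:
            continue  # ordinary purchases are not part of this signal
        when = datetime.fromisoformat(ts)
        win = windows[ip]
        win.append((when, card, approved))
        while when - win[0][0] > WINDOW:
            win.popleft()  # drop attempts older than the window
        cards = {c for _, c, _ in win}
        declined = sum(1 for _, _, ok in win if not ok)
        if len(cards) >= MIN_DISTINCT_CARDS and declined / len(win) >= MIN_DECLINE_RATIO:
            alerts.setdefault(ip, when)
    return alerts

def sample_events():
    """Constructed authorization log: one scripted source and one ordinary shopper."""
    events = []
    for i in range(8):  # eight different cards, $1.00 each, 20 seconds apart
        ts = f"2025-01-01T10:{i * 20 // 60:02d}:{i * 20 % 60:02d}"
        events.append((ts, "198.51.100.7", f"card-{i:02d}", 1.00, i == 6))
    events += [  # a shopper retrying one card, then completing a purchase
        ("2025-01-01T10:01:00", "203.0.113.20", "card-aa", 1.50, False),
        ("2025-01-01T10:01:30", "203.0.113.20", "card-aa", 1.50, True),
        ("2025-01-01T10:05:00", "203.0.113.20", "card-aa", 59.99, True),
    ]
    return events

if __name__ == "__main__":
    for ip, when in detect_card_testing(sample_events()).items():
        print(f"possible card testing from {ip}, first flagged {when.isoformat()}")
```

Counting distinct cards rather than raw attempts keeps a shopper who retries one declined card from tripping the alert.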
5. Remote access attacks
Remote access attacks, where criminals exploit legitimate remote desktop or admin tools to tunnel directly into a retailer’s environment, are now a top e-commerce fraud vector. There was an 8% spike in sales during the 2024 Black Friday/Cyber Monday rush compared to 2023, according to Help Net Security. Remote Desktop Protocol abuse has been reported in 90% of incidents handled by a leading cybersecurity company in the past year.
Attack crews, such as Scattered Spider, pair slick help-desk impersonation with trusted utilities like AnyDesk or TeamViewer, slipping past whitelists and then harvesting credentials and payment data. This playbook was on display in the July 2025 ransomware hits on British retailers. Restricting remote-access software, logging every session, and enforcing fresh MFA for staff with elevated rights are now baseline countermeasures.
Proactive defenses: Best practices for multilayered security
It’s never wise to depend on a single layer or solution. You need to create a web in which cyber criminals get tangled, and this means:
Leveraging advanced fraud detection tools
Modern fraud prevention requires sophisticated technological solutions. E-commerce companies utilize an average of five fraud detection tools, with credit card verification services (55%), identity verification services (50%), and internal customer order history analysis (34%) being the most commonly used.
AI-powered solutions and machine learning algorithms have become vital for detecting anomalies and suspicious behavior in real-time. These systems analyze vast amounts of transaction data to identify patterns that human analysts might miss, including behavioral biometrics that detect when unauthorized users attempt to make purchases.
75% of e-commerce companies plan to increase fraud prevention budgets over the next 12 months, with 20% planning increases of at least 20%. This investment is crucial, given that fraud management can consume a significant portion of yearly revenue.
Strengthening authentication measures
The majority of e-commerce merchants consider two-factor authentication (2FA) or multi-factor authentication (MFA) the most effective tool for combating fraud. These systems provide an additional layer of security by requiring identity verification through multiple methods, such as passwords combined with SMS codes or biometric data.
CAPTCHAs and bot detection tools are commonly used for account takeover prevention. For credit card transactions, implementing the Address Verification System (AVS) and CVV2 verification helps prevent fraud by cross-referencing billing addresses and security codes with the issuing bank’s records.
Integrating robust Know Your Customer (KYC) controls
Know Your Customer policies are an effective line of defense against synthetic identities and money-mule accounts that bankroll wider e-commerce fraud. Yet execution still lags: 41% of North American merchants flag weak identity verification at account creation as their biggest vulnerability, outstripping issues at checkout or login.
Closing that gap means embedding automated, risk-based KYC into the checkout stack.
Strategic investment and targeted countermeasures
Effective fraud prevention requires a multilayered approach that combines technology, processes, and human oversight. Manual screening can be effective, but it is also time-consuming, so many merchants are scaling back on manual reviews in favor of automated solutions.
For chargeback claims, 90% of e-commerce merchants use compelling evidence to contest fraudulent disputes. Clear product descriptions, transparent return policies, and detailed transaction records provide documentation needed to successfully dispute illegitimate chargebacks.
Brand impersonation requires advanced detection methods, including AI-powered solutions to identify fake websites. Domain monitoring services can detect when cybercriminals register similar domain names or create websites that resemble legitimate ones.
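A minimal sketch of the similar-domain check that domain monitoring performs, as an added example that is not from the original article or any particular monitoring service. The substitution table, the brand name `northwind.example`, and the observed list are constructed assumptions, and inputs are assumed to be registrable domains of the form label.tld.

```python
# Assumed look-alike substitutions; production monitoring uses a larger table.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def skeleton(label):
    """Collapse look-alike characters so visually similar labels compare equal."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, brand_domain):
    """Return why candidate resembles brand_domain, or None if it does not."""
    candidate, brand_domain = candidate.lower(), brand_domain.lower()
    if candidate == brand_domain:
        return None  # the legitimate domain itself
    label, brand = candidate.partition(".")[0], brand_domain.partition(".")[0]
    if label == brand:
        return "same name, different TLD"
    if skeleton(label) == skeleton(brand):
        return "confusable characters"
    if edit_distance(skeleton(label), skeleton(brand)) <= 1:
        return "one-character typo"
    if brand in label.split("-"):
        return "brand name with added keyword"
    return None

def scan(domains, brand_domain):
    """Map each suspicious domain to the reason it was flagged."""
    hits = {d: classify(d, brand_domain) for d in domains}
    return {d: why for d, why in hits.items() if why}

# Constructed sample of newly observed registrations (hypothetical names).
OBSERVED = ["northwind.example", "northwind.test", "northvvind.example",
            "n0rthwind.example", "northwnd.example", "northwind-refunds.example",
            "gardentools.example"]

if __name__ == "__main__":
    for domain, why in scan(OBSERVED, "northwind.example").items():
        print(f"{domain}: {why}")
```

For very short brand names, the one-character threshold will match unrelated words, so pair it with a minimum label length or manual review.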
Consumer education and regulatory compliance
Consumer education plays a vital role in preventing fraud. Customers should regularly monitor their accounts, create unique passwords, enable multi-factor authentication, and verify secure URLs (HTTPS) when shopping online. They should be made aware of security risks, such as browser extensions that can steal login details.
Regulatory compliance has become increasingly important. Legislation like the UK’s Economic Crime and Corporate Transparency Act 2023 makes ‘failure to prevent fraud’ a corporate offense, emphasizing the need for clear policies and processes. Achieving and maintaining PCI DSS compliance is crucial for safeguarding sensitive card data.
Supply chain fraud risks are escalating, including employee kickbacks, counterfeit goods, and financial fraud. Companies need comprehensive risk management strategies addressing vulnerabilities throughout their operational ecosystem.
Protecting your business against e-commerce fraud
E-commerce fraud remains a significant and rapidly evolving challenge for online retailers. With fraud losses projected to reach $107 billion by 2029, implementing comprehensive prevention strategies is critical. Understanding the major fraud risks and investing in multilayered security measures is essential so businesses can protect their margins, revenue, and customer trust. While eliminating fraud may be unrealistic, leveraging advanced technology to verify identities and detect threats is essential for creating a safer online marketplace.