The fraud a small store actually sees
Card fraud against small online stores is rarely sophisticated. It arrives in four familiar shapes, and knowing which one you are looking at determines the right response.
- Stolen-card fraud: a criminal uses someone else's card details, and the real cardholder later disputes the charge
- Friendly fraud: a genuine customer disputes their own purchase, sometimes through confusion over an unfamiliar statement descriptor, sometimes cynically to keep goods free
- Card testing: bots fire small transactions at your checkout to validate stolen card numbers, leaving a spike of declines and gateway fees
- Triangulation: fraudsters list your products on a marketplace, take real buyers' money, then order from you with stolen cards and ship to those buyers
Each has a different fix: screening and 3DS2 for stolen cards, clear descriptors and evidence packs for friendly fraud, and rate limiting with CAPTCHA on the payment endpoint for card testing.
Fraud signals worth screening for
You do not need enterprise tooling to catch most bad orders. A short manual check on automatically flagged orders catches the bulk of them.
- Billing and shipping addresses in different countries, or delivery to a known freight-forwarding address
- First-time customer, unusually high basket value, fastest shipping option selected
- Multiple failed payment attempts or several different cards tried in one session
- Disposable or gibberish email addresses that bear no relation to the customer name
- IP location far from both billing and shipping address, allowing for legitimate VPN use
- Several orders to one address under different names, or one card used across multiple accounts
One signal alone is usually innocent; impatient real customers choose express shipping too. Two or three together justify a pause: hold despatch and email or phone to verify. Genuine customers respond quickly; fraudsters tend to vanish.
Need a hand with this?
Our team delivers E-Commerce Development for UK businesses — with a free initial consultation, transparent fixed quotes and no lock-in contracts. Tell us what you're working on →
Getting 3DS2 right
3-D Secure 2 is the authentication layer behind "confirm this payment in your banking app". Under UK and EU strong customer authentication rules it applies to most online card payments, but the detail that matters commercially is the liability shift: when a transaction is authenticated through 3DS, liability for fraud chargebacks generally moves from you to the card issuer.
- Confirm 3DS2 is active in your gateway; Stripe's hosted checkout handles it automatically, and Radar rules can force a challenge on high-risk orders
- Do not force a challenge on every transaction: challenges add friction and abandonment, and legitimate exemptions exist for low-value and low-risk payments
- A sensible default is letting the gateway request exemptions on low-risk orders while triggering 3DS on flagged ones, so the liability shift lands exactly where you need it
- Remember 3DS addresses disputes coded as fraudulent transactions; it does nothing against "item not received" or "not as described" claims
Use the tooling you already pay for
Most small stores already own respectable defences and simply have not switched them on.
- Shopify's built-in fraud analysis flags risk indicators on each order; pair it with a rule that holds high-risk orders out of auto-fulfilment
- Stripe Radar scores every payment and supports custom rules, such as reviewing any order over £300 where the shipping country differs from the card country
- PayPal Seller Protection covers eligible transactions when you ship tracked to the address on the transaction page, so never ship anywhere else
- WooCommerce, BigCommerce and Adobe Commerce have equivalent anti-fraud extensions; guaranteed-decision services such as Signifyd only earn their fee at meaningful volume
- Maintain a block list of emails, addresses and device fingerprints from confirmed past fraud
One cheap fix outperforms its size: set your card statement descriptor to the trading name customers actually recognise. A surprising share of "fraud" disputes are just confusion at the bank statement.
Fighting a chargeback: build the evidence pack once
When a dispute arrives you have a short, fixed response window, often two to three weeks depending on the scheme and your provider. Merchants who win consistently are not lucky; they have a template ready and only fill in the specifics.
- The order record: items, amounts, timestamps, IP address and device data from your platform
- Proof of delivery: tracking showing delivered status to the address given, with signature or courier photo where available
- Customer communications: emails, chat logs, and any post-purchase messages they engaged with
- Identity corroboration: AVS and CVV match results plus the 3DS authentication outcome
- For repeat customers, prior undisputed orders; Visa's Compelling Evidence 3.0 rules allow some fraud disputes to be defeated by showing two earlier undisputed transactions sharing data points such as device or IP
- A one-paragraph cover narrative naming the dispute reason code and stating how each exhibit rebuts it
Write that narrative for a human who will skim: reason code first, rebuttal second, exhibit list last. A tight page beats a forty-page PDF dump.
Key Takeaway
Screen every order against a short signal list, let 3DS2 carry the risk on suspicious transactions rather than blocking them outright, and keep a pre-built evidence template so chargeback responses take twenty minutes, not two hours. Fight disputes where you hold delivery proof and matching customer data; refund quickly where you do not. Above all, watch your dispute rate, because scheme monitoring programmes hurt far more than any single lost order.
When to eat the loss
Fighting everything is a mistake. Each chargeback carries a fee, commonly in the £15 to £25 range, plus your time, and disputes you fight and lose still count against your record. Card schemes run monitoring programmes that flag merchants whose dispute rates climb towards roughly 1% of transactions, and the consequences, from fines to eventually losing card processing, dwarf any single order.
- Refund proactively when a customer contacts you before disputing; a refund is cheaper than a chargeback even when you suspect nonsense
- Fight when you hold delivery proof plus identity evidence, particularly on higher-value orders
- Concede low-value fraud-coded disputes that lack 3DS authentication, where your win rate will be poor
- Track disputes as a rate rather than a count, and treat any upward trend as a checkout or screening fault to fix at source
Fraud defence is mostly configuration, templates and habit rather than expensive software. If you want your checkout, gateway rules and dispute process hardened properly, our team can help.
