THE GUIDE

Fraud is a $33 billion industry with a supply chain.

Global card fraud ran $33.4 billion in 2024 (Nilson Report) — and it's organized like a business: wholesalers, testers, cash-out crews, even customer support. Know the supply chain and the defenses finally make sense.

SCROLL ↓
PART 01

Anatomy of a card-testing attack.

The most common play in the book. A criminal buys stolen card numbers wholesale — but most are dead. Step one is finding out which still work. Your $1 donation page is their laboratory.

PART 02

The taxonomy.

Six species of payment fraud — each with a different victim, defense, and bill-payer:

SPECIES 1 · STOLEN CARD (CNP)

The classic

Breached or phished card numbers used online. The merchant usually eats it (chargeback rules), which is why every checkout runs fraud scoring. Declining share of total fraud — tokenization and 3DS are working.

SPECIES 2 · ACCOUNT TAKEOVER

Steal the account, not the card

Credential-stuffing into wallets, bank apps, and merchant accounts with saved cards. Beats card-level defenses because the fraudster is the customer, device and all. Defense: passkeys, device binding, behavioral biometrics.

SPECIES 3 · FRIENDLY FRAUD

The customer is the fraudster

Real purchase, fake dispute — forgot, regretted, or gamed it. By many industry estimates the largest dispute category by volume, and the hardest to fight: your adversary passed every fraud check, because they're real.

SPECIES 4 · TRIANGULATION

The fake storefront

Fraudster lists cheap goods on a marketplace, takes your payment, then buys the real item from a legit store with a stolen card and ships it to you. You got your shoes; the legit store gets the chargeback. Three corners, one loser.

SPECIES 5 · APP SCAMS

You press the button yourself

Authorized push payment fraud: fake invoices, "your account is at risk," romance and investment scams — engineered for instant rails where there is no undo. The fastest-growing category worldwide; the UK now forces banks to reimburse most victims, and others are following.

SPECIES 6 · MERCHANT FRAUD

The seller is the scam

Bust-out merchants: open an account, sell heavily, never ship, vanish with the settlement money — leaving the acquirer holding the chargebacks. This is why merchant onboarding feels like a loan application. It is one.

PART 03

The scoreboard.

$33.4B
global card fraud losses, 2024 — on $51.9T of volume (Nilson Report)
42%
of global fraud losses hit the US — on only 26% of global card volume. CNP-heavy, magstripe legacy, scam testing ground
$41B
projected annual losses by 2030 — fraud grows with volume, never disappears
~6.5¢
lost to fraud per $100 of card volume globally — the "tax rate" the whole system prices in

The defense, in layers — every checkout you've ever used runs this gauntlet invisibly: velocity rules (100 cards from one IP? blocked) → device fingerprinting (is this browser who it claims?) → ML risk scoring (does this purchase fit the pattern?) → 3DS step-up (make the bank check) → manual review (a human, for the weird ones). Each layer is cheap to pass for you and expensive to pass at scale for a bot. That asymmetry is the entire science of fraud prevention.

FIELD NOTES — THE PRO LAYER

For the professionals.

The defender's handbook: what the models actually look at, decline strategy, monitoring programs, and fraud's geography.

VELOCITY & DEVICE SIGNALS — WHAT THE RULES ACTUALLY CHECK
'Velocity rules' means counting things per key per window: cards per device per hour, attempts per IP per minute, accounts per shipping address per week, BIN spread per session. Card-testing attacks light these up first — hundreds of $0–$1 auths from one device fingerprint. The fingerprint itself blends dozens of signals (user agent, screen metrics, fonts, canvas/WebGL rendering quirks, timezone-vs-IP mismatch), producing an ID that survives cookie clearing. Above rules sit ML scores consuming the same features plus history. The craft is the action ladder: silent-allow, step-up (3DS challenge), soft-block with retry, hard-block — because a false positive costs a customer while a false negative costs one basket. Mature teams tune to a cost function, not an accuracy number; a model that blocks $10 of fraud by declining $200 of good coffee is worse than no model.
DECLINE STRATEGY — THE REVENUE SIDE OF RISK
Fraud teams famously own declines but not their cost. The pro view: issuer declines split into hard (stolen card, closed account — never retry) and soft (insufficient funds, do-not-honor, suspected fraud — retry windows exist). The toolkit that recovers revenue: correct CIT/MIT tagging (merchant-initiated retries are judged differently), account updater and network tokens (fix expired/reissued cards silently), smart retry timing (after payday beats midnight), and 3DS step-up as an alternative to declining outright. Issuers run the mirror image: their 'suspected fraud' declines on good customers drive cards to the back of the wallet. The industry's dirty secret is that false declines cost multiples of actual fraud — estimates vary widely, but every serious study puts insult losses far above fraud losses. Optimize both sides or you're not optimizing.
MONITORING PROGRAMS — THE NETWORK IS WATCHING YOU TOO
Merchants worry about fraudsters; professionals also worry about the networks' surveillance of merchants. Visa's VAMP tracks your combined fraud-plus-dispute ratio (excessive at 1.5% for US/CA/EU/AP since 1 Apr 2026 — verified Jun 2026) and counts enumeration attacks separately — meaning being the victim of card testing can put you in a program if you don't block it. Mastercard runs parallel excessive-fraud/chargeback tiers. Acquirers, who eat the fines first, respond commercially: reserves up, pricing up, or termination. The operational takeaway: your fraud rate is a license to operate metric, not merely a loss metric, and 'we got attacked' is an explanation, not an exemption.
FRAUD HAS GEOGRAPHY — ATTACK MAPS FOLLOW CONTROL MAPS
Fraud concentrates wherever the local control stack is weakest. The US: card-not-present fraud dominates (late EMV migration pushed fraud online, no SCA mandate keeps it there). Europe post-PSD2: CNP fraud suppressed by SCA, so losses migrated to APP scams — social-engineering the human, the one factor SCA can't patch. UK: APP losses rival card fraud outright, hence the mandatory reimbursement regime. India: OTP-based 2FA pushed attacks toward SIM swap and mule-account networks; UPI's scale made collect-request scams a category. Brazil: Pix's speed produced kidnapping-adjacent coercion fraud, answered with night-time transfer limits and MED claw-backs. Design lesson: every control migrates fraud somewhere; the map of attacks is the map of controls, shifted six months.
THE FRAUD STACK — WHO SELLS WHAT
The vendor market breaks into layers: device intelligence (fingerprinting SDKs), identity verification (document + selfie at onboarding — the KYC step), transaction risk scoring (the ML engines inside PSPs or standalone), 3DS/authentication orchestration, chargeback tooling (alerts like Verifi/Ethoca that intercept disputes pre-chargeback, plus representment automation), and consortium data — the quiet moat, because fraud signals compound across merchants: the device that hit five other shops this hour is the signal no single merchant can see alone. This consortium effect is why fraud prevention consolidated into big platforms, and why 'we see X% of global e-commerce' is the sales pitch that actually matters.
PART 04

Remember three things.

1
Fraud migrates; it never dies. Chips killed counterfeiting → fraud went online. Tokenization hardened checkout → fraud became account takeover. Instant rails killed chargebacks → fraud became persuasion. Every defense is a redirection.
2
The bill always lands on whoever could have prevented it. CNP → merchant. Counterfeit at a chip terminal → issuer. APP scam → increasingly the bank, by regulation. Liability design is fraud policy.
3
~6.5 basis points is the system's pain tolerance. Fraud could be near-zero — with so much friction nobody would buy anything. The industry deliberately tunes for conversion over prevention, and prices the leftovers into your fees.