Global card fraud ran $33.4 billion in 2024 (Nilson Report) — and it's organized like a business: wholesalers, testers, cash-out crews, even customer support. Know the supply chain and the defenses finally make sense.
The most common play in the book. A criminal buys stolen card numbers wholesale — but most are dead. Step one is finding out which still work. Your $1 donation page is their laboratory.
Six species of payment fraud — each with a different victim, defense, and bill-payer:
Breached or phished card numbers used online. The merchant usually eats it (chargeback rules), which is why every checkout runs fraud scoring. Declining share of total fraud — tokenization and 3DS are working.
Credential-stuffing into wallets, bank apps, and merchant accounts with saved cards. Beats card-level defenses because the fraudster is the customer, device and all. Defense: passkeys, device binding, behavioral biometrics.
Real purchase, fake dispute — forgot, regretted, or gamed it. By many industry estimates the largest dispute category by volume, and the hardest to fight: your adversary passed every fraud check, because they're real.
Fraudster lists cheap goods on a marketplace, takes your payment, then buys the real item from a legit store with a stolen card and ships it to you. You got your shoes; the legit store gets the chargeback. Three corners, one loser.
Authorized push payment fraud: fake invoices, "your account is at risk," romance and investment scams — engineered for instant rails where there is no undo. The fastest-growing category worldwide; the UK now forces banks to reimburse most victims, and others are following.
Bust-out merchants: open an account, sell heavily, never ship, vanish with the settlement money — leaving the acquirer holding the chargebacks. This is why merchant onboarding feels like a loan application. It is one.
The defense, in layers — every checkout you've ever used runs this gauntlet invisibly: velocity rules (100 cards from one IP? blocked) → device fingerprinting (is this browser who it claims?) → ML risk scoring (does this purchase fit the pattern?) → 3DS step-up (make the bank check) → manual review (a human, for the weird ones). Each layer is cheap to pass for you and expensive to pass at scale for a bot. That asymmetry is the entire science of fraud prevention.
The defender's handbook: what the models actually look at, decline strategy, monitoring programs, and fraud's geography.