Last updated May 13, 2026 with current cost-of-fraud benchmarks, refreshed money-mule data, and an expanded view on how trust-led decisioning helps merchants tell genuine shoppers from coordinated abuse.
Ecommerce fraud has not stood still. Bots are faster, identities are more synthetic, social engineering is more confident, and the line between a frustrated shopper and a coordinated abuse pattern is harder to draw at first glance. The brands handling it well are the ones treating fraud prevention less like a gate and more like an intelligence layer.
The economics keep the pressure on. LexisNexis Risk Solutions’ 2025 True Cost of Fraud study found that US merchants now incur an average cost of $4.61 for every $1 of fraud they lose, up sharply from $3.00 in the previous year’s study. Verizon’s 2025 Data Breach Investigations Report flagged a doubling of third-party-involved breaches to 30% of incidents, and external actors continue to drive most confirmed breaches in the dataset.
Below are seven patterns Wyllo’s risk intelligence team is seeing across thousands of ecommerce merchants right now, with the playbook for each. Less reaction. More reason.
1. Thorough Documentation Is Still the Single Biggest Lever in Chargeback Defense
The pattern: merchants who lose chargeback cases consistently are usually the ones who can’t quickly produce purchase date, product description, shipping confirmation, customer communications, invoice, and supporting context. Skilled fraudsters know this and tend to target merchants with thin documentation.
What helps: instrument every transaction so it produces a complete record by default. Save the email thread. Save the chat log. Save the device fingerprint, the IP, the delivery photo, the signature, the order modification history. The card networks have expanded what merchants can submit as compelling evidence (Visa’s CE 3.0 rules are the most visible example), and the merchants who win representment at scale are the ones whose evidence is in order before the dispute lands.
Pair the documentation discipline with two-factor authentication for merchant-side accounts. Microsoft research found 2FA blocks 99.9% of automated account attacks, and Google’s joint study with NYU and UC San Diego found SMS-based 2FA stops 100% of automated bot attacks, 96% of bulk phishing, and 76% of targeted attacks. 2FA is one of the highest-ROI controls a merchant can deploy on internal systems.
2. Domain and Shipping-Location Mismatches Hiding Behind “Matching” Billing Details
The pattern: fraudsters routinely use school or institutional email domains paired with shipping addresses that don’t match the cardholder’s region, while manipulating billing and shipping addresses to appear identical at first glance. The order passes a casual eye-test but cracks under closer review.
What helps: build verification flows that look beyond the headline match. Cross-reference the email domain against the shipping geography. Look for institutional email patterns paired with consumer-style orders. Watch for billing and shipping fields that match exactly but disagree with the rest of the order’s signals (device location, IP, language settings).
For the merchant side of the equation, multi-factor authentication remains essential. Verizon’s 2025 DBIR continues to show that external threat actors dominate breach incidents, and third-party access pathways are now involved in 30% of confirmed breaches. MFA across employee accounts, vendor portals, and admin tooling is one of the few controls that meaningfully compounds.
3. Background Checks Reveal the Network Behind Suspicious Orders
The pattern: a high-risk order that looks like a one-off often connects to a registered agent, business address, or device fingerprint already tied to ongoing investigations. The connection is invisible at the transaction level. It only surfaces when the merchant (or the merchant’s risk partner) pulls on the right thread.
What helps: enrich orders with the kinds of signals that don’t sit inside the cart, including business registration data, prior incidents associated with the entity, device reputation, and behavioral fingerprints across other merchants in the network. This is one of the highest-leverage moves a risk team can make. A single $200 chargeback that turns out to be one node in a $10K abuse cluster pays for the workflow many times over.
It also pays to be vigilant about package rerouting. Fraudsters frequently place orders using the cardholder’s address as the shipping address, then call the carrier (or customer service) to redirect the package post-shipment. Work with shipping partners to block address changes after dispatch on flagged orders.
4. Copycat Sites and Triangulation Fraud Are Trapping Real Shoppers
The pattern: a fraudster clones an established brand’s website (or sets up a marketplace listing) offering the merchant’s products at a discount. Real shoppers buy what they think is a deal, the fraudster places a real order from the genuine merchant using stolen card data, drops the buyer’s address as the ship-to, and pockets the price difference. The legitimate merchant absorbs the chargeback later. The shopper sometimes contacts the real brand about an “order” they think they placed.
What helps: monitor for unauthorized brand impersonation through trademark and domain-watching services, and set alerts for spikes in customer-service contacts about orders that don’t exist in your system. On the order side, look for the giveaway signals: stolen-card identity matches paired with shipping addresses that don’t fit the cardholder profile, repeat orders from different “customers” all shipping to the same neighborhood, sudden volume in items that resell well on secondary marketplaces.
If it seems too good to be true on the consumer side, it usually is. Communicating clearly with your customers about which channels are official is one of the best brand-protection moves available.
5. Foreign-Card Mismatches and Other Quiet Transaction-Detail Tells
The pattern: an order arrives with a foreign-issued card paired with credentials that don’t match the cardholder’s country, language preference, or device location. Individually each signal looks small. Together they tell a clear story.
What helps: invest in the people and tooling that scrutinize transaction detail at the level pure-AI systems miss. A first-pass score from an automated system is necessary but rarely sufficient on its own for the highest-risk orders. The merchants seeing the strongest approval rates pair AI-driven decisioning with human review on the orders where context matters most. The goal is not to add friction; it’s to recover legitimate orders that a stricter, simpler system would block.
This is one place where false declines quietly cost more than fraud does. Approving the good orders that look risky on the surface is the unglamorous, compounding part of fraud prevention.
6. Card Testing and Call Bombing as One Connected Move
The pattern: fraudsters validate stolen card data by running small test charges on ecommerce sites. They pair the real cardholder’s billing details with arbitrary emails and shipping addresses, and then often follow up with repeated phone calls to customer service designed to confirm and accelerate the order. Social engineering on the call side is increasingly polished.
What helps: rate-limit suspicious checkout patterns (multiple cards on the same session, multiple sessions with similar fingerprints, rapid retries after declines), and train customer-service teams to recognize the patterns of pressure-tactic outreach. A repeat caller who can answer the easy questions confidently but pushes back when asked for additional verification should be a flag, not a fast track. Document everything; the call logs are useful evidence later if a chargeback follows.
Mastercard’s research on card testing found that roughly a third of global ecommerce merchants are affected by card-testing attacks, and the volume is climbing as fraudsters layer AI-driven automation into the workflow.
7. Money-Mule Schemes That Now Target Older, More “Legitimate-Looking” Account Holders
The pattern: fraudsters target vulnerable individuals through romance scams, fake employment offers, and contrived friendships, then leverage those relationships to register cards in the victim’s name and use the victim’s address to receive and forward packages. The orders look textbook legitimate (real person, real address, real card) right up until they aren’t.
The demographics have shifted. UK regulator data shows over 225,000 money-mule-linked accounts were closed in 2024 alone, a 23% year-over-year increase. Lloyds Bank reported a 73% rise in money-mule accounts held by people over 40, suggesting fraudsters are increasingly recruiting older account holders whose larger, less-flagged transaction histories help illicit funds blend in. Social platforms (Instagram, Snapchat, encrypted messaging) are now common recruitment channels.
What helps: prevent package rerouting at the carrier level. Watch for new accounts whose shipping behavior shifts dramatically after the first order (different drop-off addresses, sudden forwarding patterns, mailbox-cluster receivers). Cluster orders by device, address, and behavior to surface the relationship between accounts that look unrelated on the surface. Mule fraud is one of the hardest patterns to catch without journey-level intelligence, because each individual transaction can look completely clean.
How Wyllo Helps
The thread connecting all seven patterns is the same: connected signals across the customer journey reveal what transaction-level review misses. That is what Wyllo, the CX-first risk intelligence platform, is built around.
Three pieces of the platform do the most work against the patterns above:
- Wyllo Payment Fraud Protection pairs AI-driven decisioning with human fraud experts who review the orders where context matters most. This is the workflow behind the highest approval rates on hard orders. Precision over paranoia.
- Wyllo Claim and Policy Abuse Prevention catches account takeover, mule activity, and policy exploitation upstream, before they turn into refunds, chargebacks, or escalations.
- Wyllo Chargeback Management turns representment into an AI-driven workflow that wins more disputes with less manual case-building.
Designed to think ahead. Built for what’s next.
Frequently Asked Questions
What are the most common ecommerce fraud patterns in 2026?
The seven patterns Wyllo’s team is seeing most often: thin documentation undermining chargeback defense, domain and shipping-location mismatches behind matching billing details, suspicious orders connected to flagged business entities or networks, copycat-site and triangulation fraud, foreign-card mismatches that pure AI misses, card testing paired with call-bombing social engineering, and increasingly sophisticated money-mule schemes targeting older account holders.
How much does ecommerce fraud actually cost a merchant?
LexisNexis Risk Solutions’ 2025 True Cost of Fraud study puts the total cost at $4.61 for every $1 of fraud lost by US retail and ecommerce merchants, up from $3.00 in the prior year’s study. The number includes processing fees, lost merchandise, operational time, and adjacent costs that don’t show up on a chargeback summary alone.
Is two-factor authentication still effective in 2026?
Yes, especially against automated attacks. Microsoft and Google research show 2FA blocks ~99.9% of automated account attacks and SMS-based 2FA stops essentially all automated bot attacks. It is less effective against highly targeted attacks, but for merchant-side accounts, vendor portals, and admin tooling it is one of the highest-ROI controls a merchant can deploy.
What is triangulation fraud?
Triangulation fraud is a scheme where a fraudster clones a merchant’s branding (a copycat site or marketplace listing), takes orders from real shoppers at discounted prices, then uses stolen card data to fulfill those orders through the legitimate merchant. The genuine merchant takes the chargeback hit later when the cardholder reports the fraud, the shopper often loses the money they paid the fraudster, and the fraudster keeps the price difference.
How are money-mule schemes evolving?
Older demographics are increasingly being recruited. Lloyds Bank reported a 73% rise in mule accounts held by people over 40, and UK regulators closed more than 225,000 mule-linked accounts in 2024 alone. Recruitment now happens through Instagram, Snapchat, and encrypted messaging apps, often framed as “money transfer agent” or “payment processor” roles. The shift to older account holders is significant because their larger, more established transaction histories help criminal funds blend into legitimate spending patterns.
How do merchants spot fraud without blocking real customers?
The short answer is connected, journey-level intelligence. Transaction-level rules tend to either let abuse through or block real customers. A risk intelligence approach connects signals across checkout, returns, account behavior, support interactions, and post-purchase outcomes, then applies merchant-specific context so trusted shoppers move faster and high-risk patterns get the right level of scrutiny. The goal is precision over paranoia.
Bringing It Together
Ecommerce fraud is becoming more coordinated, more polished, and more expensive. The patterns above will keep evolving, but the underlying playbook holds steady: build documentation discipline, look for clusters and connections rather than isolated transactions, train your team to recognize social engineering, and pair AI-driven decisioning with human expertise on the orders that matter most.
Curious how a CX-first risk intelligence approach helps you spot these patterns earlier? Explore the Wyllo platform or learn more about Wyllo Payment Fraud Protection, the AI-plus-human-experts approach to ecommerce fraud screening.
