Payment fraud is the single largest operational risk for ecommerce merchants. In a card-not-present environment, which includes every WooCommerce transaction, there’s no physical card to verify, no signature to compare, no face to see. Fraudsters exploit this gap constantly. A comprehensive fraud prevention strategy isn’t optional; it’s a core requirement for running a sustainable online business.
ConvesioPay includes enterprise-grade fraud prevention tools built in — fraud rules, 3D Secure 2.0, and Adyen’s global fraud intelligence network, at no extra cost for WooCommerce merchants. Get started →
1. Types of Payment Fraud in Ecommerce
Card-Not-Present (CNP) Fraud
The most common type. A fraudster uses stolen card details to make purchases online. The legitimate cardholder disputes the transaction, generating a chargeback. CNP fraud accounts for the majority of payment fraud losses for online merchants.
Account Takeover (ATO)
A fraudster compromises a customer’s account, usually through credential stuffing (replaying leaked username/password combinations) or phishing, and uses the saved payment methods to make purchases. The legitimate account holder didn’t authorize the transactions.
Card Testing / Enumeration
Automated bots test stolen card numbers against your checkout to determine which are valid. These attacks typically involve many small or zero-dollar authorization attempts. The cards that pass are then used for larger fraudulent purchases elsewhere. Card testing attacks can also push your authorization decline rates up and trigger Visa VAMP monitoring.
Triangulation Fraud
A three-party scheme: a fraudster sets up a fake online store offering goods at below-market prices. A legitimate customer buys from the fake store, paying with their real card. The fraudster then buys the same goods from a legitimate merchant using stolen card details, shipping to the customer’s address. The legitimate merchant gets a chargeback from the stolen card owner; the fake store customer may never know.
Refund Fraud
A customer makes a legitimate purchase, receives the goods, and then files for a refund while keeping the product. Variations include returning a different item, claiming non-receipt when delivery is confirmed, or exploiting overly lenient return policies.
Friendly Fraud
A cardholder disputes a legitimate transaction they made, claiming non-receipt, defective goods, or unauthorized use. Estimated to account for 60–80% of all chargebacks. See Friendly Fraud: How to Identify and Fight Illegitimate Chargebacks.
2. Detection Signals and Risk Scoring
Fraud prevention begins with identifying high-risk signals at the transaction level. Key indicators:
| Signal | Risk implication |
|---|---|
| Billing/shipping address mismatch | Cardholder not shipping to their own address; gift fraud risk |
| AVS failure or partial match | Billing address doesn’t match card issuer records |
| CVV failure | Purchaser doesn’t have physical possession of the card |
| BIN country mismatch | Card issued in a different country from the IP or shipping address |
| High-risk IP geolocation | IP associated with known fraud regions, proxies, or TOR exit nodes |
| Email address anomalies | Disposable email domains; recently created addresses |
| Order velocity | Multiple orders in a short window from same IP, device, or card |
| Unusually high order value | First-time customer placing a very large order |
| Digital goods only orders | Instantly deliverable; no physical recourse; preferred by fraudsters |
No single signal proves fraud; risk scoring combines multiple signals to produce a risk level for each transaction.
3. Rule-Based Fraud Screening
Rule-based systems apply defined logic to each transaction. Examples:
- Block transactions where CVV fails
- Flag orders over $500 from new customers for manual review
- Block transactions from IP addresses in high-risk countries
- Decline orders with more than 2 failed payment attempts on the same device in 24 hours
Rule-based screening is predictable and transparent: you know exactly why a transaction was blocked. The limitation: rules require ongoing maintenance and don’t adapt to evolving fraud patterns automatically.
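The following is an added example, not code from ConvesioPay or Adyen, showing how the signal table in section 2 and the rules in section 3 fit together in one screening step. The `Transaction` fields, the signal weights, the score thresholds, the disposable-domain list and the placeholder high-risk country code `ZZ` are all assumptions made for the illustration. The rules fire first and carry a human-readable reason, which is the transparency the text describes; the score only triages what no rule caught.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed reference data, constructed for this example; real lists come from your
# processor's intelligence feeds, not from this file.
DISPOSABLE_EMAIL_DOMAINS = {"mailinator.com", "guerrillamail.com"}
HIGH_RISK_IP_COUNTRIES = {"ZZ"}  # placeholder ISO code, not a real country


@dataclass
class Transaction:
    order_id: str
    amount: float              # USD
    avs_result: str            # "match", "partial" or "fail"
    cvv_result: str            # "match" or "fail"
    bin_country: str           # issuing country derived from the card BIN
    ip_country: str
    shipping_country: str
    billing_address: str
    shipping_address: str
    email: str
    email_age_days: int        # mailbox age as reported by an enrichment service (assumed)
    ip_is_proxy_or_tor: bool
    orders_last_hour: int      # orders from the same IP, device or card in the last hour
    failed_attempts_24h: int   # failed payment attempts on the same device in 24 hours
    digital_only: bool
    is_new_customer: bool


# Illustrative weights (assumptions); tune them against your own chargeback history.
SIGNAL_WEIGHTS = {
    "address_mismatch": 15, "avs_fail": 20, "avs_partial": 10, "cvv_fail": 30,
    "bin_country_mismatch": 20, "high_risk_ip": 25, "disposable_email": 15,
    "new_email": 10, "order_velocity": 20, "high_value_first_order": 15,
    "digital_only": 10,
}


def evaluate_signals(tx: Transaction) -> dict:
    """Map the section 2 signal table onto one transaction: {signal: weight} for each hit."""
    hits = {}

    def hit(name):
        hits[name] = SIGNAL_WEIGHTS[name]

    if tx.billing_address != tx.shipping_address:
        hit("address_mismatch")
    if tx.avs_result == "fail":
        hit("avs_fail")
    elif tx.avs_result == "partial":
        hit("avs_partial")
    if tx.cvv_result == "fail":
        hit("cvv_fail")
    if tx.bin_country != tx.ip_country or tx.bin_country != tx.shipping_country:
        hit("bin_country_mismatch")
    if tx.ip_is_proxy_or_tor:
        hit("high_risk_ip")
    domain = tx.email.rsplit("@", 1)[-1].lower()
    if domain in DISPOSABLE_EMAIL_DOMAINS:
        hit("disposable_email")
    elif tx.email_age_days < 7:
        hit("new_email")
    if tx.orders_last_hour >= 3:
        hit("order_velocity")
    if tx.is_new_customer and tx.amount >= 1000:
        hit("high_value_first_order")
    if tx.digital_only:
        hit("digital_only")
    return hits


def risk_score(hits: dict) -> int:
    """Combine triggered signals into a 0-100 score; no single signal decides on its own."""
    return min(100, sum(hits.values()))


def risk_level(score: int) -> str:
    return "high" if score >= 60 else "medium" if score >= 30 else "low"


def apply_rules(tx: Transaction) -> Optional[tuple]:
    """The explicit rules listed in section 3; each outcome carries the reason it fired."""
    if tx.cvv_result == "fail":
        return "block", "CVV failed"
    if tx.ip_country in HIGH_RISK_IP_COUNTRIES:
        return "block", f"IP geolocated to high-risk country {tx.ip_country}"
    if tx.failed_attempts_24h > 2:
        return "block", "more than 2 failed payment attempts on this device in 24h"
    if tx.is_new_customer and tx.amount > 500:
        return "review", "order over $500 from a new customer"
    return None


def screen(tx: Transaction) -> dict:
    """Rules give hard, explainable decisions; the score triages whatever the rules did not catch."""
    hits = evaluate_signals(tx)
    score = risk_score(hits)
    level = risk_level(score)
    rule = apply_rules(tx)
    if rule is not None:
        decision, reason = rule
    elif level == "high":
        decision, reason = "review", f"risk score {score} (high)"
    else:
        decision, reason = "allow", f"risk score {score} ({level})"
    return {"order_id": tx.order_id, "decision": decision, "reason": reason,
            "score": score, "level": level, "signals": sorted(hits)}


# Constructed sample orders (not real transactions): a clean repeat customer,
# a card-testing-style probe, and a large first order that only needs review.
SAMPLE_ORDERS = [
    Transaction("A-1001", 80.00, "match", "match", "US", "US", "US",
                "1 Main St", "1 Main St", "jane@example.com", 900, False, 1, 0, False, False),
    Transaction("A-1002", 1.00, "fail", "fail", "GB", "NL", "US",
                "1 Main St", "9 Drop Ln", "x9@mailinator.com", 1, True, 6, 4, True, True),
    Transaction("A-1003", 750.00, "match", "match", "US", "US", "US",
                "5 Oak Ave", "5 Oak Ave", "sam@example.com", 400, False, 1, 0, False, True),
]

if __name__ == "__main__":
    for order in SAMPLE_ORDERS:
        print(screen(order))
```

Running it prints one decision per sample order: the clean order is allowed with a score of 0, the probe is blocked by the CVV rule (its score also saturates at 100, but the rule is what the reviewer will see as the reason), and the $750 first order is routed to manual review. Every `reason` string is something a support agent can read back to a customer, which is the maintenance trade-off the section describes: the rules are explainable precisely because someone has to keep writing them.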
ConvesioPay allows merchants to configure custom fraud rules directly in the payment settings, applying them to all WooCommerce transactions.
4. Machine Learning Fraud Detection
ML-based fraud detection identifies patterns across millions of transactions that no human-defined rule could capture. Adyen’s RevenueProtect, which powers ConvesioPay’s fraud intelligence layer, uses transaction data from across the Adyen global network to identify fraud patterns and score individual transactions in real time.
Key advantage: ML models adapt. As fraud patterns evolve, the model updates without manual rule changes.
5. 3D Secure 2.0: The Authentication Layer
3D Secure 2 (3DS2) adds an authentication step to card-not-present transactions. When a transaction is successfully authenticated via 3DS2, fraud chargeback liability shifts from the merchant to the issuing bank. This is the most powerful single tool available for eliminating fraud chargebacks.
3DS2’s frictionless flow authenticates most low-risk transactions without requiring the cardholder to take any additional action. A challenge (OTP, biometric) is only requested for transactions the issuer flags as higher risk.
For WooCommerce merchants, 3DS2 is available natively through ConvesioPay. See 3D Secure Payments: What Merchants Need to Know About 3DS2.
6. Account Takeover Prevention
Protecting customer accounts is as important as protecting payment fields. ATO prevention measures:
- Enforce strong password requirements
- Implement multi-factor authentication (MFA) for account access
- Monitor for credential stuffing attacks (many failed login attempts across many accounts)
- Alert customers on login from a new device or location
- Require re-authentication for payment method changes or high-value orders
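As an added example (not ConvesioPay's or WooCommerce's own code), the detection logic behind two of the items above: spotting a credential-stuffing burst in authentication logs, and alerting when an account signs in from a device or location it has never used. The log line format, the field names, the 10-minute window and the five-account threshold are all assumptions for the illustration; the sample log is constructed. A third function joins the two results, listing accounts that logged in successfully from an address already flagged for stuffing, which is the set you would force to re-authenticate before any saved payment method can be used.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format for this example (assumed; not a WooCommerce log format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail) "
    r"device=(?P<device>\S+) country=(?P<country>[A-Z]{2})$"
)


def parse_line(line: str) -> dict:
    """Parse one auth log line into a dict with a timezone-aware timestamp."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5) -> dict:
    """Flag IPs whose failed logins touch at least `min_accounts` distinct accounts inside
    any `window`-long span. Returns {ip: peak number of distinct accounts}."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            fails[e["ip"]].append((e["ts"], e["user"]))
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()
        start, peak = 0, 0
        for end in range(len(attempts)):          # sliding window over sorted attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            peak = max(peak, len({user for _, user in attempts[start:end + 1]}))
        if peak >= min_accounts:
            flagged[ip] = peak
    return flagged


def new_device_alerts(events) -> list:
    """Alert on the first successful login from a (device, country) pair the account has
    not used before. The account's first-ever success establishes its baseline."""
    known = defaultdict(set)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] != "ok":
            continue
        key = (e["device"], e["country"])
        if known[e["user"]] and key not in known[e["user"]]:
            alerts.append(f"{e['user']}: login from new device {e['device']} in {e['country']}")
        known[e["user"]].add(key)
    return alerts


def suspected_takeovers(events, flagged_ips) -> list:
    """Accounts that logged in successfully from an IP already flagged for stuffing."""
    return sorted({(e["user"], e["ip"]) for e in events
                   if e["result"] == "ok" and e["ip"] in flagged_ips})


def analyze(lines) -> dict:
    events = [parse_line(line) for line in lines if line.strip()]
    flagged = detect_credential_stuffing(events)
    return {"credential_stuffing": flagged,
            "new_device_alerts": new_device_alerts(events),
            "suspected_takeovers": suspected_takeovers(events, flagged)}


# Constructed sample log: two normal logins, one ordinary typo, then a burst of failures
# against six different accounts from one address, ending in a successful login.
SAMPLE_LOG = """
2025-01-10T09:00:00Z ip=198.51.100.7 user=alice result=ok device=ph-a1 country=US
2025-01-10T09:01:00Z ip=198.51.100.8 user=bob result=ok device=lt-b1 country=US
2025-01-10T11:30:00Z ip=198.51.100.9 user=carol result=fail device=lt-c1 country=US
2025-01-10T12:00:01Z ip=203.0.113.5 user=alice result=fail device=bot-1 country=NL
2025-01-10T12:00:05Z ip=203.0.113.5 user=bob result=fail device=bot-1 country=NL
2025-01-10T12:00:09Z ip=203.0.113.5 user=dave result=fail device=bot-1 country=NL
2025-01-10T12:00:13Z ip=203.0.113.5 user=erin result=fail device=bot-1 country=NL
2025-01-10T12:00:17Z ip=203.0.113.5 user=frank result=fail device=bot-1 country=NL
2025-01-10T12:00:21Z ip=203.0.113.5 user=grace result=fail device=bot-1 country=NL
2025-01-10T12:00:25Z ip=203.0.113.5 user=alice result=ok device=bot-1 country=NL
""".strip().splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample log, `203.0.113.5` is flagged with six distinct accounts in the window, `alice` gets a new-device alert for `bot-1` in NL, and the same login appears in `suspected_takeovers`. Counting distinct accounts per source rather than raw failures is what separates stuffing from a single user mistyping their password, as the `carol` line shows.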
7. Card Testing Attack Prevention
Card testing attacks typically target your checkout or payment form with automated requests. Defense measures:
- CAPTCHA or invisible bot detection on payment forms
- Rate limiting on authorization attempts
- Velocity rules: block cards or IPs with multiple failed authorization attempts
- Monitor for unusual authorization patterns, such as many small-amount attempts in a short window
- Alert your processor if you detect a card testing attack so they can coordinate with card networks
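An added example, not code from ConvesioPay, Adyen or WooCommerce, of the three checkout-side defenses above working together: a per-IP rate limit on authorization attempts, a per-card velocity block after repeated failures, and a detector for the signature pattern of many small-amount declines from one address. All thresholds and windows are assumptions chosen for the illustration, the traffic in `run_scenario` is constructed, and the `issuer_approves` argument stands in for the processor's response so the example runs offline. The `alerts` list is what you would hand to your processor so they can coordinate with the card networks.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


class CardTestingMonitor:
    """Checkout-side card testing defenses. Thresholds are illustrative assumptions."""

    def __init__(self, ip_limit=10, ip_window=timedelta(seconds=60),
                 card_fail_limit=3, card_window=timedelta(minutes=10),
                 small_amount=2.00, pattern_min_attempts=5, pattern_decline_rate=0.8,
                 pattern_window=timedelta(minutes=5)):
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.card_fail_limit, self.card_window = card_fail_limit, card_window
        self.small_amount = small_amount
        self.pattern_min_attempts = pattern_min_attempts
        self.pattern_decline_rate = pattern_decline_rate
        self.pattern_window = pattern_window
        self.ip_attempts = defaultdict(deque)    # ip -> timestamps of forwarded attempts
        self.card_failures = defaultdict(deque)  # card token -> timestamps of declines
        self.ip_outcomes = defaultdict(deque)    # ip -> (ts, amount, approved)
        self.blocked_ips = set()
        self.alerts = []                         # what you would report to your processor

    @staticmethod
    def _prune(dq, now, window, key=lambda item: item):
        """Drop entries older than `window` from the left of a time-ordered deque."""
        while dq and now - key(dq[0]) > window:
            dq.popleft()

    def authorize(self, now, ip, card_token, amount, issuer_approves):
        """Decide whether to forward an authorization attempt and record its outcome."""
        if ip in self.blocked_ips:
            return "blocked:ip_blocklisted"
        attempts = self.ip_attempts[ip]
        self._prune(attempts, now, self.ip_window)
        if len(attempts) >= self.ip_limit:              # rate limit on attempts per IP
            return "blocked:ip_rate_limit"
        failures = self.card_failures[card_token]
        self._prune(failures, now, self.card_window)
        if len(failures) >= self.card_fail_limit:       # velocity rule on a single card
            return "blocked:card_velocity"
        attempts.append(now)
        outcomes = self.ip_outcomes[ip]
        self._prune(outcomes, now, self.pattern_window, key=lambda item: item[0])
        outcomes.append((now, amount, issuer_approves))
        if not issuer_approves:
            failures.append(now)
        self._check_pattern(ip, outcomes)
        return "approved" if issuer_approves else "declined"

    def _check_pattern(self, ip, outcomes):
        """Many small-amount attempts with a high decline rate is the card testing signature."""
        small = [o for o in outcomes if o[1] <= self.small_amount]
        if len(small) < self.pattern_min_attempts:
            return
        declines = sum(1 for o in small if not o[2])
        if declines / len(small) >= self.pattern_decline_rate:
            self.blocked_ips.add(ip)
            self.alerts.append(f"card testing pattern from {ip}: {declines}/{len(small)} "
                               f"small-amount attempts declined within {self.pattern_window}")


def run_scenario() -> dict:
    """Constructed traffic: a real customer, a card-testing bot, one card hammered from
    another address, and one address exceeding the per-minute rate limit."""
    t0 = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
    mon = CardTestingMonitor()
    results = {"customer": [], "bot": [], "card_velocity": [], "rate_limit": []}
    results["customer"].append(mon.authorize(t0, "198.51.100.3", "tok_c1", 49.99, True))
    # Bot probes a different stolen card every 5 seconds at $1.00; only the third is live.
    for i in range(6):
        results["bot"].append(mon.authorize(t0 + timedelta(seconds=5 * i), "203.0.113.9",
                                            f"tok_stolen{i}", 1.00, issuer_approves=(i == 2)))
    # One card declined three times in a row, then tried a fourth time.
    for i in range(4):
        results["card_velocity"].append(mon.authorize(t0 + timedelta(minutes=1, seconds=i),
                                                      "192.0.2.4", "tok_a", 20.00, False))
    # Eleven attempts in under a minute from a single address at a normal amount.
    for i in range(11):
        results["rate_limit"].append(mon.authorize(t0 + timedelta(minutes=2, seconds=i),
                                                   "192.0.2.77", f"tok_r{i}", 30.00, True))
    results["alerts"] = list(mon.alerts)
    return results


if __name__ == "__main__":
    for name, rows in run_scenario().items():
        print(name, rows)
```

In the scenario the bot's fifth $1.00 attempt brings its small-amount decline rate to 4/5, which trips the pattern detector, blocklists the address and raises an alert; its sixth attempt never reaches the processor. The hammered card is cut off on the fourth try by the velocity rule, and the eleventh attempt from the busy address hits the rate limit, while the ordinary customer is approved. Each of these decisions happens before an authorization is sent, which is what keeps the attack from inflating your decline rate in the first place.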
8. Fraud Response Procedures
When fraud is detected or suspected:
- Hold the order — don’t fulfill until the review is complete
- Investigate signals — check all fraud indicators; contact the customer if warranted (verify via a phone number on file, not one the customer just provided)
- Cancel or refund if confirmed — issuing a proactive refund is cheaper than a chargeback
- Document and blacklist — record the email, IP, device fingerprint, and billing/shipping addresses associated with confirmed fraud
- Report if significant — large or coordinated fraud should be reported to your processor and, in some cases, law enforcement
ConvesioPay’s fraud prevention is built in, not bolted on. Rules engine, 3DS2, Adyen RevenueProtect, and AVS/CVV — all available to WooCommerce merchants from day one. Get started →