Fraud in Digital Payments: Attack Vectors, Prevention, and the Chargeback Problem
Understanding payment fraud: card-not-present attacks, friendly fraud, account takeover, and how stablecoins change the equation.
Payment fraud cost the global economy over $33 billion in 2024, according to the Nilson Report. That number alone understates the problem. When you add chargeback processing fees, fraud prevention tooling, false declines on legitimate orders, and the operational overhead of managing disputes, the true cost to merchants is several multiples higher. For every dollar lost to fraud, U.S. merchants spend $4.61 in total costs according to LexisNexis.
This article breaks down the major fraud vectors in digital payments, explains why the chargeback system is structurally broken for merchants, and examines how irreversible payment rails like stablecoins change the fraud equation entirely.
How Large Is the Payment Fraud Problem?
Global payment card fraud losses reached $33.41 billion in 2024, with the United States accounting for a disproportionate share: 26% of global card volume but nearly 42% of fraud losses. The Nilson Report projects cumulative losses of $403 billion over the next decade, reaching $41 billion annually by 2030.
These figures cover only direct fraud losses on card networks. Broader online payment fraud, including non-card channels, pushes the numbers higher. Juniper Research estimates that merchant losses from online payment fraud will exceed $362 billion cumulatively from 2023 to 2028.
| Metric | Value | Source |
|---|---|---|
| Global card fraud losses (2024) | $33.41 billion | Nilson Report |
| U.S. share of global fraud | 41.87% | Nilson Report |
| Projected annual losses by 2030 | $41.06 billion | Nilson Report |
| True cost per $1 of fraud (U.S.) | $4.61 | LexisNexis |
| CNP share of total card fraud | ~70% | FICO |
| Account takeover losses (2024) | $16 billion | Javelin Strategy |
Card-Not-Present Fraud: The Dominant Attack Vector
Card-not-present (CNP) fraud accounts for approximately 70% of all card fraud losses globally. In the United States, CNP fraud reached $10 billion in 2024, growing 11% year over year. This category covers any transaction where the physical card is not presented to the merchant: e-commerce checkouts, phone orders, and in-app purchases.
The shift to CNP dominance accelerated after EMV chip adoption made card-present counterfeiting significantly harder. Fraudsters migrated online, where stolen card credentials can be used without physical access to the card itself.
Primary CNP attack methods
- Data breaches exposing card numbers, CVVs, and billing addresses at scale
- Digital skimming via malicious JavaScript injected into e-commerce checkout pages (Magecart-style attacks)
- Credential stuffing using leaked username/password combinations to access accounts with saved payment methods
- Social engineering through phishing emails and fake merchant sites that harvest card details directly from consumers
- BIN attacks using automated tools that systematically test card numbers against merchant checkout flows to identify valid credentials
Why CNP fraud persists: Unlike card-present transactions where the EMV chip creates a unique cryptogram for each transaction, CNP transactions rely on static credentials (card number, expiry, CVV). Once these are stolen, they can be reused until the card is cancelled. The 3D Secure protocol adds a dynamic authentication layer, but adoption remains uneven outside Europe.
Friendly Fraud and Chargeback Abuse
Friendly fraud occurs when a legitimate cardholder makes a purchase and then disputes it with their issuing bank, claiming the transaction was unauthorized or the goods were never received. The 2024 Chargeback Field Report found that first-party fraud represented 36% of all reported fraud, up from 15% in 2023. Nearly half of surveyed merchants estimated friendly fraud was responsible for over 50% of their chargebacks.
The motivations range from buyer's remorse to deliberate abuse. “Cyber shoplifting” describes consumers who receive goods or services but file disputes to get refunds while keeping the product. Some operate this as a systematic scheme, knowing that card network rules heavily favor the cardholder in dispute resolution.
Why friendly fraud is hard to fight
The core problem is informational asymmetry. When a cardholder tells their bank “I didn't authorize this,” the bank has limited ability to verify whether the claim is legitimate. Card network rules require issuers to provide provisional credit to the cardholder immediately, placing the burden of proof on the merchant. Merchants must then assemble evidence packages including delivery confirmation, IP addresses, device fingerprints, and prior transaction history to challenge the dispute.
Even with strong evidence, the average merchant wins only about 45% of the chargebacks it actively challenges. The net recovery rate across all chargebacks is far lower, roughly 12.5%, because many merchants lack the resources to fight every dispute.
Account Takeover: The Fastest-Growing Threat
Account takeover (ATO) fraud generated $16 billion in losses in 2024, according to Javelin Strategy & Research. ATO volume grew 21% in the first half of 2025 compared to the same period in 2024, with 141% growth since 2021 according to Sift's Digital Trust Index.
The attack chain typically begins with credential stuffing: automated tools that test leaked username/password combinations against login endpoints. Akamai has recorded over 193 billion credential-stuffing attempts in a single year. Once inside an account, attackers can make purchases using saved payment methods, change shipping addresses, or drain stored value.
Synthetic identity fraud
The U.S. Federal Reserve has identified synthetic identity fraud as the fastest-growing type of financial crime in the United States. Attackers combine real and fabricated information (such as a legitimate Social Security number with a fake name and date of birth) to create entirely new identities that pass KYC/AML checks. These synthetic identities are used to open accounts, build credit history over months or years, and then “bust out” with maximum credit draws.
The Federal Reserve Bank of Boston warned in April 2025 that generative AI is significantly expanding synthetic identity fraud capabilities, making fabricated documents and identity histories more convincing and harder to detect.
How the Chargeback Process Works
The chargeback mechanism was designed in the 1970s as a consumer protection tool for the nascent credit card industry. It was built for a world of paper receipts and in-person transactions. The basic flow has remained largely unchanged, even as the payments landscape has transformed.
The dispute lifecycle
- The cardholder contacts their issuing bank to dispute a transaction, citing fraud, non-delivery, or product issues
- The issuer evaluates the claim and, if it meets network rules, files a chargeback with the acquiring bank
- The acquirer debits the transaction amount from the merchant's account, plus a chargeback fee of $15 to $100
- The merchant can accept the chargeback or fight it through “representment,” submitting evidence that the transaction was legitimate
- If the issuer rejects the representment, the merchant can escalate to network arbitration (Visa charges $500 to $600 per arbitration case)
The clock is ticking: Cardholders have 90 to 120 days to file a dispute. As of July 2025, Visa gives U.S. and Canadian merchants just 9 days to respond with evidence. Chargeback fees are non-refundable even if the merchant wins the dispute. The system imposes costs on merchants at every step, regardless of outcome.
Monitoring programs and threshold penalties
Both Visa and Mastercard require merchants to maintain chargeback ratios below 1% of total transactions. Merchants who exceed this threshold enter monitoring programs with escalating penalties. Visa's Dispute Monitoring Program and Mastercard's Excessive Chargeback Merchant program impose monthly fines ranging from $25,000 to $100,000 for merchants who remain in violation. Persistent offenders risk losing their ability to accept card payments entirely.
The True Cost of Fraud to Merchants
Direct fraud losses are only one component of what merchants actually pay. The total cost includes fraud prevention tooling, chargeback fees, manual review teams, and the often-overlooked cost of false declines: legitimate orders that are incorrectly rejected by fraud filters.
| Cost Category | Description | Estimated Impact |
|---|---|---|
| Direct fraud losses | Goods or services delivered to fraudsters | $33.41B globally (2024) |
| Chargeback fees | $15 to $100 per dispute, non-refundable | $33.79B in chargebacks (2025 est.) |
| Fraud prevention tools | ML scoring, 3DS, device fingerprinting, manual review | $11.8B in vendor spend (2025) |
| False declines | Legitimate orders rejected by fraud filters | Estimated multiples of actual fraud |
| Operational overhead | Dispute management teams, evidence assembly, compliance | Varies by merchant size |
| Interchange on fraudulent transactions | Fees paid on transactions later reversed | Not always refunded |
False declines: the hidden cost
False declines represent one of the largest and least-discussed costs in payment fraud prevention. These are legitimate orders that fraud detection systems incorrectly flag and reject. Industry estimates suggest that false declines cost merchants significantly more than actual fraud losses. According to a Riskified analysis, merchants reject approximately 6% of all e-commerce orders, and a meaningful portion of those are legitimate.
The damage extends beyond the immediate lost sale. Research indicates that 39% of falsely declined customers never return to that merchant. Among loyal customers with three or more prior purchases, a false decline leads to a 65% reduction in future orders. Aggressive fraud prevention, in other words, can destroy customer lifetime value.
Fraud Prevention Tools and the Arms Race
The payments industry has developed increasingly sophisticated fraud prevention tools. Global spending on fraud detection platforms exceeded $11.8 billion in 2025. These tools operate at multiple layers of the transaction flow, from authentication to post-transaction monitoring.
3D Secure 2 (3DS2)
3D Secure 2 is the card network protocol for authenticating CNP transactions. Unlike its predecessor (which redirected customers to clunky bank pages), 3DS2 enables “frictionless authentication” where low-risk transactions pass without requiring a customer challenge. The protocol shares richer data between merchants, acquirers, and issuers: device fingerprints, shipping history, and behavioral signals that help issuers make better risk decisions.
3DS2 is mandatory in the European Union under Strong Customer Authentication (SCA) rules. In the U.S., adoption is voluntary but growing because of the liability shift: when 3DS2 authentication succeeds, fraud liability moves from the merchant to the issuing bank.
Machine learning fraud scoring
Modern fraud detection platforms use ML models trained on billions of transactions to score each payment in real time. These systems analyze hundreds of signals including transaction velocity, amount patterns, geographic anomalies, device characteristics, and behavioral biometrics like typing speed and mouse movement.
Major providers include Stripe Radar (integrated across Stripe's network), Signifyd and Riskified (which offer chargeback guarantee models where the vendor absorbs fraud losses), and Sift (covering payment fraud, ATO, and content abuse). These platforms benefit from network effects: more transaction data produces better models, which attracts more merchants, generating more data.
Additional prevention layers
- Address Verification Service (AVS) compares billing addresses against issuer records, primarily effective in the U.S., Canada, and UK
- Device fingerprinting creates unique identifiers from browser, OS, screen resolution, and hardware characteristics to detect suspicious devices
- Velocity checks flag accounts or cards generating unusually high transaction volumes in short time windows
- Transaction monitoring systems analyze patterns across accounts to detect coordinated fraud rings
- Behavioral biometrics track how users interact with a page (scroll patterns, keystroke dynamics) to distinguish humans from bots
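As an added example (not code from the original article), here is a small Python implementation of the velocity checks above, run over a few constructed authorization log lines: one rule flags a single card retried too often in a short window, the other flags one device cycling through many distinct cards, the card-testing signature of the BIN attacks described earlier. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample authorization attempts (not real data): dev_bot cycles through many
# card tokens with $1.00 attempts (card testing), dev_phone retries one card repeatedly.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z card=tok_c1 device=dev_shop1 amount=84.50 result=approved
2025-03-01T10:00:02Z card=tok_c2 device=dev_bot amount=1.00 result=declined
2025-03-01T10:00:04Z card=tok_c3 device=dev_bot amount=1.00 result=declined
2025-03-01T10:00:06Z card=tok_c4 device=dev_bot amount=1.00 result=declined
2025-03-01T10:00:08Z card=tok_c5 device=dev_bot amount=1.00 result=approved
2025-03-01T10:00:10Z card=tok_c6 device=dev_bot amount=1.00 result=declined
2025-03-01T10:00:12Z card=tok_c7 device=dev_bot amount=1.00 result=declined
2025-03-01T10:01:00Z card=tok_c9 device=dev_phone amount=40.00 result=approved
2025-03-01T10:01:05Z card=tok_c9 device=dev_phone amount=40.00 result=approved
2025-03-01T10:01:09Z card=tok_c9 device=dev_phone amount=40.00 result=approved
2025-03-01T10:01:14Z card=tok_c9 device=dev_phone amount=40.00 result=approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) card=(?P<card>\S+) device=(?P<device>\S+) "
    r"amount=(?P<amount>[\d.]+) result=(?P<result>\w+)$"
)

def parse_line(line):
    # Parse one log line into a dict; malformed input is rejected rather than guessed at.
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "card": m["card"], "device": m["device"],
            "amount": float(m["amount"]), "result": m["result"]}

class VelocityMonitor:
    """Sliding-window counters keyed by card (velocity) and by device (card testing)."""
    def __init__(self, window=timedelta(seconds=60), max_attempts_per_card=3, max_distinct_cards_per_device=5):
        self.window = window
        self.max_attempts_per_card = max_attempts_per_card
        self.max_distinct_cards_per_device = max_distinct_cards_per_device
        self.by_card = defaultdict(deque)    # card -> timestamps inside the window
        self.by_device = defaultdict(deque)  # device -> (timestamp, card) inside the window

    @staticmethod
    def _expire(dq, cutoff, key=lambda x: x):
        # Drop entries older than the window; assumes the log is time-ordered.
        while dq and key(dq[0]) < cutoff:
            dq.popleft()

    def observe(self, event):
        """Record one attempt and return the names of the rules it trips."""
        cutoff = event["ts"] - self.window
        alerts = []
        attempts = self.by_card[event["card"]]
        self._expire(attempts, cutoff)
        attempts.append(event["ts"])
        if len(attempts) > self.max_attempts_per_card:
            alerts.append("card_velocity")
        seen = self.by_device[event["device"]]
        self._expire(seen, cutoff, key=lambda x: x[0])
        seen.append((event["ts"], event["card"]))
        if len({card for _, card in seen}) > self.max_distinct_cards_per_device:
            alerts.append("card_testing")
        return alerts

def scan_log(text, **thresholds):
    """Run the monitor over a log; returns one (rule, device, card) tuple per tripped check."""
    monitor = VelocityMonitor(**thresholds)
    events = [parse_line(line) for line in text.strip().splitlines()]
    return [(rule, e["device"], e["card"]) for e in events for rule in monitor.observe(e)]
```

With the default thresholds the constructed log produces exactly two alerts: a card-testing alert on dev_bot at its sixth distinct card and a velocity alert on the fourth attempt with tok_c9.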
The Liability Shift Model
The liability shift is the mechanism by which Visa and Mastercard allocate fraud costs between issuers and merchants. The core principle: the party using less secure technology at the time of the transaction bears the liability.
Card-present transactions
Since October 2015 in the U.S. (earlier in Europe), the EMV liability shift has applied to in-person transactions. If a merchant does not support EMV chip reading and fraud occurs on a chip card, the merchant bears liability instead of the issuer. If the merchant has an EMV terminal but the issuer has not issued a chip card, the issuer bears liability. This incentive structure drove rapid EMV adoption: merchants who did not upgrade their terminals absorbed the fraud costs.
Card-not-present transactions
For online transactions, the liability shift operates through 3D Secure. When a merchant requests 3DS authentication and the cardholder successfully authenticates, liability shifts to the issuer. This applies only to fraud disputes, not to product quality or delivery issues. The shift does not apply to “data only” 3DS submissions where the merchant shares data but no authentication challenge occurs.
In October 2025, Visa and Mastercard agreed to a $199.5 million settlement in a merchant class-action lawsuit challenging certain aspects of the liability shift framework. The settlement reflects ongoing tension between merchants who feel the system is structurally biased against them and card networks defending the consumer protection rationale.
Pull Payments vs Push Payments: A Structural Problem
Most card fraud exploits a fundamental architectural choice: pull payments. In a pull payment system, the merchant (or anyone with your card credentials) initiates the movement of funds from your account. The consumer shares their credentials, and the merchant “pulls” the payment. This means that anyone who obtains those credentials can pull funds, which is why stolen card numbers are valuable.
Push payments invert the model. The payer initiates and authorizes the transfer of a specific amount to a specific recipient. The recipient never gains access to the payer's credentials or the ability to withdraw additional funds. Wire transfers, ACH credits, FedNow, and cryptocurrency transactions all follow the push model.
Push payment systems eliminate credential theft as an attack vector entirely. There are no card numbers to steal, no CVVs to harvest, and no way for a data breach to enable future unauthorized transactions. The tradeoff is that push payments also eliminate the chargeback safety net for consumers, which is why push payment fraud (known as authorized push payment or APP fraud) requires different prevention strategies focused on pre-authorization verification rather than post-transaction dispute resolution.
How Stablecoins Change the Fraud Equation
Stablecoin payments operate on a fundamentally different model than card payments. Transactions on networks like Spark are push-based and final: once a payment is sent, it cannot be reversed by the sender, the recipient, or any intermediary. There is no chargeback mechanism because there is no centralized dispute resolution authority.
This has profound implications for the fraud economics described above. Consider how each major fraud type maps to a stablecoin payment environment:
Eliminated fraud vectors
- Friendly fraud and chargeback abuse are impossible. There is no chargeback mechanism to exploit. Once a customer sends USDB or another stablecoin for a purchase, the merchant has payment finality
- CNP credential theft is irrelevant. Push payment systems do not require consumers to share reusable payment credentials with merchants. There are no card numbers to steal
- BIN attacks and automated card testing have no equivalent. There is no credential to brute-force
Remaining fraud vectors
- Account takeover remains a risk. If an attacker gains access to a user's wallet, they can send funds. Wallet security (seed phrase management, device authentication) replaces card security
- Social engineering and scams persist. Attackers can trick victims into voluntarily sending stablecoin payments, just as they trick victims into making wire transfers today
- Merchant fraud (accepting payment and not delivering goods) shifts from a card network problem to a marketplace trust problem
| Fraud Type | Card Payments | Stablecoin Payments |
|---|---|---|
| CNP credential theft | Major vector (~70% of fraud) | Eliminated (no reusable credentials) |
| Friendly fraud / chargeback abuse | 36%+ of reported fraud | Eliminated (no chargebacks) |
| Account takeover | $16B in losses (2024) | Still present (wallet security dependent) |
| Synthetic identity | Fastest-growing financial crime | Reduced (no credit extension model) |
| Social engineering / scams | Present | Present (irreversibility makes it worse) |
| Merchant non-delivery | Chargeback provides recourse | No automatic recourse |
The Merchant Perspective: Lower Total Fraud Cost
For merchants, the economics of accepting stablecoin payments on a network like Spark are compelling when viewed through the fraud lens. The largest cost centers in traditional payment fraud simply do not exist:
- No chargeback fees ($15 to $100 per dispute eliminated)
- No chargeback ratio monitoring or program penalties
- No friendly fraud losses (the single largest merchant fraud category)
- Reduced need for expensive fraud prevention tooling on the payment acceptance side
- No false decline problem, because there is no automated fraud scoring rejecting legitimate orders
- No interchange fees or scheme fees layered on top of fraud costs
The stablecoin payment rails model shifts the risk profile entirely. Instead of managing post-transaction fraud through disputes and chargebacks, merchants deal with a simpler question: did the payment arrive? If it did, it is final. The fraud prevention focus moves upstream to identity verification and order validation rather than payment authentication.
Consumer Protection Without Chargebacks
The obvious question: if there are no chargebacks, how are consumers protected? This is a legitimate concern and the primary tradeoff of irreversible payment systems. Several approaches are emerging:
Escrow and marketplace protections
Platforms can hold stablecoin payments in smart contract escrow until delivery is confirmed. This replicates the consumer protection of chargebacks without the dispute resolution overhead. The funds are released to the merchant only after conditions are met (delivery confirmation, time window expiration, or buyer approval).
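Added example, not code from the page or from Spark: a Python model of the escrow state machine described above, with the three release conditions the text names (buyer approval, delivery confirmation, hold-window expiry) plus an assumed refund path for a non-delivery claim raised inside the window. The 14-day window, the party labels and the in-memory ledger are constructed stand-ins for the on-chain mechanics.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

class EscrowError(Exception):
    """Raised when an action is not allowed in the escrow's current state."""

@dataclass
class Escrow:
    # Hypothetical parameters: parties are labels, the ledger is an in-memory
    # stand-in for an on-chain release, and the 14-day hold window is assumed.
    buyer: str
    merchant: str
    amount: float
    funded_at: datetime
    hold_window: timedelta = timedelta(days=14)
    state: str = "FUNDED"  # FUNDED -> RELEASED | REFUNDED (terminal)
    ledger: list = field(default_factory=list)

    def _require_funded(self):
        if self.state != "FUNDED":
            raise EscrowError(f"escrow already {self.state}")

    def _settle(self, to, reason, at):
        self.ledger.append({"to": to, "amount": self.amount, "reason": reason, "at": at})
        self.state = "RELEASED" if to == self.merchant else "REFUNDED"
        return self.state

    def buyer_approve(self, now):
        """Release condition 1: the buyer explicitly approves the purchase."""
        self._require_funded()
        return self._settle(self.merchant, "buyer_approval", now)

    def confirm_delivery(self, now, carrier_ref):
        """Release condition 2: delivery confirmation arrives (carrier_ref is constructed)."""
        self._require_funded()
        return self._settle(self.merchant, f"delivery:{carrier_ref}", now)

    def expire(self, now):
        """Release condition 3: the hold window passed with no buyer claim."""
        self._require_funded()
        if now < self.funded_at + self.hold_window:
            return self.state  # still inside the window; nothing changes
        return self._settle(self.merchant, "hold_window_expired", now)

    def open_claim(self, now):
        """Assumed refund path: a non-delivery claim inside the window, before any
        delivery confirmation, returns the funds to the buyer."""
        self._require_funded()
        if now >= self.funded_at + self.hold_window:
            raise EscrowError("claim window closed")
        return self._settle(self.buyer, "non_delivery_claim", now)

def demo():
    """Walk the outcomes on three constructed escrows funded at the same instant."""
    t0 = datetime(2025, 3, 1, tzinfo=timezone.utc)
    delivered = Escrow("buyer1", "shop", 50.0, t0)
    claimed = Escrow("buyer2", "shop", 50.0, t0)
    idle = Escrow("buyer3", "shop", 50.0, t0)
    return {
        "delivered": delivered.confirm_delivery(t0 + timedelta(days=2), "TRACK-0001"),
        "claimed": claimed.open_claim(t0 + timedelta(days=5)),
        "idle_day13": idle.expire(t0 + timedelta(days=13)),
        "idle_day14": idle.expire(t0 + timedelta(days=14)),
        "ledger_to": [e.ledger[0]["to"] for e in (delivered, claimed, idle)],
    }
```

Every terminal state is reached by exactly one settlement, and any further action on a settled escrow raises EscrowError, which is the property that removes the repeated-dispute problem of the chargeback flow.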
Reputation systems
On-chain transaction history creates transparent merchant track records. Unlike card payment systems where merchant dispute rates are visible only to acquirers and card networks, stablecoin-based reputation data can be made available to consumers before they transact.
Insurance products
Third-party purchase protection insurance can be offered at checkout, similar to how extended warranties work today. Consumers who want chargeback-like protection can opt in and pay a small premium, while those comfortable with transaction finality can avoid the cost. This unbundles the consumer protection from the payment rail itself, allowing it to be priced independently.
Stablecoin Payments on Spark
Spark is a Bitcoin Layer 2 that supports stablecoin transfers with instant settlement and no chargebacks by design. Stablecoins like USDB on Spark enable dollar-denominated payments that settle in seconds with sub-cent fees, while maintaining self-custody for both sender and receiver.
For merchants evaluating stablecoin acceptance, the fraud cost reduction is significant. No interchange, no chargeback fees, no friendly fraud, and no false declines means the total cost of accepting a payment drops dramatically compared to traditional card networks. The stablecoin payment rails model does not eliminate all fraud, but it eliminates the fraud categories that are most expensive and most difficult for merchants to fight.
Wallets like General Bread already enable users to hold and spend stablecoins on Spark, making push-based, chargeback-free payments accessible to everyday consumers. Developers looking to integrate stablecoin payments can explore the Spark SDK documentation for APIs covering wallet creation, token transfers, and payment processing.
What Comes Next for Payment Fraud Prevention
The fraud landscape is evolving rapidly. Generative AI is making social engineering attacks more convincing, synthetic identities harder to detect, and deepfake-powered ATO attempts more sophisticated. At the same time, the tools available to defenders are improving: ML models with larger training datasets, biometric authentication, and network-level fraud detection.
But the structural weaknesses of pull-based payment systems remain. As long as payments depend on reusable static credentials, credential theft will be profitable. As long as chargebacks exist, friendly fraud will be exploitable. The most effective fraud prevention may not be better detection algorithms layered on top of a vulnerable architecture. It may be a different architecture entirely: one where payments are push-based, final, and do not require sharing reusable credentials.
The shift will not happen overnight. Card networks process trillions of dollars annually and are deeply embedded in global commerce. But for merchants drowning in chargeback costs, false declines, and fraud prevention tooling expenses, the appeal of payment finality on stablecoin rails is increasingly hard to ignore.
This article is for educational purposes only. It does not constitute financial or investment advice. Bitcoin and Layer 2 protocols involve technical and financial risk. Always do your own research and understand the tradeoffs before using any protocol.

