Published by Bastion Prime | WooCommerce Migration Specialists

The email arrived on a Monday morning. Subject line: “Stripe — Dispute opened on payment.”
It was one chargeback. $340 transaction. A customer claiming they never received their order. Standard stuff, right? Except this seller had been the target of a carding attack for six weeks without knowing it. By the time their payment processor flagged the account, they had 127 disputed transactions, a 2.3% chargeback rate, and Stripe had placed their account under review.
Recovery fees. Chargeback penalties. Temporary payment processing suspension. Lost merchandise. By the time the dust settled: $47,000 in total damage from an attack they could have stopped with $29/month in fraud tooling and 90 minutes of configuration.
That’s not a horror story. That’s Tuesday in e-commerce 2026.
The Numbers You Need to Understand Before You Touch Your Settings
Before we get into the how-to, let’s establish the scale of what you’re actually dealing with — because most store owners dramatically underestimate this threat until it’s personal.
In 2025, every dollar lost to fraud cost US merchants $4.61 in total impact once you factor in chargeback fees, dispute labor, lost merchandise, and processing penalties. That’s not the fraud amount. That’s the multiplier on it.
Global e-commerce fraud losses reached $48 billion in 2025, projected to hit $107 billion by 2029. Chargeback volume is projected to hit 337 million transactions by 2026 — a 41% increase from 2023.
The number that should genuinely alarm you: false declines — blocking legitimate customers due to overly aggressive fraud rules — cost retailers $443 billion per year globally, nine times more than actual fraud losses.
Read that again. Blocking real customers is nine times more expensive than fraud. This is the tension at the center of every fraud prevention conversation: tighten your rules too much and you kill your conversion rate. Leave them too loose and fraudsters bleed you dry.
Getting this balance right is not optional. It’s one of the most important operational decisions you’ll make as a store owner.
The Three Fraud Types That Are Actually Destroying Margins in 2026
Type 1: Carding Attacks
Carding is what happened to the seller in our opening story. Fraudsters obtain lists of stolen credit card numbers — purchased on dark web marketplaces for as little as $5–20 per card — and use automated scripts to test which cards are still active by running small transactions through your store.
A typical carding attack looks like this in your order data: dozens of transactions in a short window, often for small amounts (under $10), from multiple IP addresses, with billing addresses that don’t match the shipping addresses, using email addresses that look randomly generated (zxk28@gmail.com, qwerty9921@yahoo.com).
If your store doesn’t catch these tests, the fraudsters then use the validated cards for much larger purchases — your merchandise ships, the card owner files a dispute, and you absorb the loss.
The detection window is everything. Most carding attacks run their test transactions in bursts of 50–200 attempts over 2–4 hours. If your fraud system doesn’t flag velocity patterns in real time, you won’t know until your chargeback rate starts climbing.
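The order-data pattern described above can be checked with a sliding window over recent orders. The following Python is an added example, not code from this article or from any WooCommerce or Stripe product; the field names (`ts`, `amount`, `ip`, `bill_zip`, `ship_zip`), the thresholds marked as assumptions, and the sample orders are constructed for illustration, and the random-looking-email signal is left out.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)   # page: bursts run over 2-4 hours
SMALL_AMOUNT = 10.00          # page: test charges are often under $10
MIN_ATTEMPTS = 24             # assumption: "dozens" read as two dozen
MIN_DISTINCT_IPS = 5          # assumption: "multiple IP addresses"
MIN_MISMATCH_SHARE = 0.5      # assumption: half or more bill/ship mismatches

def find_carding_bursts(orders):
    """Flag runs of small orders that match the carding pattern in a sliding window."""
    window, bursts, in_burst = deque(), [], False
    for o in sorted(orders, key=lambda o: o["ts"]):
        if o["amount"] >= SMALL_AMOUNT:
            continue                      # only small test-sized charges count
        window.append(o)
        while o["ts"] - window[0]["ts"] > WINDOW:
            window.popleft()              # drop attempts older than the window
        ips = {w["ip"] for w in window}
        mismatched = sum(w["bill_zip"] != w["ship_zip"] for w in window)
        hit = (len(window) >= MIN_ATTEMPTS and len(ips) >= MIN_DISTINCT_IPS
               and mismatched / len(window) >= MIN_MISMATCH_SHARE)
        if hit and not in_burst:          # first order that trips the rule
            bursts.append({"first_seen": window[0]["ts"], "alerted_at": o["ts"],
                           "last_seen": o["ts"], "attempts": len(window), "ips": ips})
        elif hit:                         # burst still running: extend it
            bursts[-1]["last_seen"] = o["ts"]
            bursts[-1]["attempts"] += 1
            bursts[-1]["ips"] |= ips
        in_burst = hit
    return bursts

def constructed_orders():
    """Constructed sample: 60 test charges two minutes apart, plus normal daytime orders."""
    start = datetime(2026, 1, 5, 2, 0)
    burst = [{"ts": start + timedelta(minutes=2 * i), "amount": 1.00 + i % 9,
              "ip": f"203.0.113.{i % 12}", "bill_zip": "10001", "ship_zip": "94105"}
             for i in range(60)]
    normal = [{"ts": datetime(2026, 1, 5, 9 + h, 15), "amount": 8.50 if h % 3 == 0 else 64.00,
               "ip": f"198.51.100.{h}", "bill_zip": "30301", "ship_zip": "30301"}
              for h in range(10)]
    return burst + normal

if __name__ == "__main__":
    for b in find_carding_bursts(constructed_orders()):
        print(b["alerted_at"], b["attempts"], "attempts from", len(b["ips"]), "IPs")
```

On the constructed data the rule fires 46 minutes into the burst, at the 24th test charge, which is the point where an alert or a temporary checkout block would limit further card testing.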
Type 2: Card-Not-Present (CNP) Fraud
Around 70% of all card fraud losses come from card-not-present transactions — which is every single transaction in your WooCommerce store. CNP fraud uses stolen card data for purchases where there’s no physical card verification. The card owner didn’t authorize the transaction. You shipped the product. They dispute it. You lose.
CNP fraud is particularly brutal for high-AOV stores (items $150+), stores selling easily resellable goods (electronics, supplements, gift cards), and stores with international shipping enabled. International merchants face chargeback rates as high as 2% — double the threshold that triggers high-risk classification with payment processors.
Type 3: Friendly Fraud
This is the one that’s growing fastest — and the one most merchants refuse to accept is happening to them.
61% of chargeback disputes come from friendly fraud — real customers with real accounts disputing legitimate transactions. They received the order. They’re keeping the product. They filed a chargeback anyway.
The motivations vary: buyer’s remorse, forgetting the purchase, exploiting the process because it’s easier than a return, or — increasingly — deliberate abuse. Online content promoting chargeback fraud as a “hack” reaches 27% of consumers. 42% of Gen Z shoppers admit to committing first-party fraud.
Friendly fraud is the hardest to fight because you can’t stop it at the transaction level. You can only fight it after the fact — with evidence documentation, clear policies, and a representment process that actually wins disputes.
The Real Cost of a Single Chargeback: The Math Nobody Shows You
Most sellers think of a chargeback as losing the sale amount. The actual cost structure is significantly worse.
| Cost Component | Typical Amount |
|---|---|
| Transaction amount (lost revenue) | $200 |
| Chargeback fee (Stripe / processor) | $15 |
| Lost merchandise (if physical) | $60 (COGS) |
| Fulfillment / shipping cost | $12 |
| Labor: dispute response preparation | $35 (1.5 hrs × $23/hr) |
| Total cost of one $200 chargeback | $322 |
| Loss multiplier | 1.61× |
Now apply the LexisNexis multiplier of $4.61 per fraud dollar when you include downstream costs (processor penalties, higher processing fees, monitoring program enrollment):
A $200 fraudulent transaction costs you $922 in total business impact.
Here’s what that means at scale for a store experiencing a moderate fraud rate:
| Monthly Revenue | Fraud Rate | Monthly Fraud Transactions | Monthly Total Impact |
|---|---|---|---|
| $50,000 | 0.5% | 25 transactions | ~$11,525 |
| $100,000 | 0.8% | 80 transactions | ~$36,880 |
| $150,000 | 1.2% | 180 transactions | ~$83,340 |
| $150,000 | 0.2% (after prevention) | 30 transactions | ~$13,830 |
The difference between the last two rows — same revenue, same store, different fraud rate — is $69,510 per month. That is what functional fraud prevention is worth. Not “nice to have.” Not a back-office detail. A $69,510/month operational decision.
The Fraud Prevention Stack: Tools, Configurations, and What They Actually Cost
Layer 1: Stripe Radar (Your First Defense Line)
Stripe Radar is built into every Stripe account. Most store owners leave it on default settings and wonder why fraud still gets through. Radar’s power is in its custom rules — and default settings are not optimized for your specific business.
The critical Stripe Radar rules to implement:
- Velocity rules: Block or review when the same card is used more than X times in Y hours. For most stores: block after 3 failed attempts in 24 hours, review after 2.
- CVV mismatch: Auto-decline any transaction where the CVV doesn’t match. No exceptions. Legitimate customers with real cards have valid CVVs.
- Address mismatch: Flag for review (not auto-decline) when billing and shipping addresses don’t match. This is common for gift purchases, so blanket blocking costs you real customers.
- Email domain velocity: Flag when multiple orders in a short window share the same email domain pattern. Fraud scripts often use sequentially generated emails from free providers.
- IP country mismatch: Flag when the IP address country doesn’t match the billing address country. Not automatic decline, but always review.
- High-risk card country: Consider auto-declining cards issued in countries with extremely high fraud rates for your specific product category. This requires careful analysis of your legitimate customer geography.
Radar for Fraud Teams ($0.07 per screened transaction) gives you machine learning-enhanced rules and manual review queues. For stores doing $50K+/month, this is worth every penny.
Layer 2: MaxMind minFraud
MaxMind’s minFraud service cross-references transaction data against a global database of known fraud patterns — IP addresses, email addresses, device fingerprints, and billing data — and returns a risk score from 0 to 99.
Pricing: Starting at $0.005 per transaction (Standard queries). For 2,000 monthly transactions, that’s $10/month.
What it catches that Stripe misses: MaxMind has visibility into fraud patterns across millions of merchants, not just your transaction history. A card being tested at your store may have been flagged as fraudulent at 200 other stores last week. MaxMind knows that. Stripe Radar doesn’t.
Integration: WooCommerce has MaxMind integration built into the core fraud detection settings. Navigate to WooCommerce → Settings → Advanced → WooCommerce.com → Geolocation → MaxMind integration. The setup takes about 15 minutes.
The risk score thresholds to use:
- Score 0–25: Approve automatically
- Score 25–50: Approve with additional verification (email verification required before fulfillment)
- Score 50–75: Manual review queue
- Score 75+: Auto-decline
Layer 3: Email and Phone Verification
For high-value orders (set your own threshold — commonly $150+ or $500+ depending on your AOV), require email verification before digital delivery or order processing. This alone reduces friendly fraud significantly, because it creates documented proof of customer intent.
For your highest-risk order tier, consider phone verification via Twilio or a similar service. A customer who provides a working phone number they can verify is dramatically less likely to file a false dispute. The friction is real but acceptable at high-order values.
Critical implementation note: Email verification gates should apply to digital goods and high-value physical orders. Applying them to all orders will tank your conversion rate. Be surgical.
Layer 4: Chargeback Alerts (Verifi / Ethoca)
Visa’s Verifi and Mastercard’s Ethoca provide pre-chargeback alerts — notifications that a customer has initiated a dispute before it officially becomes a chargeback. You have 24–72 hours to issue a refund directly and stop the chargeback from hitting your ratio.
Why this matters: A chargeback that you stop before it’s filed doesn’t count against your chargeback rate. Your rate with processors is calculated on filed chargebacks, not on disputes you resolved proactively.
Services like Chargebacks911 or Signifyd bundle these alerts with dispute management. For stores with persistent chargeback issues, this layer is often the fastest ROI in the fraud prevention stack.
The Fraud Prevention Stack: Cost vs. Capability Comparison
| Tool | Monthly Cost | What It Stops | Best For |
|---|---|---|---|
| Stripe Radar (default) | Free | Basic CVV/address matching | Starter stores, low AOV |
| Stripe Radar for Teams | ~$140/mo (2K txns) | ML-enhanced + manual review | Mid-volume stores |
| MaxMind minFraud | $10–50/mo | Known fraud networks, IP risk | High AOV, international |
| WooCommerce + MaxMind | Built-in | Geolocation fraud patterns | WooCommerce stores |
| Signifyd | $1,500+/mo | Full guarantee on approved orders | High-volume, 7-figure stores |
| Chargebacks911 | Custom | Pre-chargeback alerts + representment | Stores with 0.5%+ CB rate |
| Email verification | $20–50/mo | Friendly fraud, unverified accounts | Digital goods, subscriptions |
The Conversion Rate Trap: How Aggressive Anti-Fraud Kills Real Revenue
This is where most fraud prevention guides stop being useful. They tell you what to block. They don’t tell you what blocking costs you.
Strict fraud rules can block 5–10% of legitimate orders. On a $100,000/month store, blocking 7% of legitimate orders means $7,000/month in rejected real customers — customers who will buy from a competitor instead.
The principle is this: your fraud prevention rules should be calibrated to your actual fraud profile, not to a generic “safe” setting.
A store selling $20 candles has a very different risk profile than a store selling $800 software licenses. A store with 95% domestic customers has a very different risk profile than one with 40% international orders. A subscription business has different fraud patterns than a one-time purchase store.
The correct approach:
Step 1: Run one month of transactions through MaxMind without blocking anything — just collecting risk scores. This gives you a baseline distribution.
Step 2: Analyze your actual chargebacks from the past 6 months. What were their MaxMind scores? What IP patterns appeared? What email domain patterns? What were the order values?
Step 3: Set your thresholds based on your data — not on what sounds cautious. If 95% of your chargebacks come from orders with MaxMind scores above 60, set your review threshold at 55. Don’t set it at 25 and lose real customers.
Step 4: Review your false decline rate monthly. If it’s above 2%, your rules are too aggressive and you’re paying more in lost legitimate revenue than you’re saving in fraud prevention.
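The four calibration steps above can be run against a month of baseline scores before any rule is switched on. This Python is an added example, not code from the article, MaxMind, or WooCommerce; the function names, the five-point safety margin (mirroring the 60-to-55 example in Step 3), and the baseline data are constructed assumptions.

```python
DECLINE_AT = 75  # page: scores of 75+ are auto-declined

def capture_cutoff(chargeback_scores, capture_pct=95):
    """Highest score S such that at least capture_pct% of chargebacks scored >= S."""
    ranked = sorted(chargeback_scores, reverse=True)
    needed = (capture_pct * len(ranked) + 99) // 100   # ceiling, integer math
    return ranked[needed - 1]

def review_threshold(orders, capture_pct=95, margin=5):
    """Step 3: cutoff taken from your own chargebacks, minus a safety margin."""
    return capture_cutoff([s for s, cb in orders if cb], capture_pct) - margin

def evaluate(orders, review_at, decline_at=DECLINE_AT):
    """Steps 2 and 4: what a threshold catches and what it costs real customers."""
    legit = [s for s, cb in orders if not cb]
    fraud = [s for s, cb in orders if cb]
    return {
        "chargebacks_caught": sum(s >= review_at for s in fraud) / len(fraud),
        "legit_in_review": sum(review_at <= s < decline_at for s in legit) / len(legit),
        "false_decline_rate": sum(s >= decline_at for s in legit) / len(legit),
    }

def constructed_baseline():
    """Constructed month of (risk_score, charged_back) pairs collected with blocking off."""
    legit = ([i % 30 for i in range(900)]            # bulk of real customers score low
             + [30 + i % 45 for i in range(90)]      # a thinner tail up to 74
             + [80] * 10)                            # a few real customers score high
    fraud = [18] + [60 + 2 * i for i in range(19)]   # one low outlier, rest 60-96
    return [(s, False) for s in legit] + [(s, True) for s in fraud]

if __name__ == "__main__":
    data = constructed_baseline()
    for t in (25, review_threshold(data)):
        print(t, evaluate(data, t))
```

On the constructed data, a review threshold of 25 catches the same 95% of chargebacks as the calibrated 55 but sends 24% of legitimate orders to review instead of 4%, and the 1% false decline rate stays under the 2% ceiling from Step 4.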
The Friendly Fraud Problem: What You Can Actually Do
Friendly fraud can’t be stopped at the transaction level. It can be fought at the documentation level.
Before the transaction: Make your billing descriptor crystal clear. The most common trigger for friendly fraud is a customer not recognizing a charge on their statement. Your descriptor should say your brand name, not your payment processor’s name. Set this in Stripe → Settings → Account Details → Statement descriptor.
At the transaction: Capture and store everything. IP address, device fingerprint, email, shipping address, session duration, order history. This is your evidence package if you need to fight a dispute.
After the transaction: Send a clear order confirmation immediately. Include what was purchased, the exact amount, and your customer service contact. This eliminates the “I didn’t recognize the charge” category of friendly fraud.
At the dispute stage: Respond to every chargeback with your evidence package. Include the order confirmation, IP/device data, proof of delivery, and any customer service communication. The industry average merchant win rate on chargebacks is 8.1% — but merchants who respond with complete evidence packages win at significantly higher rates.
The Chargeback Rate Line You Cannot Cross
Visa’s threshold for high-risk classification: 0.9% chargeback rate. Mastercard’s threshold: 1.0%.
If you cross these thresholds, your payment processor faces pressure from the card networks, and that pressure flows directly to you: higher processing fees, mandatory enrollment in monitoring programs, and — in serious cases — termination of your merchant account.
The seller in our opening story hit 2.3%. Their account went under review. Recovery took 11 weeks and required demonstrating a complete fraud prevention system before Stripe reinstated normal processing.
Treat 0.5% as your personal red line — the threshold at which you investigate your fraud patterns seriously. Treat anything above 0.7% as an emergency.
The 90-Minute Setup That Would Have Saved $47,000
For a WooCommerce store doing up to $100,000/month, here is the minimum viable fraud prevention configuration:
- Enable MaxMind minFraud in WooCommerce core settings ($10/month)
- Set Stripe Radar custom rules: CVV mismatch = block, velocity (3+ failed attempts/24hrs) = block, IP country mismatch = flag for review
- Set your billing statement descriptor to your brand name
- Implement email verification for orders above your AOV threshold
- Set up an order review queue for MaxMind scores 50–75
- Configure a Klaviyo post-purchase confirmation email with a clear billing description and CS contact
Total cost: approximately $30–60/month. Total setup time: 90 minutes.
Against $47,000 in fraud damage, the ROI calculation is not worth completing.
Building a WooCommerce store without fraud prevention configured is like leaving the cash register unlocked. If you need help configuring the full fraud prevention stack — Stripe Radar, MaxMind integration, verification flows, and the monitoring systems that catch attacks before they become expensive — this is exactly the kind of technical layer we build into every store at Bastion Prime.
For stores already experiencing elevated chargeback rates, our Store Audit & Strategy Session includes an operational review of your current fraud setup.
Bastion Prime is a UK-registered e-commerce agency specializing in WooCommerce store development and technical configuration for US-based sellers. Fraud prevention systems are included in every store we build.