Fraud Basics

The not-so-friendly fight against ‘friendly fraud’

Written by: Samuel May, CFE
Date: July 1, 2024

In November 2023, the U.S. Department of Justice (DOJ) charged a group of cyber criminals with conspiracy to commit wire fraud for orchestrating an international scheme that bilked Target, Amazon, Walmart and Home Depot out of millions of dollars. The cyberfraud gang, known as the Artemis Group, coordinated the scheme with fraudsters around the world to purchase products from the retailers’ websites and then deceive them into processing refunds. Those involved then kept the items that’d been refunded. (See “Ten Members of International Cyber Fraud Ring Indicted for ‘Refund Fraud’ Scheme Targeting Online Retailers,” DOJ, Nov. 9, 2023.)

In another case, owners of a family-owned coffee shop in Quebec, Canada, lost $10,000 to customers who ordered two expensive espresso machines and then claimed they didn’t purchase the machines. The banks sided with the customers, even though the coffee shop owners had copies of their email exchanges. In the end, the owners lost both the money and the machines. (See “Quebec family-run business issues warning after alleged payment dispute scam,” by Dan Spector, Global News, July 21, 2023.)

These schemes are often referred to as “friendly fraud” because customers’ disputed charges appear legitimate, but they’ve become a costly and decidedly unfriendly thorn in the side of merchants and financial institutions. According to the National Retail Federation, retailers lose $25 billion a year to them. (See “Navigating friendly fraud a top priority for retailers,” Consultancy.eu, March 7, 2024.) Also known as chargeback or first-party fraud, they surged during the COVID-19 era and continue to proliferate with few solutions. Here’s a breakdown of these not-so-friendly frauds, the ways consumers exploit them and what it means for businesses to combat them.

A look at chargebacks

Chargebacks are an integral part of existing payment systems. One of the big selling points for using credit or debit cards to complete transactions is the safety net they provide. Besides the rewards, bonuses, points or cash-back promotions, many businesses want consumers to use these payment methods because of their fraud protections. Pay in cash and you run the risk of holding the bag if the transaction’s a scam. Use a credit card and you can report the transaction as fraud and avoid any loss. The card issuer simply refuses payment to the fraudster and the disputed charge disappears from the victim’s account. A win-win.

Legitimate chargebacks, however, are becoming an ever-smaller piece of the chargeback pie. (See “Chargeback Stats: The Most Up-to-Date Dispute Data Points Available,” Chargebacks911, Aug. 24, 2022.) With easy electronic access to their accounts and automated purchase notifications, customers often dispute fraudulent transactions shortly after they appear. Financial institutions do their best to catch fraudulent charges, with significant investments in prevention technology and communication with customers. Credit card users are now familiar with text messages asking them to verify that a purchase is legitimate. Go to another state (or country) and purchase a giant TV from a large chain store with your credit card and you’ll likely trigger notifications from your credit card app.

While a host of chargebacks aren’t always fraudulent, they aren’t exactly appropriate either. The ease with which customers can make online purchases might lead them to use chargebacks to correct unwanted or “accidental” payments. Imagine a parent gives a child a credit card to purchase a video game app on their phone. The child subsequently makes $2,600 worth of in-app purchases using the card. The parent didn’t intend for all those purchases and wants to avoid a hefty bill. Some might blame the company for allowing the child to make those transactions. (See “Apple Inc. Will Provide Full Consumer Refunds of At Least $32.5 Million to Settle FTC Complaint It Charged for Kids’ In-App Purchases Without Parental Consent,” FTC, Jan. 15, 2014.) Still others might open their credit card app and dispute the charge with their financial institution. This raises a concern regarding the extent of a parent’s authorization and creates a legal gray area for these kinds of chargebacks.

Finally, we have friendly fraud chargebacks. This category includes payment disputes outside of legitimate chargebacks for fraudulent charges and factual disputes over nonauthorized payments. Some friendly fraudsters lie and claim they never received an item they purchased online, disputing the transaction despite having the item, such as in the case that opened this column. Similarly, they might falsely claim that the item was damaged and they refused delivery. Others might lie and say their credit card or payment information was stolen.

The cost of friendly fraud

For the financial institution receiving a disputed transaction, a fraudulent chargeback looks the same as a legitimate chargeback. While legitimate chargebacks can raise easily identifiable red flags (such as physical store locations outside the normal bounds or foreign IP addresses for online purchases), friendly fraud chargebacks might not. For example, someone who innocently makes frequent purchases on an auction website could fall prey to a scam auction or illegitimate seller. Or a different frequent buyer with ill intent could spot a pricey new product they want without having to pay for it. Both customers buy from the website, from computers with known IP addresses, without any sort of account compromise. Later, they both dispute the transaction after the delivery date, reporting that the seller must’ve been a scammer, and they never received their purchase.

In such scenarios, the financial institution turns to the merchant and notifies them of the chargeback. Merchants can then dispute it and provide evidence that the transaction was legitimate. This generally involves several third parties, including the bank behind the card issuer, payment system operators such as Mastercard or Visa, transaction-handling intermediaries, and others. Regardless of who’s involved, the cost generally ends up on the merchant’s doorstep. While large corporations have the resources to track and collate transaction data and fight all their fraudulent chargebacks, many merchants don’t have those resources. They can blacklist the fraudster, but the money and the assets are still gone.

Merchants can also be charged a fee by the financial institution handling the chargebacks. Too many chargebacks, fraudulent or otherwise, and the merchant faces significant financial loss plus the possibility of being excluded from participation in popular payment systems. Mastercard and Visa, for instance, carefully monitor chargebacks and penalize merchants that exceed monthly chargeback limits. (See “Visa Dispute and Fraud Monitoring,” Chargeback Gurus.)

Post-pandemic surge

The rise in losses due to friendly fraud began during the COVID-19 pandemic. As many people were staying at home, e-commerce saw a significant boost. More than ever before, transactions were made online using digital wallets full of credit and debit card accounts. Retailers streamlined their phone app stores and websites, allowing for one-button purchases. (See “Chargeback Stats: The Most Up-to-Date Dispute Data Points Available” and “Global fraud trends, COVID-19, and the importance of collaboration,” by Tracy Kobeda Brown, The Paypers, Jan. 10, 2022.)

People’s purchasing habits stuck after the pandemic. Worldwide e-commerce saw yearly growth, with an estimated $5.8 trillion in global retail e-commerce sales in 2023. (See “Retail e-commerce sales worldwide from 2014 to 2027,” Statista, Feb. 6, 2024.)

Merchants weren’t the only ones improving their apps. Financial institutions and credit card issuers also improved their apps and websites, pushing customers to use them. Bank statements and online portals begged users to transfer to electronic statements and use phone apps for deposits. They also developed features for customers to easily dispute charges on their computers and phones.

More online purchases and more deliveries (and pandemic-era delivery delays) made it easy for purchases to be “free.” According to a study conducted by Mastercard’s Ethoca, friendly fraud now accounts for up to 75% of all chargebacks, with an estimated 238 million chargebacks globally in 2023. (See “‘There’s No End In Sight’: Mail Delivery Delays Continue Across The Country,” by Quinn Klinefelter, NPR, Jan. 22, 2021 and “Chargeback trends and outlook: 2023 Report,” Ethoca.)

Combating friendly fraud

In the U.S., Regulation Z, from the Truth in Lending Act of 1968 and part of the Consumer Credit Protection Act, was designed to protect consumers from unfair credit card practices. Regulation E, similarly, protects consumers from unfair debit card and electronic fund transfer practices. [See “12 CFR Part 1026 - Truth in Lending (Regulation Z),” Consumer Financial Protection Bureau, amended Jan. 1, 2024 and “12 CFR Part 1005 - Electronic Fund Transfers (Regulation E),” amended April 19, 2023.] Enforced by the Federal Trade Commission, these regulations provide strict rules for financial institutions on billing errors and disputed charges. By design, these rules favor the customer and impose deadlines on financial institutions for completing an investigation and making a final determination. The regulations for financial institutions are “actually pretty clear,” Stephanie Macrafic, CFE, tells Fraud Magazine. Macrafic, who previously investigated chargeback fraud, says they “hold the financials pretty tight.”

Merchants are doing what they can with limited options. Many have systems to collect and maintain transaction data for financial institutions should a dispute arise. Payment system providers like Mastercard are improving their systems for communication between merchants and card issuers. Such improvements are supposed to relieve the burden of manually combating every disputed charge and accelerate notifying merchants of disputes. (See “Mastercard Acquires Ethoca to Reduce Digital Commerce Fraud,” by Julia Monti, Mastercard Newsroom, March 12, 2019 and “How Mastercard Can Help Businesses Tackle the Tricky Issue of Payment Disputes,” Wired.)

But these improved systems could complicate the fight. According to Macrafic, sharing customer data when friendly fraud is identified could run afoul of data privacy rules in certain jurisdictions. Financial institutions can (with sufficient evidence) cancel repeat offenders’ accounts and refer the case to law enforcement. Merchants can also blacklist fraudsters, but sharing that information between financial institutions or merchant groups could be difficult. “It’s frustrating for everyone,” says Macrafic.

For now, answers to friendly fraud seem elusive. Regulations, designed to protect the consumer, also safeguard fraudsters. Financial institutions often initially take the fraudster at their word, while merchants must argue their case for each disputed purchase. Payment systems’ anti-fraud algorithms must distinguish between a real dispute and a fraud where the usual red flags don’t apply. And while merchants can alert law enforcement, outside of large-scale or organized crime involvement, it’s unlikely resources will be available to prosecute every illicit chargeback on an espresso machine.

Samuel May, J.D., CFE, is a research specialist for the ACFE. Contact him at SMay@ACFE.com.
