Wikipedia Deep Dive

Friendly fraud

Based on Wikipedia: Friendly fraud

Here's a scam with a disarmingly pleasant name: you buy something online with your credit card, wait for it to arrive, and then call your bank to say the charge was unauthorized. The bank reverses the transaction. You keep the product. The merchant loses everything.

This is called "friendly fraud."

The name is almost darkly comic. There's nothing friendly about it—except perhaps to the person committing it. The term emerged because the fraud comes not from some shadowy criminal syndicate, but from the customer themselves. Your neighbor. Your coworker. Someone who looked at their credit card statement and thought: what if I just said I didn't buy that?

How Chargebacks Became a Weapon

To understand friendly fraud, you first need to understand chargebacks—and chargebacks exist because credit cards were built on a foundation of consumer trust.

When credit cards became widespread in the mid-twentieth century, banks faced a problem. How do you convince ordinary people to use a piece of plastic instead of cash? Cash feels safe. You hand over money, you get goods. Simple. But a credit card? You're signing a piece of paper and trusting that everything will work out.

The solution was to make credit cards safer than cash—at least for consumers. Banks promised that if something went wrong, they would make it right. Unauthorized charge? Reversed. Defective product the merchant won't replace? Reversed. Charge you don't recognize? Reversed. This asymmetry was deliberate. It shifted risk away from consumers and onto merchants and banks, which made people comfortable enough to start swiping.

The chargeback system worked beautifully for decades. If you lost your wallet and someone ran up charges, you weren't liable. If a merchant shipped you a brick instead of a laptop, you got your money back. Consumer protections built trust, and trust built the entire card-based economy.

But somewhere along the way, some consumers realized they could weaponize this system.

The Anatomy of a Friendly Fraud

The mechanics are simple. A consumer makes a legitimate purchase. They receive what they ordered. Then they contact their bank and claim the charge was fraudulent, or that they never received the item, or that the product was nothing like what was advertised.

The bank, following its consumer-protection mandate, issues what's called a chargeback. The transaction is reversed. The consumer gets a refund. The merchant loses both the product and the payment.

But it gets worse. The merchant also pays a chargeback fee—typically somewhere between twenty and a hundred dollars—regardless of whether the chargeback was legitimate. This fee exists to discourage merchants from being sloppy with fraud prevention. In practice, it means that every friendly fraud incident costs the merchant far more than the value of the stolen goods.

A study from LexisNexis found that for every dollar lost to chargeback fraud, merchants actually lose $2.40 when you factor in product loss, banking fines, penalties, and administrative costs. In 2017, card-not-present fraud losses in the United States hit four billion dollars. By 2020, estimates suggested they had ballooned to $6.4 billion.

Why the Internet Made Everything Worse

Friendly fraud existed before the internet, but it was relatively rare. When you bought something in a physical store, you swiped your card, maybe entered a PIN or signed a receipt, and walked out with merchandise. There was a paper trail. There were security cameras. The card was physically present, which meant someone had to actually possess it.

Online shopping obliterated these safeguards.

When you buy something on the internet, you type in a card number. That's it. No signature, no physical card, no face-to-face interaction. Merchants call these "card not present" transactions, and they're extraordinarily difficult to secure. The merchant has no way to verify that the person typing in the card number is actually the cardholder. They can't check your ID. They can't match your signature. They can ask for the three-digit security code on the back of your card, but that only proves someone has seen your card—not that they're authorized to use it.

This creates a perfect environment for friendly fraud. When a consumer calls their bank and says "I didn't make this purchase," how can the merchant prove otherwise? They have a card number, sure. Maybe they have a shipping address. But none of that proves the cardholder actually placed the order.

MasterCard was actually sued over this problem back in 2003. An internet vendor argued that the company's policies and fee structures made online merchants sitting ducks for friendly fraud. The suit highlighted something the card networks have been grappling with ever since: the rules that protect consumers in the physical world don't translate cleanly to digital commerce.

Digital Goods: The Perfect Crime

If selling physical products online is vulnerable to friendly fraud, selling digital products is practically indefensible.

Consider what happens when someone buys a physical item. The merchant ships it. There's a tracking number. Someone signs for the package. If a customer claims they never received it, the merchant can at least wave around a delivery confirmation.

Digital products leave no such trail. When you buy an ebook, or a video game download, or access to a website, the product is delivered instantaneously and invisibly. There's no package. No signature. No tracking number. If a customer later claims they never received the product, or that their card was used without permission, the merchant is left holding nothing but a transaction record.

This is why digital products have become the primary target for friendly fraud. Pornography websites and online gambling platforms are particularly hard-hit, but any business selling downloadable content or digital access faces the same vulnerability. The fraudster gets the product immediately, enjoys it, and then claims it was never authorized. Proving delivery—let alone consumption—is often impossible.

Some clever merchants have found workarounds. If you're selling software or subscription services, you can build in a "phone home" feature that checks with your servers. When a chargeback comes through, you can remotely disable the product. The customer doesn't get to keep using something they've stolen. But this is cold comfort for the merchant, who still has to pay the chargeback fee and has now permanently lost a customer—even if that customer was a thief.
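The "phone home" workaround described above, sketched as an added example (not code from the source article or from any particular vendor). The key, the grace window, the in-memory store and the `handle_chargeback` hook are all assumptions made for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the licence server
GRACE_SECONDS = 7 * 24 * 3600         # assumption: how long a client may run offline
ENTITLEMENTS = {}                     # order_id -> "active" | "revoked" (a database in practice)


def _tag(order_id: str) -> str:
    return hmac.new(SERVER_KEY, order_id.encode(), hashlib.sha256).hexdigest()


def issue_license(order_id: str) -> str:
    """After payment succeeds: record the entitlement and return a signed token."""
    ENTITLEMENTS[order_id] = "active"
    return f"{order_id}.{_tag(order_id)}"


def handle_chargeback(order_id: str) -> bool:
    """Hypothetical hook run when the processor reports a dispute on this order."""
    if order_id not in ENTITLEMENTS:
        return False
    ENTITLEMENTS[order_id] = "revoked"
    return True


def check_in(token: str) -> str:
    """Server side of the phone-home call: 'active', 'revoked' or 'invalid'."""
    order_id, _, tag = token.rpartition(".")
    if not order_id or not hmac.compare_digest(tag.encode(), _tag(order_id).encode()):
        return "invalid"  # forged, truncated or corrupted token
    return ENTITLEMENTS.get(order_id, "invalid")


def client_may_run(status, last_ok, now):
    """Client side. status is the check_in() result, or None if the server was unreachable."""
    if status == "active":
        return True
    if status is None:  # offline: honour the grace window since the last good check-in
        return last_ok is not None and now - last_ok <= GRACE_SECONDS
    return False        # revoked or invalid: stop immediately
```

The grace window is the trade-off to tune: a long one keeps honest customers working through outages, a short one limits how long a charged-back copy keeps running offline.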

The European Twist

For years, merchants assumed that at least bank transfers were safe. Unlike credit card payments, a bank transfer felt permanent. Once the money moved, it moved.

They were wrong.

In Europe, the Single Euro Payments Area (known as SEPA) created standardized rules for bank transfers across the continent. And buried in those rules was a provision that allows payers to recall credit transfers within ten working days of settlement.

This was designed for legitimate errors—the banking equivalent of "oops, I sent that to the wrong account." But fraudsters quickly figured out they could exploit it. Buy something, pay via bank transfer, receive the goods, then recall the transfer. Same scheme as credit card friendly fraud, different payment rail.

Making matters worse, some receiving banks have been careless about how they handle recall requests. They've reversed payments without even bothering to consult the merchant who received them. The system's consumer-protection instincts, it turns out, can be weaponized just as easily with bank transfers as with credit cards.

The Arms Race

Merchants have tried everything to fight back.

Call centers, for instance, face their own version of the problem. When someone phones in an order and reads their credit card number to an agent, that's still a card-not-present transaction. But some companies have gotten creative. They use technology that lets customers enter their card information directly into the system—including the security code—without the agent ever seeing or hearing it. The agent stays on the line, but all they hear is monotone beeps as the customer punches in digits. It's the closest thing to "swiping" a card you can get over the phone.

Some systems go further. Before the purchase is finalized, the amount and last four digits of the card are played back to the customer. The customer is asked to verbally confirm the purchase. That confirmation is recorded. An email follows with purchase details and an audio file of the verbal authorization.

All of this creates evidence. It doesn't eliminate chargebacks, but it gives merchants ammunition to fight them.

The Machine Learning Frontier

The latest battleground is artificial intelligence.

Fraud patterns are getting more sophisticated. Bots can mimic human behavior. Fraudsters share techniques and tools in online forums. Mobile payment apps have added new attack surfaces. The sheer volume of transactions makes manual review impossible.

So merchants are increasingly turning to machine learning systems that analyze transactions in real-time, looking for subtle patterns that might indicate fraud. Maybe the shipping address doesn't match the billing address. Maybe the purchase time is unusual. Maybe the combination of products ordered is suspicious. Maybe the device fingerprint matches a known fraudster.

These systems make probabilistic judgments in milliseconds. They're not perfect—they sometimes flag legitimate purchases and sometimes miss fraudulent ones—but they're far better than the alternative, which is either checking nothing or checking everything manually.
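To make the trade-off above concrete, here is an added example (not from the source article): a hand-weighted logistic score standing in for a trained model, run over a small constructed sample to count false positives and false negatives at two thresholds. The weights, field names, device identifiers and sample orders are all assumptions.

```python
import math

# Constructed weights; a production model would learn these from labelled history.
WEIGHTS = {"addr_mismatch": 1.2, "odd_hour": 0.8, "bad_device": 3.0, "digital": 0.6}
BIAS = -3.0
KNOWN_BAD_DEVICES = {"dev-bad-01"}  # constructed device-fingerprint deny-list


def risk(order: dict) -> float:
    """Probability-like fraud score in (0, 1) from the signals named in the text."""
    signals = {
        "addr_mismatch": order["ship_zip"] != order["bill_zip"],
        "odd_hour": order["hour"] < 6,  # 00:00-05:59 local time
        "bad_device": order["device"] in KNOWN_BAD_DEVICES,
        "digital": order["digital"],
    }
    z = BIAS + sum(WEIGHTS[name] for name, hit in signals.items() if hit)
    return 1.0 / (1.0 + math.exp(-z))


def errors_at(threshold: float, labelled: list) -> tuple:
    """Count (false_positives, false_negatives) when orders scoring >= threshold are flagged."""
    fp = sum(1 for o, fraud in labelled if risk(o) >= threshold and not fraud)
    fn = sum(1 for o, fraud in labelled if risk(o) < threshold and fraud)
    return fp, fn


def order(ship, bill, hour, device, digital):
    return {"ship_zip": ship, "bill_zip": bill, "hour": hour, "device": device, "digital": digital}


# Constructed labelled sample: (order, was_fraud)
SAMPLE = [
    (order("10001", "10001", 14, "dev-a", False), False),    # ordinary purchase
    (order("94110", "10001", 15, "dev-b", False), False),    # gift shipped elsewhere
    (order("94110", "10001", 3, "dev-c", False), False),     # late-night gift
    (order("10001", "10001", 2, "dev-d", True), True),       # digital goods at 2 a.m.
    (order("10001", "10001", 13, "dev-bad-01", False), True),
    (order("60601", "10001", 4, "dev-bad-01", False), True),
]
```

On this sample a threshold of 0.4 misses the 2 a.m. digital purchase, while lowering it to 0.15 catches that order but flags the legitimate late-night gift.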

3D Secure and the Liability Shift

One of the most important developments in fighting friendly fraud has been something called 3D Secure—a protocol that adds an extra authentication step during online checkout. You've probably encountered it if you've ever been redirected to your bank's website to enter a password or approve a purchase via your banking app.

The technical details matter less than the legal consequence. When a merchant uses 3D Secure authentication, something remarkable happens: the liability for fraud shifts from the merchant to the cardholder's bank.

Think about what this means. Under normal circumstances, if a customer claims a charge was unauthorized, the merchant loses. But if the merchant used 3D Secure, and the customer's bank authenticated the transaction, then the bank is on the hook. The incentive structure flips. Banks suddenly have skin in the game, which means they're more careful about who they approve and more skeptical of questionable chargeback claims.

This hasn't eliminated friendly fraud, but it has given merchants a powerful tool for shifting at least some of the risk back where it arguably belongs—to the institutions that profit from issuing credit cards in the first place.

The Cost of Distrust

Here's what makes friendly fraud so insidious: it poisons the entire ecosystem.

Merchants, burned by chargebacks, become more suspicious. They implement stricter verification requirements. They flag more purchases as potentially fraudulent. They sometimes decline legitimate transactions because the risk feels too high.

Consumers face the consequences. Your purchase gets delayed for "manual review." Your card gets declined for no apparent reason. You're asked to jump through hoops to prove you are who you say you are.

Meanwhile, genuine fraud victims—people whose cards actually were stolen—find their claims viewed with more skepticism. Every false claim of unauthorized use makes banks and merchants slightly more cynical about the next person who says they didn't authorize a charge.

The friendly fraudsters don't bear these costs. They got their free stuff. But everyone else pays a little bit more, waits a little bit longer, and trusts the system a little bit less.

The Uncomfortable Truth

What friendly fraud reveals is uncomfortable: the systems we've built to protect consumers can be turned against the very merchants those consumers need.

The original bargain made sense. Give consumers confidence that they won't be ripped off, and they'll participate in commerce. But that confidence was built on an assumption that most people are honest. The system works when chargebacks are rare and legitimate. It starts to break down when a meaningful percentage of chargebacks are actually fraud—fraud committed not by criminals, but by ordinary people who've decided that getting free stuff is worth a phone call to their bank.

Prevention, everyone agrees, is more cost-effective than fighting disputes after the fact. It protects customer relationships and preserves operational resources. But perfect prevention is impossible. As long as there's an asymmetry between what consumers can claim and what merchants can prove, some people will exploit the gap.

The name, at least, is accurate in one way. Friendly fraud is committed by people who seem friendly. They're not skulking in hoodies or typing in basements. They're shopping alongside everyone else, using their real names and their real addresses, counting on the fact that the system was designed to believe them.

And mostly, it does.

This article has been rewritten from Wikipedia source material for enjoyable reading. Content may have been condensed, restructured, or simplified.