What recent fraud data tells us. And what it doesn’t

There’s been an interesting shift in some recent payments reports. Some of them suggest that fraud figures could be improving. For example, reported fraud incidents are declining in certain categories, and overall volumes appear to be stabilising after years of steady growth.

On the surface, that points to progress. But when you look more closely at the data, a different picture starts to emerge.

• The rate of fraud per order is increasing.

• False positives are rising.

• And almost every merchant is still dealing with it.

To me this indicates that this the issue of fraud is not being solved. More, it’s an issue that’s just being managed.

The signals are conflicting, but they are pointing to the same problem

98% of merchants still experience fraud. That alone should reframe the conversation. Fraud is not an edge case or a residual issue. It’s embedded in how digital commerce operates.

At the same time, the average fraud rate per order has increased, even as overall incident volumes have fallen.  This also tells us something important – fraud is not being reduced, just redistributed.

Anti-fraud systems are filtering out more low-level noise, while higher quality fraud continues to get through. The attacks that remain are more deliberate, more targeted, and more difficult to identify.

So, while the headline numbers improve, it would seem that the impact per transaction continues to get worse.

Fraud is not a single problem (and it never was)

One of the reasons this is happening is that fraud is fragmented. It goes way beyond stolen card details or account takeover, and is happening across multiple layers at the same time:

• Refund and policy abuse

• First party misuse

• Phishing and social engineering

• Card testing

• Identity fraud

In the recent Fraud in Europe report by payabl., refund abuse alone is experienced by 44% of merchants, making it the most common form of fraud. At the same time, first party misuse is rising, with 64% of merchants reporting an increase.

This is a structural shift.

Fraud is increasingly coming from legitimate customers, using legitimate credentials, making legitimate looking transactions, which makes it much harder to detect, and much harder to challenge.

Detection is improving. Certainty is not

The industry response to fraud has been consistent for a number of years now:

More data.

More signals.

More AI.

And that has worked, to a point. Merchants are investing heavily in fraud tools, with the majority planning further investment in the next 12 months.  But there is a limit to what detection can do, because detection is, by definition, probabilistic. It looks at patterns, behaviours, and signals, and makes a judgement about likelihood.

Now, we know it gets better at these activities as time goes on, and it can get faster, and more accurate. But at the end of the day, AI is still making a judgement. And it still cannot answer the most important question: Was this transaction actually authorised by the cardholder?

The hidden cost: good customers being treated like fraudsters

This is where the impact becomes more visible. As fraud becomes harder to detect, systems become more cautious. They challenge and decline more transactions. The result is that false positives remain high and, in many cases, are increasing.

That has a direct commercial impact.

• Revenue is lost.

• Customers are blocked.

• Trust erodes.

At the same time, fraud that does get through becomes more expensive to deal with, taking time, resources, and operational effort.

In the payabl. report, business leaders are spending the equivalent of a full working month each year dealing with fraud.  So, the system creates two simultaneous outcomes:

• Fraud still happens.

• Legitimate customers are still declined.

Both are symptoms of the same issue.

We are optimising around uncertainty

The entire fraud ecosystem is built around managing uncertainty, not removing it. This is the crux of the problem. Risk scoring models decide whether to approve or decline, rules engines decide when to challenge, and AI models decide what looks suspicious.

But none of them change the underlying condition, which is that transactions still happen without confirmed cardholder presence.

What changes when you remove the uncertainty?

This is the conversation we are having because there is an alternative, and it’s not more data or better prediction. It’s removing the need to predict in the first place.

When the cardholder is actively involved in the transaction, using the same level of authentication as a physical card payment, the nature of the decision changes.

It is no longer: Does this look like fraud?

It becomes: Was this approved by the cardholder?

That is a fundamentally different question with a fundamentally different level of confidence.

This is the space where approaches like Card Present over Internet ® (CPoI®) sit. Not as another layer of fraud detection, but as a different way of structuring the transaction itself. A way to move from assessing risk to confirming intent.

Where this leaves the industry

Fraud is not stabilising, it’s evolving. The data reflects that clearly. Fewer incidents, higher impact, better tools, persistent uncertainty. However, there is also more investment, and the same underlying problem.

The next phase of progress is unlikely to come from refining the same approach. It will come from changing the focus:

• From prediction to confirmation.

• From signals to certainty.

• From managing fraud to preventing it at the point of transaction.

Until then, the industry will continue to get better at detecting fraud.

And fraud will continue to get better at looking legitimate.