Trust Your Payment: Framework to Combat Scams and Fraudulent Merchants
- Milena Babayev

In today’s increasingly interconnected world, e-commerce has revolutionized how businesses and consumers engage in buying and selling. With a few clicks or taps, a consumer can purchase products or services from companies all over the world. While this level of innovation created many opportunities for reputable merchants, it has also created an environment exploitable by fraudulent websites set up with the sole intention of committing fraud.
Fraudulent merchants exploit vulnerabilities in the payment ecosystem, from weaknesses in acquirer onboarding to regulatory gaps. They often appear as legitimate businesses with professional websites and appealing offers, but their true aim is to deceive consumers into sharing payment details or making purchases for undelivered goods and services. These scams lead to high chargeback rates and financial losses, undermining consumer trust in digital commerce and damaging the reputation of legitimate businesses.
According to the Global State of Scams Report, shopping scams were the most frequently encountered scam in the world, with 22% of those surveyed encountering at least one shopping scam. Credit card payments were used approximately 20% of the time to pay the scammers.
Addressing this issue requires a multi-layered approach to combating scams and tackling fraudulent merchants. Mastercard is committed to creating a secure, reliable environment where consumers and businesses alike can thrive.
Section 1: Fraud attack vectors that exploit the payment ecosystem
Fraudulent merchants use various attack vectors to exploit the payments ecosystem:
Phishing and social engineering: Using GenAI, email spoofing, and social engineering, scammers impersonate trusted brands to trick victims into revealing sensitive information or downloading malware. In 2023, email was the most common method for targeting consumers in the U.S., with advanced social engineering scams increasing by 56%.
Skimming and embedded malware: Fraudsters inject malicious scripts into checkout pages of legitimate online stores to steal card details. In 2024, Magecart e-skimmer infections surged, affecting nearly 11,000 e-commerce domains.
Account takeover (ATO): Scammers hack into existing merchant accounts using stolen credentials, changing bank details and intercepting payments.
Friendly fraud and synthetic identities: Fraudulent merchants initiate unauthorized refunds or use synthetic identities to challenge legitimate transactions, complicating the dispute process.
Enumeration attacks: Threat actors systematically test and validate payment credentials for fraudulent transactions.
Multi-channel tactics: Scammers engage victims across platforms, using social media and legitimate-looking websites to process payments, complicating efforts to trace funds and identify malicious activity.
Section 2: Impact on your business and consumer trust
Fraudulent merchants and the scams they perpetrate have a profound impact on financial institutions. These scams lead to significant financial losses, damage banks' reputations, increase chargeback costs, and can lead to regulatory penalties, ultimately impacting their bottom line and consumer trust. The growing sophistication of fraud attempts is resulting in a higher frequency of attacks and increased financial losses. By 2027, advancements in Generative AI are projected to cost banks approximately $40 billion.
Beyond the financial implications, these scams erode consumer trust. When consumers experience fraud, their confidence in the security of digital transactions diminishes, leading to consumer dissatisfaction and attrition. This reputational damage can deter potential consumers and prompt existing ones to switch to more secure competitors. In fact, 52% of consumers would be extremely likely to not use a company again if they experienced fraudulent activity when making an online purchase.
Section 3: Best practices to help you combat scams and fraudulent merchants
Mastercard continues its efforts to safeguard the payments ecosystem, providing stakeholders with a variety of tools, guidelines, and educational resources to keep pace with rapidly evolving scam tactics. In April 2024, Mastercard announced Scam Protect, an initiative designed to transform the fight against scams by delivering an end-to-end framework that protects consumers across a growing spectrum of fraudulent schemes. This program is built on three core pillars:
Technology Solutions: Mastercard’s unique and comprehensive suite of AI-powered solutions, standards, and governance principles can help identify and prevent scams at all stages of a scam lifecycle, from the time a new merchant is onboarded to when a user carries out a transaction. By leveraging the global scale of Mastercard’s network data, these tools offer unparalleled insights into emerging fraud typologies, ensuring that stakeholders can rapidly adapt to new threats. We are continuously investing in product development to consistently improve the efficacy of our data and capabilities to detect and combat scams.
Market Education: Scams have significantly grown in popularity, and we can’t fight scams in a series of one-off battles. In the interconnected digital world, where every organization is focused on delivering a great experience for the consumer, the fight against scams is a collective responsibility. Mastercard is partnering with and through a network of collaborators to share knowledge, training, and tools.
Industry Collaboration: Mastercard proactively partners with organizations that help build security standards, collaborating with them to protect consumers around the world and make it a safer place.
Section 4: Mastercard standards to combat fraudulent merchants
One of the biggest challenges in fighting fraudulent merchants is the lack of standardized tracking for the various types of scams consumers face. To address this, Mastercard has introduced new subtypes in the Fraud and Loss Database under the broader “Scams” category of Fraud Reason Code 56 – Manipulation of Cardholder (RC56). These subtypes provide more detailed tracking and categorization of specific scam patterns, enabling a data-driven and targeted response.
Advance Fee Scam (Subtype Code A): Victims are asked to pay an upfront fee for a loan, job, or other promised benefit that never materializes. Labeling these incidents as “Advance Fee” helps issuers and acquirers understand the origins and frequency of these scams.
Impersonation Scam (Subtype Code I): Fraudsters pose as legitimate entities like government agencies, charities, corporate representatives, or even close family members to trick victims into handing over money or sensitive data. Capturing these as “Impersonation Scams” helps quickly identify large-scale events.
Investment Scam (Subtype Code V): Scammers promote fake investment opportunities, often promising high returns to entice victims to transfer funds. Marking these disputes as “Investment Scams” helps differentiate them from other commercial disputes and provides clearer data for risk modeling.
Purchase Scam (Subtype Code H): A common online shopping fraud where consumers pay for goods or services that are never delivered or are significantly different from what was advertised. Classifying these as “Purchase Scams” highlights the need for stricter merchant vetting and transaction monitoring.
Romance Scam (Subtype Code R): Fraudsters exploit emotional or romantic connections to request money or valuable information from unsuspecting victims. Labeling these disputes as “Romance Scams” helps identify emerging patterns in dating platforms or social media environments.
Issuers can use RC56 to report fraud specifically related to fraudulent merchant activity. By categorizing fraud under RC56, issuers can promptly alert acquirers and Mastercard to potential fraudulent merchants. This targeted reporting allows Mastercard to track scam-related claims in aggregate, identify patterns of bad actors, and take appropriate actions against noncompliant entities. The clarity provided by RC56 supports faster investigations, better performance of anti-scam products and services, and more effective industry-wide collaboration in shutting down scam operations.
Conclusion
In the interconnected digital world, where every organization is focused on delivering a great experience for the customer, the fight against scams is a collective responsibility. Mastercard collaborates across industries, partners and organizations worldwide to secure the digital ecosystem, ensuring payments are safe for all. Combating the growing threat of scams demands a collective effort. Some notable efforts include:
Mastercard is a Foundation member of the Global Anti-Scam Alliance, which protects consumers worldwide against scams. Together with the Global Anti-Scam Alliance, Mastercard continues to share knowledge and will define joint actions to advocate for safe and secure ways to transact, interact, and protect consumers. As part of the Alliance, Mastercard helped establish the Global Anti-Scam Alliance chapter in Singapore, bringing together organizations in the region to collaborate on new solutions to protect consumers.
Mastercard is also an inaugural member of the Aspen Institute Financial Security Program (Aspen FSP) National Task Force for Fraud & Scam Prevention, an initiative that brings together leading stakeholders from government, law enforcement, private industry, and civil society to develop a nation-wide strategy aimed at helping prevent fraud and scams in the U.S. The Task Force will build on and advance participant organizations’ meaningful work to address fraud and scams by strengthening consumer advocacy and education, improving information-sharing mechanisms, and advancing technology and policy solutions.
The United Nations Development Programme (UNDP) and Mastercard have signed a Memorandum of Understanding to collaborate on deepening the understanding of the development impact of digital scams and of ways to detect and address them.
To further examine the challenges posed by fraudulent merchants and illustrate their scope and scale through real-world examples, please refer to this white paper. It highlights Mastercard standards that shape fraud prevention efforts and emphasizes tools and best practices designed to combat fraud at every stage of the payment life cycle and provide stakeholders with a strong framework to effectively mitigate fraud and maintain trust in digital transactions.
About Mastercard
Mastercard powers economies and empowers people in 200+ countries and territories worldwide. Together with our consumers, we’re building a sustainable economy where everyone can prosper. We support a wide range of digital payments choices, making transactions secure, simple, smart and accessible. Our technology and innovation, partnerships and networks combine to deliver a unique set of products and services that help people, businesses and governments realize their greatest potential. www.mastercard.com
About the author
Milena Babayev is a seasoned professional with over 20 years of experience in marketing and product marketing. A significant portion of her career has been dedicated to working in security and fraud prevention, most recently at Mastercard, an area she finds particularly meaningful. Milena takes pride in helping organizations make informed decisions to protect their employees and customers from cybercriminals.