8 Most Costly Emerging Fraud Threats And How To Strengthen Your Defense In 2026

Dean Pogroske
Dec 4, 2025

Beyond the Basics: The Most Costly Emerging Fraud Threats And How To Strengthen Your Defense In 2026

A payment processor I know well spent three months last year investigating what looked like a straightforward fraud case.

Two merchants, both approved after thorough underwriting, had collectively pushed through $1.2 million in stolen card volume.

The fraud controls had flagged them during onboarding (847 applications flagged that quarter, in fact), but these two made it through the manual review process looking perfectly clean.

The fraudsters hadn't bypassed the system.

They'd simply understood it better than the risk team did.

This is the reality facing acquirers, PayFacs, and PSPs in 2026.

Traditional underwriting (the kind built around document verification, static data checks, and historical performance) is quietly losing ground to fraud operations that have evolved past these defenses.

While most risk teams are still asking "do the documents match?" sophisticated fraud rings are building synthetic business identities, running long-game bust-out schemes, and operating networked merchant structures that look legitimate at every individual touchpoint.

The numbers tell part of the story. TransUnion's research found that U.S. lenders faced more than $3.3 billion in exposure from synthetic identity fraud in 2024 alone.

Payment processors aren't separate from this.

They're right in the middle of it.

But the processors who are sleeping better at night haven't just added more controls.

They've fundamentally changed how they think about merchant risk: who gets approved, how relationships are monitored over time, and what fraud looks like when you zoom out to the portfolio level instead of reviewing merchants one at a time.

What follows are eight fraud patterns that keep appearing across portfolios, along with what experienced risk leaders actually do about them. Not the theoretical playbook. The one that works in practice.

Eight Fraud Archetypes That Really Hurt When They Land In Your Book

1. The Shape Shifter – Merchant Morphing

How it behaves

Starts as something plausible and low risk: handmade crafts, light subscription boxes, modest retail. Builds three to six months of clean history, maybe even earns higher limits. Then quietly pivots into higher-risk or prohibited categories once trust is established.

Why traditional controls miss it

Risk engines treat history like a security blanket. Once a merchant gets classified as "good," thresholds soften, monitoring relaxes, and small changes get ignored. But the pivot is visible: it's right there on the website, in product catalogs, in keyword drift, in customer reviews. It's just not connected systematically to your risk view.

What expert teams track

• Web content drift versus the original declared business model

• New product lines that fall into scheme-sensitive or regulated categories

• Early pattern shifts that are small individually but directional over weeks

The goal isn't to panic at every update. It's to treat changes in business model as a separate risk signal, not an afterthought. Continuous merchant monitoring helps catch these morphing patterns before they escalate.

2. The Time Bomb – Bust-Out Merchants

How it behaves

It looks like a real business because it is one, at least initially. Six to twelve months of clean volume and on-time repayments. Gradual increases in limits and financing. Then: a short, intense period of overuse and abuse, followed by disappearance.

Why this works

Traditional tools operate on the assumption that longer history equals lower risk. Bust-out schemes deliberately invest in that history. They accept lower early profits in exchange for the ability to push through one very large, very fast final extraction when controls are most relaxed.

What to look for

• Aggressive limit increase requests slightly ahead of organic growth

• Sudden expansion into new markets or customer segments that don't fit prior patterns

• Tight clusters of other merchants with similar ownership or infrastructure ramping at the same time

The best teams treat lifecycle patterns as a first-class risk object. It's not just "what volume is this merchant doing now"; it's "how does this trajectory compare with healthy peers?"

3. The Ghost – Synthetic Business Identities

How it behaves

Documents look real when checked individually. Digital presence is "complete" but strangely flat. No organic engagement, no messy history, no normal noise.

Fraudsters now understand what basic KYC and KYB checks look like, and they design identities backwards from those requirements. According to Experian's Global Identity & Fraud Report, false identity cases increased by 60% in 2024, with synthetic fraud experiencing explosive growth.

Synthetic businesses often have:

• Real EINs or registration numbers bound to fabricated narratives

• Websites and LinkedIn pages created in a short burst

• Stock photos and AI-generated staff images

• Customer reviews that look polished but oddly repetitive

Why this passes traditional checks

Each element on its own is defensible:

• Registry matches.

• Documents validate.

• Social profiles exist.

Your team is under time pressure and doesn't have an integrated way to judge "does this identity feel lived in?"

What advanced teams add

• Cross-checking domain age, content history, and update frequency

• Looking at the pattern of connections on LinkedIn or other networks

• Assessing engagement quality, not just presence of accounts

• Correlating address, phone, and email usage across other existing merchants

Synthetic identities are hardest to spot with a single KYC checklist. They become obvious when viewed across data sources and across your portfolio. Strong merchant underwriting goes beyond document checks to assess identity coherence.

4. The Network – Transaction Laundering Operations

How it behaves

Multiple seemingly legitimate merchants with modest volumes. Each account looks normal in isolation. Collectively, they process illicit activity on behalf of hidden third parties.

This is where network-level thinking matters. Fraudsters either acquire existing businesses and repurpose their payment credentials, convince current merchants to "help process" additional traffic for a fee, or run a web of shell entities that share infrastructure, staff, or back office.

Why your system misses it

Most transaction monitoring is tuned merchant by merchant. Thresholds are set per MID, not across connected entities. As long as each node stays under local radar, the network thrives.

Signals that help

• Shared IPs, hosting setups, payment pages, or checkout widgets

• Repetitive website structures and content templates across "different" merchants

• Unusual overlap in cardholder populations between merchants that claim to be unrelated

• Same directors, phones, or addresses reused across a cluster

Graph thinking is no longer optional here. If you treat merchants only as rows in a table, you're playing with partial information.

5. The Infiltrator – Portfolio-Scale Account Takeovers

How it behaves

Starts with compromised credentials, compromised inboxes, or a weak internal process. Very quickly moves from one account to many. Subtly changes settlement details, API keys, user permissions, or onboarding flows.

The goal isn't always direct theft. Sometimes it's to onboard new fraud merchants through compromised partner accounts, use existing merchants as pass-through entities, or turn your platform into a distribution channel for a broader fraud ring.

Why this hurts more than a single ATO

Most organizations treat account takeover as an IT or security issue, not as a portfolio-level risk event. By the time risk teams see anomalies in flows, infrastructure and settings have been quietly reconfigured.

What strong programs do

• Replay changes in configuration as part of risk review, not just IT audit

• Alert on unusual patterns of profile edits or credential resets across multiple merchants

• Connect security events to risk events; don't handle them in separate silos

The line between cyber risk and merchant risk is razor-thin here. In practice, they're the same incident seen from two angles.
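One way to alert on credential resets and settings changes across multiple merchants, as an added example that is not from the original article or any vendor's product. The action names, window, threshold, and audit events are all constructed assumptions.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Hypothetical names for the settings the section calls out:
# settlement details, API keys, user permissions, credential resets.
SENSITIVE_ACTIONS = {
    "settlement_account_changed",
    "api_key_created",
    "credential_reset",
    "user_permission_changed",
}

# Constructed audit-log sample: (timestamp, merchant id, action).
AUDIT_EVENTS = [
    ("2026-01-12T09:02:00", "M101", "credential_reset"),
    ("2026-01-12T11:30:00", "M150", "login"),
    ("2026-01-12T14:00:00", "M201", "credential_reset"),
    ("2026-01-12T14:04:00", "M202", "credential_reset"),
    ("2026-01-12T14:07:00", "M201", "settlement_account_changed"),
    ("2026-01-12T14:11:00", "M203", "api_key_created"),
    ("2026-01-12T14:15:00", "M204", "settlement_account_changed"),
    ("2026-01-12T16:45:00", "M300", "user_permission_changed"),
]


def max_events_per_merchant(events):
    """Per-merchant view: the busiest single merchant's sensitive-change count."""
    counts = Counter(mid for _, mid, action in events if action in SENSITIVE_ACTIONS)
    return max(counts.values(), default=0)


def detect_cross_merchant_bursts(events, window=timedelta(minutes=30), min_merchants=3):
    """Portfolio view: alert when sensitive changes hit at least
    `min_merchants` distinct merchants inside one sliding time window.
    Overlapping windows are coalesced into a single alert."""
    parsed = sorted(
        (datetime.fromisoformat(ts), mid, action)
        for ts, mid, action in events
        if action in SENSITIVE_ACTIONS
    )
    recent = deque()   # sensitive events still inside the window
    alerts = []
    open_alert = None  # alert currently being extended, if any
    for ts, mid, action in parsed:
        recent.append((ts, mid, action))
        while ts - recent[0][0] > window:
            recent.popleft()
        mids = {m for _, m, _ in recent}
        if len(mids) >= min_merchants:
            if open_alert is None:
                open_alert = {"start": recent[0][0], "end": ts, "mids": set()}
                alerts.append(open_alert)
            open_alert["end"] = ts
            open_alert["mids"] |= mids
        else:
            open_alert = None
    return [
        {
            "start": a["start"].isoformat(),
            "end": a["end"].isoformat(),
            "mids": sorted(a["mids"]),
        }
        for a in alerts
    ]


if __name__ == "__main__":
    print("busiest single merchant:", max_events_per_merchant(AUDIT_EVENTS))
    for alert in detect_cross_merchant_bursts(AUDIT_EVENTS):
        print("burst:", alert)
```

In the sample no single merchant has more than two sensitive changes, so a per-account rule stays quiet while the portfolio-level window produces one alert covering four merchants.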

6. The Phantom – Clean Fraud And CNP Abuse

How it behaves

Every data point looks correct. AVS, CVV, device fingerprint, behavioral pattern: all pass standard thresholds. Chargebacks arrive later, often in surprising clusters.

Clean fraud is essentially a data quality problem. The fraudster has the same quality of data as the legitimate cardholder.

From a merchant risk standpoint, what matters is:

• Which merchants attract this type of activity

• How quickly you can associate elevated CNP fraud with business model, traffic source, and partner channel

What expert teams focus on

• Combining issuer feedback and dispute codes with merchant-level behavior

• Looking for campaigns, not isolated transactions

• Treating unusual spikes in "otherwise clean" fraud as a signal about the merchant's acquisition channels, not just the cardholder base

Clean fraud will always exist at some level. The difference is whether you simply absorb it as a card risk problem or use it as a lens on merchant practices.

7. The Manipulator – Friendly Fraud And Policy Abuse

How it behaves

Individual disputes appear plausible. Patterns only become visible in aggregate. Abuse targets your most generous merchants and your most flexible policies.

According to the 2024 Chargeback Field Report, nearly three-quarters of merchants reported an 18% average increase in friendly fraud over three years. Industry estimates suggest friendly fraud cost retailers $103 billion in 2024 alone.

From an acquirer or PSP perspective, this is often framed as "the merchant's problem." In reality, it has direct impact on your chargeback ratios, scheme programs, and reserve decisions.

Mature risk teams:

• Track merchants with unusually high rates of "customer not satisfied" and "goods not received"

• Look at refund and voucher patterns, not just chargebacks

• Use these metrics to shape onboarding and pricing in sensitive verticals

You don't need to solve every corner case. You do need to understand where your policies are quietly being gamed.

8. The Chameleon – Triangulation And Shell Game Fraud

How it behaves

A fake storefront collects orders and payment. The fraudster then orders the goods from a legitimate merchant using stolen card credentials, and that merchant fulfills the order. The end customer is happy, the fraudster is paid, the legitimate merchant gets the chargebacks.

To the cardholder, the merchant in the descriptor is unfamiliar. To the legitimate merchant, everything looked like a normal order. To your risk systems, the only signal is a slow drift in dispute ratios.

What reveals this pattern:

• A strange mix of customer geographies and shipping locations

• No coherent marketing funnel compared with order locations

• Repeated association with known fraud campaigns or BIN clusters

Again, the issue isn't that these patterns can't be seen. It's that they require cross-merchant and cross-signal views that many organizations still don't have.

Where Traditional Risk Programs Bleed Money

Across all these archetypes, the same structural blind spots keep showing up.

1. Trusting Documents More Than Behavior

In 2026, almost any document you ask for can be generated, bought, or lightly edited. Digital behavior is significantly harder to fake at scale:

• How the business talks to customers

• How the website evolved over time, not just how it looks today

• How the merchant interacts with your platform and support channels

• How transaction patterns line up with stated model and digital footprint

Expert teams use documents as one layer, not as the foundation.

2. Treating Underwriting As A One-Time Gate

Most institutions still pour resources into onboarding and then relax.

Real risk lives in:

• Ownership changes that don't pass through your formal channels

• Quiet pivots in business model or geography

• Shifts in partners and suppliers behind the scenes

Continuous assessment isn't about re-onboarding everyone every quarter. It's about having automation that tells you when a merchant is no longer the entity you originally approved. Effective merchant onboarding is just the beginning; ongoing vigilance matters more.

3. Fighting Networks With Merchant-By-Merchant Logic

Fraudsters share infrastructure, talent, money flows, and know-how. When you only score merchants as individuals, only tune rules at the merchant level, and only investigate after big losses, you're playing a local game while the fraud is global.

Portfolio and ecosystem views aren't a luxury anymore. They're required for basic hygiene.

What Forward-Looking Risk Leaders Are Building Instead

Across processors that are clearly ahead of the curve, four building blocks show up again and again.

1. Identity Intelligence Beyond KYC

They stop asking only "are the documents correct?" and start asking "is this identity coherent in the real world?" Signals include:

• Web history

• Organic presence and engagement

• Past roles and entities tied to the same people

• Mentions in news, registries, and complaints

This turns KYC from a checklist into an intelligence function.

2. Continuous Business Intelligence

They treat every merchant as a living relationship:

• Monitor for shifts in web presence, signals of new verticals, new channels

• Track meaningful changes in ownership, control, and key staff

• Watch for regulatory actions or negative press across jurisdictions

The result isn't more manual work; it's better prioritization. You know which merchants deserve a closer look this month.

3. Network-Level Detection

They invest in graph analytics and cross-portfolio visibility:

• Shared devices, IPs, infrastructure

• Overlap in cardholder or supplier networks

• Coordinated bursts of onboarding from related entities

This is how you catch The Network, The Time Bomb, and The Chameleon before they become board-level topics. Partner oversight extends this thinking to indirect merchant relationships.
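The cross-portfolio linking described here and under "The Network" above, as an added example that is not from the original article or any vendor's product. The field names, the per-MID threshold, the `max_fanout` cut-off, and the merchant records are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample portfolio; every identifier and value is made up.
MERCHANTS = [
    {"mid": "M001", "ip": "198.51.100.10", "phone": "555-0101", "director": "A. Rivera",
     "checkout_host": "pay.platform.example", "monthly_volume": 18000},
    {"mid": "M002", "ip": "198.51.100.10", "phone": "555-0102", "director": "B. Chen",
     "checkout_host": "pay.platform.example", "monthly_volume": 16000},
    {"mid": "M003", "ip": "198.51.100.22", "phone": "555-0102", "director": "C. Okafor",
     "checkout_host": "pay.platform.example", "monthly_volume": 21000},
    {"mid": "M004", "ip": "203.0.113.5", "phone": "555-0104", "director": "D. Silva",
     "checkout_host": "pay.platform.example", "monthly_volume": 40000},
    {"mid": "M005", "ip": "203.0.113.9", "phone": "555-0105", "director": "E. Novak",
     "checkout_host": "pay.platform.example", "monthly_volume": 9000},
]

LINK_FIELDS = ("ip", "phone", "director", "checkout_host")
PER_MID_THRESHOLD = 25000  # hypothetical per-merchant review threshold


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def linking_values(merchants, max_fanout):
    """Attribute values shared by 2..max_fanout merchants.
    Values shared by more (a common hosted checkout, for instance) are
    ignored so that ordinary shared infrastructure does not merge everyone."""
    counts = Counter((f, m[f]) for m in merchants for f in LINK_FIELDS if m.get(f))
    return {key for key, n in counts.items() if 2 <= n <= max_fanout}


def cluster_merchants(merchants, max_fanout=3):
    """Group merchants into connected components over shared attributes."""
    links = linking_values(merchants, max_fanout)
    parent = {m["mid"]: m["mid"] for m in merchants}
    anchor = {}  # first merchant seen for each linking value
    for m in merchants:
        for f in LINK_FIELDS:
            key = (f, m.get(f))
            if key not in links:
                continue
            if key in anchor:
                parent[_find(parent, m["mid"])] = _find(parent, anchor[key])
            else:
                anchor[key] = m["mid"]
    groups = defaultdict(list)
    for m in merchants:
        groups[_find(parent, m["mid"])].append(m)
    return sorted(groups.values(), key=lambda g: g[0]["mid"])


def flag_clusters(merchants, threshold=PER_MID_THRESHOLD, max_fanout=3):
    """Flag clusters whose members each stay under the per-MID threshold
    while their combined volume meets or exceeds it."""
    links = linking_values(merchants, max_fanout)
    flagged = []
    for group in cluster_merchants(merchants, max_fanout):
        quiet = [m for m in group if m["monthly_volume"] < threshold]
        combined = sum(m["monthly_volume"] for m in quiet)
        if len(quiet) < 2 or combined < threshold:
            continue
        in_group = Counter((f, m[f]) for m in group for f in LINK_FIELDS if m.get(f))
        shared = sorted(
            f"{f}={v}" for (f, v), n in in_group.items() if n >= 2 and (f, v) in links
        )
        flagged.append({
            "mids": sorted(m["mid"] for m in quiet),
            "combined_volume": combined,
            "shared": shared,
        })
    return flagged


if __name__ == "__main__":
    for hit in flag_clusters(MERCHANTS):
        print(hit)
```

M001 and M003 share nothing directly; they are joined only through M002, which is the kind of link a row-by-row review does not surface.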

4. AI-Supported Anomaly Detection

Used properly, machine learning in merchant risk isn't "magic scoring." It's:

• Flagging behaviors that don't match historical baselines for similar merchants

• Connecting signals humans can't practically correlate at scale

• Freeing underwriters and investigators to focus on high-context judgment, not tab-switching

The best teams combine these tools with strong risk judgment, not instead of it.

Fraud Prevention As A Strategic Advantage, Not Just A Cost

The commercial upside of getting this right is often underestimated:

• You can approve good merchants faster, with less debate and fewer manual escalations

• You can price accurately to true risk profile instead of blanket overpricing whole segments

• You can walk into regulatory reviews with credible, data-backed stories about oversight

• You can withstand one or two serious incidents without losing scheme trust or internal confidence

In other words, strong fraud prevention doesn't just reduce losses; it supports growth, pricing power, and your ability to operate in more demanding markets.

A Short Note On How We Think About This At Ballerine

At Ballerine, we work with acquirers, PayFacs, and PSPs who are dealing with exactly these patterns in production. The conversations are rarely about "adding another score."

They're about:

• Seeing merchants as evolving identities with real digital footprints

• Connecting ecosystem signals that already exist but sit in different tools

• Giving risk teams the ability to react quickly when a merchant stops looking like the one they originally approved

We obviously chose to build technology around this problem.

Whether you solve it with us, with other vendors, or with your own stack, the direction of travel is the same for everyone serious about merchant risk in 2026:

• Less faith in documents

• More attention to behavior and networks

• Less reliance on one-time underwriting

• More continuous, intelligent oversight

If you're already making this shift inside your organization, I'd genuinely be interested in what you're seeing and which types of fraud are keeping you busiest right now.


Reeza Hendricks
