Fundamentals | 2026-05-20 | 10 min read

Friendly Fraud vs Criminal Fraud — Why Your Defense Needs to Be Different

Friendly fraud is now the fastest-growing chargeback category. It needs a totally different defense than criminal fraud. Here's how to tell them apart and stop both.


For most of the last decade, "fraud" in ecommerce meant criminal fraud — a stranger using stolen card data, an organized ring abusing your checkout. The dispute, when it came, was traceable to someone who shouldn't have been on your store.

That quietly changed around 2022. Banking apps made disputes one-click. Payment networks shifted default protections further toward cardholders. Consumer awareness of the dispute process broadened.

The result: friendly fraud — disputes filed by real customers who actually received the product — became the fastest-growing chargeback category. In many verticals, it's now larger than criminal fraud.

This article covers the real difference, why it matters more in 2026, and the controls that work for each.

The clean definitions

Criminal fraud (also called "third-party fraud"): a transaction placed by someone other than the legitimate cardholder, without their consent. Stolen card data, account takeover, synthetic identity — variations of the same pattern: the person paying isn't the person on the card.

Friendly fraud (also called "first-party fraud" or "chargeback fraud"): a transaction placed by the legitimate cardholder, who later disputes the charge with their bank. The cardholder authorized the purchase. The merchant fulfilled correctly. The product was received as ordered. A few weeks later, the chargeback fires anyway.

The "friendly" in friendly fraud is misleading. It refers to the relationship between the cardholder and the merchant (the cardholder was a real customer, not a stranger), not to anyone's intent. Some friendly fraud is fully intentional. Some is accidental. Some falls into a grey area.

The three shapes of friendly fraud

Break it into subtypes because they need different responses:

1. Deliberate friendly fraud

Customer knows what they did. Received the product, liked it, kept it, disputed the charge to get their money back too. This is genuine theft hidden behind a real identity.

Hard to detect during the order — the customer profile looks normal because it is normal. But it tends to repeat: customers who file deliberate disputes do so multiple times across multiple merchants.

2. Accidental friendly fraud

Customer genuinely doesn't remember the purchase. Maybe their spouse ordered. Maybe the billing descriptor doesn't match the brand they remember. Maybe the recurring charge slipped their mind. They see an unfamiliar charge, click "I don't recognize this" in their banking app, and a chargeback fires before anyone investigates.

This is the largest single category — and the most preventable through better merchant communication.

3. Manipulative friendly fraud

Customer remembers the purchase but uses the dispute process strategically — to force a refund the merchant denied, to extract a settlement, to handle a return they found inconvenient. The dispute reason might be "product not as described" when the real grievance is "I didn't like it and you wouldn't refund me."

Often legally defensible by the merchant, but expensive to defend in practice.

Why criminal and friendly fraud need different defenses

The critical insight: the same control can be highly effective against criminal fraud and completely useless against friendly fraud — and vice versa.

Criminal fraud is an identity problem. The defender needs to detect that the person paying isn't the person on the card. AVS, CVV, IP geolocation, device fingerprinting, behavioral biometrics — all standard fraud signals — are aimed at this. When signals indicate identity mismatch, block or hold.

Friendly fraud is an intent problem. The person paying is the person on the card. Every identity signal will pass. AVS will match. CVV will be correct. Device will be familiar. IP will geolocate correctly. The fraud only manifests later — when the customer files the dispute. There's no checkout-time signal to act on.

That asymmetry means the entire playbook diverges:

| Defense layer | Criminal fraud | Friendly fraud |
|---|---|---|
| Pre-checkout filtering | Highly effective | No effect |
| Identity verification at checkout | Highly effective | No effect |
| Velocity / device clustering | Effective | Limited |
| Delivery confirmation | Moderate | Highly effective |
| Clear billing descriptors | Minimal | Highly effective |
| Customer-service documentation | Minimal | Highly effective |
| Dispute representment | Moderate | Highly effective |
| Refund policy clarity | Minimal | Highly effective |

The defenses that win against friendly fraud are mostly post-fulfillment and customer-experience layers, not fraud-detection layers. This is one of the harder shifts for merchants who built their fraud thinking around criminal patterns.

How to spot friendly fraud in your chargeback data

Friendly fraud has different fingerprints, visible in your data once you know what to look for:

Dispute timing

  • Criminal fraud disputes typically land 5-15 days after the charge — the speed at which the legitimate cardholder notices the charge, calls their bank, triggers a chargeback
  • Friendly fraud disputes are spread across the full window (30-90+ days), often clustered around statement dates or end-of-month financial reviews

Customer history

  • Criminal fraud disputes mostly come from customers with no prior order history
  • Friendly fraud disputes often come from customers with one or more legitimate prior orders. A long-term customer suddenly disputing is a much stronger signal of friendly fraud

Dispute reason codes

  • Criminal fraud concentrates in "fraudulent transaction" codes (Visa 10.4, Mastercard 4837)
  • Friendly fraud spreads across "product not received," "product not as described," "credit not processed," "duplicate transaction"

A merchant whose chargebacks are 80% non-fraud-code disputes is dealing primarily with friendly fraud.

Delivery status

  • Criminal fraud disputes are on orders the cardholder never received (because they never placed them)
  • Friendly fraud disputes are on orders that were correctly delivered, often with signature confirmation

Pulling the dispute set and cross-referencing against delivery tracking quickly separates the two.

The friendly-fraud defense playbook

Defenses cluster into four areas:

1. Reduce accidental disputes (biggest lever)

The largest, most preventable category. Three practices help:

Clear billing descriptors. The text on the customer's credit card statement should obviously map to your store name. "MERCHANT-SVC-3392" generates disputes. "ACME-SHOP-NYC" does not. Most processors let you customize; this is a quick fix.

Detailed receipts. Email a receipt at order time and again at shipment. Include product image, shipping address, order date, brand. "I don't recognize this charge" disputes drop significantly.

Customer-service availability. Disputes happen because the customer couldn't easily reach the merchant. A visible, responsive support channel diverts disputes that would otherwise escalate to the bank.

2. Improve delivery documentation

For "product not received" disputes:

  • Signature confirmation on orders above a value threshold — the strongest single piece of evidence
  • Photo confirmation at delivery — increasingly available through major couriers; materially shifts representment outcomes
  • Save delivery photos and timestamps for at least 12 months

3. Build dispute representment habits

Three habits separate merchants who win disputes from those who don't:

  • Respond within 48 hours of receiving the dispute, not 48 hours before deadline
  • Templated evidence package: order confirmation + shipment confirmation + delivery confirmation + customer communication + return-policy text
  • Track win rate by reason code — some categories aren't worth fighting; others have 70%+ win rates and should be fought every time

4. Detect repeat offenders

Deliberate friendly fraud tends to repeat. A customer who disputed three orders across three merchants in 12 months is more than three times as likely to dispute their fourth.

Subscribing to cross-merchant fraud-signal networks — or, for high-volume merchants, building internal repeat-offender lists — turns isolated disputes into pattern data. Shieldy's customer-blocklist supports this.

How Shieldy fits into the friendly-fraud defense

Most fraud apps in the Shopify ecosystem (including Shieldy) are stronger against criminal fraud than friendly fraud. The patterns Shieldy catches well:

  • Stolen-card fraud at checkout
  • Card testing
  • Bot-driven order abuse
  • Coordinated fraud rings (device fingerprinting)
  • Triangulation (address-pattern checks)

What Shieldy doesn't directly stop is friendly fraud disputes themselves — because the customer is legitimate at order time. What Shieldy does help with:

  • Repeat-fraud customer blocking. Tag customers who've previously charged back. Shieldy blocks subsequent orders from the same email, phone, address, or device — preventing the third dispute from the same actor.
  • Cross-merchant intelligence. Shieldy's threat-intel feeds include patterns from across the Shopify ecosystem.
  • Documentation trail. Every blocked/cancelled order in Shieldy includes the indicator log — useful as representment context.

The bulk of friendly-fraud reduction happens in your operational layer (billing descriptors, receipts, signature confirmation, representment process), not your fraud-app layer.

A practical exercise

Pull the last 90 days of chargebacks and code each along three dimensions:

  1. Reason code — "fraudulent transaction" vs. everything else
  2. Customer order history — first-order vs. repeat customer
  3. Delivery status — delivered vs. not delivered

Build a 2x2x2 cube. Where the volume concentrates tells you the dominant pattern:

  • Heavy in fraudulent / first-order / not-delivered → criminal fraud. Invest in identity signals and pre-checkout filtering.
  • Heavy in non-fraudulent / repeat customer / delivered → friendly fraud. Invest in delivery docs, billing clarity, representment.
  • Mixed → invest proportionally.
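
The coding exercise above as a short script (an added example, not code from the article or from Shieldy). The tuple layout, the text labels used for non-fraud reasons, and the 50% `heavy` cutoff are assumptions; the sample rows are constructed.

```python
from collections import Counter

# "Fraudulent transaction" codes named in the article; everything else
# counts as a non-fraud code.
FRAUD_CODES = {"10.4", "4837"}
CRIMINAL = ("fraud-code", "first-order", "not-delivered")
FRIENDLY = ("non-fraud-code", "repeat", "delivered")

# Constructed sample export (not real data):
# (reason, prior legitimate orders, delivered per tracking)
SAMPLE = [
    ("10.4", 0, False),
    ("4837", 0, False),
    ("product_not_received", 3, True),
    ("product_not_as_described", 1, True),
    ("credit_not_processed", 2, True),
    ("duplicate_transaction", 5, True),
    ("product_not_received", 1, True),
    ("product_not_as_described", 4, True),
    ("product_not_received", 0, False),
    ("10.4", 2, True),
]

def code_dispute(reason, prior_orders, delivered):
    """Map one chargeback to its cell in the 2x2x2 cube."""
    return (
        "fraud-code" if reason in FRAUD_CODES else "non-fraud-code",
        "repeat" if prior_orders > 0 else "first-order",
        "delivered" if delivered else "not-delivered",
    )

def build_cube(chargebacks):
    """Count chargebacks per cube cell."""
    return Counter(code_dispute(*cb) for cb in chargebacks)

def dominant_pattern(cube, heavy=0.5):
    """Classify the mix; `heavy` is an assumed cutoff, not from the article."""
    total = sum(cube.values())
    if total == 0:
        return "no-data"
    if cube[CRIMINAL] / total >= heavy:
        return "criminal"
    if cube[FRIENDLY] / total >= heavy:
        return "friendly"
    return "mixed"

if __name__ == "__main__":
    cube = build_cube(SAMPLE)
    for cell, n in cube.most_common():
        print(f"{n:3d}  {' / '.join(cell)}")
    print("dominant pattern:", dominant_pattern(cube))
```

Cells outside the two named corners (a fraud-code dispute on a delivered order from a repeat customer, for instance) are worth reading individually rather than folding into either bucket.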

This single exercise beats any blog-based fraud advice — including this article — because it tells you what's specifically broken in your store, not what's broken industry-wide.

The takeaway

Criminal fraud and friendly fraud need different defenses. Most stores misallocate because they assume criminal fraud when their actual data shows friendly fraud — or vice versa.

Shieldy handles the criminal-fraud detection layer well. The friendly-fraud defense is mostly operational: clearer billing descriptors, signature confirmation on high-value orders, fast representment with documented evidence.

Run the diagnostic. Then invest where your data actually points.
