Friendly Fraud on WooCommerce: When Real Customers Use Chargebacks to Steal
A merchant we read about recently sold cigar glue, of all things, for around $20. The customer placed the order. DHL delivered it with tracking proof. The customer did not complain, did not request a refund, did not contact support. Then they filed a chargeback claiming the charge was unauthorized, told the seller it was probably the bank’s mistake, and offered to reimburse via PayPal. None of that was true. They had received the product, they intended to keep it, and the second order they placed a few days later was followed by another dispute. After the first dispute was granted, the customer emailed the seller to gloat about how clever the scheme was.
This is what the payment industry calls friendly fraud, which is a strange name for it. Nothing about the situation is friendly. The cardholder is the attacker. The payment gateway sided with them. The merchant lost the product, the shipping cost, the $30 in dispute fees, hours of evidence work, and any realistic chance of recovery.
The case appeared in a recent blog post by Yoav Aner, who runs a small Stripe-based store, and it is not unusual. It is one of the most common forms of fraud on WooCommerce and other ecommerce platforms today, and it has gotten worse fast.
What is friendly fraud, really
Friendly fraud, also called first-party misuse or first-party fraud, happens when the legitimate cardholder authorizes a purchase, receives the goods or services, and then disputes the charge anyway. The card was real. The order was real. The shipping address matched. The customer kept the product. Then they told their bank the charge was unauthorized.
Visa refers to it as first-party misuse. Mastercard sometimes calls it friendly fraud, sometimes chargeback fraud, sometimes first-party fraud. The behavior is the same, and it covers a spectrum.
At one end is genuine confusion. The customer forgets a recurring subscription, does not recognize the billing descriptor on their statement, or assumes a family member used the card without permission. These are honest disputes, and good store operations can prevent most of them.
In the middle is opportunism. The customer received the item, decided they did not want it, missed the return window or did not feel like dealing with returns, and reached for the chargeback as a refund shortcut. They know the bank will probably side with them.
At the other end is outright theft, where the customer planned to keep the goods from the start and never intended to pay. This is what happened in the Ciglue case. The dispute is the plan.
None of this looks like fraud at the moment of checkout. The card passed AVS and CVC checks. The IP matched the country. The shipping address was correct. Stripe Radar and PayPal risk tools approved the transaction because, by every signal those systems can see, it was legitimate. And it was. The fraud happens later, through the dispute process.
Why this is suddenly a much bigger problem
This kind of dispute abuse has been around for a long time, but the numbers in the last two years have moved sharply.
The Merchant Risk Council’s 2026 Global eCommerce Payments and Fraud Report, released in March and based on responses from 1,278 merchant professionals across 37 countries, found that 64% of merchants report rising rates of first-party misuse, with a quarter of those merchants reporting increases of 25% or more. The most recent LexisNexis Cybercrime Report, which analyzed 104 billion global transactions, observed first-party fraud climbing from 15% of all reported fraud one year to 36% the next, making it the leading attack type globally and surpassing both account takeover and scams.
The cost side has gotten worse alongside the volume. The average disputed transaction in the US ran around $110 in 2025. Stripe changed its fee structure in June 2025 so that every chargeback now triggers an automatic $15 dispute fee, and if you fight the dispute, a second $15 counter fee is added. Win and the counter fee is refunded. Lose and you are out $30 in fees on top of the lost product and the lost transaction. For small merchants, defending a $20 product against a dispute can mean losing money even on a winning fight.
Visa’s VAMP framework, updated in 2025, also stopped treating friendly fraud as a separate category for monitoring. Whether a dispute is fraudulent or genuine, it still counts toward your fraud and dispute ratios. Cross the thresholds repeatedly and acquirers raise reserves, slow payouts, or close the merchant account. The cardholder’s claim alone affects your standing, regardless of whether you won the dispute later.
Why Stripe Radar and PayPal risk tools cannot stop this
Gateway fraud tools are excellent at what they do, which is evaluating whether a transaction looks suspicious at the moment of authorization. They look at the card, the IP, the device, the AVS match, the CVC match, the velocity, the merchant’s risk profile, and a long list of cross-merchant signals. For preventing third-party fraud, where someone is using stolen cards, this catches a lot.
Friendly fraud bypasses all of it because the transaction itself is genuinely fine. The cardholder is using their own card, on their own device, from their normal IP, shipping to their real address. There is no signal at the authorization moment that says they will dispute the charge six weeks later. The attack does not happen at checkout. It happens through the customer’s bank, in the dispute portal.
Yoav Aner, the cigar glue merchant, reported the case to Stripe with screenshots of the customer gloating. Stripe’s response was that they do not feed evidence of chargeback abuse from one merchant into cross-merchant signals. They also do not take action against the customer’s card across the wider Stripe network. The recommended fix was to add a Radar rule blocking that customer from buying from him specifically, which requires a paid Radar tier. The next merchant on the customer’s list still starts from zero, and the cycle continues.
This is not a Stripe-specific failing. PayPal, Adyen, and other processors handle it similarly. The economics of cross-merchant blocklisting are real. One annoyed seller should not be able to get a customer banned across the entire payment network. But the gap between “automatic global block” and “thanks for the evidence, please consider Radar” is wide, and merchants live in that gap.
The implication is the one most ecommerce merchants take a while to fully accept: the defense has to come from your own operations, not from the gateway.
What WooCommerce actually gives you to fight back
This is where WooCommerce stores have a quiet advantage they often do not use. The platform captures a lot of evidence by default, and more if you ask it to. The trouble is that almost nobody assembles that evidence until they are already losing a dispute.
Out of the box, a WooCommerce order record includes the IP address used at checkout, the user agent, the email, billing and shipping addresses, items purchased, timestamps for every status change, payment method details, customer notes, and any communication that went through the WooCommerce email system. If the customer has an account, you also have their full order history, login activity, and previous undisputed purchases.
For shipped products, your fulfillment system adds the shipping carrier, tracking number, scan history, delivery confirmation, and any signature capture. For digital products, you have download logs, license activations, and access timestamps. For services, you have login records and usage data.
None of this is exotic. Most stores have it. Few stores have it in the form a chargeback case requires.
Visa Compelling Evidence 3.0 is the framework that matters now
For Visa card disputes filed under reason code 10.4, the card-absent fraud code that covers most friendly fraud cases, Visa introduced Compelling Evidence 3.0 in April 2023 and it has become the standard playbook for dispute responses. It is worth understanding because winning a CE 3.0 case is one of the few situations where liability shifts back to the issuer cleanly.
CE 3.0 asks for a specific shape of evidence. You need to show two prior undisputed transactions from the same customer, settled between 120 and 365 days before the disputed transaction. Across those three transactions (the two prior plus the disputed one), at least two of four core data elements must match: customer login ID, IP address, shipping address, or device ID or fingerprint. At least one of those two matching elements must be the IP address or the device fingerprint.
If you can show this, the dispute is presumed valid. The chargeback is reversed and stops counting against your fraud ratio, though it still counts against your dispute ratio. For repeat customers especially, this is a strong defense, because the data is already sitting in your WooCommerce database. It just needs to be findable when you are responding to the dispute.
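As an added example (not code from the article or from WooCommerce itself), the CE 3.0 qualification rule described above expressed as a check over one customer's order history. It assumes the relevant fields have already been pulled out of the order records into the small Order structure defined here; the field names, order numbers, dates and addresses are constructed for the example, and the rule follows the article's reading that a matching element must be identical across the disputed order and both priors.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Optional

# CE 3.0 core data elements, as the article describes them: at least two must
# match across the disputed order and both priors, one of them IP or device ID.
CORE_ELEMENTS = ("login_id", "ip_address", "shipping_address", "device_id")
STRONG_ELEMENTS = {"ip_address", "device_id"}
MIN_DAYS, MAX_DAYS = 120, 365  # priors must settle 120-365 days before the dispute


@dataclass(frozen=True)
class Order:
    """The slice of an order record a CE 3.0 check needs (field names are this
    example's own, not WooCommerce meta keys or HPOS column names)."""
    order_id: int
    settled: date
    login_id: Optional[str] = None
    ip_address: Optional[str] = None
    shipping_address: Optional[str] = None
    device_id: Optional[str] = None
    disputed: bool = False


def eligible_priors(disputed: Order, history: list[Order]) -> list[Order]:
    """Undisputed orders settled inside the 120-365 day window."""
    return [o for o in history
            if not o.disputed and o.order_id != disputed.order_id
            and MIN_DAYS <= (disputed.settled - o.settled).days <= MAX_DAYS]


def shared_elements(orders: tuple[Order, ...]) -> set[str]:
    """Core elements whose value is present and identical on every order."""
    shared = set()
    for name in CORE_ELEMENTS:
        values = {getattr(o, name) for o in orders}
        if len(values) == 1 and None not in values:  # a missing value never matches
            shared.add(name)
    return shared


def ce3_qualifying_pair(disputed: Order, history: list[Order]):
    """First pair of eligible priors that, with the disputed order, satisfies the
    CE 3.0 rule, as (prior_a, prior_b, matched_elements); None if no pair does."""
    for a, b in combinations(eligible_priors(disputed, history), 2):
        matched = shared_elements((disputed, a, b))
        if len(matched) >= 2 and matched & STRONG_ELEMENTS:
            return a, b, matched
    return None


# Constructed sample history for one customer; not data from a real store.
HISTORY = [
    Order(1001, date(2024, 6, 1), "jdoe", "203.0.113.5", "1 Main St", "fp-a1"),   # 466 days: too old
    Order(1012, date(2025, 1, 15), "jdoe", "203.0.113.5", "1 Main St"),           # 238 days, no device data
    Order(1020, date(2025, 3, 1), "jdoe", "203.0.113.5", "1 Main St", "fp-a1"),   # 193 days
    Order(1035, date(2025, 8, 1), "jdoe", "203.0.113.5", "1 Main St", "fp-a1"),   # 40 days: too recent
]
# Same login, IP and address as orders 1012 and 1020 -> qualifies.
DISPUTED = Order(1040, date(2025, 9, 10), "jdoe", "203.0.113.5", "1 Main St", "fp-a1")
# Login and address still match, but new IP and no device ID -> two matches, neither strong -> fails.
DISPUTED_NEW_DEVICE = Order(1041, date(2025, 9, 10), "jdoe", "198.51.100.7", "1 Main St")
```

The second disputed order shows the part of the rule that most often trips merchants up: two matching elements are not enough unless one of them is the IP address or device fingerprint.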
The challenge for most stores is that the evidence is scattered. The order has the IP. The shipping carrier has the delivery proof. The email system has the receipts and notifications. The customer account has the login history. By the time a dispute comes in with a 7-to-21 day deadline, assembling all of this manually is painful, and a meaningful number of disputes are lost simply because the response was incomplete or late.
The dispute evidence checklist for WooCommerce stores
When a dispute lands, the response window is short and the bar is high. The following is the evidence shape we would assemble for a typical WooCommerce dispute defense, whether or not the case qualifies for CE 3.0 specifically.
Transaction context: the order ID, order date and timestamp, customer email, billing and shipping addresses, IP address at checkout, user agent, and payment method details. Pull this directly from the order record. With HPOS (High-Performance Order Storage) enabled, all of it lives in the orders table; without HPOS, it is in the post meta.
Customer relationship history: any prior orders from the same customer that completed and were not disputed, with their IP addresses, shipping addresses, and account login IDs. This is where CE 3.0 cases are won.
Fulfillment proof: for physical products, the carrier, tracking number, full scan history, and delivery confirmation, ideally with a screenshot of the carrier’s tracking page. For digital products, the download log entries with timestamps and IPs, plus any license activation records. For services, login or usage records that show the customer received what they paid for.
Communication record: all emails sent to the customer through WooCommerce, all support tickets, any customer messages in the order notes, and any external communication that touches the dispute. The cigar glue merchant’s strongest evidence was an email from the customer gloating about the scheme. Even without something that explicit, you usually have order confirmation emails, shipping notifications, and the silence of a customer who never asked for help before disputing.
Store policies the customer agreed to: terms of service, return policy, shipping policy, and the timestamp at which they were displayed or accepted. If your checkout requires a checkbox for terms acceptance, capture that.
Billing descriptor screenshot: what the customer’s card statement actually shows. Stripe and PayPal both let you customize this, and a clear, recognizable descriptor reduces honest-confusion disputes. It also helps with deliberate-fraud disputes by demonstrating that the descriptor was unambiguous.
None of this requires expensive tooling. It requires the discipline to capture it at the time of order, and the system to retrieve it when the dispute notification arrives.
Prevention is much cheaper than defense
Disputes are expensive even when you win. The dispute fee is non-refundable. The counter fee may be returned, but the staff hours are not. A significant share of friendly fraud disputes are honest confusion rather than malice, and a meaningful percentage of those can be stopped before the customer ever picks up the phone.
Make the billing descriptor obvious. If your store name and the descriptor on the card statement do not match, you are inviting “I don’t recognize this charge” disputes. Configure your gateway to show a descriptor that includes a recognizable version of your store name, ideally with a contact identifier or domain. This is a five-minute fix in Stripe and PayPal that prevents a real percentage of disputes.
Send post-purchase emails that look like the store. Order confirmation, shipping confirmation, delivery confirmation, and any usage emails should all clearly identify the store, the order, and the reason the customer is hearing from you. Generic emails branded only with tracking codes increase disputes. Tools like Verifi’s Order Insight and Ethoca Alerts can also intervene at the issuing bank level when a customer is about to dispute, but the on-brand emails do most of the work.
Be findable when a customer is confused. A customer who cannot reach support quickly disputes the charge instead. A clearly published support email or chat, displayed in the post-purchase emails and on the order details page, costs nothing and prevents the path of least resistance from being the chargeback.
Use 3D Secure where it makes sense. 3DS shifts liability to the issuing bank for fraud-related disputes, including some friendly fraud claims. It adds a friction point at checkout and is not free of conversion impact, but for high-value orders, subscription products, or stores in high-friendly-fraud verticals, it earns its place.
Flag and block repeat offenders inside your own store. WooCommerce will not do this for you out of the box, but any customer who has filed a chargeback against you, whether they won or lost, can be flagged. Their email, shipping address, and payment fingerprint can all be stored. A future order from the same person becomes a candidate for manual review or outright refusal. Stripe Radar rules can do part of this. Custom code or a blocklist plugin handles the rest from inside WooCommerce.
When the customer gloats: what to actually do with it
The Ciglue case is a clean version of something many merchants will see at some point: explicit evidence of bad faith. The customer’s own email saying they planned the dispute, or that they received the product and intended to keep it, or that they have done it before and got away with it.
That evidence is powerful in three places, and it is worth knowing where each one fits.
In the dispute response itself, include the email exchange as part of the evidence package. Issuers do read the documentation when it is concise and clear. The combination of delivery proof, prior undisputed transactions, and a customer admission of the scheme is the strongest case a merchant can present.
In your own store blocklist, add the customer’s email, billing address, shipping address, and any device or IP fingerprints you have. A future order attempt is worth catching.
For high-value or repeated cases, small claims court is sometimes a realistic option in the merchant’s jurisdiction. Friendly fraud is, legally, theft. Banks and card networks treat it as a consumer-protection matter, but small claims courts treat it as a contract and property dispute, and they operate on very different rules of evidence. We are not lawyers, and whether this is worth pursuing depends entirely on the amount, the jurisdiction, and the merchant’s appetite for the process. For a $20 cigar glue order, probably not. For a $1,200 custom product, possibly. The point is that the gateway’s “we cannot help cross-merchant” is not actually the end of every avenue.
What this approach does not solve
The limits are worth being honest about.
None of this prevents the first chargeback from a determined customer. They will file, the bank will provisionally side with them, and your money and product are gone until the dispute resolves. The defense work happens during and after. A good evidence package wins more disputes than a bad one, but win rates of 100% are not realistic. Even strong evidence loses sometimes, especially when the issuing bank has a default-customer-wins policy.
It also does not address card testing, account takeover, or true third-party fraud. Those are different problem spaces with different defenses. Card testing happens at checkout; friendly fraud happens through the dispute system. The tools that stop one usually have no effect on the other.
And for very small merchants, the math sometimes tips toward simply absorbing the loss. A $30 dispute fee plus a $20 product plus an hour of evidence work is, on a single case, not always worth the time. Patterns matter more than individual disputes. If you are seeing one friendly fraud case a quarter, the evidence discipline still pays off, because the practice catches the genuine confusion disputes too. If you are seeing one a week, the discipline becomes essential, and the policy changes around descriptors, post-purchase communication, and customer blocking start to matter much more.
Where to go from here
Two practical things to do this week, no plugin purchase required.
First, check your billing descriptor. Open your Stripe or PayPal dashboard, find the descriptor as it appears on customer statements, and ask yourself whether you would recognize a charge with that text on your own card statement two months from now. If not, change it.
Second, run a quick audit of your most recent disputed orders, if any. For each one, write down what evidence you could have presented and how long it took to find it. Build that into a simple evidence template. The next dispute will arrive on a 7-to-21 day clock, and having the template ready is the difference between a confident response and a rushed one.
Friendly fraud is not going away. The numbers say it is the largest single category of card-not-present chargebacks, the fastest-growing fraud type for many merchants, and the one gateway fraud tools are structurally worst at preventing. The merchants who handle it best are the ones who treat dispute evidence as a normal part of operations rather than a fire drill.
Further reading
Yoav Aner’s original post on Stripe and friendly fraud is a clear short read on the merchant-side experience. The MRC’s 2026 Global eCommerce Payments and Fraud Report has the underlying industry data on first-party misuse. Visa’s Compelling Evidence 3.0 Merchant Readiness document spells out the exact qualification rules for reason code 10.4 disputes. Stripe’s documentation on handling disputes covers their evidence submission process and the current fee structure.