
Introduction: We’re not trying to scare you, but…
For decades, fraud prevention for retailers online was essentially a login problem. Secure the account, verify the credential, and the transaction that followed was presumed legitimate.
That model no longer holds.
Despite a decade of structural transformation, many industry-standard fraud controls — passwords, one-time codes, CAPTCHAs — are becoming outdated and increasingly ineffective against emerging threats, especially AI-driven ones.
Fraud teams in retail need to embrace a new mindset and evolve past those conventional fraud controls, because today’s omnichannel shopping environment has a larger attack surface than ever before.
- Loyalty programs concentrate stored payment methods, reward balances, and purchase patterns into a single, high-value account target.
- Buy online, pick up in store (BOPIS) introduces a blended risk area, where fraudsters can exploit the online experience and make off with physical goods.
- Account security — along with account takeovers, payment fraud, and chargebacks — can no longer be treated as a single-point-of-defense problem.
It’s no longer just about securing at a single interaction, or using a single risk indicator.
Global ecommerce fraud losses exceeded $138 billion in 2025. And it’s projected to nearly double by 2029. Online payment fraud on its own cost merchants $53 billion in 2025.
These stats demonstrate how much fraudsters have already adapted to traditional fraud defense methods, and how they continue to hit the bottom line for retailers.
Consumer behavior in the digital-first, always-on market means there’s a vast and complex area of exposure. Precise, accurate detection is vital across the entire environment — from initial visit to account login to guest checkout to order fulfillment.
Simply adding new challenges and authentication layers puts fraud teams in a bind: Any meaningful security gain can be cancelled out by the damage to UX. Every added friction point can harm retention and revenue. Loyal customers get frustrated. New customers don’t convert.
The reality for fraud defense in online retail is this: Teams need to have broad and deep visibility for threat detection at scale, delivered in a way that won’t impact the core user experience.
In this report, we’ll examine how account fraud in retail has evolved, take a closer look at the risk elements across different attack surfaces, and cover how device-level intelligence is an essential layer that can strengthen controls and reduce risk for retailers.
BOPIS: The bridge between digital fraud and physical product loss
Buy online, pick up in store (BOPIS) has become a primary channel for organized retail crime (ORC). One study by the National Retail Federation found that more than half of all retailers had fraud incidents conducted by ORC groups in 2025.
The BOPIS model removes the friction that once slowed fraud: A fraudster who obtains valid account credentials can place an order for high-value merchandise and collect it in person, often before the legitimate account holder is even aware of the breach.
This happened in March 2026 at the home improvement retailer Lowe's. Legitimate customer account credentials were stolen and used to place online orders, and a number of high-value construction materials were then picked up at locations across several counties in Pennsylvania. The scheme resulted in nearly $50,000 in losses before the criminals were apprehended.
What makes the Lowe's case instructive is its structure: Because the credential layer was treated as authentic, the transaction and fulfillment steps that followed both assumed that a completed digital order meant a legitimate customer.
This is just one example of many. The National Retail Federation calculated that retail crime collectively costs retailers over $112 billion annually.
Chargebacks and disputes: The hidden cost of operational strain
Another exposure area for retailers is user account security and account takeovers (ATO).
When you add chargebacks and dispute workflows, the true financial weight of retail ATO can be an invisible cost center that compounds the direct fraud loss by a factor of two to four times before the case is closed.
The mechanics of ATO are straightforward. A fraudster places an order using a compromised account's stored payment method. The order ships or is picked up. The legitimate cardholder notices the charge, contacts their bank, and files a dispute. The bank initiates a chargeback.
When the retailer receives the chargeback notice, they face a choice: Contest the dispute with evidence, or absorb the loss.
Either path is expensive.
Contesting a chargeback requires labor. A human has to analyze transaction records, account activity, and authentication logs, then assemble and report on the event within a tight response window.
For retailers without clean and accurate device-level data, the dispute process can have little return on the effort expended. The customer's bank will often rule in favor of the cardholder, and the retailer eats the loss plus the chargeback fee, which typically runs $20 to $100 per transaction on top of the disputed amount.
And the expense doesn't stop at this chargeback fee, either.
High chargeback rates can trigger escalating consequences from payment processors. For omnichannel retailers who may process thousands or millions of transactions monthly, a fraud spike that pushes the chargeback ratio above a certain threshold can negatively impact the relationship with their payment platforms, and result in even more fees.
Dispute work can also take time and attention from fraud teams that could otherwise be spent on proactive detection. Analysts pulled into chargeback responses are not building detection models, reviewing suspicious activity, or improving the accuracy of risk scoring.
The overall operational strain is a compounding tax on the fraud team's effectiveness.
Research from the payments industry estimates that for every $1 in direct fraud loss, retailers incur over $4 in associated costs: chargeback fees, processing penalties, dispute labor, and customer service contacts. And this expense is only growing.
The most effective place to break this chain is upstream of the transaction. A risky session that is flagged early — or even blocked before order placement — generates no chargeback, no dispute labor, no processing fee, and no customer remediation cost.
Device-level signals can give this level of insight and eliminate the entire fraudulent cascade.
Trad-auth isn’t enough
The default playbook for retail account security — passwords, multi-factor authentication (MFA), and CAPTCHA challenges — was implemented for a simpler attack environment. It assumed that verifying what someone knows (a password) or owns (a phone for MFA) would reliably distinguish customers from fraudsters.
That playbook is now outdated.
Stolen credentials are cheap, widely available, and industrially harvested. Data breaches, phishing campaigns, and AI-powered social engineering methods produce billions of fresh username/password combinations. These flow into criminal marketplaces and become the raw material for credential stuffing attacks against retail login endpoints.
AI has only accelerated this dynamic.
Fraudsters now use AI to craft convincing phishing pages and emails that capture consumer credentials at scale. The same technology is used to write scripts that can defeat CAPTCHA challenges. Deepfakes are increasingly able to pass verification checks. MFA can also be bypassed via SIM-swapping, real-time phishing relays, and social engineering that tricks consumers into approving fraudulent authentication requests.
The result: The credentials that once safely cleared a retailer's standard authentication stack are no longer a reliable signal of a legitimate customer.
Those credentials can confirm that someone possesses correct login information. They say nothing about the device, the behavioral context, or the legitimacy of the session behind it.
Friction vs conversion: Abandonment happens
Adding more authentication steps is an often-intuitive way to try and strengthen credential flows and account security. But this carries real, measurable tradeoffs.
Namely, the impact on conversion rates.
Every added friction point can cause shoppers to not follow through on their purchase.
58% of shoppers abandon their transaction when they encounter difficulties at the login or verification step. 1 in 4 consumers abandon a $100 cart when required to reset their password. 1 in 5 consumers abandon checkout when asked to verify or reset their password.
For omnichannel retailers whose most valuable customers are loyalty members, adding friction can frustrate those customers. Every unnecessary challenge step is an invitation to abandon the cart, seek an alternative, or disengage from the loyalty program entirely.
It is a tax on retention, reputation, and lifetime value.
False positives and the grey space of outdated risk indicators
Static and rule-based fraud detection systems that evaluate traffic against fixed risk thresholds can generate high false positive rates. Every false positive represents a declined transaction, an unnecessary step-up challenge, or a blocked account that incurs customer service costs and retention damage. And every one is a challenge to analyze, and an added strain on fraud teams.
Traditional visitor recognition methods compound this problem. Cookie-based identification fails when users switch browsers, clear their cache, reset settings, or use incognito mode.
The widespread use of VPNs, which may have been seen as an indicator of risk before, no longer holds the same weight — as privacy-conscious legitimate users now may trigger the same VPN usage signal.
In our 2026 Device Intelligence Report, data from across 23 billion device identification events in 2025 showed roughly 1 in 5 involved VPN usage. For Chromium-based desktop browsers, that climbs to 1 in 3. Even on mobile, 13% of identification events involve VPN routing. All of these are up from the prior year, demonstrating how VPNs are becoming a routine part of internet traffic.
Using VPN routing as a static risk indicator could spike false positive rates unnecessarily.
Said another way: A fraud detection layer that focuses on any one indicator in isolation may raise risk alerts for legitimate customers. A detection system that is simultaneously too permissive toward real threats and too aggressive toward real customers occupies a grey space that fraud teams don’t want to be in.
Dynamic risk scoring that can be weighted and tuned to specific traffic patterns and business needs can be a huge difference maker for companies trying to strengthen account security — without impacting conversion rates.
Loyalty accounts as targets, part 1: Fraudsters behind a tree, rubbing their hands together
Retail loyalty programs are designed around a simple premise: Concentrate relationship value into a single account, and the customer who holds that account will spend more, return more often, and cost less to serve.
For large-format retailers like Lowe's, which serve both everyday consumers and professionals, loyalty accounts are also a key commercial relationship.
This concentration of value is precisely what makes loyalty accounts the primary target layer for retail account fraud, and it’s why loyalty program fraud has emerged as one of the fastest-growing fraud categories in retail.
The economic logic is straightforward.
Loyalty accounts hold stored payment methods, redeemable points balances, gift card credits, and purchase history that can be monetized — either through direct redemption or by reselling access to this valuable account information.
Loyalty accounts as targets, part 2: It’s like the opposite of a flywheel
When a loyalty account is compromised, the financial damage compounds quickly. Beyond what may be a single fraudulent transaction, the impact can include:
- Direct fraud loss on orders placed with stored payment methods
- Chargeback processing fees and dispute costs
- Customer service volume for account recovery
- Potential regulatory exposure for the data breach
- Customer relationship damage from the experience itself
Customers who experience fraud on a platform are significantly more likely to churn, reduce purchase frequency, and disengage from loyalty programs regardless of how well the retailer handles the recovery. The true cost of a compromised loyalty account is not a single transaction — it is the customer lifetime value (CLV) of the person who is walking away.
This is the core reason account fraud in retail is not a fraud team problem in isolation.
It is a growth problem.
Loyalty accounts as targets, part 3: Okay, spill the loyal-tea
Loyalty programs are some of the highest value accounts in retail. Members may outspend non-members by a factor of two to five times, depending on the program tier, with greater frequency, higher average order values, and lower acquisition cost per purchase.
It's why CLV is a crucial metric for many retailers. It's also what makes these accounts attractive as fraud targets, and it is exactly where the friction-fraud tension becomes a strategic problem, not just an operational one.
The conventional response to account takeover risk is to add more authentication requirements: password resets, OTP verification before reward redemption, step-up challenges. Each of these controls is individually defensible. Collectively, they create a user experience that repeatedly asks the most valued customers to prove they are who they say they are.
Which, in turn, frustrates those highest-value members.
For a member with a high balance and stored payment methods, numerous forced authentication steps during redemption are not a minor inconvenience — they start to send the message that the member relationship is more adversarial than built on trust. Those frequent visits, habitual purchases, and positive brand impressions may start to erode.
Instead of becoming the highest contributors to the CLV metric, frustrated loyalty members may abandon transactions, even abandon the loyalty program entirely.
Yet the flip side can be equally acute: Fraud events that impact loyalty members can be highly damaging to that relationship, too.
Members affected by fraud will experience a breach of trust with the brand that stored and presumably protected their data, payment methods, and rewards history.
Even when done well, remediation processes take time and require multiple customer service engagements — and still generate frustration. A quarter of loyalty members will cancel their memberships following a single account compromise after experiencing fraud, regardless of how effectively the brand responds.
This puts fraud defense for loyalty programs in a bind. Aggressive fraud controls erode CLV through friction and abandonment. Meanwhile, insufficient controls damage CLV from the other side, through fraud events and the trust collapse that follows.
The path out of this bind is not more frequent password resets or CAPTCHAs. It is a device-level intelligence layer that is accurate enough to identify risky activity without triggering friction for legitimate and loyal customers.
The member is invisibly recognized and served a seamless site experience. The fraudster is flagged as high risk and can be dealt with in a separate path.
What device intelligence does: Persistent, accurate risk signals for stopping retail account fraud
The best solution for fraud detection across retail accounts is improving the quality of the risk signal at the device level.
Device intelligence processes 100+ browser, network, and device attributes — things like hardware configuration, installed fonts, browser behavior, network characteristics, and timing patterns — to generate a persistent, highly accurate identifier for every visitor.
Unlike cookie-based tracking, this visitor ID (also known as a device fingerprint) cannot be cleared or blocked. It persists over time and across sessions, and even survives cookie deletion, browser resets, and incognito mode.
This persistent ID empowers a new approach to fraud defense, one that can't be evaded in a single point in time. Initial visits, logins, transactions, and fulfillment can be tied to known devices and give retail more security across the entire chain.
If a new device accesses a trusted loyalty account, the action can be flagged and analyzed for risk. A known fraudster with stolen credentials can be spotted earlier, even on their first visit, by correlating device activity to known risk patterns.
When fraud teams add a more advanced set of Smart Signals — such as browser tampering, bot activity, timezone mismatches, and behavioral anomalies — they get even more detailed risk assessment insights for their fraud engines. Device-level data can give greater depth and clarity for dispute defense.
Smart Signal data can also be dynamically calibrated and weighted, rather than applied as a uniform rule. High-risk sessions trigger step-up challenges or blocking. Normal sessions pass through without friction.
Apply device intelligence liberally in these four places
- Account login. Flag first-time device access to high-value accounts — those with stored payment methods, high loyalty balances, or Pro tier status — for step-up authentication, while allowing recognized devices to log in without interruption. This approach concentrates friction where the risk is highest, not across the entire customer population.
- BOPIS order placement. Perform device-level verification at the point of digital order confirmation, not at store pickup. This closes the execution gap that ORC rings exploit, where a confirmed digital order has already allocated inventory and charged a payment method before any in-store check occurs. Fraud stopped at order placement stops the entire downstream impact.
- Guest checkout. Persistent device identification links checkout sessions across attempts from the same device, enabling the detection of repeat fraud attempts. A guest checkout that appears on a device with a history of chargebacks or suspicious activity can be flagged for review. First-time buyers with no historical activity can be served seamless checkouts.
- As an accurate signal input to ML models. Device data improves the accuracy of machine learning fraud models by providing highly accurate session-level context. The combination of device history, behavioral signals, and Smart Signals enables models to reduce false-positive rates while learning, adapting, and improving detection of novel attack patterns. More accurate models mean less friction for legitimate customers and fewer fraudulent sessions that slip through.
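To make the contrast between a static VPN rule and weighted, tunable risk scoring concrete, and to show the login and guest-checkout placements above in one place, here is an added example. It is not Fingerprint's code: the signal names, weights, thresholds, account IDs and visitor IDs are all constructed for illustration, and the "known devices" store is a hypothetical in-memory dictionary.

```python
# Added example (not Fingerprint's code): weighted session risk scoring over
# constructed device-level signals, contrasted with a static "VPN = risky" rule.
from dataclasses import dataclass


@dataclass
class Session:
    visitor_id: str                 # persistent device identifier (constructed)
    account_id: str                 # "acct-guest" marks a guest checkout
    vpn: bool = False
    browser_tampering: bool = False
    bot: bool = False
    timezone_mismatch: bool = False
    prior_chargebacks: int = 0      # chargebacks already tied to this visitor_id


# Hypothetical store of devices each account has successfully used before.
KNOWN_DEVICES = {"acct-pro-001": {"v-aaa"}, "acct-guest": set()}
# Accounts with stored payment methods, high loyalty balances or Pro status.
HIGH_VALUE_ACCOUNTS = {"acct-pro-001"}

# Constructed weights. VPN alone is deliberately weak: roughly 1 in 5 events
# use one, so treating it as decisive would flood the queue with false positives.
WEIGHTS = {"vpn": 10, "browser_tampering": 40, "bot": 60, "timezone_mismatch": 15,
           "new_device_high_value": 40, "new_device": 10, "prior_chargeback": 30}
STEP_UP, BLOCK = 40, 80             # score thresholds, tunable per business


def static_rule(s: Session) -> str:
    """The outdated approach: any VPN routing triggers a challenge, nothing else does."""
    return "step_up" if s.vpn else "allow"


def risk_score(s: Session) -> int:
    """Sum weighted signals; first-time device on a high-value account weighs most."""
    score = sum(WEIGHTS[n] for n in ("vpn", "browser_tampering", "bot",
                                     "timezone_mismatch") if getattr(s, n))
    if s.visitor_id not in KNOWN_DEVICES.get(s.account_id, set()):
        high = s.account_id in HIGH_VALUE_ACCOUNTS
        score += WEIGHTS["new_device_high_value" if high else "new_device"]
    # Device history from guest checkouts: cap so one field cannot dominate.
    score += min(s.prior_chargebacks, 2) * WEIGHTS["prior_chargeback"]
    return score


def decide(s: Session) -> str:
    """Map a score to a friction level: allow, step-up challenge, or block."""
    score = risk_score(s)
    return "block" if score >= BLOCK else "step_up" if score >= STEP_UP else "allow"


def remember_device(s: Session) -> None:
    """After a passed step-up, trust the device so later logins are frictionless."""
    KNOWN_DEVICES.setdefault(s.account_id, set()).add(s.visitor_id)
```

A loyal member on a recognized device behind a VPN is challenged by the static rule but allowed by the weighted score, while a first-time device on the same high-value account, which the static rule ignores, gets a step-up.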
Retailers ready to reduce risk ♥️ device intelligence
As loyalty programs scale and omnichannel fulfillment expands, the account fraud problem in retail will only become more acute. Traditional auth controls will continue to be defeated by novel and sophisticated attacks. Rule-based systems will continue to produce the false positives that damage conversion and retention. And BOPIS and loyalty programs will continue to be susceptible avenues of attack.
The retailers who strengthen their defenses won’t do so by adding more friction for all customers. They will do it by getting the device signal right, so they can recognize and distinguish legitimate customers from the fraudulent actors trying to stay hidden.
The Fingerprint device intelligence platform is purpose-built to solve the accuracy and friction challenge at the core of retail fraud prevention.
It is not a replacement for existing fraud tools and authentication flows. It is an added layer of signal data that makes every other layer in your fraud engine more accurate.
We give fraud teams unparalleled breadth and depth of signals in a single API response, in milliseconds. By analyzing 100+ device and browser signals, Fingerprint generates a unique visitor identifier that persists across sessions, and lasts for months, not days.
For retail fraud and product teams, Fingerprint device intelligence can reduce risk for the business, reduce friction for loyal customers, and reduce the losses and operational strain that come from fraud.