The platform risk paradox: Managing digital commerce fraud at scale

12 June 2025
by Payments Intelligence

What is this article about?

How digital commerce platforms manage escalating fraud risks while scaling operations.

Why is it important?

Rising fraud, complex regulations, and evolving threats are straining platforms’ ability to grow securely.

What’s next?

A shift toward AI-driven, integrated fraud management systems aligned with tightening UK regulations.

Digital commerce has revolutionised global retail. This unprecedented growth has created vast opportunities for businesses while simultaneously generating complex fraud ecosystems that threaten sectors across the digital economy. Platform operators find themselves at the centre of this challenge, managing dual imperatives: enabling frictionless merchant onboarding to capture market share whilst maintaining rigorous risk controls to prevent significant fraud losses.  

Consumer fraud losses reached $12.5 billion in the United States in 2024, whilst e-commerce fraud losses are projected to climb from $48 billion in 2024 to $107 billion by 2029. The emergence of AI-powered fraud techniques, sophisticated supply chain attacks, and regulatory fragmentation across jurisdictions has produced a risk environment that outpaces the capabilities of conventional fraud controls.  

Modern platforms operate in an environment where 269 million card records were posted on dark web platforms in 2024, and friendly fraud accounts for 75% of all chargeback losses. Consequently, the cost of fraud prevention now reaches $4.61 for every $1 of actual fraud incurred, intensifying the trade-off between safeguarding the platform and maintaining scale.

Understanding and addressing the complex fraud ecosystem is now essential for UK platforms operating in an increasingly hostile digital environment. Navigating evolving regulatory requirements, leveraging advanced detection technologies, and implementing scalable strategies for managing merchant risk have become critical capabilities. As threats continue to grow in both volume and sophistication, platform operators must find new ways to balance commercial agility with robust risk oversight.

Executive summary

Digital commerce platforms face a structural paradox. To grow, they must remove friction and onboard merchants rapidly. To stay secure, they must enforce controls that inevitably introduce delay and complexity. This tension between scale and safety defines the platform risk paradox—and resolving it is now a leadership imperative.

The scale of the threat

Fraud in digital commerce is no longer a marginal loss—it is a systemic, expanding threat. UK card fraud alone reached £396 million in 2022, with friendly fraud responsible for most chargebacks. Global e-commerce fraud is projected to surpass $100 billion by 2029. This scale puts fraud at the centre of strategic decision-making for any platform leader.

Why platforms are exposed

Platform models are uniquely vulnerable. High-volume onboarding, open ecosystems, and decentralised merchant networks create ideal conditions for abuse. Fraud is no longer just a technical problem—it’s a product, compliance, and strategic issue embedded in the business model.

Regulation is reshaping the landscape

UK legislation is increasing corporate liability and tightening compliance expectations. From the Online Safety Act to the new “failure to prevent fraud” offence, platforms are being held responsible for criminal misuse of their systems. Compliance is becoming a competitive differentiator.

Technology is evolving—but not a silver bullet

AI-powered defences are advancing rapidly, from intent-based detection to behavioural biometrics. But fraudsters are adopting the same tools, creating an arms race. Technology must be part of a wider strategy that includes governance, user design, and operational readiness.

A strategic response is now essential

Winning platforms will treat fraud management as a core capability—not a cost to minimise, but a moat to defend. This means aligning risk, product, and compliance leaders around shared priorities, investing in adaptive infrastructure, and building trust into the platform at scale.

Scaling paradox

North America accounts for 42% of global e-commerce fraud by value, followed by Europe at 26%. At these scales, traditional manual merchant vetting becomes nearly impossible. Early-stage platforms can personally vet each merchant through direct relationships, but this approach collapses beyond a certain scale, exposing consistent weaknesses that are exploited by increasingly professionalised fraud networks.

This scaling challenge has opened the door to increasingly sophisticated attacks. The volume of Magecart e-skimmer infections reached nearly 11,000 unique e-commerce domains in 2024, representing a threefold increase from 2023. These attacks inject malicious code into checkout processes to harvest credit card data, with threat actors earning $1,950-$2,400 per month per infected site. This level of technical maturity demonstrates how fraudsters are actively exploiting platform trust models as attack vectors. 
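A defensive check for the checkout script injection described above, added here as an illustration and not taken from the article: it inventories every `<script>` on a page and flags inline scripts, scripts served from hosts outside an allowlist, and third-party scripts that carry no Subresource Integrity attribute. The host names, the allowlist and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy for a hypothetical shop; replace with your own script inventory.
FIRST_PARTY = "shop.example"
ALLOWED_HOSTS = {"shop.example", "js.payments.example"}

# Constructed checkout page fragment.
SAMPLE = """
<script src="/static/cart.js"></script>
<script src="https://js.payments.example/v3.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://js.payments.example/widgets.js"></script>
<script src="https://cdn.metrics.example/tag.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
"""


class ScriptInventory(HTMLParser):
    """Records a (reason, detail) finding for each <script> that breaks the policy."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            # Inline code cannot be pinned by host or hash here: queue for review.
            self.findings.append(("inline-script", f"line {self.getpos()[0]}"))
            return
        host = urlparse(src).hostname or FIRST_PARTY  # relative URL is first party
        if host not in ALLOWED_HOSTS:
            self.findings.append(("unlisted-host", src))
        elif host != FIRST_PARTY and not attrs.get("integrity"):
            self.findings.append(("missing-sri", src))


def audit_checkout(html):
    """Return the policy findings for one rendered checkout page."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for reason, detail in audit_checkout(SAMPLE):
        print(f"{reason:14} {detail}")
```

Run against the checkout page as served to customers on a schedule, any new finding is a change to the payment page's script set that someone should be able to account for.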

Beyond technical attacks, platforms face behavioural fraud that’s equally challenging to detect. Refund and policy abuse affect 49% of online merchants, while first-party misuse impacts a further 45%. These post-purchase fraud types cannot be stopped in real-time, creating operational detection gaps that fraudsters exploit once they’ve gained platform access. 

Regulatory fragmentation

UK regulatory requirements intensify as platforms grow, with multiple overlapping frameworks creating operational burdens. The Online Safety Act alone imposes fines up to £18 million or 10% of annual turnover for breaches, with obligations tiered by operational scope and corporate structure. The Act requires platforms to prevent fraudulent advertisements and implement proportionate systems to minimise content exposure.

Adding to this regulatory burden, the UK’s new “failure to prevent fraud” offence comes into force on 1 September 2025, making large organisations criminally liable for fraud committed by associated persons. With fraud representing the most common crime type in the UK, accounting for around 40% of all crime in England and Wales, this legislation marks a fundamental shift in corporate liability, significantly raising the stakes for platform operators.

Simultaneously, the UK’s Platform to Business (P2B) Regulation requires online service providers to ensure sellers are identifiable and maintain transparency, including providing 15 days’ written notice for term changes. This regulatory framework demands that platforms meet multiple compliance requirements simultaneously, each introducing distinct operational dependencies that complicate implementation at scale.

The cumulative effect creates overlapping obligations that vary by jurisdiction and service combination. Compliance costs scale with platform reach, requiring legal and operational sophistication that often exceeds the capacity of growth-stage UK platforms, particularly when attempting to balance regulatory adherence with competitive market positioning. 

Current fraud landscape

Card-not-present (CNP) fraud, predominantly from e-commerce, dominates the UK threat landscape, accounting for 81% of all UK card fraud, with 2.21 million cases reported in 2022 and resulting in losses of £396 million. This sustained volume of fraud is eroding confidence among UK businesses, with 57% of businesses reporting increased fraud losses, as trust in existing customer verification methods falls from 83% to 68%.

The infrastructure supporting fraud operations underscores the UK’s dual role in the global fraud economy—as both target and enabler. Nearly 1,200 scam domains were linked to fraudulent merchant accounts in 2024, with most registered in the UK and Hong Kong. This highlights the UK’s position as both victim and vector in global fraud operations, creating additional compliance and reputational challenges for legitimate platforms. 

Consumer behaviour adds another layer of complexity to the fraud landscape. 45% of shoppers in the UK have admitted to return fraud or policy abuse, representing an estimated £22.8 billion in return-based fraud in 2022. This scale of first-party fraud highlights how traditional fraud detection methods struggle to distinguish between legitimate customer accounts and those engaging in fraudulent behaviour. 

Technology has intensified these challenges as both fraudsters and defenders deploy increasingly sophisticated tools. AI-driven scams span sophisticated attacks from phishing emails to deepfake videos and voice impersonations, and payments leaders are fighting back with AI-powered defences. Criminals use tools like ‘FraudGPT’ costing £200 per month, fuelling an escalating AI arms race that is redefining fraud prevention.

Traditional attack vectors continue to evolve alongside these new threats. Account takeover attacks exploit credential stuffing and social engineering techniques, with UK Finance recording 34,114 cases of card identity theft in the first half of 2022 alone, leading to gross losses of £21.4 million. The attack surface expands as payment methods diversify and mobile commerce grows across UK markets, forcing platforms to defend against a broader, faster-moving, and more fragmented threat landscape.

Detection technology evolution

AI fraud detection systems increasingly focus on intent rather than identity, processing behavioural signals at scale to uncover patterns that static identity checks miss. The global fraud detection market was valued at £33.13 billion in 2024 and is projected to grow at 18.7% CAGR from 2025 to 2030. 

Effective fraud detection combines supervised learning for identifying known patterns, unsupervised learning for detecting anomalies, and deep learning for recognising complex patterns. High-performance systems now support real-time detection at enterprise scale, processing over 15,000 queries per second with under 100ms detection latency. 

Operational balance

Platform operators face a balancing act in fraud prevention, with mobile transactions, peer-to-peer payments, and QR codes now accounting for 33% of fraud expenses. Operators are caught between enforcing effective controls and maintaining a seamless merchant experience—too much friction deters growth, too little invites abuse.

The friction challenge is immediate and measurable. Adding just five minutes to onboarding processes increases drop-off rates by up to 200% when account creation requirements are introduced. This demonstrates how even minor security measures create significant commercial impact, forcing platforms to treat onboarding friction as both a risk vector and a revenue lever.

Regional variations add another layer of complexity to resource allocation decisions. European platforms spend 10% of annual ecommerce revenue managing payment fraud, compared to 15% in Asia Pacific and 19% in Latin America. These regional differences signal how fraud exposure, enforcement pressure, and market infrastructure shape the cost of operating globally.

However, sophisticated technology offers pathways to reduce this friction-security trade-off. False positive management has emerged as a critical capability, with behavioural analytics able to reduce specific friction points by 20% whilst cutting cart abandonment rates by 40%. This highlights the opportunity for smarter systems to deliver both trust and throughput, without compromising either.

Technology integration

Advanced platforms uniquely combine device intelligence and behaviour biometrics in one Software Development Kit (SDK), proving consistently effective in high-volume, high-risk platform environments. Integration with multiple data providers enhances fraud analysis across UK market conditions, creating comprehensive risk assessment capabilities that scale with platform growth.

Rather than defaulting to binary approve/reject decisions, financial institutions now utilise AI to refine responses and selectively approve customers, allowing platforms to maintain customer flow and minimise false declines, even under elevated risk conditions.
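How a known-pattern score and an anomaly score can feed a graded response instead of a binary approve/reject, as an added sketch that is not from the article or any vendor's product. The feature names, weights and thresholds are constructed; the logistic score stands in for a trained supervised model, and the anomaly score is a median/MAD robust z-score over the merchant's own history.

```python
import math
from statistics import median

# Constructed weights standing in for a trained supervised model (assumption).
WEIGHTS = {"country_mismatch": 1.8, "attempts_last_hour": 0.5, "new_account": 1.2}
BIAS = -3.0
APPROVE_BELOW, DECLINE_FROM = 0.30, 0.80  # assumed thresholds


def known_pattern_score(features):
    """Logistic score over features tied to previously labelled fraud."""
    z = BIAS + sum(w * float(features.get(name, 0)) for name, w in WEIGHTS.items())
    return 1.0 / (1.0 + math.exp(-z))


def anomaly_score(amount, history):
    """Robust z-score of the amount against this merchant's history, scaled to 0..1."""
    if len(history) < 5:
        return 0.5  # too little history to call the amount normal or abnormal
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # avoid division by zero
    return min(0.6745 * abs(amount - med) / mad / 6.0, 1.0)


def decide(features, amount, history):
    """Either signal alone can raise the response; the middle band asks for more proof."""
    risk = max(known_pattern_score(features), anomaly_score(amount, history))
    if risk < APPROVE_BELOW:
        return "approve", round(risk, 2)
    if risk >= DECLINE_FROM:
        return "decline", round(risk, 2)
    return "step_up", round(risk, 2)  # e.g. extra authentication or manual review


if __name__ == "__main__":
    history = [20, 25, 22, 30, 24, 26, 23]  # constructed past order values
    print(decide({}, 25, history))
    print(decide({}, 32, history))
    print(decide({"country_mismatch": 1, "attempts_last_hour": 6, "new_account": 1},
                 25, history))
```

The middle band is where false declines are avoided: an unusual order with no known-pattern hit is challenged rather than rejected.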

The evolution towards intelligent automation represents the next frontier in fraud management. Generative AI now automates rule refinement, suggests new rules for reducing false positives, and assists with scripting complex detection algorithms. This automation substantially reduces manual review costs whilst improving accuracy and consistency, making it increasingly essential for compliance teams under UK regulation, where traceability and auditability are non-negotiable.

However, technology alone cannot solve the platform risk paradox. Platform success requires recognising that fraud management extends beyond simple detection systems. Effective fraud prevention involves organisation-wide awareness, robust internal controls, continuous monitoring of potential indicators, and performing timely investigations within the UK regulatory frameworks. Fraud prevention must evolve into a cross-functional discipline—embedded in product, operations, and governance—not siloed in security.

Future trajectory

Although traditionally reactive, AI is now shifting from enabling interactions to taking autonomous actions, predicting what steps to take and completing them automatically. As AI advances, the fraud landscape becomes a live contest between autonomous threat actors and intelligent defences.

The regulatory environment adds another layer of complexity. The UK Government is developing a new expanded Fraud Strategy expected by end of 2025, emphasising prevention and data-sharing as core solutions, whilst financial services firms face heightened scrutiny under the Economic Crime and Corporate Transparency Act from September 2025. 

Within this evolving landscape, successful leaders will be those who recognise risk management as a competitive differentiator rather than an operational burden. Those who treat fraud prevention as strategic infrastructure—not just insurance—will be best positioned to scale safely and competitively.
