E-commerce merchants know the time costs, revenue and inventory of illegal chargebacks.
However, for many sellers, the damage starts with new accounts. Organized fraudsters can sign up hundreds of times using valid but fake email addresses.
“These fake accounts are created for purposes such as testing cards with small value transactions to see if the number is valid before attempting a larger transaction,” said Diarmuid Thoma, head of fraud and data strategy at email authentication and verification company AtData.
Chargebacks
The primary risk for e-commerce is chargebacks.
When a cardholder disputes a fraudulent transaction, the store loses sales, product, shipping costs, and often incurs additional processing fees.
Repeated disputes can even jeopardize a business’s relationship with its payment processor.
The merchant may feel helpless because the processor authorized the transaction first, but the stores are responsible for accepting stolen card numbers.
Thoma and other email fraud experts believe that fake email addresses are often where the problem starts.
Misuse of coupon
A second form of email-based fraud often appears in e-commerce marketing data.
Scammers use fake but valid email addresses to create bulk accounts to gain promotional value.
Automated scripts send thousands of signups, collect welcome discounts, and exit accounts after the incentive is redeemed.
“The coupon has a monetary value, and when you do it in bulk, it becomes a highly profitable business that can be used and resold,” Thoma said.
Losses from coupon abuse are huge, up to $89 billion a year, depending on the source, and likely impact most e-commerce businesses that offer promotional discounts.
Fake accounts
Fake e-mail addresses thus make it easier to test stolen payment cards and obtain promotions.
This kind of behavior can be quite difficult to detect because “about 98% (of email addresses used), even fraudulent ones, will be valid,” Thoma said, “because the scammer needs to verify them” in order to get the coupon and complete the purchase.
In other words, the earliest stages of this type of e-commerce fraud often look the same to well-intentioned shoppers. By the time the first chargeback appears, the damage has been going on for weeks.
On the contrary, it provides businesses with a relatively simple defense: email authentication.
Sample accounts
Large-scale fake account creation starts with email addresses that follow recognizable patterns, allowing fraudsters to create thousands of variations while bypassing basic authentication checks.
For example, here are three common patterns.
tumbling, where the fraudster overwrites a single base address many times.
- example@example.com
- example.example@example.com
- example@example.com
- ex.example+new@example.com
Small changes, such as added characters or formatting differences, allow each registration to appear unique and still route messages to the same inbox.
Tumbling is particularly effective at avoiding duplicate account checks because each address goes through standard verification.
Gobbledygook emails are machine-generated addresses that appear random but follow consistent automated structures.
Bad actors create these accounts in large batches within seconds or minutes of each other. Thoma described seeing many nonsense emails arriving at the same time, day and time.
Enumeration refers to the generation of a large number of similar addresses, often based on a shared root. “They’re like user 1, user 2, user 3, not necessarily always in a row,” Thoma said. “It could jump to 10, 15, whatever.
Such addresses are easily auto-generated and difficult to label individually, especially if they are spread over time, domains or merchants.
Identification
Each of these techniques creates valid, deliverable email addresses, which is why basic verification often fails to stop them.
Even monitoring these patterns can lead to false positives. Legitimate consumer behavior may appear automated during sales events, product launches, or mass onboarding.
Thus, pattern detection works best in combination with other signals such as account age, name consistency, geographic alignment, device behavior, and transaction history.
The goal is not to block accounts based on a single indicator, but to isolate organized fraud before losses turn into chargebacks.
Prevention
Fraud is often a matter of scale, which is good for very small e-commerce operations. Criminals are unaware or see little potential in theft.
However, large online retailers may want to invest in advanced email verification at the time of sending. Verification at this stage usually costs pennies and combined with sound business rules should reduce fraud.