First-Party Fraud: The Fraud Your Fraud Stack Cannot See
The setup
First-party disputes span both fraud and service reason codes: a genuine cardholder disputing a transaction they themselves authorised. The routes are familiar to anyone who has read a dispute queue — "goods not delivered", "goods don't match description", or a straight "unauthorised transaction". Sometimes it's honest confusion: an unrecognisable billing descriptor, a family member's purchase, a forgotten subscription. Increasingly, it's deliberate: order the product, receive the product, file the dispute, keep both.
The asymmetry does the rest. Representment demands evidence, documentation, and deadlines — so smaller merchants often don't contest at all and simply refund. The customer keeps the product and the money, and learns that the dispute button is a free-refund button.
The numbers
Nobody can measure first-party fraud accurately — and that is the finding. Mastercard and Javelin's research pegs it at roughly one in five disputes; firms sitting on merchant-side data estimate 60–80% of e-commerce disputes. The spread exists because first-party fraud is, by definition, indistinguishable from legitimate behaviour at transaction time. Sift's index shows the trajectory: from 15% of all reported fraud in 2023 to 36% in 2024, the largest category globally.
The loss math is simpler. Global chargeback losses crossed $34 billion in 2025, and LexisNexis puts the fully-loaded cost at $4.61 for every $1 disputed. The structural problem: there is no detection for this at the gateway or the bank when the transaction happens — everything looks clean, the money moves, and the loss lands on the merchant weeks later.
Why now
Four forces converged:
– The dispute button ships inside every banking app. Calling the bank is now easier than emailing the merchant — most disputers never contact the merchant at all.
– One-tap checkouts, shared devices, and subscription stacking manufacture honest confusion at scale.
– "Refund hack" tutorials circulate openly on social platforms, converting confusion into strategy — concentrated in younger cohorts, with high repeat rates.
– The networks are tightening dispute-ratio thresholds on merchants (Visa's dropped to 0.9% in January 2026) — exactly while the hardest-to-prevent dispute type grows fastest.
The inversion
Conventional fraud management is adversarial and pre-transaction: assume an attacker, score the transaction, and let identity confirmation decide. First-party fraud is post-transaction, and the "attacker" passes every identity check — they are the identity. The only signals that work come from the relationship itself: the customer's own dispute history, and the merchant's evidence about what actually happened.
The card networks have already conceded this. Visa's Compelling Evidence 3.0 lets merchants defeat a fraud dispute by showing the same customer, device, and address transacted before without complaint. Mastercard's First-Party Trust programme shares merchant-side evidence with issuers before a dispute becomes a chargeback. Different branding, same admission: the network is now rating customers, using merchant feedback as the signal.
That's the inversion. In third-party fraud, the customer is who you protect. In first-party fraud, the customer is what you underwrite.
The solve
Mitigation follows directly from the inversion — four layers, each feeding the next:
Track disputers across merchants and timelines. A customer's dispute history is portable risk. One dispute at one merchant is noise; the same customer disputing across five merchants in six months is a signature — but only visible at the network, gateway, or aggregator level.
Build the customer graph. Link identifiers — device ID, card ID, UPI ID — so the same person resolves to one node across accounts and merchants. When a known serial disputer transacts, alert the merchant post-transaction: hold fulfilment, verify delivery, keep evidence.
Collect merchant feedback at representment. When a dispute lands, ask the merchant to rate how likely this customer is fraudulent — delivery confirmed, product used, prior purchases clean. That label, fed back into the graph, is training data no pre-transaction model can generate on its own.
Then move upstream. With enough labelled history, dispute-rate scoring becomes a pre-transaction signal like any other: add friction for borderline customers, and block the ones whose dispute rates cross threshold — before the next perfect-looking transaction is approved.
The feedback loop is the product. Fraud management spent two decades scoring transactions against strangers; first-party fraud is solved by scoring relationships — and the side that starts collecting those labels first wins.