Ecommerce merchants know the costs in time, revenue, and inventory of illicit chargebacks.
For many sellers, however, the damage starts with new accounts. Organized fraudsters may sign up hundreds of times, employing valid but fake email addresses.
“Those fake accounts are being created for purposes like card testing with small-value transactions to see if the number is valid before attempting a bigger transaction,” said Diarmuid Thoma, the head of fraud and data strategy at AtData, an email verification and validation service.
Chargebacks
The primary risk to ecommerce shops comes from chargebacks.
When a cardholder disputes a fraudulent transaction, the store loses the sale, the product, shipping costs, and often incurs additional fees from processors.
Repeated disputes may even jeopardize the business’s relationship with its payment processor.
A seller can feel helpless, since the processor authorized the transaction in the first place, but holds shops responsible for accepting stolen card numbers.
Thoma and other email fraud experts believe fake email addresses are often where the problem begins.
Coupon Abuse
A second form of email-based fraud often shows up in ecommerce marketing data.
Fraudsters use fake but valid email addresses to create accounts at scale to extract promotional value.
Automated scripts submit thousands of signups, collect welcome discounts, and then abandon the accounts once the incentive is redeemed.
“A coupon has a monetary value, and when you do it at scale, it becomes a highly profitable business to use and resell,” said Thoma.
The losses from coupon abuse are massive, as much as $89 billion per year, depending on the source, and likely impacting most ecommerce businesses that offer promotional discounts.
Fake Accounts
Thus fake email addresses facilitate stolen payment card testing and promotion harvesting.
This sort of behavior can be relatively difficult to detect, because “about 98% [of the email addresses used], even the fraudulent ones, will be valid,” Thoma said, “because the fraudster needs them to be valid” to receive a coupon and complete a purchase.
In other words, the earliest phase of this kind of ecommerce fraud often looks identical to that of well-meaning shoppers. By the time the first chargeback appears, the damage has existed for weeks.
Conversely, it gives businesses a relatively simple defense: email validation.
Account Patterns
Creating fake accounts at scale starts with email addresses that follow recognizable patterns, allowing fraudsters to generate thousands of variations while bypassing basic validation checks.
For example, here are three common patterns.
Tumbling, where a fraudster rewrites a single underlying address many times.
- example@example.com
- ex.ample@example.com
- e.x.ample@example.com
- ex.ample+new@example.com
Small changes, such as added characters or formatting differences, allow each signup to appear unique while still routing messages to the same inbox.
Tumbling is particularly effective at evading duplicate-account controls because every address passes standard validation.
Gibberish emails are machine-generated addresses that appear random but follow consistent, automated structures.
Bad actors create these accounts in large batches within seconds or minutes of each other. Thoma described seeing many gibberish emails arriving simultaneously, on the same day and time.
Enumeration relies on generating large numbers of similar addresses, often based on a shared root. “They’re like user1, user2, user3, not necessarily always in sequence,” Thoma said. “It could skip to 10, 15, whatever.”
Such addresses are easy to create automatically and difficult to flag individually, especially when spread across time, domains, or merchants.
Identification
Each of these techniques produces valid, deliverable email addresses, which is why basic validation often fails to stop them.
Even monitoring for these patterns can produce false positives. The behavior of legitimate consumers may appear automated during sales events, product launches, or bulk onboarding.
Hence pattern detection works best when combined with additional signals, such as account age, name consistency, geographic alignment, device behavior, and transaction history.
The goal is not to block accounts based on a single indicator, but to isolate organized fraud before losses escalate into chargebacks.
Prevention
Fraud is often a matter of scale, which is good for very small ecommerce operations. Criminals aren’t aware or see little potential in the theft.
Large online retailers, however, may want to invest in advanced email validation at the time of submission. Validation at this phase typically costs pennies, and when combined with reasonable business rules, should reduce fraud.
