Return fraud is not one thing. It is twelve rehearsed plays, most of which have been running since mail-order catalogs existed and which the internet has only made cheaper to execute. If your team is losing refunds you cannot explain, the fix is almost never a new tool — it is a vocabulary.
This guide gives you that vocabulary. For each pattern we describe the signature (what you see), the incentive (why someone does it), the defence (what actually works), and a benchmark (how common it is). We will cross-link to the deeper guides in the cluster as we go. At the end you will have a one-page triage map you can paste into a runbook.
How We Group the Twelve
| Family | Where it lives | Examples covered below |
|---|---|---|
| Abuse of refund policy | The buyer's intent — the goods really do come back, but the return should not have been allowed. | Wardrobing · Serial returners · Receipt fraud |
| Fabrication of evidence | The buyer's evidence — photos, claims, descriptions — is manufactured. | Photoshopped damage · AI-generated claims · Empty-box returns |
| Identity and payment | The buyer, the card, or the delivery chain — fraud happens outside the goods themselves. | Friendly fraud · Chargeback fraud · Bricking · Price arbitrage · Item-swap · Cross-retailer returns |
The grouping matters because the three families require different defences. Refund-abuse needs policy changes. Evidence-fabrication needs forensic capability. Payment-identity needs risk signals from your payment provider and data enrichment.
Family 1 — Abuse of Refund Policy
1. Wardrobing
Signature. Clothes with a single wear — perfume, deodorant traces, a creased lining from one evening — returned as "not as expected". Typically within 72 h of receipt, timed just before the return window closes.
Incentive. The cost of renting the equivalent dress or suit. A €180 cocktail dress for an event on Saturday, returned Monday with a €0 rental cost.
Defence.
- Tag at the hem with a brightly-coloured tag the buyer must not remove. If the tag is removed, policy voids the return.
- Intake-photograph every garment on the warehouse return bench. Sweat stains, perfume, make-up at the collar — all visible on close-up.
- Scent-detection at intake (surprisingly cheap — a second warehouse worker with a habit of smelling the underarm lining catches 30 % of wardrobed returns).
Benchmark. NRF 2024: wardrobing runs 1.3–2.8 % of apparel returns industry-wide. DTC fashion brands in our dataset see 3–5 %. Deep-dive: the wardrobing detection guide covers the tell-tale EXIF markers when photos are involved.
2. Serial Returners
Signature. One customer account, >35 % return rate over a rolling 90-day window, across multiple SKUs and categories. Frequently orders 3–5 items, keeps one, returns the rest — buy-to-try behaviour paid for by you.
Incentive. Free try-on-at-home, underwritten by your shipping subsidies and labour.
Defence. Tier your returns. After 90 days, a customer above a threshold (we recommend 40 % return rate with at least 5 orders) moves from free to paid returns. Communicate this in the confirmation email so it is not a surprise. Shopify, Woo and Shopware all support per-customer-segment return-reason configuration.
Benchmark. Appriss Retail 2023: ~6 % of customers account for 43 % of total returns in apparel. The top 1 % account for 18 % on average.
3. Receipt Fraud
Signature. A customer submits a return for an item they never bought from you. Fake receipt, screenshot of an altered order email, or a receipt stolen from a discarded bag. More common in-store than online, but the online version exists: faked PDF invoices.
Incentive. Direct theft of store credit or refund.
Defence. Never accept a return without the internal order-ID in your system. A customer-provided receipt should be a secondary check, not the primary. On any return portal, enter the order number first; the portal looks up the order; only then does the return go through.
Benchmark. NRF 2024 Retail Security Survey: receipt fraud accounts for roughly 2.8 % of return fraud dollars. Low for online stores, high for brick-and-mortar.
Family 2 — Fabrication of Evidence
4. Photoshopped Damage
Signature. A customer sends a photo of damage that either (a) was not there when the box was shipped, or (b) does not exist at all. The damage is painted in with Photoshop, Apple Clean Up, Samsung Object Eraser or a similar consumer tool.
Incentive. Claim the refund, keep the product. For products under €100, most merchants simply refund without demanding the return.
Defence. Three-layer forensics. Metadata check (EXIF Software, DateTimeOriginal, MakerNote), pixel-level forensics (ELA, noise distribution), and AI-content detection for recent inpainting. Deep-dive in the photoshop-detection checklist.
Benchmark. Our dataset: 2.8 % of damage-claim photos show explicit Photoshop or AI-editor markers. Another 4–6 % show compelling secondary signals (shadow inconsistency, missing MakerNote).
5. AI-Generated Damage Claims
Signature. A photo of damage that never happened. Not painted on top of a real product image but entirely generated — Midjourney, Firefly, Stable Diffusion. Subtle: shadow physics are correct, texture is correct, but the scene does not exist.
Incentive. Same as photoshopped damage, but the evidence is harder to disprove visually because the physical laws check out.
Defence. Specialised AI-content detection APIs. Sub-second per image, 10–20× cheaper than running a vision LLM on every claim. The defender's advantage here is that AI-generated images strip MakerNote completely — the metadata signature is often the decisive tell.
Benchmark. In Claimscan's pipeline we saw AI-generated damage claims go from under 0.5 % in early 2024 to ~3 % in Q1 2026. The slope is steep. This category is moving fast.
6. Empty-Box Returns
Signature. The parcel arrives back at your warehouse with the original packaging but missing the product — or with a same-weight substitute (sandbag, old electronics, rocks). The customer claimed "it arrived empty" or "you shipped the wrong thing".
Incentive. Keep the product, get a refund, let the warehouse be blamed for the discrepancy.
Defence. Weigh outbound + weigh inbound, film every return open on a fixed-camera bench, require photos of all six box sides on any "arrived empty" claim. See the empty-box playbook for the workflow.
Benchmark. Appriss 2023: 3–5 % of total returns for items >€100. Peaks on Black Friday weekend when warehouse throughput hides the gap.
Family 3 — Identity and Payment Vectors
7. Friendly Fraud
Signature. The cardholder denies making a purchase they actually made. Often called "first-party fraud" in payment-industry language. The refund is requested from the issuing bank (chargeback) rather than from you directly.
Incentive. Customer regret, forgotten purchase, or deliberate deception banking on the merchant absorbing the dispute.
Defence. Strong KYB/KYC at checkout (3DS2 for EU, device fingerprinting globally), shipping-confirmation emails with delivery photos where the carrier supports it (DHL, UPS), and prompt, evidence-heavy responses to chargebacks. Mollie, Stripe and PayPal all allow uploading evidence into the dispute flow.
Benchmark. Visa's 2024 data: friendly fraud is now 60 %+ of all chargebacks in DTC e-commerce, up from 35 % in 2020. Our guide on friendly fraud breaks it down further.
8. Chargeback Fraud
Signature. A variation of friendly fraud where the customer deliberately files a chargeback instead of a return — often after the return window has closed, or to escape a non-refundable fee. The goods are kept.
Incentive. Bypass the merchant's refund policy by leveraging the card network's buyer-protection rules.
Defence. Document the sale end-to-end: IP address at checkout, device fingerprint, shipping confirmation, delivery scan, any email correspondence. On PayPal and Mollie, uploading this bundle overturns roughly 30–40 % of chargebacks. Also see our cross-reference: return fraud vs. chargeback fraud for when each applies.
Benchmark. Chargeback Gurus 2024: merchants lose on average 0.6–1.2 % of revenue to chargeback fraud. Electronics and luxury goods run double.
9. Bricking
Signature. A customer buys an electronic device, swaps in a broken or older unit of the same model, and returns the broken one as "defective on arrival".
Incentive. Free replacement of their own broken unit, or a refund that covers the difference between old-stock value and new purchase.
Defence. Serial-number capture at shipping. Every device leaves with a serial logged against the order; no return is accepted unless the serial matches. Takes a barcode scanner and 5 seconds per outbound pack.
Benchmark. NRF 2024: bricking accounts for 11 % of consumer-electronics return fraud by dollars. Extremely common on refurbs and marketplace sellers where serials are rarely logged.
10. Price Arbitrage
Signature. Customer buys the same SKU at two retailers (or two price points) and returns the more expensive one to the cheaper retailer, pocketing the difference. Scales with dynamic pricing.
Incentive. Exploit price volatility. The more promotional your pricing, the more of this you will see.
Defence. Enforce "return to origin" — items purchased through your direct channel can only be returned through that channel. Reject in-store returns of online orders where the online price was a time-limited promo. Requires coordination between the online store and any retail/marketplace footprint.
Benchmark. Retail Dive 2024: price arbitrage grew 180 % year-over-year in Q4 2023 for fashion, driven by automated price-tracking tools consumers use to find discrepancies.
11. Item-Swap Substitution
Signature. Customer returns "the item" in the original packaging, but what is inside is a counterfeit, a broken version, or a different SKU entirely. The cousin of empty-box fraud — the box is not empty, it just contains the wrong thing.
Incentive. Keep the real item, return a worthless substitute for a full refund.
Defence. The warehouse-bench camera catches this one. Second defence: SKU-barcode re-scan at intake. Every returning SKU gets scanned, and the scan result is compared with the order — mismatch blocks the refund pending investigation.
Benchmark. Appriss 2023: 8 % of high-value returns (>€500) show SKU mismatch.
12. Cross-Retailer Returns
Signature. Customer buys at Store A, returns to Store B because Store B has a more lenient policy. Most common with marketplace sellers: the "same" SKU listed by multiple sellers gets bought from one and returned to another, with buyers gaming the difference in policies.
Incentive. Easier refund path.
Defence. Marketplace-level serial-number and transaction-ID checks. On Amazon and eBay, every return request should be matched against the original order ID in the same seller account before being accepted. Amazon enforces this automatically; third-party sellers outside the marketplace umbrella do not.
Benchmark. Roughly 4–7 % of marketplace returns fail the order-match test when it is enabled. The test is usually turned off.
A One-Page Triage Map
| First signal you see | Most likely pattern | Next step |
|---|---|---|
| Customer return rate > 40 % over 90 days | Serial returner (#2) | Move customer to paid returns |
| Photo of damage with `Software: Adobe Photoshop` in EXIF | Photoshopped damage (#4) | Run full forensic pipeline; reject if confirmed |
| Photo has no MakerNote + generic shadows | AI-generated (#5) | Run a specialised AI-image detector; 80 %+ detection rate |
| Parcel arrives back 150 g below outbound weight | Empty-box (#6) or item-swap (#11) | Open on camera; match against intake scan |
| Chargeback filed with 'did not authorize' reason | Friendly fraud (#7) | Upload evidence bundle to issuer via Mollie/Stripe/PayPal |
| Return requested at 89 days on a 30-day-old order | Chargeback avoidance (#8) | Tighten window; require receipt match |
| Electronics DOA with scratched serial label | Bricking (#9) | Match returned serial to shipping log |
| In-store return of online-promo SKU | Price arbitrage (#10) | Verify channel + promo eligibility |
| Dress returned with deodorant + no tag | Wardrobing (#1) | Policy block; photograph evidence |
Building a Defence That Scales
There is a common failure mode where a store fixes one pattern and assumes the rest will follow. They will not. Wardrobing is a policy problem. Chargeback fraud is a payment-data problem. Photoshopped damage is a forensics problem. The three solutions do not share tooling.
What they do share is a process:
Stand up a return-fraud programme in 30 days
The minimum viable defence that covers all three families.
- Week 1 — Data baselinePull 6 months of returns. Segment by reason code. Count how many fall into each of the 12 patterns. You will usually find 80 % of your fraud concentrates on 3–4 patterns.
- Week 2 — Policy tighteningFor the top pattern in family 1 (abuse): write the policy change, communicate it in the confirmation email, deploy to the checkout and return portal. Cost: hours, not money.
- Week 3 — Forensic capabilityFor the top pattern in family 2 (evidence): plug in a metadata + AI-detection pipeline. Three options: build with exiftool + a vision API, use Claimscan, or outsource to a Trust-and-Safety provider.
- Week 4 — Payment signalsFor the top pattern in family 3 (payment/identity): enable 3DS2 on EU traffic, turn on your payment provider's risk rules, and start uploading evidence bundles to every chargeback within 24 h.