When we think about payment fraud, it’s natural to picture businesses that deal with bigger challenges—industries facing more complex regulations and heightened scrutiny. But while these high-profile businesses are often well-prepared to fight fraud, there’s
an unexpected trend emerging: fraudsters are turning their attention to “low-risk” merchants, which typically don’t have the same level of defenses in place.
Labelling a business as "low-risk" can create a dangerous blind spot. Fraud isn’t something we can ignore or eliminate entirely—it has to be managed. As fraudsters adapt to target these less-protected businesses, it’s time for card schemes, payment processors,
and financial institutions to rethink how they assess and support merchants, especially those that have historically flown under the radar.
Breaking down the labels: What makes a business high or low-risk?
In the financial world, businesses are classified as either high-risk or low-risk based on factors like the type of industry, transaction patterns, business model, and even customer demographics. This classification is key to how financial institutions and
payment processors manage fraud, fees, and compliance. Let’s take a closer look at what defines each category.
High-risk businesses tend to operate in industries with higher rates of chargebacks or fraud, deal with large transaction volumes, or serve customers in high-risk regions. These businesses also face stricter regulatory requirements.
Some common characteristics of high-risk businesses include:
- High transaction volumes or large order sizes
- Industries associated with elevated fraud or chargeback rates, such as travel, adult entertainment, or online gambling
- Businesses with poor credit history or a history of excessive chargebacks
- Operating in regions with higher incidences of fraud or economic instability
- Accepting international payments, which can pose additional risks
- Subscription models, which can lead to higher chargeback rates due to billing misunderstandings or customer dissatisfaction.
For high-risk businesses, payment processors often impose higher fees and stricter compliance checks. Taking a proactive approach from the start can make all the difference. A solid onboarding process, for example, can catch potential issues early on, lowering
the risk of unexpected account closures by addressing vulnerabilities right away.
But onboarding is just the first step. Ongoing monitoring is key, keeping an eye out for new risks as they come up and fine-tuning fraud prevention in real time. Together, these steps help payment providers support
high-risk businesses more effectively while staying ahead of evolving fraud tactics.
Low-risk businesses
On the other hand, low-risk businesses operate in industries where fraud and chargebacks are less common, and their transaction amounts are generally lower. These businesses often enjoy faster approvals from payment processors, lower fees, and fewer compliance
hurdles. Characteristics of low-risk businesses include:
- Smaller, predictable transaction sizes
- Lower volume of transactions
- Stable industries with a history of minimal fraud or chargebacks, such as professional services or traditional retail
- Fewer international transactions and operating within low-risk regions
- Simpler business models that keep transactions straightforward and reduce the likelihood of disputes.
Despite being labelled as “low-risk,” businesses in this category still face fraud risks. In fact, this perception of safety can sometimes work against them, as they may not have the same fraud detection measures in place as higher-risk industries. Without
these protections, low-risk businesses can become unexpected targets for fraudsters.
It’s easy to see why these labels exist, but they don’t tell the full story. Fraud doesn’t care about industry—it cares about opportunity. As low-risk businesses become bigger targets, it’s worth asking: are these labels even useful anymore? With fraud evolving
to exploit any weak spots, maybe it’s time to rethink these definitions.
The quiet rise of fraud in low-risk businesses
Take e-commerce, for example. Friendly fraud—where customers dispute legitimate charges—has skyrocketed over the last few years. According to a report from
Juniper Research, merchants are expected to lose over $130 billion globally to fraudulent card-not-present (CNP) transactions between 2023 and 2028. It's not just happening in high-risk sectors; many of these losses are coming from businesses that are traditionally
labelled as "low-risk".
In the UK, retail fraud has hit businesses particularly hard, with a
2024 report revealing a staggering 545% increase in fraud cases, amounting to losses of £5.4 million in just the first half of the year. A significant portion of these losses comes from chargebacks due to payment disputes, often filed as “item not received”
or “unauthorised transaction” claims. Small and medium-sized retailers are especially vulnerable as they typically lack the advanced payment fraud detection technologies that larger companies use to combat such issues.
Time to rethink risk: A smarter approach to fraud prevention
This brings us to a key point: the traditional method of classifying businesses by industry risk alone no longer works. Fraud is constantly evolving, shifting, and adapting to weaknesses—regardless of whether a business is labelled high- or low-risk. What’s
needed now is a smarter, data-driven approach that goes beyond classifications and focuses on real-time behavioural patterns.
One of the most effective ways to combat fraud today is by adopting real-time, data-driven strategies. Take PayPal, for example. With billions of transactions processed, they face enormous stakes. By using machine learning to analyse user behaviour and flag
suspicious activity—such as a sudden spike in transactions from unfamiliar locations—PayPal has managed to reduce fraud losses by up to 50%. That’s the kind of forward-thinking approach more institutions need to adopt, rather than simply categorising businesses
as "high" or "low" risk.
Global travel platform Expedia faced a similar challenge. By leveraging AI-driven solutions to detect suspicious patterns, such as rapid bookings or frequent payment method changes, Expedia reduced fraud by 60%. It goes to show that, as fraud tactics evolve,
even high-risk industries can better protect themselves with smarter, data-driven fraud detection.
Key fraud prevention strategies that actually work
What can businesses do to protect themselves? Here are some fraud prevention strategies:
- Partnering with fraud prevention vendors: Many low-risk businesses don’t have the resources to build advanced fraud detection tools in-house. Fortunately, there are external vendors that specialise in providing these services, making it easier for smaller
businesses to access sophisticated fraud prevention without significant resource investment.
- Behavioural biometrics: Analysing user patterns—like typing speed and mouse movement—makes it harder for fraudsters to mimic legitimate users.
HSBC implemented behavioural biometrics to cut fraud significantly and improve customer experience by reducing interruptions.
- Two-factor authentication (2FA): Two-factor authentication adds a second step to verify a user’s identity—like entering a code sent to their phone—which significantly boosts account security. Research shows that adding this extra layer can block up to 99.9%
of automated hacking attempts. For low-risk businesses, 2FA is a simple, effective way to guard against unauthorised access, adding strong protection without disrupting the user experience.
- Real-time monitoring: Real-time monitoring tools, powered by AI and machine learning, flag suspicious activities instantly, helping businesses catch fraud before it escalates. By identifying unusual patterns, such as location changes or transaction spikes,
these tools reduce chargebacks and build customer trust.
- Chargeback management: Analysing chargebacks helps businesses identify their root causes—whether from friendly fraud, billing errors, or other issues. By understanding the reasons behind chargebacks, businesses can take proactive steps
to minimise them, protect their revenue, and maintain better relationships with payment processors.
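The behaviour-based monitoring described above, as an added example that is not from the original article or from any vendor's product: transactions are flagged for a transaction spike or an unfamiliar location using customer behaviour alone, and the merchant's risk label is never consulted. The field names, the 10-minute window and the threshold of three are assumptions, and the transactions are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window for velocity
MAX_TXNS_IN_WINDOW = 3           # assumed threshold: more than this is a spike

def flag_transactions(txns):
    """Return {txn_id: [reasons]} for transactions that look anomalous.

    Signals come from customer behaviour only; the merchant's risk
    label is carried in the data but never consulted.
    """
    recent = defaultdict(deque)        # customer -> timestamps inside WINDOW
    seen_countries = defaultdict(set)  # customer -> countries used before
    flags = {}
    for t in sorted(txns, key=lambda t: t["ts"]):
        reasons = []
        q = recent[t["customer"]]
        q.append(t["ts"])
        while t["ts"] - q[0] > WINDOW:   # drop timestamps older than WINDOW
            q.popleft()
        if len(q) > MAX_TXNS_IN_WINDOW:
            reasons.append("velocity_spike")
        known = seen_countries[t["customer"]]
        if known and t["country"] not in known:
            reasons.append("unfamiliar_location")
        known.add(t["country"])  # simplification: a real system would wait for review
        if reasons:
            flags[t["id"]] = reasons
    return flags

def _txn(i, cust, minute, country, label):
    return {"id": i, "customer": cust, "country": country, "merchant_label": label,
            "ts": datetime(2024, 6, 1, 12, 0) + timedelta(minutes=minute)}

# Constructed sample data: every merchant here is labelled "low-risk".
SAMPLE = [
    _txn("t1", "alice", 0, "GB", "low-risk"),
    _txn("t2", "alice", 300, "GB", "low-risk"),
    _txn("t3", "bob", 0, "GB", "low-risk"),
    _txn("t4", "bob", 1, "GB", "low-risk"),
    _txn("t5", "bob", 2, "GB", "low-risk"),
    _txn("t6", "bob", 3, "BR", "low-risk"),
    _txn("t7", "bob", 4, "BR", "low-risk"),
]

if __name__ == "__main__":
    for txn_id, reasons in flag_transactions(SAMPLE).items():
        print(txn_id, reasons)
```

In the sample, the fourth and fifth purchases by the same customer within five minutes are flagged even though the merchant carries a "low-risk" label, which is the gap the label alone leaves open.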
High-risk businesses: Are they being unfairly penalised?
While low-risk businesses are becoming easier targets for fraud, high-risk industries face their own set of challenges. Many of these businesses are held back simply because of the “high-risk” label, even when they follow all the rules.
Take the cannabis industry, for example. It’s often considered high-risk because of regulatory uncertainties. But plenty of CBD businesses play by the rules—maintaining full compliance and strong chargeback and fraud rates. Despite this, they still struggle
to secure payment processing services, facing roadblocks that limit their growth just because of their industry’s reputation.
This one-size-fits-all approach to classifying businesses is a problem for both sides: it leaves low-risk businesses exposed to fraud and unfairly restricts high-risk businesses that are operating responsibly. Financial institutions would be wise to adopt
a more flexible, data-driven approach to assessing risk—one that looks at each business individually rather than lumping them into broad categories. This way, compliant high-risk businesses can thrive, and low-risk businesses can stay protected.
Adapting to a new fraud landscape
In a world where fraudsters are getting smarter by the day, the traditional classification system for high- and low-risk businesses is no longer fit for purpose. Fraud is no longer confined to the industries we think of as risky—it’s everywhere.
To stay ahead, financial institutions must move beyond outdated labels and focus on behaviour, patterns, and data. By using tools like real-time monitoring, two-factor authentication, chargeback management, and behavioural analytics, businesses can proactively
protect themselves from fraud—regardless of their risk label.