Behind a growing share of e-commerce fraud lies a deceptively simple tool: the email address. Valid, deliverable and often indistinguishable from those of genuine shoppers, such addresses have become the starting point for organized schemes that quietly accumulate losses long before a single chargeback appears.
A Pattern That Begins With Email
Fraud tied to online retail rarely announces itself at the outset. Instead, it often starts with account creation — thousands of new signups that look legitimate in isolation but reveal coordination when viewed at scale. Fraud specialists say these accounts are typically built on email addresses that pass standard validation checks, allowing them to slip through defenses designed to filter out obvious fakes.
Diarmuid Thoma, head of fraud and data strategy at AtData, an email verification and validation service, said most fraudulent email addresses used in e-commerce are technically valid. In his experience, as many as 98 percent of the addresses used in these schemes, including those tied to fraud, can receive messages. That validity is essential for criminals, who rely on emails to access coupons, complete purchases and manage accounts.
Basic checks — such as verifying syntax or confirming that a domain exists — are therefore insufficient. What emerges instead is a reliance on patterns: clusters of accounts created within seconds or minutes, often on the same day, exhibiting similarities that only become visible when data is viewed in aggregate.
How Fake Accounts Are Generated at Scale
The creation of fake accounts follows repeatable structures. One common method involves “gibberish” email addresses — machine-generated strings that appear random but adhere to consistent automated rules. These addresses often arrive in bursts, with many created at nearly the same time.
Another technique, known as enumeration, relies on generating large numbers of similar addresses from a shared root. Usernames may increment, skip numbers or vary slightly, such as “user1,” “user2,” or “user15.” Individually, each address appears ordinary; collectively, they form a recognizable pattern.
A third method, sometimes called tumbling, rewrites a single underlying address many times. By adding dots, extra characters or tags, fraudsters can create multiple unique-looking addresses that all route to the same inbox. Because each version passes standard validation, these addresses can evade duplicate-account controls while enabling repeated signups.
Such techniques are easy to automate and difficult to flag individually, particularly when they are spread across time, domains or merchants.
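The enumeration and tumbling patterns described above can be surfaced by grouping signups on a normalized key, shown here as an added example that is not drawn from AtData or any merchant's system. It assumes that a "+tag" suffix is a subaddress, that only the listed Gmail domains ignore dots, and that a cluster means three or more addresses within ten minutes; the function names, thresholds and sample signups are constructed for illustration, and gibberish detection is not covered.

```python
import re
from collections import defaultdict

# Assumption: domains whose mailboxes ignore dots in the local part.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}

def canonical(email):
    """Undo tumbling: lowercase, drop any +tag, drop dots where they are ignored."""
    local, _, domain = email.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return local + "@" + domain

def enumeration_root(email):
    """Undo enumeration: strip trailing digits, so user15@x and user2@x share a root."""
    local, _, domain = canonical(email).rpartition("@")
    return re.sub(r"\d+$", "", local) + "@" + domain

def in_burst(timestamps, min_size, window):
    """True if any min_size of the timestamps fall within `window` seconds."""
    ts = sorted(timestamps)
    return any(ts[i + min_size - 1] - ts[i] <= window
               for i in range(len(ts) - min_size + 1))

def find_clusters(signups, min_size=3, window=600):
    """signups: (epoch_seconds, email) pairs. Returns {(kind, key): [addresses]}."""
    tumbled, enumerated = defaultdict(dict), defaultdict(dict)
    for ts, email in signups:
        raw = email.strip().lower()
        tumbled[canonical(raw)].setdefault(raw, ts)  # distinct spellings of one inbox
        enumerated[enumeration_root(raw)].setdefault(canonical(raw), ts)  # distinct inboxes
    flagged = {}
    for kind, groups in (("tumbling", tumbled), ("enumeration", enumerated)):
        for key, members in groups.items():
            if len(members) >= min_size and in_burst(members.values(), min_size, window):
                flagged[(kind, key)] = sorted(members)
    return flagged

# Constructed sample signups (not real data): (epoch seconds, address).
SAMPLE = [
    (1000, "j.doe@gmail.com"), (1030, "jd.oe+promo@gmail.com"), (1055, "jdoe+x1@gmail.com"),
    (2000, "user1@example.com"), (2004, "user2@example.com"), (2010, "user15@example.com"),
    (3000, "alice@example.org"), (90000, "alice2@example.org"),
]

if __name__ == "__main__":
    for (kind, key), addrs in find_clusters(SAMPLE).items():
        print(kind, key, addrs)
```

Each address in the sample passes syntax and domain checks on its own; only the grouped view flags the two clusters, and the same root spread over hours falls below the burst threshold.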
Coupon Abuse and Card Testing
Once accounts are established, they are often used briefly and then abandoned. Automated scripts can submit thousands of signups, collect welcome discounts or promotional credits, and discard the accounts after the incentive is redeemed. Coupons, Thoma noted, carry clear monetary value and can be resold when collected at scale.
These same accounts are also used for payment card testing. Fraudsters may attempt small-value transactions to confirm whether a stolen card number is valid before moving on to larger purchases. At this stage, activity may appear indistinguishable from that of legitimate customers, especially during sales events, product launches or periods of bulk onboarding.
Because the earliest transactions are often low-value and authorized by payment processors, merchants may not detect a problem until much later.
When Losses Surface as Chargebacks
The financial impact of these schemes often becomes visible only after weeks. Chargebacks — disputes initiated by cardholders — represent the primary risk for e-commerce businesses. When a transaction is reversed, the merchant loses not only the sale but also the product, shipping costs and, in many cases, additional processing fees. Repeated disputes can threaten a retailer’s relationship with its payment processor.
For many sellers, the damage traces back to the initial wave of new accounts. Organized fraud rings may register hundreds of times using valid but fake email addresses, laying the groundwork for losses that accumulate quietly.




