Why Traditional Fraud Scores Are No Longer Enough for Modern Threats
E-commerce fraud losses are projected to grow at a compound annual growth rate of 40% from 2023 to 2028(1). This dramatic increase reveals a dangerous truth: Despite companies’ best attempts to protect themselves against fraud, they remain vulnerable to it. This is because many rely too heavily on fraud protection that uses traditional fraud scoring systems.
In this guide, we will explore what a fraud score is, how it is calculated, and why it is an ineffective way to protect your company against e-commerce fraud. Then we will explore how you can protect yourself against sophisticated fraud and why this needn’t be a difficult, time-consuming, or expensive thing to do.
Key takeaways
- Traditional fraud scoring is reactive, not proactive. Every fraudulent request gets at least one opportunity to succeed before the system can identify and block it, creating a critical vulnerability window.
- Modern fraudsters evolve faster than scoring systems can adapt. While fraud patterns change daily, traditional systems depend on historical data and require manual rule updates that always lag behind current threats.
- False positives damage businesses more than companies realize. High fraud scores frequently block legitimate customers, causing immediate revenue loss, customer frustration, and permanent damage to customer relationships.
- Coordinated attacks bypass individual transaction analysis. Sophisticated fraudsters launch multi-vector attacks across login pages, payment systems, and APIs simultaneously, but traditional scoring systems evaluate each transaction in isolation.
- AI has made basic attacks sophisticated while fraud scoring remains static. Even simple bots now use advanced techniques like residential proxies and human-like behavior simulation, yet most fraud prevention systems haven’t evolved to match this sophistication.
What is a fraud score?
A fraud score is a numerical value indicating the likelihood that a specific transaction, account creation, or online activity is fraudulent. Traditional scoring systems express it on a scale, typically from 0 to 100. The higher the number, the greater the fraud risk.
Think of a fraud score like a credit score for potentially malicious activity. Just like a credit score helps lenders assess financial risk, a fraud score helps businesses evaluate whether an interaction might be fraudulent.

[Image: A fraud score works similarly to a credit score]
But this simple analogy reveals the first major limitation: credit scores work because financial behavior tends to be consistent over time. In the early days of e-commerce, fraud patterns were relatively simple and predictable too. A fraudster might use a stolen credit card or attempt to ship to a suspicious address, and that was it. These basic patterns made it possible to create straightforward scoring systems based on clear risk factors.
Today’s fraud landscape is radically different. Modern attacks use sophisticated automation, artificial intelligence, and distributed networks to evade detection. In 2024, cybercriminals attacked the average business roughly 3,000 times a day(2). Even just one of those attacks could involve thousands of devices, multiple IP addresses, and behavior patterns specifically designed to look legitimate. No wonder fraud scores struggle to keep up.
How a traditional fraud score is calculated
Traditional fraud scoring isn’t a simple yes/no system. It’s a complex calculation that draws from multiple data points. While every fraud scoring solution will use slightly different data points and assign slightly different weights to each data point, they generally combine the following primary elements:
Identity indicators
- Email address age and reputation
- Phone number verification
- Social media presence
- Device fingerprint
Transaction patterns
- Purchase amount versus user history
- Time of transaction
- Shipping/billing address match
- Product type risk level
- Payment method
User behavior
- Account age
- Previous purchase history
- Navigation patterns
- Cart assembly speed
- Checkout completion time
The calculation process
Here’s a simple example: A customer places a $500 electronics order using a new email account, from a different country than their billing address, with express shipping. The system assigns risk points to each factor:
- New email: 80 points
- Location mismatch: 70 points
- Express shipping: 60 points
The system combines these scores using weighted calculations to produce a final fraud score: in this case, around 65 out of 100. Different platforms use various scoring ranges (0-100, 0-1000, or 0-10), but the basic approach of combining multiple risk factors remains the same.
Fraud score thresholds
Once calculated, fraud scores trigger specific actions based on predetermined thresholds. Although thresholds vary by industry, most fraud scoring systems use the following ranges and associated actions:
- 0-30: Low risk. The user will be approved automatically for nearly all actions, won’t be asked to go through any additional verification, but will still see their transactions monitored.
- 31-60: Medium risk. The user may be asked for additional verification for important actions like high-value transactions.
- 61-80: High risk. Important actions will require manual review. The user will be asked for additional verification. Their transactions could be put on hold in the meantime.
- 81-100: Extreme risk. The user is automatically rejected. Their account is flagged and they are added to a blacklist or, at the very least, a “to-watch” list.
At a fraud score of 65, the user from our example falls into the high risk category and would require additional verification before their $500 electronics order would be processed.
Perhaps this order did indeed come from a fraudster. But perhaps the order came from a genuine customer who had moved countries or simply used a VPN. A fraud score is just a single number and does not help you understand the context behind its calculations.
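As an added illustration (not code from the article or from any vendor), the Python below implements the weighted calculation and threshold bands described above and returns the per-factor breakdown alongside the score. The weights, the `new_device` points, and the labelled orders are constructed assumptions, chosen so the article's example order scores 65.

```python
# Added example. Risk points for the first three factors come from the article;
# the new_device points and all weights are assumptions.
RISK_POINTS = {"new_email": 80, "location_mismatch": 70,
               "express_shipping": 60, "new_device": 50}
# Assumed weights in percent (sum to 100), chosen so the article's order scores 65.
WEIGHTS = {"new_email": 40, "location_mismatch": 30,
           "express_shipping": 20, "new_device": 10}

# Threshold bands from the article: (inclusive upper bound, risk level, action).
BANDS = [(30, "low", "approve"),
         (60, "medium", "extra verification on important actions"),
         (80, "high", "manual review"),
         (100, "extreme", "reject")]


def fraud_score(triggered):
    """Return (score 0-100, per-factor contributions) for the triggered factors."""
    unknown = set(triggered) - RISK_POINTS.keys()
    if unknown:
        raise ValueError(f"unknown risk factors: {sorted(unknown)}")
    # Untriggered factors contribute 0, so this is a weighted sum over all factors.
    contrib = {f: WEIGHTS[f] * RISK_POINTS[f] / 100 for f in sorted(set(triggered))}
    return round(sum(contrib.values())), contrib


def risk_band(score):
    """Map a score to the article's (risk level, action) band."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for upper, level, action in BANDS:
        if score <= upper:
            return level, action


# Constructed, labelled orders: (description, triggered factors, is_fraud).
ORDERS = [
    ("stolen card, $500 electronics",
     {"new_email", "location_mismatch", "express_shipping"}, True),
    ("customer who moved countries",
     {"new_email", "location_mismatch", "express_shipping"}, False),
    ("returning customer on a VPN", {"location_mismatch"}, False),
    ("new customer on a new phone", {"new_email", "new_device"}, False),
    ("fraud with an aged email account",
     {"location_mismatch", "express_shipping"}, True),
    ("last-minute gift purchase", {"express_shipping"}, False),
]


def cutoff_tradeoff(cutoff, orders=ORDERS):
    """Hold every order scoring >= cutoff; return (legit_held, fraud_passed)."""
    legit_held = fraud_passed = 0
    for _desc, factors, is_fraud in orders:
        held = fraud_score(factors)[0] >= cutoff
        if held and not is_fraud:
            legit_held += 1
        elif not held and is_fraud:
            fraud_passed += 1
    return legit_held, fraud_passed


if __name__ == "__main__":
    for desc, factors, is_fraud in ORDERS:
        score, contrib = fraud_score(factors)
        level = risk_band(score)[0]
        print(f"{score:3d} {level:8s} fraud={is_fraud!s:5s} {desc} {contrib}")
    # Move the hold cutoff across the band boundaries and count the errors.
    for cutoff in (31, 61, 81):
        print(cutoff, cutoff_tradeoff(cutoff))
```

With these constructed orders, the stolen-card order and the relocated customer get the same score and the same factor breakdown, and no cutoff separates fraud from legitimate traffic.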
Whitebox vs blackbox fraud scoring models
Within traditional fraud scoring, there are two different approaches that businesses should understand:
- Whitebox models provide complete visibility into how fraud scores are calculated. You can see exactly which factors influenced each decision, understand the logic behind rules, and adjust scoring criteria based on your business needs. This transparency helps with regulatory compliance and allows teams to explain decisions when customers question them.
- Blackbox models use machine learning algorithms to analyze patterns and predict fraud risk without revealing the underlying decision logic. These systems can identify complex patterns in large datasets and often require less manual rule creation, but operate as “black boxes” where the reasoning behind scores remains hidden.

[Image: Blackbox models don’t explain why they produce a certain output]
Why both approaches struggle with modern fraud
Both whitebox and blackbox models face significant challenges against modern fraud. Whitebox systems require constant manual maintenance as fraudsters evolve their tactics, creating a reactive cycle where security teams are always playing catch-up.
Blackbox systems, while better at pattern recognition, create accountability problems. When legitimate customers are falsely flagged, businesses cannot explain why the decision was made.
The reality of the hybrid approach
Some vendors promote “hybrid” approaches that combine both methods. While this sounds compelling, these systems still face the core problems of traditional fraud scoring: They’re reactive rather than proactive, depend on historical patterns that fraudsters quickly evolve past, and cause false positives that damage customer relationships.
Why use a scoring model?
Before we dive into the limitations of traditional fraud scores, it’s important to understand why businesses implement fraud scoring in the first place. Fraud scoring models offer several theoretical advantages that make them attractive solutions for simple fraud environments.
- Automation at scale: Instead of manually reviewing every transaction, businesses can let automated systems assign risk values and make decisions based on predetermined rules. This allows companies to process thousands of transactions per hour without human intervention.
- Resource allocation: Fraud scoring helps businesses focus their limited security resources on the highest-risk activities. Rather than investigating every transaction equally, teams can prioritize their attention based on risk scores.
- Consistent decision making: Human reviewers might evaluate the same transaction differently depending on their experience, mood, or workload. Automated scoring provides consistent evaluation criteria across all transactions.
- Cost efficiency: Manual fraud review is expensive and time-consuming. Automated scoring reduces operational costs by handling routine decisions automatically and only escalating truly uncertain cases.
- Speed of processing: Customers expect fast transaction processing. Fraud scores can be calculated in seconds, allowing businesses to approve low-risk transactions immediately while flagging only suspicious activity for review.
But these benefits only work when the underlying scoring logic remains effective against current threats. Fraud methods evolve faster than scoring systems can adapt, turning these advantages into liabilities.
Fraud scoring across industries
Different industries face unique fraud challenges that require tailored approaches to fraud scoring. Understanding how various sectors implement and adapt fraud prevention helps illustrate the limitations of traditional scoring systems.
E-commerce and retail
Online retailers face the highest volume of fraudulent transactions, with payment fraud, account takeovers, and promotion abuse representing major threats. E-commerce companies typically use lower fraud score thresholds to avoid cart abandonment, but this leaves them vulnerable to sophisticated attacks. Traditional scoring struggles with legitimate behaviors like gift purchases (different shipping addresses) and seasonal shopping patterns.
Banking and financial services
Financial institutions implement the strictest fraud scoring thresholds due to regulatory requirements and high-value transactions. Banks use complex scoring models that incorporate account history, transaction velocity, and geographic patterns. However, false positives in banking create severe customer satisfaction issues, as legitimate account holders face frozen accounts and delayed payments.

[Image: Incredibly frustrating for legitimate customers]
Gaming and entertainment
Gaming platforms battle with bonus abuse, account farming, and virtual currency fraud. Traditional fraud scores often fail to distinguish between legitimate competitive players and sophisticated bot networks. The real-time nature of gaming transactions requires instant decisions that traditional scoring systems cannot provide.
Travel and hospitality
Travel companies face unique challenges with legitimate cross-border transactions and last-minute bookings that naturally trigger high fraud scores. Traditional systems struggle with the seasonal nature of travel spending and the legitimate use of VPNs by travelers, leading to high false positive rates.
Healthcare and pharmaceuticals
Healthcare fraud prevention requires balancing patient privacy with security needs. Traditional fraud scoring in healthcare often creates barriers to legitimate care when patients urgently need medical services. The sector’s complex billing patterns and insurance processes create numerous false positives.
Critical limitations of traditional fraud scores
Traditional fraud scoring systems made sense at a time when fraud was manual and followed predictable patterns. But these systems now face significant limitations that leave your company vulnerable to modern threats. Let’s examine why traditional fraud scores fall short.
Reactive instead of proactive
Traditional fraud scoring’s fundamental weakness lies in its reactive nature. These systems wait to assign a score before taking action, creating a crucial delay between detecting suspicious activity and responding to it. By the time a transaction receives a high-risk score and triggers a response, the damage may already be done.
This scoring-first approach means every threat gets at least one opportunity to succeed before the system can identify and block it. Now that automated attacks can launch thousands of attempts a second, even a small delay in response time creates a security vulnerability.
Depends on historical data
Fraud scores rely heavily on patterns found in historical fraud data. While this worked when fraud methods evolved slowly, today’s attackers constantly develop new techniques that haven’t appeared in historical data sets. DataDome’s Global Bot Security Report clearly demonstrates this problem: Advanced bots using new techniques were detected less than 5% of the time.
Fraudsters actively exploit this weakness by continuously adapting their methods. As soon as a pattern becomes known and gets added to scoring systems, attackers simply change their approach. This creates an endless cycle where fraud detection always lags behind current threats.
High false positive rates
If we return to our example of the $500 electronics order, we could conclude that the user was indeed a fraudster. But perhaps not. We cannot know for sure. It’s not uncommon for a user to have a high fraud score simply because they have moved, are connected to a VPN, or used a new device to place an order. Additionally, new users are scored worse even though they are usually legitimate users.
Traditional fraud scores generally have a tendency to flag legitimate transactions as fraudulent. Put another way, they score genuine users as high or extreme risk when they are not. These high false positive rates can lead to:
- Revenue loss: Every blocked legitimate transaction represents immediate lost revenue. Worse, these customers often abandon their purchase entirely instead of dealing with the verification processes, especially if there are competitors that offer a similar product for a similar price.
- Customer frustration: When genuine customers face transaction denials, additional verification steps, or payment delays, they become frustrated. This negative experience damages brand reputation and customer loyalty.
- Lost future business: A large percentage of customers who experience a false decline never return to that merchant. The lifetime revenue of a customer is often exponentially higher than the revenue of their first transaction, making lost revenue much higher too.
Constantly requires resources
Traditional fraud scoring systems demand constant attention and resources to maintain their effectiveness. First, your company will need dedicated staff to review flagged transactions, which can quickly lead to expensive operational bottlenecks.
Second, you will need to update and refine your fraud system’s rules constantly as new fraud patterns emerge. This perpetual maintenance cycle is not only ineffective, because fraudsters will always move faster than you can update your rules, but it also consumes significant IT resources.
Third, you will need to find a balance between effective fraud prevention and false positives. The industry-standard risk thresholds we explained above are default settings to start from, but most likely will not suit your company or industry. You may need stricter thresholds or looser thresholds. Make them too strict and you’ll lose business. Make them too loose and fraud will slip through. It’s a difficult tightrope to walk.
Doesn’t fully protect against today’s threats
Traditional fraud scores simply weren’t designed for today’s sophisticated attack methods. Fraudsters use sophisticated multi-vector attacks that traditional scoring systems can’t comprehend. For example, a single attack might combine credential stuffing on your login page, distributed card testing on your payment endpoints, and data scraping across your product pages. While each individual action would receive a separate fraud score, the system fails to connect these events and recognize them as part of a coordinated attack.
DataDome’s Bot Report reveals just how serious this blind spot has become: 65.2% of businesses remain completely unprotected against even basic bot attacks. Against more sophisticated attacks using residential proxies and advanced fingerprinting evasion, traditional protection drops even further. Nowadays, bots can:
- Manipulate their digital fingerprints between requests
- Distribute attacks across thousands of IP addresses
- Precisely mimic human behavior patterns like mouse movements and typing cadence
- Adapt their patterns in real-time based on detection attempts
And that is before we even consider mobile. Mobile commerce is yet another new attack surface that traditional fraud scores weren’t built to evaluate. Mobile-specific vulnerabilities include device spoofing, where fraudsters fake device identifiers; API abuse, where fraudsters directly attack mobile app endpoints; and mass-scale emulator-based attacks.
Stands no chance against tomorrow’s threats
New and more sophisticated attack methods are already emerging. The fraudsters of tomorrow are developing techniques that make today’s attacks look primitive.
AI-powered fraud tools now help attackers generate human-like behaviors that easily bypass traditional scoring systems. These tools can analyze security patterns, adapt in real-time, and even learn from failed attempts. What’s more concerning is that these AI tools are becoming commercially available through fraud-as-a-service platforms, putting sophisticated attack capabilities in the hands of amateur criminals.
Hybrid attacks combine automated bots with human intervention at crucial moments. When a traditional scoring system flags a suspicious activity, the attack switches to human control to pass manual review processes. Once approved, the operation switches back to automated mode to maximize impact. These attacks are particularly effective because they exploit the fundamental assumption of fraud scoring: that human and bot activities can be clearly distinguished.
Social engineering has also evolved beyond simple phishing. Modern fraudsters research their targets using scraped data, then launch highly personalized attacks that appear legitimate to both users and security systems. By combining social engineering with automated attacks, fraudsters can gather the contextual data needed to make their fraud attempts appear legitimate to traditional scoring systems.
Perhaps most concerning is the rise of collaborative fraud networks. Instead of individual fraudsters working alone, organized groups now share tools, techniques, and even stolen data through underground marketplaces. This collaboration helps them identify weaknesses in common fraud prevention systems and develop new attack methods faster than security teams can update their scoring models.
Today’s limitations of fraud scoring plus the threat of the above emerging trends make it clear: Your business needs protection that can evolve as quickly as the threats themselves.
The true cost of inadequate fraud protection
When businesses rely on traditional fraud scoring, they expose themselves to costs that extend far beyond direct fraud losses. The impact is particularly severe for e-commerce companies operating exclusively online, where every transaction represents potential risk.
The financial impact of inadequate fraud protection hits hard at the bottom line. Large enterprises invest heavily in security teams and sophisticated tools, yet still lose significant revenue to fraudulent activities. These losses compound over time as fraudsters identify and exploit weaknesses in traditional scoring systems, leading to escalating costs that could have been prevented with better protection.
Brand reputation suffers too. When legitimate customers face transaction delays or denials due to rigid fraud scoring, they often abandon their purchases entirely. In today’s connected world, a single poor customer experience can rapidly spread through social media and review sites, damaging brand trust that took years to build.
Operational costs pile up as well. Manual review teams must grow larger as fraud attempts increase, creating expensive bottlenecks in the transaction process. With the average business facing 3,000 automated attacks daily, traditional fraud scoring systems simply cannot scale to meet modern threats. Each flagged transaction requires human review, creating delays that frustrate customers and burden security teams.
These combined costs create a clear business imperative: Companies can no longer afford to rely on traditional fraud scoring systems that generate high false positives while missing sophisticated attacks. The true cost piles up with lost transactions, lost customers, wasted resources, and missed opportunities for growth.
The DataDome difference
While traditional fraud scores struggle to keep up with modern threats, DataDome takes a fundamentally different approach to fraud prevention. Instead of relying on historical patterns and reactive scoring, DataDome provides real-time protection that adapts to emerging threats as they appear.
Advanced detection methods
At the heart of DataDome’s approach is real-time analysis. Instead of waiting to assign a score and then taking action, DataDome analyzes traffic immediately, making a decision for every request in less than 2 milliseconds. This eliminates the crucial delay that fraudsters exploit in traditional systems.
The platform’s machine learning capabilities continuously evolve to recognize new attack patterns. Unlike static fraud scores, DataDome’s systems learn from over a trillion requests they analyze every month. This massive dataset, combined with advanced pattern recognition, allows the platform to identify sophisticated attacks that a traditional fraud score would miss entirely.
DataDome’s behavioral pattern recognition goes far beyond simple scoring factors. The system analyzes hundreds of signals in real-time, including:
- Mouse movements and typing patterns
- Network traffic characteristics
- Browser and device fingerprints
- Session behavior patterns
- API request patterns
Comprehensive protection
DataDome has 99.99% accuracy in bot detection with a false positive rate below 0.1%. This combination solves one of the fundamental challenges that plague traditional fraud scores: the trade-off between security and legitimate user experience. With DataDome, bots are blocked while real users won’t even know it’s there protecting them.
With its continuous analyses of over a trillion monthly requests, DataDome has developed fraud protection against more than 50 different types of threats. This comprehensive coverage includes sophisticated attack methods that traditional scores can’t detect, such as:
- Advanced browser automation
- Distributed bot networks
- API abuse attempts
- Sophisticated scraping operations
- Account takeover attacks
Streamlined implementation
Unlike traditional fraud scoring systems that require constant maintenance and tuning, DataDome offers a more streamlined approach with its default rules, custom rules, machine learning rules, and industry presets.
Default rules provide immediate protection against common threats without any configuration needed. These pre-configured defenses draw from DataDome’s extensive experience protecting major global brands.
Custom rules allow companies to address industry- or company-specific threats. Unlike traditional scoring systems that require extensive coding and testing, DataDome’s custom rules can be implemented and adjusted quickly through an intuitive interface.

[Image: An intuitive dashboard to help you understand all the threats DataDome blocks]
Machine learning rules continuously adapt to new threats without manual updates. This automated learning process ensures that your protection evolves as new attack methods emerge. It eliminates the constant maintenance burden of traditional systems.
Industry presets offer optimized protection for specific business types. An e-commerce company faces different threats than a financial services provider, and DataDome’s industry-specific configurations reflect these differences.
This combination of features delivers what traditional fraud scores cannot: comprehensive protection that adapts to new threats while maintaining a seamless experience for legitimate users. The platform’s 2ms response time ensures protection doesn’t come at the cost of performance, while its extensive threat coverage protects your business against both current and emerging attack methods.
How DataDome stops sophisticated fraud
Gift cards are a popular target for fraud attacks because they’re not as protected as regular financial transactions are. Once the money on a gift card is gone, it’s almost impossible to get it back. Wolfe, a leading e-commerce company that specializes in gift cards, was under constant bot attacks targeting their card validation systems. These bots constantly disrupted Wolfe’s operations and created serious security challenges.
The company implemented DataDome right before their peak holiday season, providing an immediate stress test under heavy traffic conditions. The system proved its worth quickly and dramatically reduced malicious bot traffic while providing comprehensive visibility into other automated threats like vulnerability scanning and scraping attempts.
DataDome’s detection mode allowed Wolfe to monitor threats before activating full blocking capabilities, which helped ensure a smooth transition that didn’t disrupt legitimate customer transactions. This real-time, automated protection now allows Wolfe’s security team to focus on strategic growth rather than having to constantly react to threats.
To conclude
Traditional fraud scores, while once effective, are no longer sufficient to protect businesses against modern fraud attempts. Today’s fraudsters use sophisticated multi-vector attacks combining credential stuffing, card testing, and data scraping at the same time. A scoring system that evaluates individual transactions in isolation simply cannot detect these coordinated attacks.
Any advanced fraud protection strategy must be holistic. Rather than relying on individual scores and thresholds, businesses need comprehensive solutions that can analyze and protect all endpoints simultaneously. This includes web traffic, mobile applications, and API endpoints.
Real-time protection is not optional. It’s critical. Traditional fraud scoring’s reactive approach gives every threat at least one opportunity to succeed. In an age where automated attacks can launch thousands of attempts per second, even a small delay in response time creates significant vulnerability.
DataDome offers the superior protection modern businesses need, combining real-time analysis, machine learning capabilities, and comprehensive coverage across all endpoints. With 99.99% accuracy in detection and a response time of just 2ms, it provides the proactive defense required to stay ahead of evolving threats.
The choice is clear: continue relying on outdated fraud scores and remain vulnerable, or upgrade to modern protection that can actually keep pace with today’s sophisticated attacks. As fraud methods continue to evolve, this gap between traditional scoring and state-of-the-art protection will only grow wider. Book a free DataDome demo to see what real protection looks like.
FAQ
Traditional fraud scoring accuracy varies widely, with false positive rates being the biggest pain point for 27% of risk professionals. While some systems achieve reasonable accuracy for known fraud patterns, they struggle with new attack methods and often generate high false positive rates that damage customer experience.
Yes, but traditional automation has significant limitations in adapting to new threats. Automated scoring works well for known patterns but requires constant manual updates as fraud methods evolve. Modern solutions like DataDome provide true automation that adapts to new threats in real-time without manual intervention.
Sources
1. https://www.fintechfutures.com/press-releases/fraud-and-security-in-global-online-payments-market-2024-global-b2c-e-commerce-fraud-losses-to-grow-by-40-cagr-from-2023-to-2028
2. https://cybermagazine.com/cyber-security/bt-reveals-46-million-signals-of-cyberattacks-every-day
3. https://www.unit21.ai/fraud-aml-dictionary/false-positives
*** This is a Security Bloggers Network syndicated blog from Blog – DataDome authored by DataDome. Read the original post at: https://datadome.co/learning-center/fraud-score/

