← InsightsFraud

Fraud Scoring Explained: How Risk Engines Decide in Milliseconds

Fraud scoring produces a risk probability for every transaction in under 200ms. Here's what goes into the score, how thresholds work, and why the same score can mean different things for different merchants.

25 May 2026

Every major card transaction processed online runs through a fraud scoring model — sometimes multiple models stacked on top of each other. The score produced in those milliseconds determines whether a transaction is approved, declined, or flagged for review. Understanding how that score is constructed, what it actually represents, and how to configure thresholds for your context is essential for running a payment operation intelligently.

What a Fraud Score Is

A fraud score is a probability estimate: the model's assessment of the likelihood that a transaction is fraudulent. A score of 0.85 means the model estimates an 85% probability the transaction is fraud. A score of 0.12 means 12% probability.

The score is not a binary judgment. It's a continuous value that you translate into an action — approve, decline, or review — using thresholds you configure based on your risk tolerance.

Different scoring systems use different scales (0–1, 0–100, 0–1000), but the underlying concept is the same: a number that reflects estimated fraud probability, calibrated so that higher numbers mean higher risk.

The Features That Go Into a Score

Modern fraud scoring models evaluate dozens to hundreds of features simultaneously. The major categories:

Device and environment signals:

  • Device fingerprint: browser type, screen resolution, timezone, installed fonts, canvas rendering characteristics
  • IP address: geolocation, VPN/proxy detection, hosting provider (residential vs. datacenter IP)
  • Operating system and browser version
  • Whether JavaScript runs as expected (headless browsers behave differently)
  • Time of day and day of week relative to cardholder's typical behavior

Transaction signals:

  • Amount — unusually high or low for the merchant category
  • Product type — some products have higher fraud rates
  • Billing and shipping address match or mismatch
  • Whether the shipping address has been associated with fraud previously (network data)
  • Card BIN data — issuing country, card type (prepaid cards have higher fraud rates)
  • CVV and AVS match results

Velocity signals:

  • How many transactions from this card in the last hour, day, week
  • How many transactions from this device
  • How many transactions from this IP address
  • How many transactions to this shipping address

Behavioral signals (session-level):

  • How the user navigated to checkout (organic vs. direct link)
  • Time spent on checkout page
  • Whether form fields were filled manually or programmatically
  • Mouse movement patterns (bots vs. humans move differently)
  • Typing cadence

Network intelligence:

  • Has this card been associated with fraud at other merchants in the network?
  • Has this device seen fraud at other merchants?
  • Has this email address been associated with disputes previously?

No single signal determines the score. The model combines all features, weighted by their predictive power in the training data, into the final probability estimate.

How Threshold Configuration Works

The score threshold you set determines how many transactions get declined. This is a business decision, not a technical one:

Low threshold (decline at 0.3): Declines 30%+ of risky-looking transactions. Catches more fraud but also declines more legitimate transactions. Right for high-value products with high fraud rates where false positive cost is tolerable.

Medium threshold (decline at 0.7): Declines only clearly high-risk transactions. Balances fraud loss against false positive revenue loss. Appropriate for most merchants as a starting point.

High threshold (decline at 0.9): Declines only the highest-confidence fraud. Minimizes false positives but allows more fraud through. Appropriate for categories where false positives are very costly (luxury goods with high average order value, services with difficult refunds).

The third option — a review queue — handles the middle band. Transactions scoring between 0.4 and 0.7 go to manual review, where a human evaluates context before approving or declining. This captures the cases where the score is uncertain and human judgment adds value.

Why the Same Score Means Different Things

A fraud score is calibrated to a training dataset. That dataset reflects a specific distribution of merchants, geographies, products, and customer behaviors. A score of 0.7 from a model trained on general e-commerce transactions doesn't mean the same thing as a score of 0.7 from a model trained on iGaming deposits.

This is why:

Merchant category matters. A 0.6 score on a gaming transaction has different false positive implications than a 0.6 score on a software subscription transaction. Gaming has higher baseline fraud rates; the same score reflects lower probability of legitimate transaction.

Geography matters. Fraud rates vary significantly by issuing country and shipping destination. A model trained heavily on US data may systematically misscale risk for European transactions.

Calibration drift. Models calibrated 18 months ago on pre-attack patterns may be miscalibrated for current fraud patterns. Fraud risk scoring requires regular recalibration to remain accurate.

Your product is an outlier. If your product type is rare in the training data, the model has less signal specific to your context and the score is less reliable.

Chargeback Feedback as Model Input

One of the most important inputs to fraud model improvement is chargeback outcome data. When a fraud chargeback arrives, it retrospectively labels a transaction as fraudulent — even if the score at time of transaction was low.

Feeding chargeback outcomes back into the scoring model improves calibration over time. The model learns that certain feature combinations it previously scored as low-risk are actually associated with fraud in your specific context.

This feedback loop is why chargeback management and fraud prevention aren't separable operations — the outcome data from chargebacks directly improves fraud detection quality. Merchants who track and analyze chargeback patterns by transaction feature aren't just recovering lost revenue; they're continuously improving their fraud detection. Systematic chargeback analysis, as part of a professional dispute management process, generates the labeled data that makes fraud models more accurate over time.

Setting Score Thresholds: A Starting Framework

If you're configuring thresholds for the first time:

  1. Run your current transactions through the model without acting on scores (shadow mode) for 30 days
  2. Compare scores on transactions that later received fraud chargebacks against those that didn't
  3. Identify the score range where precision (portion of high-score transactions that were actually fraud) is above your target — typically 60–80%
  4. Set your decline threshold at that point; set your review threshold 15–20 points lower
  5. Measure false positive rate at that threshold using customer service contact rate and manual review approval rate as proxies
  6. Adjust monthly based on observed outcomes

Fraud scoring is not a one-time configuration. The fraud environment evolves, your transaction mix changes, and the model needs to evolve with it.

Need help with chargebacks?

Fincoro delivers 94% average win rates across all clients.

Get in touch