India’s e-commerce market reached $125 billion in 2024 and continues to grow at a double-digit pace. Behind the consumer-facing transaction volume lies a merchant ecosystem of millions of sellers, most of them SMBs or individual traders, who onboard to platforms with varying degrees of verification rigour. Merchant fraud β fake listings, triangulation schemes, account takeovers, counterfeit goods, payment fraud β is the underside of this growth. Unlike consumer fraud, which tends to be individually small in value, merchant fraud can run at scale: a single fraudulent merchant can process thousands of orders before detection, generating chargebacks, reputational damage, and regulatory exposure simultaneously. This guide explains how merchant fraud operates in India’s e-commerce context, what detection looks like at each stage, and which verification controls are most effective.
How Merchant Fraud Operates in India: The Main Patterns
Merchant fraud in India’s marketplace and e-commerce context takes several forms, each with a distinct signature. Fake merchant listings involve fraudulent sellers creating product listings for goods they never intend to ship β taking payment, generating a shipping label with no package, and disappearing before the dispute window closes. This is most common on platforms with light onboarding requirements and high seller volume.
Triangulation fraud is more sophisticated: the fraudster creates a legitimate-looking merchant account, takes orders from real buyers using stolen credit card data to fulfil them at wholesale, and pockets the difference. The buyer receives the goods, has no complaint, but the stolen card’s owner disputes the charge β creating a chargeback liability for the platform.
Merchant account takeover occurs when a legitimate merchant’s account is compromised β through phishing, credential stuffing, or SIM swap β and the attacker redirects settlement funds or changes payout bank details before the next disbursement cycle. For platforms with daily or weekly settlement runs, this can result in significant losses before the legitimate merchant notices.
Counterfeit goods fraud β selling replicas as genuine branded products β creates reputational and regulatory risk for the platform, even if the platform itself is not the seller. SEBI has taken enforcement action in cases where platforms were found to have inadequate merchant verification controls that allowed counterfeit goods to reach consumers.
The Onboarding Window: Where Most Merchant Fraud Begins
Most merchant fraud exploits the onboarding process. If a fraudulent entity can pass verification and become an active merchant, the subsequent fraud is harder to catch and more expensive to reverse. The onboarding window is therefore the highest-leverage point for fraud prevention.
Effective merchant onboarding verification covers four layers. The first is business identity: confirming the entity’s legal registration through GSTIN lookup (active status, return filing), CIN or UDYAM verification for incorporated entities, and matching the registered business address against physical or digital signals.
The second is beneficial owner and director verification: identifying who actually controls the business, whether those individuals have prior fraud history or regulatory sanctions, and whether the director structure is consistent with a genuinely operating business (multiple recently-registered entities with the same directors and different GST numbers is a red flag).
The third is bank account verification: confirming that the payout account belongs to the registered entity, not a different individual or a newly-opened account linked to no prior commercial activity.
The fourth is digital presence and commercial signals: does the merchant have a website, social media presence, or trade references consistent with the business they claim to operate? A “five-year-old textile wholesaler” with no digital footprint and a freshly created email address is a verification red flag regardless of whether their GSTIN is valid.
Business Verification for Merchants: What to Check and Why
Business verification for merchants goes beyond confirming that a GSTIN exists. A comprehensive merchant verification check should cover: GSTIN status and return filing history (an entity that has not filed returns in the past six months is operationally suspect); CIN verification through MCA21 (for companies); director disqualification status; CIBIL commercial credit data for the entity and its directors; adverse media and court records for the entity name and director names; and phone number and email address history β whether the contact details are freshly created or have prior commercial associations.
For merchants operating in regulated categories β food, pharmaceuticals, financial services β additional licence verification is required. A merchant claiming to sell financial products must hold the appropriate SEBI or IRDAI registration. A food seller must hold the relevant FSSAI licence. Onboarding without licence verification creates platform liability for regulatory non-compliance by the merchant.
The combination of these checks, executed through API-driven verification rather than manual document collection, takes seconds and provides a structured risk output that can route high-risk merchants for manual review and approve low-risk merchants automatically.
Behavioural and Transactional Signals That Indicate Fraud
Not all merchant fraud is detectable at onboarding. Some patterns only emerge post-activation, and a risk monitoring programme must capture them. The most reliable post-onboarding signals are: sudden spikes in order volume without corresponding increase in fulfilment confirmations; high dispute or chargeback rates relative to category benchmarks; payout bank account change requests shortly after activation; high proportion of orders from new buyer accounts that do not match normal cohort behaviour; and device or IP anomalies β the merchant’s operational device changing frequently, or logins originating from geographies inconsistent with the claimed business location.
Transactional velocity monitoring β tracking order intake rate, average order value, and refund rate against a merchant’s established baseline and category average β is the operational backbone of post-onboarding fraud detection. Anomaly detection that fires an alert when a merchant’s chargeback rate exceeds a defined threshold, before the settlement cycle, can prevent a significant proportion of payment fraud losses.
RBI Merchant Verification Requirements for Payment Aggregators
The RBI’s guidelines for Payment Aggregators (PA) include explicit merchant due diligence requirements. PAs must conduct background checks on merchants before onboarding them, verify the merchant’s business legitimacy, check for adverse information, and conduct ongoing monitoring throughout the merchant relationship. Non-compliance has resulted in regulatory action: the RBI has directed several PAs to pause new merchant onboarding pending remediation of their KYC and due diligence processes.
The guidelines specify that merchant verification must include: registered business address verification, beneficial owner identification, and bank account ownership confirmation. For higher-risk merchant categories β travel, gaming, pharmaceuticals, financial services β enhanced due diligence is required, including licence verification and more frequent periodic review.
For marketplace platforms that are not themselves PAs but work with PA partners, the liability question is shared but not eliminated. The marketplace’s reputational and operational exposure from fraudulent merchants is real regardless of where the regulatory compliance obligation formally sits.
Building a Merchant Risk Monitoring Programme
An effective merchant risk monitoring programme has three components: a risk-tiered onboarding process, continuous behavioural monitoring, and an escalation framework for risk signals.
The onboarding process assigns each merchant an initial risk score based on business verification results, director history, and commercial signals. High-risk merchants β new entities, merchants in high-fraud categories, those with adverse director history β are routed to enhanced due diligence and activated with lower transaction limits until they establish a behavioural track record.
Continuous monitoring uses transactional analytics to track each merchant’s chargeback rate, fulfilment rate, dispute volume, and payout pattern against their cohort and baseline. Automated alerts trigger when defined thresholds are crossed, routing the merchant to a risk review rather than allowing the pattern to compound.
The escalation framework defines the actions available at each alert tier: increased monitoring, transaction limit reduction, settlement hold, account suspension, and regulatory reporting. A well-defined escalation framework prevents the most common operational failure in merchant fraud programmes β alert fatigue leading to inaction.
Technology Investments That Pay Back in Merchant Fraud Reduction
The return on investment from merchant fraud prevention technology is measurable and typically fast. For marketplace and payment aggregator businesses, even a one percentage point reduction in merchant fraud rate translates to significant P&L impact β because fraud losses compound through chargebacks, dispute processing costs, card network penalties, and regulatory reporting obligations.
The technology investments with the highest measured ROI in merchant fraud reduction are: real-time business verification at onboarding (catching fake entities before they transact), transaction velocity monitoring with automated alerts (catching fraud patterns before they reach material scale), and bank account ownership verification (preventing settlement fund diversion before the first settlement cycle).
For marketplaces processing more than βΉ100 crore in monthly GMV, the economic case for investing in a comprehensive merchant risk monitoring stack is straightforward. At a 1 percent merchant fraud rate and an average fraud loss of βΉ15,000 per incident, the annual fraud exposure is material. A technology investment that reduces this rate to 0.3 percent saves multiples of its cost in the first year.
The friction argument β that stronger merchant verification will reduce merchant onboarding rates β is less compelling in 2026 than it was five years ago. API-driven verification that completes in seconds adds negligible friction to the onboarding journey. The merchants deterred by a three-second GSTIN check are, in most cases, the merchants the platform should not be onboarding in the first place.
Key Takeaways
- Merchant fraud in India includes fake listings, triangulation schemes, account takeover, and counterfeit goods β each with a different detection signature.
- The onboarding window is the highest-leverage fraud prevention point; effective verification covers business identity, director history, bank account ownership, and commercial signals.
- RBI Payment Aggregator guidelines mandate merchant due diligence including background checks, business legitimacy verification, and ongoing monitoring β non-compliance has resulted in PA licence actions.
- Post-onboarding monitoring must track chargeback rate, fulfilment rate, payout change requests, and device anomalies β onboarding checks alone are insufficient.
- A risk-tiered onboarding process β routing high-risk merchants to enhanced due diligence β prevents fraud entry while maintaining low friction for verified, low-risk merchants.
Frequently Asked Questions
Q: What is the most common type of merchant fraud in India?
Fake listings fraud β creating a seller account, taking orders, and not fulfilling them β is the highest-volume fraud type on Indian marketplace platforms. Triangulation fraud (using stolen cards to fulfil legitimate orders) generates the largest per-incident losses. Account takeover, while less frequent, results in settlement fund diversion that can be difficult to reverse.
Q: What does RBI require for merchant verification by payment aggregators?
RBI guidelines require Payment Aggregators to conduct background checks, verify business legitimacy, check for adverse information, confirm registered address, identify beneficial owners, and verify payout bank account ownership. Enhanced due diligence is required for higher-risk merchant categories. Ongoing monitoring throughout the merchant relationship is also mandated.
Q: How do you verify a merchant business in India?
Comprehensive merchant verification in India covers: GSTIN lookup (active status, return filing history), CIN or UDYAM verification for incorporated entities, director disqualification and DIN status checks, CIBIL commercial credit data, adverse media and court record checks, and bank account ownership verification through penny drop or account validation API.
Conclusion
Merchant fraud is a scale problem. A single fraudulent merchant can generate dozens of chargebacks before manual review flags the pattern. The platforms that have reduced merchant fraud losses most significantly are those that treat it as a data problem β applying structured verification at onboarding, continuous monitoring post-activation, and automated escalation when risk signals emerge. The investment in these controls is substantially smaller than the cost of the fraud they prevent.
