Chapa Docs

Fraud Prevention

Best practices for stopping fraudulent activity before it impacts your business.

Fraud prevention is about stopping fraudulent activity before it turns into disputes, losses, or account restrictions.

Chapa provides built-in protections (Radar, monitoring, compliance checks), but merchants play a critical role in preventing fraud at the application level.

A layered approach — technical, operational, and behavioral — is the most effective.

Common Types of Fraud

Payment Fraud

  • Stolen cards or wallets
  • Unauthorized mobile money usage
  • Account takeovers

Refund & Chargeback Abuse

  • Repeated refund requests
  • "Friendly fraud" (customer denies legitimate charge)

Payout Fraud

  • Fake beneficiaries
  • Compromised payout destinations
  • Sudden changes in bank details

Platform Abuse

  • Bot-driven transactions
  • Velocity attacks
  • Testing stolen credentials

Built-In Chapa Protections

Chapa automatically provides:

  • Radar risk scoring
  • Velocity and amount limits
  • Compliance and AML checks
  • Blocked and challenged transactions
  • Webhook-based real-time signals

These protections operate silently and cannot be bypassed.

What Merchants Should Do (Best Practices)

1. Always Verify Payments

Never trust frontend success messages. Always verify via:

GET /v2/payments/{reference}/verify

Use webhooks as the final authority.

2. Enforce Idempotency

Fraud often exploits retry loops.

  • Use Idempotency-Key for all write operations
  • Reject duplicate merchant_reference values
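The following is an added illustration, not Chapa's own code: a merchant-side guard that derives a stable Idempotency-Key from the logical request (operation, merchant_reference, canonical payload) so a retried request reuses the same key, and that rejects a second merchant_reference whose payload differs. The key derivation and the in-memory store are assumptions; in production back the store with a table that has a UNIQUE constraint on merchant_reference.

```python
# Added example (not Chapa's own code): idempotency on the merchant side.
# Assumptions: keys are derived as shown below; the store is an in-memory
# dict standing in for a database table with a UNIQUE merchant_reference.
import hashlib
import json
import uuid


def idempotency_key_for(merchant_reference: str, operation: str, payload: dict) -> str:
    """Derive the key from what the request *is*, not from when it runs.

    A retry of the same logical operation (same reference, same payload)
    therefore sends the same Idempotency-Key header, and the provider can
    return the original result instead of creating a second transaction.
    """
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(
        f"{operation}:{merchant_reference}:{canonical}".encode("utf-8")
    ).hexdigest()
    # Truncate the digest into UUID form: fixed length, easy to log and index.
    return str(uuid.UUID(digest[:32]))


class WriteGuard:
    """Tracks merchant_reference values already submitted for a write call."""

    def __init__(self):
        # merchant_reference -> idempotency key of the first submission
        self._seen = {}

    def prepare(self, merchant_reference: str, operation: str, payload: dict):
        """Return (headers, is_new) for the outgoing write request.

        - first submission: stores the key and returns is_new=True
        - identical retry:  returns the same key and is_new=False
        - same merchant_reference, different payload: raises ValueError,
          because a retry loop (or an attacker replaying a reference with a
          new amount) must not create a second, different transaction
        """
        key = idempotency_key_for(merchant_reference, operation, payload)
        previous = self._seen.get(merchant_reference)
        if previous is None:
            self._seen[merchant_reference] = key
            return {"Idempotency-Key": key}, True
        if previous == key:
            return {"Idempotency-Key": key}, False
        raise ValueError(
            f"duplicate merchant_reference {merchant_reference!r} with a different payload"
        )
```

Reusing the same key on a genuine retry is what makes the retry safe; generating a fresh random key per attempt would defeat the purpose.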

3. Limit Transaction Velocity

Apply application-level rules such as:

  • Maximum attempts per user, IP, or device
  • Cool-down periods between failed attempts
  • Daily transaction caps for new users
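An added example of the three rules above in one application-level limiter; this is illustrative code, not part of Chapa's SDK. Thresholds, the "new user" age, and the in-memory sliding windows are assumptions; a deployment would keep the counters in a shared store such as Redis.

```python
# Added example (not Chapa's own code): application-level velocity rules.
# All thresholds are assumed defaults; tune them for your business.
import time
from collections import defaultdict, deque


class VelocityLimiter:
    def __init__(self, max_attempts=5, window_s=600, fail_streak=3,
                 cooldown_s=300, new_user_daily_cap=3, new_user_age_s=7 * 86400):
        self.max_attempts = max_attempts          # per user, IP or device in window_s
        self.window_s = window_s
        self.fail_streak = fail_streak            # failures that trigger a cool-down
        self.cooldown_s = cooldown_s
        self.new_user_daily_cap = new_user_daily_cap
        self.new_user_age_s = new_user_age_s      # younger accounts get the daily cap
        self._attempts = defaultdict(deque)       # (dimension, value) -> attempt times
        self._fail_state = {}                     # user -> (streak, last failure time)
        self._successes = defaultdict(deque)      # user -> successful transaction times

    @staticmethod
    def _prune(dq, cutoff):
        while dq and dq[0] < cutoff:
            dq.popleft()

    def check(self, user_id, ip, device_id, account_age_s, now=None):
        """Return (allowed, reason). Call before creating a transaction."""
        now = time.time() if now is None else now
        # Rule 1: maximum attempts per user, IP, or device in the window.
        for dim, value in (("user", user_id), ("ip", ip), ("device", device_id)):
            dq = self._attempts[(dim, value)]
            self._prune(dq, now - self.window_s)
            if len(dq) >= self.max_attempts:
                return False, f"too_many_attempts:{dim}"
        # Rule 2: cool-down after a streak of failed attempts.
        streak, last_fail = self._fail_state.get(user_id, (0, 0.0))
        if streak >= self.fail_streak and now - last_fail < self.cooldown_s:
            return False, "cooldown"
        # Rule 3: daily cap on successful transactions for new users.
        if account_age_s < self.new_user_age_s:
            dq = self._successes[user_id]
            self._prune(dq, now - 86400)
            if len(dq) >= self.new_user_daily_cap:
                return False, "new_user_daily_cap"
        return True, None

    def record(self, user_id, ip, device_id, success, now=None):
        """Record the outcome of an attempt after the verified result is known."""
        now = time.time() if now is None else now
        for dim, value in (("user", user_id), ("ip", ip), ("device", device_id)):
            self._attempts[(dim, value)].append(now)
        if success:
            self._fail_state[user_id] = (0, 0.0)
            self._successes[user_id].append(now)
        else:
            streak, _ = self._fail_state.get(user_id, (0, 0.0))
            self._fail_state[user_id] = (streak + 1, now)
```

Counting per IP and per device as well as per user is what catches credential testing spread across many throwaway accounts from one source.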

4. Validate Customer Data

  • Enforce correct phone number formats
  • Validate email addresses
  • Avoid anonymous high-value transactions
  • Require authentication for wallet actions

5. Monitor Payout Changes

For payouts:

  • Lock bank details after verification
  • Require manual review for:
    • First-time payouts
    • Large amount changes
    • New beneficiaries
  • Delay payouts for suspicious accounts
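The payout rules above as an added example (illustrative code, not Chapa's API): bank details are locked once verified, the three manual-review triggers are evaluated per payout, and flagged accounts have their payouts delayed. The profile fields, the 2x "large change" ratio, and the decision labels are assumptions.

```python
# Added example (not Chapa's own code): payout change monitoring.
# The profile layout and the LARGE_CHANGE_RATIO threshold are assumptions.
from dataclasses import dataclass, field
from decimal import Decimal

LARGE_CHANGE_RATIO = Decimal("2")   # amount more than 2x the last payout -> review


@dataclass
class PayoutProfile:
    bank_account: str = ""
    bank_details_verified: bool = False
    bank_details_locked: bool = False
    known_beneficiaries: set = field(default_factory=set)
    payout_count: int = 0
    last_amount: Decimal = None      # None until the first payout is released
    suspicious: bool = False         # set by your monitoring or a Chapa signal


def update_bank_details(profile: PayoutProfile, new_account: str) -> None:
    """Changing bank details is refused once they are locked; a change then
    requires an explicit, audited unlock by a reviewer, never self-service."""
    if profile.bank_details_locked:
        raise PermissionError("bank details are locked after verification")
    profile.bank_account = new_account
    profile.bank_details_verified = False


def lock_after_verification(profile: PayoutProfile) -> None:
    profile.bank_details_verified = True
    profile.bank_details_locked = True


def evaluate_payout(profile: PayoutProfile, beneficiary: str, amount):
    """Return (decision, reasons): 'release', 'review' or 'delay'."""
    amount = Decimal(str(amount))
    if profile.suspicious:
        return "delay", ["account flagged suspicious"]
    reasons = []
    if not profile.bank_details_verified:
        reasons.append("bank details not verified")
    if profile.payout_count == 0:
        reasons.append("first-time payout")
    if beneficiary not in profile.known_beneficiaries:
        reasons.append("new beneficiary")
    if profile.last_amount is not None and amount > profile.last_amount * LARGE_CHANGE_RATIO:
        reasons.append("large amount change")
    return ("review" if reasons else "release"), reasons


def record_payout(profile: PayoutProfile, beneficiary: str, amount) -> None:
    """Call only after a payout has actually been released."""
    profile.payout_count += 1
    profile.known_beneficiaries.add(beneficiary)
    profile.last_amount = Decimal(str(amount))
```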

6. Use Clear Status Handling

Treat these statuses as final unless updated by webhook:

  • blocked
  • failed
  • cancelled
  • incomplete

Do not auto-retry blocked transactions.
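Steps 1 and 6 together, as an added example that is not Chapa's own code: the merchant verifies a payment server-side, compares the verified reference, amount and currency against the order it stored, and treats the four statuses above as final with no automatic retry. The verify response shape used here ({"data": {"status", "reference", "amount", "currency"}}) is an assumption; map the field names to the real API response.

```python
# Added example (not Chapa's own code): server-side verification plus
# final-status handling. Response field names are assumptions.
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Statuses the page says to treat as final unless a webhook updates them.
FINAL_STATUSES = frozenset({"blocked", "failed", "cancelled", "incomplete"})


@dataclass(frozen=True)
class Order:
    reference: str     # the reference passed to GET /v2/payments/{reference}/verify
    amount: str        # expected amount as stored server-side, e.g. "100.00"
    currency: str


def decide_fulfillment(order: Order, verify_response: dict) -> str:
    """Classify a verify response for one order.

    'fulfil'   - status is success AND reference, amount and currency match
    'mismatch' - status is success but it is not this order's money
                 (different reference, amount or currency); hold for review
    'final'    - a final non-success status; record it, never auto-retry
    'wait'     - anything else (e.g. pending); wait for the webhook
    """
    data = verify_response.get("data") or {}
    status = str(data.get("status", "")).lower()

    if status == "success":
        # A frontend "success" message proves nothing; compare every field
        # that money depends on against what the server recorded.
        try:
            paid = Decimal(str(data.get("amount", "0")))
            expected = Decimal(order.amount)
        except InvalidOperation:
            return "mismatch"
        same_ref = data.get("reference") == order.reference
        same_currency = str(data.get("currency", "")).upper() == order.currency.upper()
        return "fulfil" if (same_ref and paid == expected and same_currency) else "mismatch"

    if status in FINAL_STATUSES:
        return "final"

    return "wait"


def may_retry(status: str) -> bool:
    """Only a non-final, non-success status may be re-attempted by the client;
    'blocked' in particular must never be retried automatically."""
    s = status.lower()
    return s != "success" and s not in FINAL_STATUSES
```

Fulfil on 'fulfil' only; a webhook that later reports a different status for the same reference overrides whatever the verify call returned.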

7. Log for Audit (But Safely)

Log:

  • Timestamps
  • References
  • Status changes
  • Error codes

Do not log:

  • PINs
  • OTPs
  • Full card numbers
  • API keys
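An added example of an audit logger that records what the lists above ask for and scrubs what they forbid; it is illustrative code, not Chapa's. The set of sensitive keys, the Luhn check used to recognise card numbers in free text, and the "Bearer" token pattern are assumptions.

```python
# Added example (not Chapa's own code): audit logging with redaction.
# SENSITIVE_KEYS, the PAN heuristic and the Bearer pattern are assumptions.
import json
import logging
import re
from datetime import datetime, timezone

# Keys whose values never reach a log, whatever they contain.
SENSITIVE_KEYS = {"pin", "otp", "card_number", "pan", "cvv", "api_key",
                  "secret_key", "authorization", "password"}
DIGIT_RUN = re.compile(r"\b\d{13,19}\b")
BEARER = re.compile(r"(?i)bearer\s+\S+")

logger = logging.getLogger("audit")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
        double = not double
    return total % 10 == 0


def _scrub_text(text: str) -> str:
    """Mask card-like digit runs (keeping the last 4) and bearer tokens that
    leaked into free-text fields such as error messages."""
    def mask(m):
        s = m.group(0)
        return "*" * (len(s) - 4) + s[-4:] if luhn_ok(s) else s
    return BEARER.sub("Bearer [REDACTED]", DIGIT_RUN.sub(mask, text))


def redact(value):
    """Recursively scrub dicts, lists and strings before they are logged."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return _scrub_text(value)
    return value


def audit_event(event: str, reference: str, status: str, error_code=None, details=None):
    """Log timestamp, reference, status and error code; scrub everything else."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "reference": reference,
        "status": status,
        "error_code": error_code,
        "details": redact(details or {}),
    }
    logger.info(json.dumps(record, sort_keys=True))
    return record
```

Redacting by key catches the fields you know about; the text scrub catches the ones that arrive inside a message string you did not expect.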

8. Handle Refunds Carefully

  • Allow refunds only after success
  • Cap refund frequency per customer
  • Track partial refunds carefully
  • Monitor "refund-first" user behavior
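The refund rules above as an added example (illustrative code, not Chapa's): a refund is allowed only against a payment whose verified status is success, partial refunds are tracked so their total never exceeds the paid amount, refund frequency is capped per customer, and "refund-first" behaviour on a brand-new customer is routed to review. The thresholds and the in-memory history are assumptions.

```python
# Added example (not Chapa's own code): refund policy checks.
# Thresholds are assumed defaults; timestamps are plain epoch seconds.
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Payment:
    reference: str
    customer_id: str
    status: str                        # from verify/webhook, never the frontend
    amount: Decimal
    paid_at: int                       # epoch seconds
    refunded: Decimal = Decimal("0")   # running total of partial refunds


def make_payment(reference, customer_id, status, amount, paid_at):
    return Payment(reference, customer_id, status, Decimal(str(amount)), paid_at)


class RefundPolicy:
    def __init__(self, max_refunds_per_window=2, window_s=30 * 86400,
                 refund_first_within_s=86400):
        self.max_refunds = max_refunds_per_window
        self.window_s = window_s
        self.refund_first_within_s = refund_first_within_s
        self._refunds = defaultdict(list)   # customer -> refund timestamps
        self._paid = defaultdict(int)       # customer -> successful payments seen

    def note_success(self, payment: Payment) -> None:
        self._paid[payment.customer_id] += 1

    def evaluate(self, payment: Payment, amount, now: int):
        """Return (decision, reason): 'approve', 'review' or 'deny'."""
        amount = Decimal(str(amount))
        if payment.status != "success":
            return "deny", "refunds only after a verified success"
        if amount <= 0 or payment.refunded + amount > payment.amount:
            return "deny", "exceeds refundable balance"
        recent = [t for t in self._refunds[payment.customer_id] if now - t < self.window_s]
        if len(recent) >= self.max_refunds:
            return "deny", "refund frequency cap reached"
        # Refund-first: a customer whose first (and only) payment is refunded
        # within a day is a pattern worth a human look, not an automatic yes.
        if self._paid[payment.customer_id] <= 1 and now - payment.paid_at < self.refund_first_within_s:
            return "review", "refund-first behaviour on a new customer"
        return "approve", "within policy"

    def record(self, payment: Payment, amount, now: int) -> None:
        """Call only after the refund has actually been issued."""
        payment.refunded += Decimal(str(amount))
        self._refunds[payment.customer_id].append(now)
```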

Red Flags to Watch For

| Warning sign                                   | Description                  |
|------------------------------------------------|------------------------------|
| Many failed attempts followed by success       | Possible credential testing  |
| Same phone or email across multiple accounts   | Account farming              |
| Sudden spikes in transaction amounts           | Unusual activity             |
| Frequent payout destination changes            | Possible account compromise  |
| High refunds with low support interaction      | Potential abuse              |
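Four of the red flags above, implemented as detectors over a constructed event stream. This is an added example, not Chapa's code: the event shape, the sample data, and every threshold are assumptions chosen so that each detector fires on exactly one of the sample accounts.

```python
# Added example (not Chapa's own code): red-flag detection over transaction
# events. The event layout, sample data and thresholds are all constructed.
from collections import defaultdict
from statistics import median


def _ev(ts, account, kind, **fields):
    return {"ts": ts, "account": account, "type": kind, **fields}


# Constructed sample events (not real data), oldest first.
EVENTS = [
    # a1: five failed attempts from one IP, then a success
    *[_ev(t, "a1", "payment", ip="10.0.0.5", phone="+251900000001",
          email="a1@example.com", amount=50, status="failed") for t in range(1, 6)],
    _ev(6, "a1", "payment", ip="10.0.0.5", phone="+251900000001",
        email="a1@example.com", amount=50, status="success"),
    # a2: a second account registered with a1's phone number
    _ev(7, "a2", "payment", ip="10.0.0.9", phone="+251900000001",
        email="a2@example.com", amount=20, status="success"),
    # a3: small steady purchases, then one far larger
    *[_ev(t, "a3", "payment", ip="10.0.1.1", phone="+251911111111",
          email="a3@example.com", amount=a, status="success")
      for t, a in ((8, 20), (9, 25), (10, 22), (11, 900))],
    # a4: payout destination changed three times in a short span
    *[_ev(t, "a4", "payout_update", destination=d)
      for t, d in ((12, "bank-A"), (13, "bank-B"), (14, "bank-C"), (15, "bank-D"))],
]


def credential_testing(events, min_failures=4):
    """IPs where a run of failed payments is followed by a success."""
    streak, flagged = defaultdict(int), set()
    for e in events:
        if e["type"] != "payment":
            continue
        if e["status"] == "failed":
            streak[e["ip"]] += 1
        elif e["status"] == "success":
            if streak[e["ip"]] >= min_failures:
                flagged.add(e["ip"])
            streak[e["ip"]] = 0
    return flagged


def shared_identity(events):
    """Phone numbers or emails used by more than one account."""
    owners = defaultdict(set)
    for e in events:
        for key in ("phone", "email"):
            if e.get(key):
                owners[e[key]].add(e["account"])
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def amount_spikes(events, factor=5, min_history=3):
    """Successful payments far above the account's median so far."""
    history, flagged = defaultdict(list), []
    for e in events:
        if e["type"] != "payment" or e["status"] != "success":
            continue
        prev = history[e["account"]]
        if len(prev) >= min_history and e["amount"] > factor * median(prev):
            flagged.append((e["account"], e["amount"]))
        prev.append(e["amount"])
    return flagged


def payout_destination_churn(events, max_changes=2):
    """Accounts that changed their payout destination more than max_changes times."""
    dests = defaultdict(list)
    for e in events:
        if e["type"] == "payout_update":
            seen = dests[e["account"]]
            if not seen or seen[-1] != e["destination"]:
                seen.append(e["destination"])
    return {acc: len(d) - 1 for acc, d in dests.items() if len(d) - 1 > max_changes}


def run_red_flags(events=EVENTS):
    return {
        "credential_testing_ips": credential_testing(events),
        "shared_identity": shared_identity(events),
        "amount_spikes": amount_spikes(events),
        "payout_churn": payout_destination_churn(events),
    }
```

Each detector is a batch pass over ordered events; the same logic runs incrementally if you keep the per-key state between webhook deliveries.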

Incident Response

If you suspect fraud:

  1. Stop further transactions
  2. Review logs and webhook history
  3. Verify affected payments or payouts
  4. Contact Chapa support with references
  5. Communicate transparently with users

Key Takeaways

| Point                    | Description                                        |
|--------------------------|----------------------------------------------------|
| Continuous effort        | Fraud prevention is ongoing, not one-time          |
| Layered approach         | Combine Chapa tools with your own logic            |
| Verification is critical | Webhooks and verification endpoints are essential  |
| Proactive controls       | Reduce disputes and losses before they happen      |
