In the spring of 2020, COVID-19 transformed fear into a marketplace. Search results and social posts pointed people to offers of at-home tests, vaccines or even cures — none of which existed. The online storefronts looked credible, including the checkout button ready to make payment.

Unlike the tests, vaccines and “cures,” that button actually worked – because it was a scam.

The pandemic-era surge in digital commerce and the growth of digital payments helped millions of legitimate businesses move online fast and gave people a convenient, safe way to shop from home. But the same tools that help a real merchant launch quickly — out-of-the-box templates, targeted ads, easy payment acceptance — also made it simpler for criminals to set up fake storefronts. And in the years since, technology like generative AI has made it even harder for consumers to detect them, thanks to deepfake videos from non-existent satisfied customers, rafts of glowing testimonials generated from a single prompt and professional-grade websites and ads.  

These scam merchants lure shoppers with hard-to-find items or unbelievably low prices, then take the money — sometimes shipping a low-grade counterfeit, often nothing at all — and disappear. This is a fake business problem, but it can turn into a stolen card problem. Some of these storefronts also serve as phishing expeditions, with scammers harvesting card information to make fraudulent purchases of their own or reselling the card details on the dark web. Consumers lost $442 billion worldwide to online scams, according to the Global Anti-Scam Alliance’s “Global State of Scams 2025” report.

“Digital commerce only works when people trust what’s on the other side of the screen,” says Ann Johnson, executive vice president of Security Solutions at Mastercard. “If we let scammers keep posing as legitimate businesses, we don’t just lose money — we lose confidence. We need to secure this trust for the good of the entire digital ecosystem: from consumers to banks and the honest merchants who are trying to grow.”

The challenge of AI-driven cyberattacks isn’t only the scale, but the speed at which scam merchants set up shop, with traditional warning signals arriving too late and the sheer volume of newly created businesses overwhelming early checks.

That’s the thinking behind Mastercard Merchant Trust Services, a new strategy for harnessing the company’s network-wide intelligence, advanced cyber and identity capabilities and real-time analytics to provide intelligence to distinguish legitimate merchants from risky ones, both online and in store.  

Merchant Trust Services, announced ahead of Mastercard’s cybersecurity conference RiskX in Singapore, Mastercard’s cybersecurity, risk and innovation leadership forum, helps acquirers — the banks that service merchants — and payment service providers root out scam merchants during the time-consuming and expensive process of onboarding merchants, stopping them from opening their digital doors, or in the early stages of their “business.”

The fallout from scam merchants also impacts issuers, the cardholders’ banks, which carry the burden of consumer complaints, the dispute resolution process and the cost of replacing compromised cards. Mastercard is also launching Merchant Scam & Risk Indicator (MSRI), which provides issuers with merchant risk signals during authorization, proactively enabling fraud mitigation.

In a pilot with a leading issuer, MSRI detected approximately 80% of the issuer-identified risky merchants, with many flagged as early as 90 days prior to the issuer’s initial escalation. MSRI will be available first in Europe and the United States, with plans to expand globally within the year.

“Every bad experience online makes shoppers second-guess legitimate businesses — and that makes it harder for real merchants to win and keep customers,” says Simon Collins, Mastercard’s chief franchise officer. “When confidence cracks, businesses pay for it in more declines, more disputes and more abandoned carts.”

Mastercard is revising its franchise standards to drive greater consistency in fraud mitigation efforts. For example, starting in July, Mastercard is compressing the window between suspicious signals and enforcement by requiring acquirers and payment facilitators to actively monitor merchant behavior and to initiate an investigation within 72 hours when potential scam activity hits a certain risk threshold.

If the activity is confirmed, the merchant must be stopped from accepting Mastercard transactions. This shift toward faster detection is exactly what Merchant Trust Services intends to support: combining signals that are often scattered across systems into merchant-level insights that can be used from onboarding through ongoing monitoring and, for issuers, at the point of transaction.

A merchant’s dynamic 360-degree trust profile, informed by behavior both on and off the network, will enable insights such as anomalies in transaction behavior compared to other merchants as well as external digital signals such as changes in business data, goods and services sold, and negative social content.

“If we want everyone to benefit from the digital economy — from a small business starting out to a family shopping online — then trust has to be built in, not bolted on after something goes wrong,” Johnson says. “The price of convenience should never be fear.”