Case study: how Stitch detected a complex fraud scam impacting customers across industries
Learn how Stitch identified and disrupted a repeatable vishing-driven fraud typology that resurfaced across two unrelated merchants in different industries. By recognising behavioural patterns early and applying layered, embedded fraud controls, Stitch blocked over 350 fraudulent attempts and prevented more than R360,000 in potential losses.

Fraud rarely stays confined to a single merchant or industry. As fraud tactics evolve, the same patterns can surface in very different environments. Over the past few months, the fraud team at Stitch observed this firsthand through a repeatable vishing-driven pattern that emerged across two unrelated merchants operating in completely different industries.
What is a vishing / social engineering scam?
Vishing scams: a vishing scam is fraud in which criminals use phone calls to impersonate trusted organisations or people in order to trick victims into revealing sensitive information or transferring money.
Social engineering scams: social engineering is a fraud technique where attackers manipulate people into divulging sensitive information or performing actions instructed by fraudsters by exploiting trust, fear, or urgency.
From a merchant perspective, these scams are particularly challenging because transactions are often customer-authorised, meaning traditional indicators of account compromise may not be present.
A case study: how the Stitch embedded fraud platform prevented losses for merchants across industries
Towards the end of last year, the fraud team identified an increase in fraud disputes linked to a highly specific transaction profile within one merchant environment. Across this activity, the overwhelming majority of disputed transactions, approximately 99%, were for a fixed amount. Customers reported near-identical circumstances in which they were contacted via vishing scams and socially engineered into authorising payments under false pretences. Although the affected customers varied, disputes showed a consistent concentration among clients of a single major retail bank, pointing to targeted and deliberate activity rather than opportunistic fraud.
In response, a targeted control was introduced within the Stitch internal fraud engine to detect and mitigate this specific typology within the affected merchant environment. The results were both immediate and sustained. From late November to date, more than 200 attempted fraudulent transactions have been blocked, preventing approximately R208,000 in potential losses on that merchant’s platform. These attempts involved multiple unique payers, identity numbers, cards, and devices, reinforcing that the activity was coordinated and systematic.
Once these attributes were identified through transactions that triggered the fraud controls, they were proactively blocked to prevent further abuse. This ensured that subsequent attempts using the same identifiers were stopped early, reducing the risk of repeat losses for the affected merchant. The learnings from this activity were also retained at a platform level, strengthening our ability to recognise similar patterns elsewhere. Following implementation, no further disputes matching this pattern were observed for this merchant, confirming that the control effectively disrupted the fraud before it could scale further.
The scammers resurface
Several weeks later, in mid-January 2026, similar fraud markers surfaced again, this time within a completely different merchant environment, operating in a separate industry with a distinct customer use case and transaction behaviour. Despite these differences, the characteristics were unmistakable. The same social-engineering method was used, the same fixed transaction amount appeared, and customer impact again showed a disproportionate concentration among clients of the same major retail bank. Rather than a new threat, this reflected the reuse of a proven fraud tactic in a new context.
Because the typology had already been identified in an unrelated environment, the response time in this second case was significantly shorter. Existing fraud controls were rapidly applied, and within the first week alone, more than 150 attempted fraudulent transactions were blocked, preventing approximately R155,000 in potential losses. These attempts spanned dozens of unique customers, cards, and devices, confirming that the activity was actively scaling at the point of intervention. As before, mitigation was achieved through a layered combination of velocity controls, account-sharing detection, and device-level behavioural monitoring. Following implementation, dispute volumes reduced significantly.
Taken together, these interventions resulted in more than 350 attempted fraudulent transactions being blocked across two merchant environments, preventing over R360,000 in potential losses. While the fraud typology was reused across industries, our ability to recognise it quickly and act decisively limited its overall impact and prevented broader platform-wide exposure.
This case reinforces a key reality of today’s fraud landscape: effective fraud tactics are often reused across sectors, but early identification and consistent application of controls can materially reduce risk.
Recognising patterns early and applying mitigations swiftly limits customer harm and prevents scams from escalating into larger, coordinated schemes, even as fraudsters move from one industry to the next.
What merchants should look out for to protect themselves from vishing scams
Across the activity observed, several behavioural indicators consistently appeared:
- Transactions following unsolicited or unexpected customer contact
- Urgency-driven payment behaviour, often involving fixed transaction amounts
- Customers being instructed to authorise payments while still on a call
- Repeated use of the same transaction values, devices, or customer attributes across multiple attempts
While no single signal is definitive on its own, these indicators become meaningful when observed in combination.
Considerations for merchants:
Merchants operating in customer-authorised payment environments should be aware that vishing-driven fraud often occurs outside of the merchant’s direct interaction with the customer, making it harder to detect through traditional user-journey checks alone. Effective mitigation relies on:
- Monitoring for behavioural patterns rather than single events
- Identifying repeatable attributes such as transaction amounts, payer behaviour, or device reuse
- Acting early when consistent signals emerge, before disputes begin to surface
Importantly, addressing social-engineering fraud is less about preventing individual incidents and more about recognising typologies that can be reused across customers, merchants, and industries.
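One way to evaluate the indicators above in combination over a window of payment attempts, as an added example (not Stitch's fraud engine or code from the original page). The field names, thresholds and sample transactions are constructed assumptions.

```python
from collections import Counter, defaultdict

# Thresholds, field names and sample data are constructed assumptions.
MIN_ATTEMPTS = 5      # ignore windows too small to show a pattern
AMOUNT_SHARE = 0.6    # share of attempts at one exact amount
ISSUER_SHARE = 0.7    # share of that cluster from one issuing bank

def typology_signals(txns):
    """Score one time window of payment attempts for the combined pattern."""
    result = {"flag": False, "signals": [], "shared_devices": []}
    if len(txns) < MIN_ATTEMPTS:
        return result
    amount, n_amount = Counter(t["amount"] for t in txns).most_common(1)[0]
    if n_amount / len(txns) < AMOUNT_SHARE:
        return result  # no dominant fixed amount, nothing to corroborate
    result["signals"].append("fixed_amount")
    cluster = [t for t in txns if t["amount"] == amount]

    # Corroborating signal 1: cluster concentrated on one issuing bank.
    _, n_issuer = Counter(t["issuer"] for t in cluster).most_common(1)[0]
    if n_issuer / len(cluster) >= ISSUER_SHARE:
        result["signals"].append("issuer_concentration")

    # Corroborating signal 2: one device used by several distinct payers.
    payers = defaultdict(set)
    for t in cluster:
        payers[t["device"]].add(t["payer"])
    result["shared_devices"] = sorted(d for d, p in payers.items() if len(p) > 1)
    if result["shared_devices"]:
        result["signals"].append("device_shared_across_payers")

    # A fixed amount alone is not enough; require at least one corroborator.
    result["flag"] = len(result["signals"]) >= 2
    return result

def _t(payer, amount_cents, issuer, device):
    return {"payer": payer, "amount": amount_cents, "issuer": issuer, "device": device}

SUSPICIOUS = [_t("p1", 99900, "BANK_A", "d1"), _t("p2", 99900, "BANK_A", "d1"),
              _t("p3", 99900, "BANK_A", "d2"), _t("p4", 99900, "BANK_A", "d3"),
              _t("p5", 99900, "BANK_A", "d4"), _t("p6", 99900, "BANK_B", "d5"),
              _t("p7", 25000, "BANK_C", "d6")]
# Same price for everyone (e.g. a subscription) but no other indicator.
FIXED_PRICE_ONLY = [_t(f"q{i}", 19900, f"BANK_{i}", f"e{i}") for i in range(6)]

if __name__ == "__main__":
    print(typology_signals(SUSPICIOUS))
    print(typology_signals(FIXED_PRICE_ONLY))
```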