Why Merchant Clusters Are a Threat to Your Merchant Portfolio

three hooded figures

LegitScript increasingly encounters groups of related merchants whose websites are nearly exact duplicates of each other. We refer to these merchant groups as clusters, and they pose a variety of threats to merchant portfolios. Keep reading to understand what they are, why they appear, and how you can spot them.

What are merchant clusters?

Cluster merchants will typically share similar merchant application details or characteristics that, under scrutiny, appear to be falsified or randomly generated. These shared details or characteristics may indicate that these accounts are controlled by a single entity. Oftentimes, merchants in a cluster appear innocuous at first glance; however, LegitScript analysts who investigate merchant clusters by identifying patterns or similarities across merchant application data, website templates, metadata, registrar information, and product offerings, often find them engaged in fraud, transaction laundering, or other problematic behavior.

Why watch out for merchant clusters?

Identifying clusters is increasingly important as merchants engaged in problematic activity often create accounts en masse as a way of load balancing. Clusters of merchant accounts can be highly profitable for fraudsters, who can use them for transaction laundering, card testing, card cashing, and other forms of fraud.

Merchant Clusters and Synthetic Identity Fraud

Merchant clusters often engage in synthetic identity fraud — a combination of genuine and fabricated details to make account applications appear genuine. Synthetic identity fraud differs from traditional identity fraud in a few key ways. With traditional identity fraud, a criminal pretends to be another person — using all of the victim’s stolen information — to gain access to his or her credit. With synthetic identity fraud, a criminal uses a blend of real and falsified information to establish a credit record under a new synthetic identity. Read more about this tactic in our Synthetic Identity Fraud Guide.


two laptops showing a car website

An example of two websites that were part of the same merchant cluster

Merchant Cluster Case Study

The two websites featured above appear nearly identical, save for a slight variation in their names (Car Kalama and Car Kalema, respectively). Because of their striking similarities, LegitScript analysts researched these websites and discovered that they had similar authoritative domains, merchant names, website titles, and merchant email addresses. Analysts also identified additional websites that appeared to be part of the same cluster. Further analysis suggested that the accounts were being used for transaction laundering.

Want to learn about other high-risk trends?

The payments risk and compliance space is dynamic — it must constantly adapt to advancing technologies, changing regulations, criminal innovation, and new products. Navigating this ever-shifting landscape can be both difficult and time- consuming. In our fully updated guide, LegitScript shares new high-risk trends in card-not-present transactions that all payment service providers should avoid. Click the image below to get yours.

cover of high-risk trends guide