Wave Business fraud detection: a merchant-side blind spot in 2026
Wave Business is very clean on the payer KYC side (verified number, PIN, biometrics on the app). But on the merchant side, you remain exposed to 4 fraud vectors:
- Refund fraud: customer pays 80K FCFA, receives the product, disputes with Wave claiming error — partial refund granted
- Velocity fraud: a single payer (or a bot behind it) generates 50 checkouts in 2 minutes to saturate / test / launder
- Diverted card testing: using your Wave checkout as an oracle to validate mobile money numbers (uncommon, but it exists)
- Account takeover: compromised customer Wave account used to buy on your store — you ship, the real owner disputes
Across 8 Senegalese e-commerce SMBs audited in 2026, the average fraud rate was 0.18% of Wave revenue. Not catastrophic, but significant: on 200M FCFA/year, that is 360K FCFA/year lost. With a basic rules engine, you drop to 0.03-0.05%.
## Fraud detection stack — 2026 technical choices
| Solution | Use case | Monthly cost | Relevance for SN merchant |
|---|---|---|---|
| In-house rules (Next.js + Redis) | Volume < 50K transactions/month | 0 + dev | Ideal 0-2 years |
| Stripe Radar | If you mix Stripe + Wave | included in Stripe | Good (cross-channel) |
| Sift Science | Volume > 50K transactions/month | €850/month (entry) | Excellent but pricey |
| Castle.io | Account takeover focus | $290/month | Great for ATO |
| Seon | KYC + fraud combo | $599/month | Good, average ROI in Africa |
| ChargeHero / Justt | Chargeback management | % of recovered chargeback | Useful from chargebacks > 0.2% |
For 80% of SN e-commerce merchants under 100M FCFA/year, the in-house stack is enough. Beyond that, switch to Sift or Castle.
## Fraud detection rules — top 12 to implement
```typescript
// Fraud detection rules engine — TypeScript example
// Assumed to be provided by the application: `redis` (Redis client), `db` (Prisma client),
// `ipQualityScore()` and `isDisposableEmail()`.
type FraudSignal = {
  rule: string;
  weight: number; // 1-10
  matched: boolean;
};

// Fields read by the rules below
type CheckoutContext = {
  ip: string;
  deviceFingerprint: string;
  phone: string;
  phonePrefix: string;
  phoneRegion: string;
  shippingRegion: string;
  email: string;
  amount: number; // FCFA
};

type FraudVerdict = {
  verdict: 'approve' | 'review' | 'deny';
  score: number;
  signals: FraudSignal[];
};

async function evaluateCheckout(ctx: CheckoutContext): Promise<FraudVerdict> {
  const signals: FraudSignal[] = [];
  const now = Date.now();

  // The sorted sets are expected to be filled (score = timestamp) when each checkout is created.
  // Rule 1: velocity — > 5 checkouts in 1 min from same IP
  const recentByIp = await redis.zcount(`checkouts:ip:${ctx.ip}`, now - 60_000, now);
  signals.push({ rule: 'velocity_ip_1min', weight: 9, matched: recentByIp > 5 });

  // Rule 2: device velocity — > 3 checkouts in 1 min same device
  const recentByDevice = await redis.zcount(`checkouts:dev:${ctx.deviceFingerprint}`, now - 60_000, now);
  signals.push({ rule: 'velocity_device_1min', weight: 8, matched: recentByDevice > 3 });

  // Rule 3: datacenter / VPN IP
  const ipInfo = await ipQualityScore(ctx.ip);
  signals.push({ rule: 'ip_datacenter', weight: 6, matched: ipInfo.datacenter || ipInfo.vpn });

  // Rule 4: IP country different from Wave phone
  signals.push({ rule: 'ip_country_mismatch', weight: 4, matched: ipInfo.country !== 'SN' && ctx.phonePrefix === '+221' });

  // Rule 5: Wave number on blocklist
  const phoneBlocked = await db.fraudBlocklist.findFirst({ where: { phone: ctx.phone } });
  signals.push({ rule: 'phone_blocklist', weight: 10, matched: !!phoneBlocked });

  // Rule 6: suspicious amount (round + high first-time customer)
  const isFirstTime = !(await db.customer.findFirst({ where: { phone: ctx.phone } }));
  signals.push({
    rule: 'high_amount_first_time',
    weight: 7,
    matched: isFirstTime && ctx.amount > 500_000 && ctx.amount % 50_000 === 0,
  });

  // Rule 7: disposable email
  const emailTemp = isDisposableEmail(ctx.email);
  signals.push({ rule: 'disposable_email', weight: 5, matched: emailTemp });

  // Rule 8: shipping address + Wave number region mismatch
  signals.push({
    rule: 'shipping_phone_region_mismatch',
    weight: 4,
    matched: ctx.shippingRegion !== ctx.phoneRegion,
  });

  // Rules 9-12: custom business rules (suspicious cart, abused promo code, etc.)

  // Sum the weights of matched rules, then map the score to a verdict
  const totalScore = signals
    .filter((s) => s.matched)
    .reduce((sum, s) => sum + s.weight, 0);

  let verdict: 'approve' | 'review' | 'deny';
  if (totalScore >= 15) verdict = 'deny';
  else if (totalScore >= 8) verdict = 'review';
  else verdict = 'approve';

  return { verdict, score: totalScore, signals };
}
```
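Rules 1 and 2 above only read the per-IP and per-device counters with `zcount`; something has to write them. The following is an added example (not code from the original page) of that write side, using an in-memory stand-in for the Redis sorted sets; the class, function names and sample values are assumptions.

```typescript
// Added example: write side of the velocity rules, with an in-memory stand-in
// for the Redis sorted sets (ZADD / ZREMRANGEBYSCORE / ZCOUNT). Names are hypothetical.
type Attempt = { ip: string; deviceFingerprint: string; atMs: number };

const WINDOW_MS = 60_000;
const LIMITS = { ip: 5, dev: 3 }; // thresholds taken from rules 1 and 2

class SlidingWindow {
  private events = new Map<string, number[]>();

  // Record one attempt and return how many fall inside the window ending at nowMs.
  hit(key: string, nowMs: number): number {
    const cutoff = nowMs - WINDOW_MS;
    const kept = (this.events.get(key) ?? []).filter((t) => t >= cutoff);
    kept.push(nowMs);
    this.events.set(key, kept);
    return kept.length;
  }
}

// Every attempt is recorded before scoring, including ones that end up denied;
// otherwise a burst stops being counted the moment it starts being blocked.
function velocitySignals(win: SlidingWindow, a: Attempt): string[] {
  const byIp = win.hit(`checkouts:ip:${a.ip}`, a.atMs);
  const byDev = win.hit(`checkouts:dev:${a.deviceFingerprint}`, a.atMs);
  const matched: string[] = [];
  if (byIp > LIMITS.ip) matched.push('velocity_ip_1min');
  if (byDev > LIMITS.dev) matched.push('velocity_device_1min');
  return matched;
}

// Constructed sample: one IP (documentation range) that changes device fingerprint
// every second attempt, one attempt every 2 seconds.
function replaySample(): string[][] {
  const win = new SlidingWindow();
  const out: string[][] = [];
  for (let i = 0; i < 8; i++) {
    out.push(velocitySignals(win, {
      ip: '203.0.113.7',
      deviceFingerprint: `fp-${Math.floor(i / 2)}`,
      atMs: 1_000_000 + i * 2_000,
    }));
  }
  // Same IP again 80 s after the first attempt: the earlier entries have expired.
  out.push(velocitySignals(win, { ip: '203.0.113.7', deviceFingerprint: 'fp-0', atMs: 1_080_000 }));
  return out;
}
```

In the sample, rotating fingerprints keeps the device rule silent while the IP rule fires from the sixth attempt, which is why the page's engine scores both keys.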
## Device fingerprinting and IP intelligence
Without a device fingerprint, 60% of your velocity rules are blind. 2026 solutions:
- FingerprintJS Open Source (free, browser-based hash). 60-70% accurate. OK for starters.
- FingerprintJS Pro (€1,200/month for 100K identifications). 99.5% accurate. ROI from > 30M FCFA/month Wave revenue.
- IPQualityScore ($35/month entry): VPN, proxy, datacenter, bot detection.
- MaxMind GeoIP2 (free for country accuracy, paid for city accuracy).
## Wave Business chargeback management
Wave Business lets payers dispute a payment within 30 days via the app. On the merchant side, you receive a `dispute.created` webhook with a 7-day window to provide evidence.
Evidence accepted by Wave during a dispute:
- Signed delivery slip (photo)
- WhatsApp / email exchange with customer confirming receipt
- Courier tracking (TerraTech, NDIAGA, etc.)
- Screenshot of customer account on your platform with order history
Average recovery rate on Wave disputes (2026 data on 4 merchants): 65-78% if evidence provided within 5 days, 22-35% if provided between D+5 and D+7, 0% beyond.
Automating evidence collection from order creation is key.
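One way to structure that automation, as an added example that is not from the original page and not Wave's API: evidence is attached as the order moves through its lifecycle, and the dispute handler only reports what is available against the 5-day and 7-day marks described above. The order event shapes, reference strings and function names are assumptions, since the page does not document the webhook payloads.

```typescript
// Added example, not Wave's API: the order event shapes below are assumptions.
// Evidence kinds mirror the four types the page lists as accepted by Wave.
type EvidenceKind = 'delivery_slip' | 'customer_confirmation' | 'courier_tracking' | 'order_history';
const KINDS: EvidenceKind[] = ['delivery_slip', 'customer_confirmation', 'courier_tracking', 'order_history'];

type OrderEvent =
  | { kind: 'order_created'; snapshotRef: string }
  | { kind: 'courier_assigned'; trackingRef: string }
  | { kind: 'delivered'; slipPhotoRef: string }
  | { kind: 'customer_confirmed'; messageRef: string };

type Bundle = Partial<Record<EvidenceKind, string>>; // evidence kind -> stored file reference

// Called from the order pipeline, so evidence exists before any dispute does.
function collect(bundle: Bundle, ev: OrderEvent): Bundle {
  switch (ev.kind) {
    case 'order_created': return { ...bundle, order_history: ev.snapshotRef };
    case 'courier_assigned': return { ...bundle, courier_tracking: ev.trackingRef };
    case 'delivered': return { ...bundle, delivery_slip: ev.slipPhotoRef };
    case 'customer_confirmed': return { ...bundle, customer_confirmation: ev.messageRef };
  }
}

const DAY_MS = 86_400_000;

// Called when dispute.created arrives, then by a daily job until evidence is submitted.
function disputeStatus(disputeCreatedMs: number, nowMs: number, bundle: Bundle) {
  const age = nowMs - disputeCreatedMs;
  const phase = age <= 5 * DAY_MS ? 'within_5_days' : age <= 7 * DAY_MS ? 'day_5_to_7' : 'expired';
  return {
    phase,
    targetSubmitByMs: disputeCreatedMs + 5 * DAY_MS, // best recovery rate per the figures above
    hardDeadlineMs: disputeCreatedMs + 7 * DAY_MS,   // end of the evidence window
    available: KINDS.filter((k) => bundle[k] !== undefined),
    missing: KINDS.filter((k) => bundle[k] === undefined),
  };
}

// Constructed sample: order delivered with tracking, no written confirmation from the customer.
function sampleStatus(daysSinceDispute: number) {
  let b: Bundle = {};
  b = collect(b, { kind: 'order_created', snapshotRef: 'evidence/ORD-EXAMPLE/history.png' });
  b = collect(b, { kind: 'courier_assigned', trackingRef: 'evidence/ORD-EXAMPLE/tracking.json' });
  b = collect(b, { kind: 'delivered', slipPhotoRef: 'evidence/ORD-EXAMPLE/slip.jpg' });
  return disputeStatus(0, daysSinceDispute * DAY_MS, b);
}
```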
## Fraud detection engine investments
| Item | Upfront cost | Monthly recurring |
|---|---|---|
| In-house rules engine dev (Next.js + Redis + Prisma) | 1,800,000 to 3,800,000 FCFA | — |
| Redis hosting (Upstash) | — | 12,000 to 45,000 FCFA |
| FingerprintJS Pro (volume > 30M/month revenue) | 25,000 FCFA setup | 780,000 FCFA |
| IPQualityScore | — | 22,000 FCFA |
| Chargeback management + auto-evidence module | 1,200,000 FCFA | — |
| Sift Science (>100K transactions/month) | optional | 560,000 FCFA |
In-house upfront investment: 3-5M FCFA. In-house recurring: 35-80K FCFA/month (without FingerprintJS Pro). Full pro stack: ~1.3M FCFA/month. ROI: minimum 0.15% Wave revenue saved = 25-35K FCFA/month saved for 200M FCFA/year.
FAQ
Does Wave Business notify merchants when Wave-side fraud is detected?
Yes, via the `fraud.flagged` webhook (recent, since February 2026). You receive a signal with a risk level (low / medium / high). For high, the checkout is automatically blocked Wave-side before the payer even validates.
Can you block a Wave Business number on the merchant side?
Yes, via a blocklist on your platform side. You refuse the checkout if the phone is on the blocklist. Wave does not provide a native merchant blocklist (Wave's blocklist is global, managed by their internal fraud team).
What latency does the fraud detection engine add to checkout?
Well-optimized in-house stack (Redis in RAM, parallelized queries): 80-150ms added. Pro stack (Sift): 200-400ms. Beyond 500ms, checkout conversion drops — always measure.
What should you do when a chargeback is won merchant-side?
Wave returns the amount to your Business account within 24-48h of a favorable ruling. No action is required in your code; just log the event (`dispute.resolved` webhook with `outcome: merchant_won`).
Do you need to declare fraud losses to BCEAO / DGID?
BCEAO-side: no, Wave consolidates fraud statistics at the EMI level. DGID-side: fraud losses are tax-deductible (exceptional charges 658) if you can document them (police report, complaint, loss evidence). Keep the records.
Let's discuss your case
If you want to wire a fraud detection engine on your Wave Business checkouts (in-house rules, FingerprintJS, chargeback management), we can architect and ship it in 4-7 weeks. WhatsApp +221 77 596 93 33.
Mohamed Bah
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.

