Because of the difficulties inherent in accurately identifying individuals on the Internet, online merchants reduce the risk of credit card fraud by increasing restrictions on consumers. The restrictions are often overly burdensome on consumers and may result in lost sales. This paper uses the concept of a fraud tree, an extension of an attack tree, to comprehensively model online fraud techniques and to suggest defensive obstacles for merchants to counter threats. The fraud tree model can advise merchants about the checks to be performed to reduce risk even in the presence of incomplete knowledge of the circumstances of the transactions. Since fraud cannot be completely avoided, the paper also describes auditing that can be performed to assist merchants in identifying the responsible parties and potentially limiting, if not avoiding, liability due to fraud.