In simple terms, as a merchant, you confirm a transaction by viewing a public decentralized ledger called the blockchain [↗]. You check to confirm that there is a block containing a record of an expected amount being sent to your address.
Of course, this is a crude way of describing the process, but that's essentially the idea in a nutshell.
Any method that can falsify these records, whether through a forged (real but manipulated) transaction or a fake (non-existent but perceived as real) one, can result in a double-spend, since the coins were never truly spent and could later be used in another valid transaction.
This explanation is overly simplified but helps convey the main concept.
There are several known and possibly unknown ways this can occur.
For example, if a malicious organization or individual controls 50% or more of the participants required to achieve consensus, they can effectively approve fraudulent blockchain entries, which would then appear legitimate to the rest of the network.
Another example is when some nodes or users misinterpret an unconfirmed transaction or block as confirmed and mistakenly provide a service based on it.
These two are well-known problems, and most blockchains are well-equipped, both at the infrastructure and governance levels, to prevent or mitigate them.
Here is another article you might like 😊 What Is A 51% Attack?