Subscribe to the Non-Human & AI Identity Journal

How do security teams reduce fraud without blocking legitimate applicants?

Use layered verification that raises assurance only when risk increases. Cryptographic authentication, phone ownership checks, reputation scoring, and verified pre-fill can strengthen trust while keeping the application flow usable. The goal is to target fraud friction where it matters most, rather than forcing every user through the same high-bar process.

Why This Matters for Security Teams

Fraud controls that are too strict drive applicant abandonment, while controls that are too weak leave openings for account takeover, synthetic identities, and benefits abuse. The practical challenge is not choosing between security and usability, but applying assurance in proportion to risk. A risk-based approach aligns with NIST SP 800-53 Rev 5 Security and Privacy Controls, especially where identity proofing, access restrictions, and monitoring need to work together rather than as isolated checks.

Teams often miss that fraud is rarely stopped by a single control. Attackers adapt to whichever step is easiest to bypass, whether that is email verification, phone reuse, or weak document review. Good programmes treat the application flow as a series of trust signals, then increase scrutiny only when those signals degrade. That means looking at device reputation, velocity, behavioural anomalies, and identity consistency across sessions before forcing higher-friction steps.

In practice, many security teams encounter fraud only after legitimate users have already been filtered out by overly rigid verification, rather than through intentional risk-tier design.

How It Works in Practice

Operationally, the best pattern is progressive assurance. The first pass should be lightweight and mostly invisible, using signals that are hard to fake at scale. If those signals look normal, the applicant moves through with minimal disruption. If the signals indicate elevated risk, the workflow can step up to stronger proofing or manual review.

Common layers include phone ownership checks, email age and domain reputation, device fingerprinting, velocity checks across submissions, and cross-field consistency checks that compare name, address, and date-of-birth patterns. Cryptographic authentication can help where an account is already established or where a trusted device has been bound to the applicant. For stronger identity assurance, teams may use verified pre-fill from trusted data sources, but current guidance suggests that source quality and consent handling matter as much as the lookup itself.

The control objective is to reduce fraud without creating unnecessary friction. That usually means:

  • Applying stronger checks only when risk scoring crosses a threshold.
  • Using step-up challenges that are relevant to the suspicious signal.
  • Keeping manual review for high-impact or ambiguous cases, not routine traffic.
  • Logging every challenge outcome so model tuning and analyst review improve over time.

Where identity verification touches credential binding, access, or recovery, this also intersects with identity assurance guidance in NIST SP 800-63 Digital Identity Guidelines. Strong governance depends on separating low-risk onboarding from high-risk exceptions, then keeping those decisions explainable for compliance and fraud operations. These controls tend to break down when applicant populations are highly diverse and data quality is inconsistent because risk scores become noisy and step-up rules start rejecting legitimate edge cases.

Common Variations and Edge Cases

Tighter fraud control often increases operational overhead, requiring organisations to balance lower loss rates against review cost, user friction, and false positives. There is no universal standard for exactly which signals should trigger step-up verification, so best practice is evolving.

High-volume consumer onboarding, regulated financial services, and cross-border applications usually need different thresholds. In a low-risk environment, a phone check plus reputation scoring may be enough. In a higher-risk environment, teams may need document validation, liveness checks, or direct review by an investigator. The tradeoff is that each extra step can exclude legitimate users who share devices, use prepaid numbers, or have thin digital footprints.

Privacy and fairness also need explicit attention. Verification workflows should avoid using protected attributes as proxies for risk, and they should provide alternative routes when a user cannot complete a particular check. This is especially important where identity verification supports access to essential services. For teams managing broader trust and safety programmes, the most defensible pattern is to document why each step exists, what risk it mitigates, and when an alternate path is allowed. That keeps fraud friction targeted instead of arbitrary, and it helps preserve trust when applicants are challenged.

For governance-heavy environments, CISA Zero Trust Maturity Model is useful for thinking about continuous verification, while OWASP Application Security Verification Standard can help teams align application-layer controls with secure onboarding design.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST AI RMF set the technical controls, while EU AI Act and PCI DSS v4.0 define the regulatory obligations.

Framework Control / Reference Relevance
NIST SP 800-63 IAL/AAL/FAL Identity assurance levels shape how much proofing is justified for applicants.
NIST CSF 2.0 PR.AA Identity authentication and access assurance support fraud-resistant onboarding.
NIST AI RMF GOVERN If risk scoring or decisioning uses AI, governance is needed for model accountability.
EU AI Act Automated decisioning in identity contexts may need risk classification and transparency controls.
PCI DSS v4.0 Req. 8 Strong authentication principles are relevant where onboarding links to payment or financial risk.

Set assurance tiers so low-risk applicants pass fast and higher-risk cases trigger stronger verification.