TL;DR: Payment fraud attempt rates held around 3.25% in 2025 while transaction volume across the Sift Global Data Network grew 18%, but account takeover incidents rose, with 21% of consumers reporting one and login block rates peaking at 1.8% in Q1, according to Sift. The control problem has shifted upstream: account access now drives the fraud blast radius, not checkout monitoring alone.
At a glance
What this is: Sift reports that payment fraud stayed relatively stable in 2025 while account takeover became the more important attack surface.
Why it matters: That shift matters to IAM, fraud, and identity teams because account access now determines exposure to stored value, saved payment methods, loyalty balances, and customer trust.
By the numbers:
- Transaction volume across the Sift Global Data Network grew 18% in 2025, while payment fraud attempt rates held steady at around 3.25%.
- 21% of consumers reported an account takeover (ATO) incident in 2025.
- The login block rate peaked at 1.8% of all login attempts in Q1.
- 5.2%.
👉 Read Sift’s analysis of account takeover and payment fraud in 2025
Context
Account takeover is a governance problem as much as a fraud problem. When attackers get into a customer account, they do not need to win at the payment layer because the account already contains stored value, trusted devices, and behavioural history that make abuse harder to distinguish from legitimate activity.
For identity and fraud teams, the key issue is that authentication controls and recovery flows now sit on the critical path of fraud prevention. This is an identity-adjacent attack pattern with direct implications for account lifecycle, step-up verification, and trust scoring across digital services.
Key questions
Q: What breaks when account takeover controls are too focused on checkout fraud?
A: Teams lose visibility into the earlier stages of abuse, where attackers use legitimate login access to reach stored payment methods, recovery options, and loyalty value. Checkout-only controls often detect fraud too late because the transaction is already coming from a trusted account. Stronger governance needs to cover authentication, recovery, and session behaviour.
Q: Why does account takeover complicate fraud prevention for identity teams?
A: Because the attacker is operating through an apparently valid identity, which makes the session look normal while the intent is malicious. That means fraud, IAM, and trust-and-safety teams must share signals about login risk, recovery risk, and account drift instead of treating them as separate problems.
Q: How do security teams know whether ATO controls are actually working?
A: Look for fewer successful takeovers, lower recovery abuse, and earlier challenge outcomes at high-risk events such as device change, payment updates, and credential resets. If stable payment fraud numbers are hiding growing login abuse, the controls are probably being measured at the wrong stage of the journey.
Q: Who is accountable when account takeover leads to fraud losses?
A: Accountability usually sits across fraud, identity, product, and customer operations because the failure often spans login, recovery, and monetisation paths. Frameworks such as NIST CSF and identity assurance practices make that shared ownership clearer, especially where customer trust and regulated payments intersect.
Technical breakdown
Why account takeover shifts fraud upstream
Account takeover changes the attack surface because the attacker is no longer trying to steal only a payment instrument. Instead, they compromise the account that already holds the payment method, loyalty balance, purchase history, and recovery options. That makes the session itself the trust boundary. Once authenticated, the attacker benefits from the account’s normal reputation signals, which can weaken risk scoring and reduce the likelihood of challenge. In practice, fraud detection has to evaluate identity continuity across login, recovery, checkout, and device change, not just the transaction event.
Practical implication: align fraud controls with account lifecycle events, not only with checkout decisions.
How authentication gaps enable repeated access
The article shows a clear mismatch between consumer willingness to use stronger verification and the low adoption of 2FA across websites and apps. That means many services still rely on weak or reusable credentials, predictable recovery paths, or insufficient step-up controls. From an identity perspective, this is where human identity governance and fraud prevention overlap: the system must verify whether the person returning is the legitimate account holder, not simply whether the password was accepted. Recovery and login policy are therefore fraud controls, not just IAM settings.
Practical implication: harden login and recovery paths with risk-based step-up verification and stronger account recovery assurance.
Why trusted sessions are harder to detect than card testing
Traditional card-not-present fraud often creates a visible mismatch between the cardholder and the device or merchant context. Account takeover removes much of that mismatch because the attacker acts through a legitimate account, sometimes from familiar devices, and can move gradually from login to profile change, stored credential abuse, or points redemption. That sequence is more consistent with identity abuse than simple payment fraud. Detection therefore needs behavioural and session-level signals that cover identity drift, not only payment anomalies or velocity rules.
Practical implication: add session and behavioural anomaly detection to fraud models so trusted-account abuse is visible earlier.
Threat narrative
Attacker objective: The attacker wants to monetise a trusted customer account while avoiding the signal patterns that usually expose payment fraud.
- Entry begins with credential stuffing, phishing, or credential reuse against customer login flows.
- Escalation occurs when the attacker passes authentication and uses the trusted session to inspect stored payment methods, loyalty balances, or recovery options.
- Impact follows when the attacker monetises the account through fraudulent purchases, points redemption, or downstream fraud that is harder to block than card testing.
NHI Mgmt Group analysis
Account takeover is now the more important identity-fraud boundary than checkout fraud. Sift’s data shows payment fraud staying flat while ATO rises, which means the control problem has moved upstream into authentication, recovery, and account trust. Merchants and digital platforms that still optimise only the transaction step are defending too late. Practitioners should treat account access as the primary fraud surface.
The authentication gap is really a trust-governance gap. The article shows consumers are willing to use more verification, yet adoption remains low. That tells us many organisations have not translated customer willingness into policy design, because recovery, step-up, and session continuity remain under-governed. In identity terms, the weakest link is often the account restoration path, not the password box. Practitioners should govern recovery with the same rigour as login.
Account takeover creates a verification trust gap that security teams underestimate. Once an attacker inherits a legitimate session, the system’s own trust signals can work against detection. This is where identity assurance, fraud scoring, and customer experience have to be aligned rather than managed separately. The industry needs a clearer model for measuring when trusted behaviour becomes attacker camouflage. Practitioners should design for identity drift, not only failed authentication.
For account-based services, fraud resilience depends on identity lifecycle controls as much as on payment controls. If a platform cannot distinguish a legitimate return from a takeover, it will continue to over-rely on transaction monitoring and under-invest in account governance. That is a structural problem, not a tuning problem. Practitioners should place account assurance, recovery assurance, and behavioural risk on the same governance agenda.
What this signals
Account takeover should now be treated as a core identity governance problem in digital trust programmes, not only as a fraud-rate problem. Once a trusted account is compromised, downstream controls inherit the attacker’s legitimacy, which makes recovery assurance and behavioural detection more valuable than static login checks.
Verification trust gap: when users are willing to accept stronger checks but organisations do not use that willingness to harden recovery and step-up, the gap becomes a governance failure. Teams should align fraud, IAM, and customer experience controls so that identity assurance improves before attackers exploit the account lifecycle.
For practitioners building risk-based access and trust models, the next step is to examine where a legitimate session becomes attacker camouflage. That means integrating identity signals with fraud telemetry and using account change events as triggers for policy enforcement, not just for monitoring.
For practitioners
- Benchmark account takeover alongside payment fraud Track ATO rates, login block rates, recovery abuse, and checkout fraud together so the business can see where the attack shifts upstream. Separate metrics for authentication, account recovery, and monetisation help teams avoid false confidence from stable transaction-level fraud numbers.
- Harden account recovery as a fraud control Review password reset, email change, MFA reset, and help-desk verification paths for abuse resistance. Recovery flows should require stronger assurance than routine login because they are the most common route around good authentication controls.
- Add behavioural signals to identity decisions Use device reputation, session drift, velocity, and unusual redemption patterns to identify trusted-account abuse before the final transaction. These signals are especially valuable where attackers inherit a legitimate session and avoid obvious payment anomalies.
- Increase step-up verification at account-risk events Trigger additional verification when users change payment methods, request recovery, modify profile data, or redeem high-value assets. This gives security teams a control point earlier in the fraud chain without forcing friction on every interaction.
Key takeaways
- Payment fraud can look stable while account takeover grows underneath it, so teams need upstream identity signals, not only checkout controls.
- The strongest signal in this article is the governance gap between user willingness for stronger verification and low adoption of 2FA.
- Fraud resilience now depends on account recovery, session behaviour, and step-up verification being treated as identity controls.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST SP 800-63 and NIST CSF 2.0 set the technical controls, and GDPR and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | Authentication and recovery are central to the ATO problem described here. |
| NIST CSF 2.0 | PR.AC-7 | This article is about limiting access abuse through stronger identity verification. |
| GDPR | Art.32 | Account takeover can expose personal data and payment-linked identity data. |
| OWASP Non-Human Identity Top 10 | NHI-05 | The article’s account abuse patterns align with identity assurance and recovery weaknesses. |
| ISO/IEC 27001:2022 | A.5.16 | Identity management and authentication controls are directly relevant to the attack path. |
Map account-risk decisions to PR.AC-7 and enforce stronger verification at sensitive events.
Key terms
- Account Takeover: Account takeover is the unauthorised use of a legitimate user account after an attacker gains access to the login or recovery path. In practice, it matters because the attacker inherits the account’s trust, history, and stored assets, which makes abuse harder to distinguish from normal customer activity.
- Step-up Verification: Step-up verification is an additional authentication check triggered when risk increases, such as a password reset, device change, or high-value transaction. It is used to raise assurance without forcing the strongest control at every login, and it becomes most valuable when attackers try to exploit trusted sessions.
- Verification Trust Gap: A verification trust gap is the mismatch between the level of assurance a system assumes and the level of assurance it actually enforces. In fraud and identity programmes, it appears when users are willing to verify more strongly but the organisation keeps relying on weak login or recovery controls.
What's in the full report
Sift's full post covers the operational detail this post intentionally leaves for the source:
- Quarter-by-quarter fraud attempt trends that show how the attack pattern changed across 2025
- Breakdowns by account type, including social media, banking, delivery, subscriptions, and rideshare
- Consumer response data on willingness to accept stronger verification and what that means for adoption
- The article's own interpretation of how merchants should rebalance transaction and account-level defenses
Deepen your knowledge
NHI Mgmt Group covers identity security, NHI governance, and agentic AI through independent research, practitioner guides, and the NHI Foundation Level course, the industry's only accredited NHI security programme. It is built for practitioners who need to connect identity governance to operational control decisions across modern security programmes.
Published by the NHIMG editorial team on 2026-03-31.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org