By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: Prove IdentityPublished September 25, 2025

TL;DR: Consumers are worried about online fraud this holiday season, with 84% concerned about AI-based fraud and 81% worried about shopping fraud overall, while 79% would still sign up for loyalty accounts if onboarding took 30 seconds or less, according to Prove Identity’s 2023 survey-based report. The operational lesson is that trust and conversion now have to be engineered together, not treated as competing goals.


At a glance

What this is: This report says consumers are deeply concerned about AI-based fraud, but still respond to fast, low-friction onboarding and mobile authentication.

Why it matters: It matters because identity teams, fraud leads, and customer experience owners have to reduce fraud risk without creating checkout friction that drives abandonment.

By the numbers:

👉 Read Prove Identity's report on consumer concern over AI-based fraud and checkout trust


Context

AI-based fraud is fraud that uses artificial intelligence to scale social engineering, password abuse, and impersonation. In this article's context, the identity problem is not only stopping attacks, but preserving conversion when shoppers expect fast checkout and quick account creation.

The report is built from two Dynata surveys commissioned by Prove Identity, and it reflects a broader retail pattern: buyers will tolerate security steps when they are fast and understandable, but they disengage when identity proofing feels slow or opaque. That creates a governance problem for consumer IAM, fraud operations, and mobile authentication design.

For teams responsible for onboarding and account security, the key question is how to raise assurance without recreating the friction that pushes customers to guest checkout. That balance is central to modern identity programme design, especially when fraud pressure and revenue goals collide.


Key questions

Q: How should retailers reduce fraud without making checkout too slow?

A: Use progressive verification. Keep low-risk browsing and sign-up flows fast, then increase assurance only when users request account recovery, payment enrolment, or other high-value actions. That approach preserves conversion while still creating a real control point where fraud risk is highest. Measure both fraud loss and abandonment so you can see whether the balance is working.

Q: Why do mobile-based identity flows appeal to consumers and fraudsters alike?

A: Mobile feels convenient because it shortens login and sign-up steps, but that same convenience can hide weak recovery paths and phone-based compromise. Fraudsters benefit when the phone becomes the easiest route back into an account. Teams should therefore treat mobile as a context signal, not as proof of identity.

Q: What do security teams get wrong about guest checkout and account creation?

A: They often assume guests are lower risk simply because they avoid account creation. In practice, guest-heavy journeys can reduce visibility, delay trust building, and push fraud controls to the edge of the transaction. The better approach is to make account creation fast enough that legitimate users choose it willingly.

Q: How do you know if identity verification is actually working in ecommerce?

A: Look at fraud rate, conversion, recovery abuse, and account quality together. If fraud falls but guest checkout climbs sharply, the control may be too disruptive. If sign-ups rise but account abuse also rises, assurance is too weak. Effective identity verification improves trust without forcing customers away from the journey.


Technical breakdown

AI-based fraud in consumer onboarding

AI-based fraud amplifies familiar attack paths rather than replacing them. Fraudsters can use generative tools to produce convincing messages, automate social engineering at scale, and improve password guessing against weak consumer accounts. In checkout and sign-up flows, the result is a higher volume of believable attempts that target identity proofing, account recovery, and password-based trust. The core technical issue is that many consumer journeys still rely on signals that are easy to imitate, such as phone numbers, email access, and one-time prompts. Practical implication: teams need assurance steps that validate the person behind the session, not just the device or inbox.

Practical implication: strengthen consumer identity checks where account creation, password reset, and payment enrolment create the highest fraud exposure.

Frictionless onboarding versus identity assurance

The report shows that customers will accept stronger onboarding if it is fast enough, which is a design constraint rather than a contradiction. Identity verification works best when it is embedded into a short, mobile-friendly flow and uses data already available to the merchant or its verification provider. That reduces the gap between user intent and assurance, which is where many fraud attempts succeed. The technical challenge is to remove unnecessary form filling, redundant steps, and brittle verification handoffs without lowering the assurance threshold. Practical implication: use progressive verification so the highest-risk actions trigger stronger checks, while low-risk sign-up remains lightweight.

Practical implication: design progressive verification so low-risk onboarding stays fast while higher-risk actions receive step-up controls.

Mobile authentication as a consumer trust signal

The report's mobile preference data reinforces a wider shift away from memorised passwords toward phone-centred identity journeys. Mobile authentication can improve convenience, but it also changes the attack surface because phone compromise, SIM swap abuse, and device takeover become more relevant. In practice, mobile should be treated as a trust context, not a trust guarantee. Strong implementations combine device binding, risk scoring, and recovery controls that do not rely solely on SMS. Practical implication: treat the phone as one factor in a broader assurance model, not as proof that the account holder is genuine.

Practical implication: use mobile signals with device binding and recovery controls, not SMS alone, to support consumer authentication.


Threat narrative

Attacker objective: The attacker aims to convert convincing but low-cost identity manipulation into account access, fraudulent sign-ups, or payment abuse.

  1. entry begins when AI-assisted phishing, impersonation, or password guessing reaches consumer accounts and onboarding paths that still depend on weak verification signals.
  2. escalation follows when attackers exploit account recovery, SIM swap, or low-assurance sign-up flows to take control of identities or create fraudulent accounts at scale.
  3. impact is fraud loss, account takeover, and reduced trust in digital checkout and loyalty programmes, especially where merchants cannot distinguish real users from synthetic or manipulated ones.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

AI-based fraud is now an identity governance problem, not just a fraud problem. The report shows consumers are worried about fraud, but they still accept low-friction journeys when the experience is fast enough. That means onboarding design, assurance policy, and fraud controls are now part of the same control plane. Practitioners should treat consumer identity as a governed lifecycle, not a one-time login event.

Fast onboarding is becoming the new control boundary. The report's 30-second sign-up finding is a useful signal because it shows where the user experience can absorb verification without collapse. Teams that push all assurance into long, rigid step-up flows risk losing the customer before the identity decision is complete. The practical conclusion is that assurance must be embedded at the point of least friction, not bolted on later.

Phone-centred identity increases convenience but expands recovery risk. Consumers prefer mobile access, yet the same channel is exposed to SIM swap abuse, device loss, and account recovery abuse. That creates a governance tension between what is easiest for the customer and what is safest for the programme. Security leaders should separate convenience signals from recovery authority so one compromised phone does not become a master key.

AI-driven fraud changes the economics of false trust. When fraudsters can scale persuasive, personalised attacks cheaply, the cost of weak assurance rises faster than the cost of stronger verification falls. This is why the market is moving toward adaptive identity verification, risk-based onboarding, and continuous authentication. For practitioners, the message is clear: if the trust model is static, the fraud model will outrun it.

Consumer identity programmes now need measurable trust thresholds. The report points to a practical truth that many programmes miss: a checkout flow is only effective if security and completion rates are both visible. Without threshold metrics for fraud, abandonment, and recovery, teams cannot tell whether they have reduced risk or merely pushed users away. Identity governance for retail now requires joint reporting across CX, fraud, and IAM.

From our research:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity risk persists without basic inventory control.
  • That visibility gap is why teams should also review Top 10 NHI Issues for the lifecycle and governance failures that usually sit behind fraud and access abuse.

What this signals

Consumer identity programmes are converging with NHI-style governance patterns. The same control question appears across people, service accounts, and automated journeys: can the programme prove who or what is acting fast enough to matter? When customer onboarding becomes an identity decision engine, teams need governance that spans fraud, IAM, and lifecycle policy rather than treating them as separate queues.

With 92% of organisations exposing NHIs to third parties, according to the Ultimate Guide to NHIs, the broader lesson is that trust assumptions break quickly once identity is delegated. Retail and consumer systems face a parallel risk when they outsource verification logic or rely on brittle recovery methods that extend trust too far.

Checkout security is now a trust-threshold problem. The next stage in programme maturity is not simply adding more controls, but defining where assurance must increase and where friction must stay low. Teams that can measure those thresholds will be better positioned to reduce fraud without making legitimate customers abandon the journey.


For practitioners

  • Implement progressive verification at account creation Start with low-friction identity checks for low-risk sign-up, then step up assurance for password resets, payment enrolment, and high-value actions. Keep the flow short enough to preserve conversion, but do not let speed remove the decision point where fraud is most likely to succeed.
  • Use mobile as context, not proof Treat mobile access as one signal inside a risk model, not as a substitute for stronger identity assurance. Add device binding, fraud scoring, and recovery controls that continue to work when SIM swap or device compromise is suspected.
  • Separate recovery authority from convenience Review which account recovery paths can reissue access with too little assurance. Revoke or harden any process where a compromised phone number, inbox, or simple OTP can restore full control of the account.
  • Measure abandonment alongside fraud reduction Track sign-up completion, guest checkout use, fraud rate, and post-onboarding account quality in the same dashboard. A stronger identity control is only effective if it reduces loss without pushing customers into unmanaged guest flows.

Key takeaways

  • The report shows that AI-based fraud is now shaping consumer trust, not just fraud operations.
  • Consumers will accept stronger identity checks when they are fast, mobile-friendly, and tied to clear value.
  • The practical challenge for practitioners is to raise assurance without turning checkout and onboarding into abandonment points.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63BConsumer authentication and phishing-resistant sign-in are central to this report.
NIST CSF 2.0PR.AC-1The report centers on identity assurance in customer access flows.
NIST SP 800-53 Rev 5IA-2Identity verification and authentication controls support the account assurance theme.
GDPRArt.32Consumer identity verification can involve personal data and security of processing.

Assess identity workflows under Art.32 and minimise data exposure in onboarding and recovery.


Key terms

  • AI-Based Fraud: Fraud that uses artificial intelligence to make impersonation, phishing, password abuse, or synthetic identity activity more convincing and scalable. In consumer identity programmes, the threat is not just volume, but the ability to tailor attacks to the verification step that feels least risky to the user.
  • Progressive Verification: A sign-up or authentication design that starts with low-friction checks and increases assurance only when risk rises. It helps preserve conversion while still protecting high-value actions such as account recovery, payment enrolment, or credential reissue.
  • Mobile-Centred Authentication: An identity pattern that uses the phone as the main user channel for access or verification. It improves convenience, but it also shifts risk toward device compromise, SIM swap, and recovery abuse, so it must be designed as part of a broader assurance model.
  • Guest Checkout Exposure: The governance gap created when customers can complete transactions without creating a durable account relationship. It reduces immediate friction, but it can also limit visibility, weaken identity assurance, and force fraud teams to make decisions with less context.

What's in the full report

Prove Identity's full report covers the survey detail this post intentionally leaves for the source:

  • Survey methodology and the two October 2023 Dynata survey samples behind the findings
  • Breakdowns of consumer concern by fraud type, including AI-based fraud, SIM swap, and identity fraud
  • Additional detail on account creation behaviour, guest checkout preference, and mobile authentication habits
  • Prove Pre-Fill onboarding context for teams evaluating faster sign-up design

👉 Prove Identity's full post includes the survey findings, consumer behaviour data, and onboarding implications in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org