TL;DR: Recovered travel demand is exposing gaps in rules-based fraud management, manual review, and 3DS as airlines try to balance approval rates, loyalty, and margin protection, according to Riskified’s November 2024 airline fraud report. The governance challenge is no longer just stopping fraud, but controlling the trade-off between friction and resilience.
At a glance
What this is: This report argues that airline fraud operations are being stressed by post-recovery growth, with rules-based controls and manual review creating weak points in the customer journey.
Why it matters: It matters because airline payments teams need fraud governance that protects margins without hardening the booking flow in ways that suppress approvals or create avoidable customer friction.
👉 Read Riskified's report on airline fraud management and growth headwinds
Context
Airline fraud management gets harder when demand returns and fraudsters adapt to the controls already in place. In this setting, static rules, manual review queues, and overused 3DS checks can become blunt instruments that miss evolving abuse patterns while still adding friction for legitimate travellers.
For payments and security teams, the identity angle is indirect but real: fraud controls often depend on signals from account behaviour, transaction trust, and customer verification. When those signals are weak, the organisation ends up optimising checkout convenience without a reliable way to distinguish legitimate customers from abuse at scale.
Key questions
Q: What breaks when airlines rely on rules-based fraud controls alone?
A: Rules-based fraud controls break down when attackers learn the thresholds and legitimate customer behaviour becomes too variable for fixed logic. In airline commerce, that leads to false positives, missed abuse, and policy drift. The control can still work as a signal layer, but it should not be the only decision point because static rules age quickly in dynamic booking environments.
Q: Why do manual review queues create fraud governance risk in travel?
A: Manual review queues create governance risk because they introduce delay, inconsistency, and scale limits. They can also hide weak detection design by making humans absorb the uncertainty that automation should have resolved earlier. In airline programmes, a growing queue often indicates that the policy layer is not discriminating well enough between legitimate customers and abuse.
Q: How should airlines decide when to use 3DS in payment flows?
A: Airlines should use 3DS selectively, based on transaction risk, customer confidence, and the likelihood of abandonment. Blanket use can reduce fraud in some cases, but it also increases friction and may harm conversion. The better approach is to align challenge rates with behavioural signals, booking value, and account trust rather than applying one standard to every payment.
Q: Who is accountable when fraud policy lowers approvals and still misses abuse?
A: Accountability sits with the payments and fraud governance function, because policy design is a business control decision, not just a tooling decision. Teams should review which thresholds, exceptions, and review rules were chosen, how they affect approval rates, and whether they still match current fraud patterns. If the policy creates predictable loss or friction, the governance model needs recalibration.
Technical breakdown
Rules-based fraud detection and why it degrades in airline flows
Rules-based fraud detection uses fixed thresholds and if-then logic to flag suspicious activity. In airline commerce, that approach struggles because attackers adapt quickly, legitimate customers book across devices and geographies, and high-value purchases create more false positives. Once rules become common knowledge, they are easy to route around or trigger intentionally. The result is a control layer that looks deterministic but is often reactive and brittle, especially in an environment with seasonal spikes and changing traveller behaviour.
Practical implication: review whether your highest-friction rules still reduce fraud more than they suppress approved bookings.
Manual review queues as a control bottleneck
Manual review is a human decision layer inserted where automation is uncertain. It can catch nuanced abuse, but it also creates latency, inconsistent outcomes, and scaling problems when booking volume rises. In travel, the queue itself becomes part of the attack surface because fraudsters can probe which cases receive delay, escalation, or approval. If review criteria are too vague, teams spend analyst time on marginal cases while real abuse moves through adjacent paths.
Practical implication: define review triggers around measurable risk signals, not broad case-by-case discretion.
3DS, approval rates, and customer trust trade-offs
3DS adds an authentication step to online card payments, but it is not a universal fraud solution. In airline commerce, it can help shift liability or increase trust in some cases, yet it also introduces abandonment risk and can worsen conversion when applied too broadly. The challenge is policy design, not protocol alone. Teams need to distinguish high-risk flows from low-risk repeat travellers, because treating every transaction the same undermines both customer experience and fraud outcomes.
Practical implication: segment 3DS policy by risk and customer context instead of using it as a blanket control.
Threat narrative
Attacker objective: The attacker seeks to complete fraudulent bookings or payment abuse while remaining below the airline’s detection and review thresholds.
- Entry occurs through weak airline technology, policy, or process gaps that scammers can exploit during booking or payment flows.
- Escalation follows when rules-based fraud logic, manual review, or 3DS decisions are predictable enough to be tested and bypassed.
- Impact is higher fraud loss, more operational friction, and pressure on approval rates and customer loyalty.
NHI Mgmt Group analysis
Rules-based fraud management creates policy debt when travel demand rebounds. Airlines often preserve legacy fraud thresholds long after booking patterns and attacker behaviour have changed. That leaves teams governing yesterday’s risk model while the business operates in a very different channel environment. Practitioners should treat static rules as a liability that accumulates until it is actively re-tuned.
Manual review should be treated as a scarce control, not a default control. In travel, review queues absorb uncertainty but also obscure whether the underlying signal quality is improving or degrading. The more an organisation depends on analyst judgment to compensate for weak automation, the less scalable and more inconsistent its fraud governance becomes. Teams should reserve review for edge cases that genuinely need human context.
Customer-friendly fraud policy is now a resilience issue, not just a conversion issue. Airlines that overcorrect toward frictionless checkout expose margin, while those that overcorrect toward heavy challenge risk suppressing revenue and loyalty. The better model is risk segmentation, where policy decisions align to traveller context, transaction value, and behavioural confidence. That requires fraud governance to sit closer to revenue strategy than many programmes currently allow.
Airline fraud programmes need a named concept for decision drift: approval-rate erosion. Once teams tune controls repeatedly to preserve conversion, the operating baseline can shift until high-risk transactions blend into normal traffic. That is not just a fraud problem, it is a governance problem because the organisation loses visibility into how much risk it is absorbing to protect revenue. Practitioners should measure where policy exceptions have become the real control.
What this signals
Airline payments teams should expect fraud policy to become more dynamic as booking volumes recover and abuse patterns shift. The main risk is not simply higher fraud, but the slow accumulation of control exceptions that distort both approvals and loss prevention.
Approval-rate erosion: when teams repeatedly loosen controls to protect conversion, they can lose sight of the point at which fraud policy is effectively subsidising abuse. That drift is operationally hard to reverse because each exception feels local, but the cumulative effect changes the programme's risk posture.
This is where close alignment between fraud operations, payments, and revenue leadership matters. The programme needs shared metrics for chargebacks, approvals, manual review burden, and abandonment so that security decisions are made with business context rather than in isolation.
For practitioners
- Re-tune rules against current booking behaviour Reassess existing fraud rules against present-day airline booking patterns, device diversity, and route mix so the policy set reflects current threat behaviour rather than pre-recovery assumptions.
- Reduce reliance on manual review as a primary control Use analyst review only for cases with genuinely ambiguous risk signals, and track queue age, reversal rates, and reviewer consistency to identify when the review layer is masking poor upstream logic.
- Segment 3DS by risk and customer context Apply 3DS selectively for riskier transactions, new accounts, and higher-value itineraries, while preserving lower-friction paths for trusted repeat customers and lower-risk booking scenarios.
- Measure approval-rate erosion alongside fraud loss Track how often fraud controls are suppressing legitimate bookings, and compare approval-rate movement with chargeback outcomes so policy changes are judged on both security and revenue impact.
Key takeaways
- Airline fraud programmes are being tested by a mismatch between static controls and changing booking behaviour.
- The real governance problem is not choosing between friction and fraud loss, but measuring how policy decisions shift both.
- Practitioners should treat approval-rate erosion, manual review load, and 3DS policy scope as board-visible controls.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access and policy decisions shape who gets trusted in payment flows. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege applies to fraud analyst access and exception handling. |
| CIS Controls v8 | CIS-5 , Account Management | Account lifecycle governance matters where customer trust states affect approvals. |
| GDPR | Art.32 | Payment and identity signals used in fraud decisions can involve personal data processing. |
Ensure fraud scoring and traveller data handling are protected with appropriate security measures.
Key terms
- Rules-Based Fraud Detection: Rules-based fraud detection is a decision method that applies fixed thresholds or if-then logic to flag suspicious activity. It is easy to operate and explain, but it can become brittle when attackers adapt faster than the rules are updated, especially in high-volume commerce environments.
- Manual Review: Manual review is a human decision layer used when automated fraud detection cannot confidently approve or decline a transaction. It can improve nuance, but it also introduces delay, inconsistency, and scaling limits that can turn the review queue into a control bottleneck.
- 3DS Authentication: 3DS authentication is an extra verification step for card-not-present payments that can shift liability or raise trust in some transactions. It is not a universal fraud fix because overuse can increase abandonment and reduce approvals, particularly in customer-sensitive booking flows.
- Approval-Rate Erosion: Approval-rate erosion is the gradual decline in legitimate transaction approvals that happens when fraud controls are tightened, repeated exceptions accumulate, or policy drift is left unmanaged. It is a governance signal that security optimisation is beginning to suppress business performance.
What's in the full report
Riskified's full report covers the operational detail this post intentionally leaves for the source:
- Industry-facing fraud trends for airlines as demand returns to pre-pandemic levels and fraud pressure changes.
- Examples of where rules-based fraud management, manual review, and 3DS create control gaps in airline flows.
- The report's own framing for how airlines can balance customer experience, revenue predictability, and fraud resilience.
- A broader view of how global expansion and policy tuning interact in travel commerce.
Deepen your knowledge
NHI Mgmt Group covers identity security, NHI governance, and agentic AI through independent research, practitioner guides, and the NHI Foundation Level course, the industry's only accredited NHI security programme. Explore it if your role involves access governance, identity assurance, or securing the systems that grant and manage trust.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org