TL;DR: Black Friday and Cyber Monday 2025 drove a 13.6% jump in account takeover attack rates across Sift's Global Data Network, with digital commerce seeing ATO rise from 1.35% to 1.67% and e-commerce fraudulent attempt values surging 93% to $250, according to Sift. Peak-season fraud now behaves like a scaled identity abuse problem, not a holiday nuisance.
At a glance
What this is: The article says holiday traffic spikes are being used to scale account takeover and high-value fraud, with ATO rates and attempted fraud values both rising sharply in key sectors.
Why it matters: This matters because IAM, fraud, and trust teams need controls that can distinguish legitimate seasonal volume from credential abuse, especially where human identity, account recovery, and step-up authentication intersect.
By the numbers:
- Overall account takeover attack rates climbed 13.6% above 2025 year-to-date levels, increasing from 1.64% to 1.87%.
- The average value of attempted fraudulent transactions fell 16% overall during BFCM 2025, declining from $138 to $116.
- In e-commerce, the average value of attempted fraudulent transactions surged 93%, jumping from $130 to $250.
👉 Read Sift's analysis of Black Friday ATO surges and 2026 fraud trends
Context
Black Friday and Cyber Monday fraud is no longer just a payments issue. It is a governance problem where peak demand, low-friction checkout, and automated abuse collide to create a larger account takeover surface across consumer identity, account recovery, and transaction risk.
For teams running IAM and fraud programmes, the key issue is that seasonal volume can hide credential abuse until disputes or chargebacks surface later. That makes identity verification, step-up controls, and behavioural detection part of the same operational control stack, not separate functions.
Key questions
Q: What breaks when account takeover controls are too focused on checkout fraud?
A: Teams lose visibility into the earlier stages of abuse, where attackers use legitimate login access to reach stored payment methods, recovery options, and loyalty value. Checkout-only controls often detect fraud too late because the transaction is already coming from a trusted account. Stronger governance needs to cover authentication, recovery, and session behaviour.
Q: Why do high-volume commerce periods increase fraud risk even when sales controls are strong?
A: High-volume commerce periods increase fraud risk because legitimate traffic creates noise that hides abuse. Attackers use that cover to test stolen credentials, scale account takeovers, and move to higher-value purchases once trust is established. Strong sales performance does not reduce risk unless identity and transaction controls scale with it.
Q: How do security teams know whether ATO controls are actually working?
A: Effective ATO controls reduce successful abuse across recovery, step-up, and session channels, not only failed logins. Teams should measure campaign-level correlation, repeat device reuse, suspicious recovery completions, and the percentage of risky flows that trigger additional verification. If only login telemetry is monitored, the real attack path stays hidden.
Q: Who is accountable when fraud depends on both identity abuse and payment misuse?
A: Accountability should be shared across IAM, fraud, customer operations, and payments because the control failure spans more than one team. IAM owns authentication and recovery, fraud owns transaction decisions, and operations owns customer-facing remediation. That shared model prevents gaps where each team assumes another layer will stop the attack.
Technical breakdown
Why account takeover spikes during peak commerce windows
Account takeover, or ATO, happens when attackers gain control of a legitimate user account and use that trust to transact, change profile details, or harvest value before detection. Peak shopping periods create cover because traffic is noisy, approval thresholds loosen, and organisations tolerate more frictionless login and checkout flows. That combination increases the value of stolen credentials and reduces the chance that anomalous activity is investigated quickly enough to stop abuse at scale.
Practical implication: teams need risk-based authentication and real-time anomaly scoring during seasonal surges, not blanket trust in peak traffic.
How high-value transaction fraud evades detection
The shift from low-dollar testing to high-value attempted fraud shows that attackers adapt to the controls they face. Low-value transactions can be used to validate stolen credentials or payment methods, while higher-value e-commerce attempts aim to maximise return once trust is established. Behavioural patterns, device reputation, velocity checks, and transaction context matter because a valid login does not mean the account holder initiated the purchase.
Practical implication: separate login trust from transaction trust and apply step-up controls when purchase risk exceeds normal account risk.
Why AI-driven scams amplify identity and trust risk
Generative AI now helps attackers create realistic phishing pages, fake storefronts, and impersonated brand experiences that look credible enough to capture credentials and payment details. In parallel, more consumers are using AI to discover products, which shifts trust earlier in the purchase journey and gives attackers more opportunity to intercept intent. The result is a broader trust boundary where identity, content authenticity, and transaction verification all need to align.
Practical implication: organisations should treat brand impersonation, phishing, and account abuse as one linked trust problem across discovery, login, and payment.
Threat narrative
Attacker objective: The attacker aims to monetise trusted accounts and payment paths at scale while hiding inside peak-season shopping noise.
- Entry begins with phishing, fake storefronts, or credential stuffing that captures account credentials during high-volume shopping periods.
- Escalation occurs when attackers use those credentials to take over accounts, test payment methods, or raise purchase values while blending into seasonal traffic.
- Impact follows as fraudulent orders, chargebacks, and downstream account misuse increase across commerce and fintech environments.
NHI Mgmt Group analysis
Peak-season fraud is an identity abuse problem disguised as a commerce trend. The article shows that attackers do not need to defeat the whole control stack when they can ride seasonal volume, noisy signals, and relaxed user expectations. That makes account takeover a governance issue spanning authentication, account recovery, and transaction policy. The practitioner conclusion is that fraud controls must be designed as identity controls, not just payment controls.
High-value fraud reveals a control gap in transaction trust, not only login trust. A valid session can still be the wrong actor if the account has already been taken over or if the transaction pattern departs from the real user's behaviour. Organisations that treat authentication as the final gate miss the point of modern ATO, where value extraction happens after login. The practitioner conclusion is to align step-up policies with transaction context and behavioural evidence.
AI-driven impersonation expands the trust boundary beyond the account itself. Fake storefronts, brand mimicry, and AI-generated phishing blur the line between identity verification and content authenticity. That creates a named concept worth tracking: trust boundary drift, where the place users decide what is real moves upstream into search, ads, and discovery channels. The practitioner conclusion is to coordinate fraud, IAM, and brand protection around the same trust signals.
Seasonal surges expose whether teams can make automated decisions without losing precision. The article's numbers show that manual review does not scale cleanly when attack traffic and customer traffic rise together. This is where policy-based automation, device intelligence, and adaptive thresholds matter most. The practitioner conclusion is that peak-period resilience depends on decision quality under load, not just the existence of controls.
What this signals
Trust boundary drift: as AI-assisted discovery, fake storefronts, and impersonation ads become normalised, the trust decision moves upstream from checkout to search and discovery. That means IAM and fraud teams need shared signals before the account ever reaches payment, with the MITRE ATT&CK Enterprise Matrix useful for mapping the adversary behaviour behind credential abuse.
Holiday fraud patterns also show why adaptive policy beats static thresholds. Teams that can raise assurance only when transaction context changes will preserve conversion while still catching takeover attempts, especially where account recovery and payment changes are the real monetisation point.
For programmes that also govern NHI and automation, the lesson is broader than consumer fraud. Repeated compromise and fast reuse are what turn isolated events into persistent exposure, which is why the Top 10 NHI Issues remains relevant when identity abuse is being scaled by automation.
For practitioners
- Tune ATO policies for peak-season traffic Adjust authentication thresholds, velocity rules, and device reputation scoring before seasonal surges begin so that trusted customers keep moving while suspicious sessions receive step-up checks.
- Separate login risk from transaction risk Apply different control decisions to login, account-change, and high-value purchase events so that a clean sign-in does not automatically green-light a risky transaction.
- Harden account recovery and profile-change flows Require stronger verification for password resets, email changes, payout edits, and new payment methods because attackers often monetise accounts after the initial login compromise.
- Use automated review for seasonal spikes Reserve manual analyst time for truly ambiguous cases and use automated acceptance and blocking thresholds for high-volume, low-signal periods such as holiday commerce peaks.
- Coordinate fraud and identity operations Share signals across IAM, fraud, customer support, and payments teams so that repeated login anomalies, device changes, and transaction outliers trigger a single response path.
Key takeaways
- Black Friday fraud is increasingly an identity abuse problem, with attackers using seasonal noise to hide account takeover and monetise trusted accounts.
- The article's data shows a sharp rise in ATO rates and high-value attempted fraud, which means transaction trust now matters as much as login trust.
- Teams need shared IAM and fraud controls that adapt in real time, or peak traffic will keep masking abuse until chargebacks expose it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | ATO and step-up controls map directly to digital authentication guidance. |
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control are central to stopping account abuse. |
| NIST SP 800-53 Rev 5 | IA-2 | Strong authentication is needed where takeover risk rises during peak traffic. |
| GDPR | Art.32 | Fraud controls that process personal data must still protect confidentiality and integrity. |
Use SP 800-63B to tighten authentication assurance around account recovery and high-risk transactions.
Key terms
- Account Takeover: Account takeover is the unauthorised capture and use of a legitimate user account. Attackers exploit stolen credentials, weak recovery flows, or session trust to act as the account holder, often turning one successful login into fraud, data access, or downstream abuse.
- Step-up Authentication: Step-up authentication is an additional verification step triggered when a session becomes higher risk or a user attempts a sensitive action. It is used to reduce exposure without forcing extra friction across every interaction, which makes it useful for runtime access governance.
- Trust Boundary Drift: Trust boundary drift is the gradual shift of where users and systems decide something is legitimate. In fraud and identity environments, that boundary can move from checkout to search, ads, or account recovery, which creates new opportunities for impersonation and abuse.
- Behavioural Signal: A pattern in how a user acts over time that can help distinguish normal activity from abuse. In fraud operations, behavioural signals include timing, repetition, device consistency, channel switching, and claim history. They are most useful when combined with human review and case context.
What's in the full article
Sift's full post covers the operational detail this post intentionally leaves for the source:
- Sector-by-sector ATO rate comparisons across digital commerce, fintech, internet software, and travel.
- Detailed discussion of how attempted fraud values shifted from low-dollar testing to high-value retail attacks.
- Recommended controls for step-up authentication, automated blocking thresholds, and escalation paths during peak traffic.
- The article's view of how AI-driven scams and agentic commerce may shape 2026 fraud patterns.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners build the control thinking needed for identity-heavy security programmes across cloud, fraud, and AI-adjacent environments.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org