TL;DR: European merchants lose 2.8% of revenue to fraud and 3% of orders, while only 16% screen users during browsing or account creation, creating an early blind spot that helps synthetic identities and fake accounts progress unchecked, according to Sift’s analysis. The practical lesson is that fraud control now depends on earlier identity and behavioural signals, not just checkout-time review.
At a glance
What this is: This is Sift’s analysis of 2025 e-commerce fraud trends in Europe, with the key finding that fraud is moving earlier in the user journey and increasingly into real-time payment and account abuse.
Why it matters: It matters because identity verification, step-up authentication, device intelligence, and account lifecycle controls now influence fraud loss, customer friction, and trust outcomes across digital commerce programmes.
By the numbers:
- 2.8% of revenue is lost to fraud across Europe, while fraud accounts for 3% of all orders.
- Only 16% of EU merchants currently screen users during the browsing or account-creation stages.
- 24% of European transaction screening., f European transaction screening.
👉 Read Sift's analysis of European e-commerce fraud trends for 2025
Context
European e-commerce fraud is no longer concentrated only at checkout. Attackers are using phishing, refund abuse, card testing, and real-time payment scams to exploit gaps across the full customer journey, which means trust decisions now begin before payment and continue after fulfilment. That shift creates direct governance pressure for identity verification, authentication, and fraud operations.
For IAM and identity verification teams, the important change is that fraud control is becoming a lifecycle problem rather than a single control point. Weak account creation, poor step-up logic, and inconsistent evidence collection all increase exposure, especially where synthetic identities and reused credentials can move quickly from registration to loss.
Key questions
Q: How should retailers reduce account takeover risk across ecommerce and store operations?
A: Retailers should focus on the identity paths that unlock revenue-impacting actions, not only login events. That means step-up controls for sensitive changes, session monitoring for unusual behaviour, and tighter rules around account recovery, support access and privileged workflows. If attackers can reuse one trusted session across systems, the business impact grows quickly.
Q: Why do real-time payment scams create different controls than card fraud?
A: Real-time payment scams settle too quickly for slow review processes to work. Because funds can move instantly into mule accounts, merchants need pre-transaction decisioning based on velocity, recipient reputation, and behavioural anomalies. The core difference is that prevention must happen before settlement, not after chargeback or reversal.
Q: What do security teams get wrong about refund abuse?
A: They often treat refund abuse as a customer service issue rather than an identity and policy problem. Refund flows can be exploited through false non-receipt claims, manipulated tracking data, or repeated legitimate-account misuse. Strong controls require item-level evidence, clear refund terms, and identity-linked validation for high-risk returns.
Q: Who is accountable when account takeover and synthetic identity fraud occur?
A: Accountability usually sits across fraud, IAM, security, and product teams because the failure spans onboarding, session trust, and action-level controls. In practice, the owner should be the team that can change the decision point where abuse becomes possible. Shared risk does not mean shared inaction.
Technical breakdown
Why early journey screening matters in e-commerce fraud
Fraud controls that start only at checkout miss the phase where synthetic identities, device reputation, and behavioural patterns are easiest to observe. Early screening uses signals from browsing, registration, and login to establish whether the actor is likely to be legitimate before value is exchanged. In practice, this is an identity governance problem because the first trust decision often determines whether later transactions should be challenged, stepped up, or blocked. When merchants defer screening until payment, they lose the chance to correlate account age, device consistency, and velocity patterns across the session.
Practical implication: Move risk scoring into account creation and first-login flows, not just payment authorisation.
How step-up authentication and device signals reduce ATO risk
Account takeover typically begins with credential compromise through phishing, pharming, or executive impersonation. Step-up authentication adds friction only when the risk profile changes, while device fingerprinting and behavioural biometrics help distinguish the real customer from the attacker using valid credentials. The technical value is not just challenge generation, but decision quality: the system can compare current session behaviour with historical patterns and escalate only when the signal crosses an agreed threshold. This makes authentication a dynamic trust control rather than a static gate.
Practical implication: Tie step-up rules to device and behaviour anomalies so authentication adapts to real risk.
Why real-time payment fraud needs sub-second decisioning
Real-time payment rails settle instantly, which removes the recovery window that exists in card-based disputes. Once a payment is initiated, fraud prevention must happen within a narrow decision window using velocity, recipient reputation, transaction amount, and user behaviour. If the control stack cannot evaluate those signals quickly enough, the transaction completes before manual review or after-the-fact detection can intervene. That makes payment fraud detection a latency problem as much as a policy problem, especially where mule accounts are used to route funds immediately.
Practical implication: Engineer fraud controls for the payment decision window, not for post-transaction investigation.
Threat narrative
Attacker objective: The attacker wants to monetise trusted account and payment paths before the merchant can validate identity or reverse the transaction.
- Entry begins with phishing, pharming, or whaling that captures credentials or persuades a user to trust a fake login path.
- Escalation occurs when the attacker uses those credentials to take over an account, create fraudulent access, or exploit weak payout and refund controls.
- Impact follows through stolen funds, chargebacks, refund abuse, or card-testing validation that enables larger fraud operations.
NHI Mgmt Group analysis
Journey-based fraud control is becoming an identity governance discipline. The article shows that fraud now begins before checkout, which means merchants must govern trust at registration, login, and payout as a single lifecycle. That is an identity problem as much as a fraud problem because the same customer, device, and session signals decide whether access should continue. Practitioners should treat early journey governance as part of identity risk management, not a separate fraud-only control plane.
Early-stage screening is the missing control concept here: pre-value trust validation. Only 16% of merchants screen during browsing or account creation, which leaves synthetic identities and low-cost account farms able to establish credibility before any payment risk is visible. That gap is especially relevant to identity verification and IAM teams because account proofing, session continuity, and step-up policy need to align before a customer reaches the checkout boundary. Practitioners should close the trust gap before value transfer begins.
Refund abuse and RTP fraud expose a lifecycle offboarding failure, not just a payment failure. When refund paths, payout flows, and dispute handling are weakly governed, attackers can recycle legitimate identities or create mule-linked accounts to extract value after purchase. This is where identity lifecycle, device binding, and recipient verification intersect with fraud operations. Practitioners should review whether post-purchase controls are as strict as onboarding controls.
Fraud defence now depends on evidence integrity as much as detection accuracy. The article notes stronger chargeback outcomes where merchants improve evidence-gathering protocols, which means account logs, device signals, and delivery records have become control artefacts, not just audit leftovers. For IAM and compliance teams, this shifts the programme question from 'Can we detect fraud?' to 'Can we prove what happened across identity, device, and transaction layers?' Practitioners should design evidence retention as part of the control framework.
Payment fraud is forcing convergence between fraud teams and identity teams. Real-time payment scams, phishing, and card testing all rely on weak trust decisions about who or what is acting. That means identity verification, behavioural analytics, and authentication policy need shared governance if merchants want fewer false positives and faster decisions. Practitioners should align fraud, IAM, and customer experience owners around the same risk signals.
What this signals
Early-stage identity screening is becoming the differentiator between manageable fraud and scale loss. Merchants that wait until checkout will continue to miss synthetic identities, reused credentials, and low-friction abuse that begins earlier in the journey. The operational signal is clear: fraud programmes need shared instrumentation with IAM and identity verification so trust can be assessed before value transfer, not after it.
Pre-value trust validation is a useful concept for commerce teams that are trying to align fraud operations with identity governance. It captures the idea that the first trust decision often happens before payment and that weak account proofing can undermine every downstream control. Teams should treat signup, login, payout, and dispute handling as one connected control chain, not four separate workflows.
For identity leaders, the implication is that fraud control metrics should be reviewed alongside access and authentication metrics. When a programme cannot explain who, what, and which device created an account, it will struggle to defend against both account takeover and refund abuse. That is where governance discipline and behavioural telemetry need to converge.
For practitioners
- Extend trust controls to account creation Score browsing, signup, and first-login activity so synthetic identities are challenged before they reach a payment or payout event. Use device fingerprinting, velocity checks, and behaviour baselines as part of onboarding rather than after loss occurs.
- Tune step-up authentication to session risk Trigger step-up when the device, geography, or behaviour changes materially from the enrolled profile. Avoid static challenge rules that frustrate legitimate users while missing real takeover attempts.
- Add recipient verification to payout workflows Validate beneficiary names, trusted profiles, and payout history before executing real-time transfers. This is especially important where instant settlement removes the chance to reverse a mistaken or fraudulent transfer.
- Preserve fraud evidence as a governed control Retain IP address, device ID, user account activity, and delivery logs in a form that supports dispute resolution and chargeback evidence. Treat those records as part of the control stack, not as after-the-fact reporting artefacts.
- Reduce manual review where rules are stable Automate low-risk decisions and reserve human review for edge cases that genuinely need judgment. This cuts inconsistency, lowers customer friction, and helps analysts focus on patterns that rules alone will not catch.
Key takeaways
- European fraud is moving earlier in the customer journey, which means onboarding and login controls now matter as much as checkout controls.
- The scale is material, with 2.8% of revenue and 3% of orders lost to fraud, while only 16% of merchants screen during browsing or account creation.
- Merchants should respond by aligning identity verification, step-up authentication, device intelligence, and evidence retention across the full transaction lifecycle.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 and NIST SP 800-63 set the technical controls, and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control underpin early fraud screening. |
| NIST SP 800-63 | SP 800-63B | Authentication assurance is central to account takeover mitigation. |
| GDPR | Art.32 | Fraud screening uses personal and device data that must be protected appropriately. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity-driven access abuse overlaps with unmanaged trust and credential misuse. |
Use NHI-01 concepts to review whether non-human and automated access paths are governed consistently.
Key terms
- Account Takeover: Account takeover is the unauthorized use of a legitimate customer account after credentials or trust signals are compromised. In commerce environments, it often appears as login abuse, payout redirection, or transaction manipulation rather than obvious break-in activity.
- Real-Time Payment Fraud: Real-time payment fraud is abuse of instant payment rails where funds settle too quickly for traditional post-transaction controls to help. The attacker relies on short decision windows, mule accounts, and weak recipient verification to move money before detection or reversal.
- Synthetic Identity: A synthetic identity is a fabricated or blended identity built from real and invented attributes to pass low-friction checks. These identities are valuable to fraudsters because they can establish credibility early and then be used across onboarding, payment, and dispute workflows.
- Step-Up Authentication: Step-up authentication is an adaptive challenge applied when session risk rises above an expected baseline. It combines stronger verification with signals such as device change, location change, or abnormal behaviour so the system can challenge suspicious activity without punishing every user.
What's in the full article
Sift's full article covers the operational detail this post intentionally leaves for the source:
- The article breaks down mitigation steps for phishing, RTP fraud, refund abuse, friendly fraud, and card testing in practitioner terms.
- It explains how merchants can tune device, behavioural, and payment signals for fast decisioning at the point of risk.
- It summarises European regulatory and scheme changes affecting scam reimbursement, CoP, and SCA usage.
- It outlines the data-access priorities and automation goals that merchants are using to reduce manual review.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management. It helps practitioners connect identity controls to broader security and trust decisions across modern programmes.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org