TL;DR: A 3.15% average payment fraud attack rate, 0.99% account takeover rate, and only 2.7% average manual review in Q4 highlight how precision controls are replacing broad rejection strategies, according to Sift’s 2025 Fraud Industry Benchmarking Resource. The data suggests fraud teams now win by tuning governance, not by widening the net.
At a glance
What this is: Sift’s 2025 benchmark data shows fraud pressure remained persistent, but teams with tighter controls achieved lower attack rates and far less manual review than broader industry norms.
Why it matters: For IAM and fraud practitioners, the findings reinforce that identity assurance, layered authentication, and access governance shape fraud outcomes as much as transaction rules do.
By the numbers:
- Across industries, the average payment fraud attack rate was 3.15% in 2025, 37% lower than the MRC’s reported 5% order rejection rate.
- While the MRC reports that merchants manually screen approximately 23% of orders, Sift’s average manual review rate in Q4 sat at just 2.7%.
- Account takeover attacks averaged 0.99% in 2025 and showed little seasonality compared to payment fraud.
- Two-factor authentication adoption averaged 8.2%, helping keep account takeover rates relatively contained.
👉 Read Sift's 2025 fraud trends and benchmarking analysis
Context
Fraud teams rarely lose because one control fails in isolation. They lose when review thresholds, authentication strength, and transaction policy drift out of alignment with how attackers actually behave, especially during seasonal traffic shifts and credential-driven account takeover campaigns.
This matters to identity practitioners because account takeover is fundamentally an identity problem, even when the loss shows up at checkout. The article’s benchmark data shows that better fraud outcomes depend on authentication, risk scoring, and operational tuning rather than blanket blocking, which is a familiar pattern for IAM and verification programmes.
Key questions
Q: How should fraud and IAM teams handle account takeover risk together?
A: They should treat account takeover as an identity control problem that becomes a fraud problem downstream. The practical response is to connect login telemetry, step-up authentication, recovery workflows, and dispute analysis so suspicious access states can be blocked before payments, data, or account settings are abused. Identity assurance and fraud rules need shared signals, not separate dashboards.
Q: Why do leaked credentials often drive account takeover spikes?
A: Leaked credentials matter because they let attackers present valid authentication data without proving legitimate user intent. Once a reused password or token works, the attacker can blend into normal traffic unless anomaly detection, step-up controls, and session monitoring are aligned. That is why credential exposure events often translate quickly into takeover attempts and downstream fraud.
Q: What do security teams get wrong about manual review in fraud programmes?
A: Teams often assume more manual review means better fraud control. In practice, high review volume can hide weak upstream controls and create avoidable friction for legitimate users. The better model is selective escalation based on strong signals, with review reserved for cases where the system cannot confidently decide on its own.
Q: Who is accountable when fraud and account takeover controls fail?
A: Accountability usually sits across fraud, IAM, and customer operations, because the failure is lifecycle wide. Fraud teams own detection and dispute handling, IAM teams own authentication and recovery, and product or operations teams often own the user experience that shapes false positives. The control question is whether those functions share the same risk signals and escalation rules.
Technical breakdown
Why payment fraud rates diverge from rejection rates
Payment fraud attack rate measures the share of attempted transactions that are fraudulent, while rejection rate measures how many orders are blocked, whether fraudulent or legitimate. Those are not interchangeable. A merchant can reject many legitimate buyers and still miss fraud if rules are blunt or poorly tuned. The gap between the 3.15% fraud attack rate and the 5% rejection rate in the article shows that operational precision matters more than raw blocking volume. In practice, fraud programmes need separate measures for detection quality, false positives, and customer friction, otherwise the control set optimises the wrong outcome.
Practical implication: separate fraud detection performance from customer rejection metrics so governance decisions do not reward overblocking.
Account takeover as an identity governance failure
Account takeover is not just a fraud event. It is a downstream failure of identity assurance, credential hygiene, and step-up authentication design. When attackers reuse leaked credentials, they exploit the assumption that a valid login still represents a valid user intent. The article’s note that ATO spikes track large credential leaks is consistent with that pattern. In modern programmes, ATO controls must connect login telemetry, anomaly detection, and recovery flows so that compromised identity states are detected before stored payment data or personal data is accessed.
Practical implication: tie authentication events to anomaly and recovery workflows so leaked credentials do not become durable access.
Why manual review is shifting from volume to precision
Manual review is expensive, slow, and often too blunt to keep up with fast-changing fraud patterns. The article’s comparison between a 23% industry manual review rate and Sift’s 2.7% Q4 rate suggests a wider operational shift toward selective escalation. That shift only works when teams have reliable signals, not when they simply reduce headcount or tighten every rule. Precision review depends on clean data, stronger upstream authentication, and consistent policy boundaries across payment methods and customer segments.
Practical implication: reserve human review for high-signal exceptions and use policy rules to reduce low-value manual queues.
Threat narrative
Attacker objective: The attacker wants to monetise stolen access through fraud, payment abuse, or resale of compromised account value.
- Entry begins when attackers use leaked or reused credentials to initiate account takeover against customer accounts.
- Escalation occurs when valid sessions or weak step-up controls let attackers access stored payment details, personal data, or account settings.
- Impact follows through fraudulent purchases, chargeback pressure, and operational cost from review and remediation.
NHI Mgmt Group analysis
Fraud benchmarking is becoming an identity governance signal, not just a merchant KPI. The article shows that payment fraud and account takeover are shaped by authentication quality, review discipline, and operational context. That means fraud programmes increasingly overlap with IAM, verification, and access governance. Teams that treat fraud data as separate from identity telemetry will miss the control connections that actually reduce loss.
Account takeover is the clearest example of identity controls shaping fraud outcomes. The article’s ATO data tracks closely with credential leaks and layered authentication adoption, which is exactly where identity assurance and fraud prevention meet. In practice, this pushes practitioners toward stronger step-up logic, better recovery design, and tighter monitoring of suspicious login states.
Precision review is the right concept for modern fraud governance. The article’s contrast between broad manual screening and low Q4 review rates shows that scale alone is not the answer. Precision review: a control model that escalates only the highest-confidence cases, preserving revenue while reducing friction. For practitioners, the lesson is to govern exceptions with evidence, not volume.
Seasonality should be treated as a control stress test, not a business quirk. The article notes that fraud behaviour and merchant tolerance both shift around peak periods. That means governance has to be dynamic enough to absorb temporary policy changes without losing the ability to detect abuse. For practitioners, the operational question is whether controls still work when risk tolerance rises.
Chargeback growth shows that fraud governance now spans the full identity-to-payment lifecycle. The article’s rising chargeback trend suggests that first-party misuse and economic pressure are now part of the same governance problem set. Identity teams, fraud teams, and payments teams need common signals if they want to understand whether a dispute is a product issue, an abuse pattern, or both. For practitioners, this is a lifecycle control problem, not a single-team issue.
What this signals
Identity and fraud teams should expect sharper pressure to prove that controls reduce loss without increasing false positives. The real operational test is whether authentication, review, and dispute handling share the same risk picture. Where they do not, teams end up optimising one stage of the funnel while weakening another.
Precision review will become a governance expectation, not an efficiency preference. The benchmark data implies that teams need evidence-based escalation logic, especially as seasonal traffic and payment diversity increase. For practitioners, that means control design has to be measurable, explainable, and resilient under business pressure.
Fraud programmes are moving closer to lifecycle identity governance. The strongest teams will correlate login anomalies, recovery activity, and payment risk in one operating model instead of treating them as separate disciplines. That is where the next reduction in chargebacks and takeover loss is likely to come from.
For practitioners
- Separate fraud detection from rejection metrics Track false positives, fraud capture, and customer rejection as distinct controls so policy changes do not hide deteriorating detection quality.
- Tie login telemetry to account recovery workflows Alert on leaked-credential patterns, anomalous device changes, and rapid recovery attempts so takeover can be interrupted before stored value is accessed.
- Tune manual review to high-signal exceptions Use risk tiers, payment method context, and historical dispute patterns to keep the review queue focused on cases that actually need analyst judgment.
- Use step-up authentication at value-bearing events Apply stronger verification when users change payment details, reset credentials, or access high-risk account functions.
- Review seasonal policy drift before peak periods Test whether relaxed holiday acceptance rules still preserve detection quality and whether fraud thresholds need temporary guardrails.
Key takeaways
- The 2025 benchmark data shows that fraud outcomes depend on control precision, not simply higher rejection rates.
- Account takeover remains an identity-driven fraud problem, especially when leaked credentials meet weak step-up and recovery design.
- Teams that connect IAM, fraud review, and payment governance can reduce loss while keeping friction under control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | Authentication and authenticator assurance are central to account takeover risk. |
| NIST CSF 2.0 | PR.AC-1 | The article hinges on access control and identity verification outcomes. |
| GDPR | Art.32 | Fraud and ATO controls often process personal data and must be secured appropriately. |
Strengthen authentication and recovery flows so leaked credentials do not become durable account access.
Key terms
- Account Takeover: Account takeover is the unauthorised use of a legitimate account after an attacker gains access to valid credentials or session state. In fraud programmes, it often begins with credential leaks or phishing and ends with misuse of stored value, personal data, or account settings.
- Manual Review Rate: Manual review rate is the share of transactions or cases escalated to human analysts for decisioning. It is a governance signal as much as an operations metric, because it shows how much a programme still depends on judgement rather than confidence in automated controls.
- Step-up Authentication: Step-up authentication is an additional verification step triggered when risk rises, such as a password reset, payment change, or device shift. It is used to confirm intent when standard login signals are not enough to trust the session.
- Chargeback: A chargeback is a payment reversal initiated through the card network or issuing bank, often because a transaction is disputed as fraudulent or unauthorised. Repeated chargebacks can indicate fraud, first-party misuse, or weak transaction governance across the customer lifecycle.
What's in the full report
Sift's full report covers the operational detail this post intentionally leaves for the source:
- Industry-by-industry benchmark breakdowns that show where fraud pressure diverged across verticals.
- Order-value, payment-method, and chargeback-reason analysis for teams tuning detection rules.
- Deeper console-level context on how Sift customers adjusted review and authentication controls.
- Seasonal trend detail that helps fraud and identity teams compare peak-period behaviour against baseline risk.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, secrets management, and workload identity. It helps security practitioners connect identity controls to operational risk across modern programmes.
Published by the NHIMG editorial team on 2026-01-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org