TL;DR: A stable 3.1% payment fraud rate, a 21% drop in manual review to 2.2%, a 110% surge in cryptocurrency fraud, and a 55% decline in account takeovers as 2FA adoption rose 10% are reported in Q3 2025 Fraud Industry Benchmarking Resource, according to Sift. The operational lesson is that fraud teams are shifting from broad review toward sharper identity and behavioral controls.
At a glance
What this is: Sift’s Q3 2025 fraud benchmarking update shows payment fraud staying steady overall while cryptocurrency fraud and sector-specific tactics shift sharply.
Why it matters: Fraud programmes, trust and safety teams, and identity governance leads need to see where authentication, behavioural signals, and manual review are losing ground or paying off.
By the numbers:
- The payment fraud attack rate remained stable at 3.1% overall, with a 6% year-over-year decline.
- Manual review rate dropped 21% year-over-year to 2.2% in Q3 2025.
- Cryptocurrency fraud surged 110% year-over-year, making it the riskiest payment method this quarter with a 6.7% fraud rate.
- Account takeovers declined 55% year-over-year, supported by a 10% increase in 2FA adoption.
👉 Read Sift's Q3 2025 fraud benchmarking update for payment, chargeback, and ATO trends
Context
Fraud programmes increasingly fail when teams treat all payment and account-risk signals as interchangeable. The Q3 2025 benchmark data shows a stable overall fraud rate, but that stability hides major movement underneath, especially in crypto payments, chargeback patterns, and account takeover trends.
For IAM and identity verification teams, the useful signal is not just fraud volume but where stronger authentication is reducing abuse and where behavioural or payment-layer controls still lag. The same principle applies to NHI and agentic AI programmes: if trust signals are weak, attackers look for the least governed path into the transaction or access flow.
Key questions
Q: What breaks when fraud controls are too broad across different payment channels?
A: Broad fraud controls miss the fact that card, crypto, marketplace, and subscription payments behave differently. When teams use one threshold across all channels, they either over-block legitimate users or under-protect the riskiest paths. Effective fraud governance segments by payment method, user behaviour, and dispute pattern so controls reflect actual attacker incentives.
Q: Why do stronger authentication controls reduce account takeover risk?
A: Stronger authentication increases the effort required to reuse stolen credentials and forces attackers toward more expensive techniques such as device compromise or token theft. It does not eliminate takeover risk, but it changes the economics enough to reduce casual abuse and many automated attacks. The right measure is ATO trend plus authentication coverage.
Q: How do teams know if manual review is still adding value?
A: Manual review adds value when it catches high-impact edge cases that automation cannot reliably classify. If review volume is falling but fraud losses are also falling, the programme may be working well. If review is falling while disputes, chargebacks, or high-risk exceptions rise, the review model needs retuning.
Q: Who is accountable when fraud shifts into emerging payment methods?
A: Accountability sits with the teams that own fraud strategy, identity assurance, customer experience, and payment risk. Emerging methods need explicit ownership because they often outpace existing controls and dispute processes. Governance should define who can approve risk thresholds, who monitors loss patterns, and who escalates control gaps when a new rail becomes material.
Technical breakdown
Why stable fraud rates can still mask shifting attack patterns
Fraud benchmarks often compress very different behaviours into one headline rate. A flat aggregate payment fraud number can hide rising abuse in one channel and declines in another, which is why practitioners need to segment by payment type, industry, and trust signal. The article shows that broad automation can coexist with sharper attacker adaptation. In practice, this means the control question is not whether fraud exists, but where the controls still distinguish legitimate users from synthetic or opportunistic ones.
Practical implication: break fraud metrics out by channel and segment before you tune thresholds or staffing.
How 2FA changes the account takeover equation
Two-factor authentication reduces the value of stolen passwords because the attacker needs an additional proof factor or session path. That does not eliminate takeover risk, but it does force attackers toward more expensive methods such as device compromise, SIM swap, or token theft. The reported decline in ATO alongside increased 2FA adoption is consistent with that pattern. For identity teams, the lesson is that authentication strength changes attacker economics, not just login success rates.
Practical implication: measure ATO reduction alongside 2FA coverage, not as a standalone security win.
Why emerging payment methods need stricter trust and fraud controls
New payment rails often become attractive to fraudsters before mature controls catch up. Cryptocurrency stands out in the article because its fraud rate is materially higher than the overall payment average, which suggests that novelty, weaker dispute handling, and different user expectations create exploitable gaps. This is not just a payment issue. Where identity assurance, account linking, or behavioural scoring are weak, the fraud surface expands across onboarding, transaction approval, and dispute handling.
Practical implication: apply stronger verification and step-up controls to high-risk payment methods before scaling volume.
Threat narrative
Attacker objective: The attacker seeks to monetise trust gaps by completing fraudulent transactions, extracting refunds, or taking over accounts with minimal resistance.
- Entry begins when attackers exploit weaker guardrails in emerging payment channels or low-friction account flows.
- Escalation follows when synthetic behaviour, refund abuse, or stolen credentials pass through controls that were tuned for lower-risk populations.
- Impact appears as fraudulent transactions, chargeback costs, and in some cases account takeover that bypasses customer trust assumptions.
NHI Mgmt Group analysis
Fraud benchmarking is becoming an identity governance problem, not just a trust and safety problem. The article shows that account takeover, 2FA adoption, and identity signal quality are now central to fraud outcomes. That means identity teams should treat fraud data as governance data, because the quality of authentication and behavioural assurance directly changes loss rates and review load.
Cryptocurrency fraud highlights the verification trust gap. The riskiest payment method this quarter is not necessarily the most attacked overall, but the one where controls, recovery paths, and user verification are easiest to outpace. Verification trust gap: when a channel is newer than the control model around it, attackers can exploit the lag between adoption and assurance design. Practitioners should view this as a governance lag, not a niche payment anomaly.
Identity assurance is now part of fraud resilience across human and non-human workflows. The same control logic that reduces account takeover in consumer flows also matters for API-driven ordering, automation, and AI-assisted transaction flows where synthetic behaviour can pass as legitimate demand. Where identity signals are weak, both human fraud and NHI abuse become easier to scale, so practitioners should align fraud controls with the wider identity architecture.
Manual review is not disappearing, but it is being pushed toward the edges of the decision tree. A 21% drop in review rates indicates that teams are using automation to absorb volume, but that only works when the underlying risk model is dependable. If review is decoupled from evidence quality, organisations create blind spots that fraudsters learn to exploit, so the operating model must be redesigned around risk tiering rather than blanket human intervention.
What this signals
Verification trust gap: fraud teams should expect attackers to move toward the least governed payment and account paths whenever controls tighten in the core flow. The practical response is to align identity assurance, behavioural analytics, and payment risk scoring so that a weaker edge channel cannot become the new default abuse route.
The benchmark data also suggests that lower review rates are only safe when the underlying segmentation is mature. Where manual review becomes a catch-all for ambiguous cases, losses often shift rather than disappear, so programmes should watch for false confidence created by automation efficiency.
For identity-led programmes, the lesson extends beyond fraud operations. If authentication and assurance signals do not adapt quickly enough, attackers will keep exploiting the gap between customer trust and control design, and that same pattern increasingly appears in NHI and agent-assisted transaction flows.
For practitioners
- Segment fraud by channel and payment method Separate card, crypto, marketplace, and recurring payment flows so that thresholds reflect different abuse patterns and dispute dynamics. Treat aggregate fraud rates as a dashboard metric only, not a control input.
- Use 2FA coverage as an operational control metric Track 2FA adoption alongside account takeover trends, recovery friction, and support contacts. If ATO falls while coverage rises, preserve the control and inspect the remaining bypass paths before relaxing other checks.
- Harden verification for high-risk payment methods Require stronger identity proofing, step-up verification, or behavioural checks for payment types with disproportionate fraud, especially emerging rails where controls are still maturing.
- Re-tune manual review to target ambiguous cases only Use automation to handle the clear majority, but reserve human review for edge cases that combine weak identity signals, anomalous behaviour, and high-value transactions. This keeps review capacity focused where it changes outcomes.
Key takeaways
- Fraud loss is increasingly shaped by where controls are weakest, not by a single enterprise-wide rate.
- A 55% drop in account takeovers alongside higher 2FA adoption shows that authentication strength still changes attacker economics.
- Teams should segment by channel, raise verification on high-risk payment methods, and treat review capacity as a precision tool rather than a blanket defence.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | 2FA and account takeover trends map directly to authenticator and session controls. |
| NIST CSF 2.0 | PR.AC-1 | Identity assurance and access control are central to fraud reduction and account protection. |
| GDPR | Art.32 | Fraud and identity verification programmes often process personal data and require security safeguards. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management underpins the 2FA and takeover trends discussed in the article. |
Apply Art.32 to align verification, access control, and fraud monitoring with data protection obligations.
Key terms
- Account Takeover: Account takeover is the unauthorized capture of a user account after an attacker defeats the original authentication or recovery path. In fraud programmes, it is a control failure that can lead to payments, refunds, or account settings being manipulated as if the attacker were the legitimate user.
- Manual Review: Manual review is the human inspection of transactions or account events that automated controls cannot classify confidently. It is useful for ambiguous cases, but it becomes costly and slow if teams rely on it to compensate for weak segmentation or poor signal quality.
- Chargeback: A chargeback is a payment reversal initiated through the card network or issuing bank after a transaction is disputed. It may reflect true fraud, first-party misuse, or a customer dispute, so practitioners need to separate fraud signals from commercial friction.
- Two-Factor Authentication: Two-factor authentication requires a second proof of identity beyond a password, such as a device prompt, token, or one-time code. It raises attacker effort and often reduces account takeover, but it remains vulnerable to phishing, token theft, and recovery weaknesses if not paired with stronger session controls.
What's in the full report
Sift's full post covers the operational detail this analysis intentionally leaves for the source:
- Quarter-by-quarter benchmark breakdowns by payment type, including the crypto and card mix behind the headline fraud rates.
- Industry-specific movement in digital commerce, marketplaces, travel, and food delivery that helps teams tune controls by segment.
- Chargeback and dispute context that explains why some rises are not straightforward fraud signals.
- Console and customer-community access paths for users who need the fuller benchmark dataset and in-product metrics.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and workload identity. It helps practitioners connect identity control design to the broader security decisions their programmes depend on.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org