TL;DR: Payment fraud attack rate fell from 3.3% to 2.8% and manual review dropped from 3% to 2.5%, while chargeback rate rose from 0.2% to 0.3% and fraudulent chargebacks edged up to 0.102%, according to Sift’s Q1 2026 benchmarking. The governance problem is no longer only volume reduction, but where losses concentrate when trusted accounts and payment flows are abused.
At a glance
What this is: Sift’s Q1 2026 data shows fraud attacks fell while chargeback losses rose, pointing to more concentrated and higher-impact fraud.
Why it matters: Fraud teams and IAM-adjacent programmes need to see how account takeover, stored credentials, and decision thresholds affect both trust and loss outcomes.
By the numbers:
- The payment fraud attack rate decreased from 3.3% in Q1 2025 to 2.8% in Q1 2026, a 14% decline.
- The overall chargeback rate increased from 0.2% to 0.3%, a 56% increase.
- The manual review rate decreased from 3% to 2.5%, a 17% reduction in review volume.
- 21% of consumers report experiencing account takeover in the past year.
👉 Read Sift's Q1 2026 fraud benchmarking analysis
Context
Fraud programmes often optimise for top-line attack volume, but that view can miss where losses are actually concentrating. In payment environments, fewer blocked attempts do not necessarily mean lower risk if the attacks that do succeed are aimed at trusted accounts, stored credentials, and high-value payment flows. That is why the primary question is not only how much fraud is arriving, but where the remaining fraud is landing.
The identity connection is direct. Account takeover turns a fraud problem into an access-control problem, because the attacker is using a legitimate account to create transactions that look normal until the loss appears. For IAM and fraud teams, the governance issue is how authentication strength, account lifecycle controls, and risk decisioning interact once a user has established trust in the system.
Key questions
Q: What breaks when account takeover controls are too focused on login only?
A: Login-only controls miss the point where a compromised account becomes profitable. Attackers often wait until the account looks normal, then add payment methods, redeem stored value, or trigger high-value purchases. Effective defence must extend into post-login behaviour, transaction risk, and step-up checks at monetisation points, not just authentication at the front door.
Q: Why do trusted accounts create more fraud loss than obvious new attacks?
A: Trusted accounts already carry behavioural history, payment permissions, and user confidence, so malicious actions blend in more easily. That makes them better vehicles for monetisation than noisy attack attempts. The result is higher downstream loss even when overall fraud volume appears to be falling.
Q: How do security and fraud teams know if automation is hiding risk?
A: They should compare automation outcomes with chargeback trends, fraud rate by channel, and the mix of cases reaching manual review. If review volume falls while disputes rise, the thresholds may be tuned for speed rather than resilience. The right signal is whether the programme is reducing loss, not just reducing workload.
Q: Who is accountable when account takeover leads to payment fraud?
A: Accountability sits across fraud operations, IAM, and product owners because the failure is usually distributed. Authentication, lifecycle controls, and transaction decisioning each contribute to the final outcome. Governance works when those teams share a common view of risk and agree which controls must intervene before monetisation occurs.
Technical breakdown
Why fraud concentration rises as attack volumes fall
Fraud metrics can improve at the entry point while losses worsen downstream. That happens when broad, low-value attack traffic is reduced but adversaries shift toward trusted accounts, stored payment methods, and behaviours that survive shallow detection. The result is concentration: fewer successful attacks, but higher-value outcomes when they do land. This is common in systems where approval logic is tuned for speed and attackers can wait for an account to age into legitimacy.
Practical implication: measure fraud by loss concentration and downstream disputes, not only by blocked attempts.
How account takeover turns into payment fraud
Account takeover is an identity problem that creates a payments problem. Once an attacker controls a valid account, they can add payment instruments, drain stored value, manipulate loyalty balances, or resell access to another fraudster. The core weakness is not only authentication failure but the trust granted after authentication, especially where session continuity and behavioural baselines are treated as proof of legitimacy. That is why ATO often precedes higher-value fraud rather than appearing as a standalone event.
Practical implication: tighten step-up checks around account changes, payout actions, and first-time high-risk transactions.
Why review automation can hide emerging risk
Manual review is a control, but it is also a measurement system. When review volume falls while chargebacks rise, the programme may be optimising for friction reduction rather than detecting changing attack patterns. That does not mean automation is wrong. It means the decision thresholds need continuous recalibration against loss outcomes, especially where attackers exploit cases that look ordinary until settlement or dispute time.
Practical implication: align review thresholds to chargeback outcomes and not just to throughput or conversion targets.
Threat narrative
Attacker objective: The attacker wants to monetise trusted account access with the highest possible conversion into chargebacks, resale value, or drained balances.
- Entry begins with account takeover or trusted-account abuse, where attackers obtain access to a legitimate user profile rather than attacking transactions directly.
- Escalation occurs when the attacker adds payment methods, leverages stored credentials, or waits for behavioural trust to accumulate inside the account.
- Impact follows through fraudulent purchases, chargebacks, account resale, and reputational damage that extends beyond the single transaction.
NHI Mgmt Group analysis
Fraud concentration is the real governance signal: when attack volume falls but chargeback loss rises, the programme is no longer dealing with a simple volume problem. The control question becomes where adversaries are concentrating effort and which accounts generate the highest downstream value. Fraud operations, IAM, and risk teams should treat concentration as the leading indicator, not average attack rate.
Account takeover is the bridge between fraud and identity governance: once a legitimate account is compromised, the attacker inherits the trust the business has already issued. That means authentication success is not the same as account safety, especially when stored credentials, payment methods, and mature behavioural history all make the account look safe. Teams should design controls for post-login risk, not just login risk.
Behavioural trust debt: this pattern describes the period in which an account accumulates normal activity that later makes malicious actions appear legitimate. The longer a business relies on historical trust as a proxy for current safety, the more expensive the eventual fraud is likely to be. Practitioners should reduce reliance on static trust signals and increase friction at high-value actions.
Benchmarking is becoming a control, not just a reporting exercise: the article shows why peer comparison matters when industry models create very different fraud profiles. A rate that looks acceptable in one segment can hide under-detection in another, while a rate that looks high may simply reflect a more exposed business model. Practitioners should benchmark by channel, payment type, and dispute outcome, not by aggregate fraud rate alone.
Fraud programmes need identity collaboration: the strongest signal in this data is the overlap between account compromise, transaction loss, and trust erosion. That overlap is where IAM, fraud operations, and customer authentication governance converge. Teams should align on a shared control model that measures not only prevention, but the cost of successful access abuse.
What this signals
Fraud teams should expect more scrutiny on the points where account trust converts into spend authority, because that is where concentration risk shows up first. Behavioural trust debt: the longer an account is allowed to accumulate normal-looking history, the more dangerous its eventual misuse becomes. The practical response is to combine transaction monitoring with account lifecycle signals and to revisit how post-login trust is granted.
The governance implication for IAM-adjacent programmes is that authentication metrics alone are no longer enough. If your controls do not distinguish between a successful login and a trustworthy action, you will miss the shift from volume fraud to high-loss fraud. Teams should align fraud, IAM, and customer experience teams on a shared risk model that uses peer benchmarking and outcome-based thresholds.
For practitioners
- Recalibrate controls around loss concentration Track chargeback rate, fraudulent chargeback rate, and account takeover together so the programme sees when fewer attacks are becoming more expensive. Use channel and payment-method segmentation to find where concentrated losses are building instead of relying on aggregate fraud volume.
- Add step-up friction to post-login risk points Require stronger verification when a user adds a payment method, changes payout details, redeems stored value, or initiates a first-time high-risk purchase. Those are the moments where a compromised account turns into measurable financial loss.
- Reassess manual review thresholds against outcomes Use review cohorts to test whether lower manual review volume is improving efficiency without allowing more disputes through. If chargebacks rise while review falls, tighten thresholds around the behaviours most associated with monetisation.
- Separate identity trust from transaction trust Treat login success as one signal, not a verdict. Combine account age, device history, payment change events, and behavioural drift before allowing the account to perform actions that are hard to unwind after settlement.
- Benchmark by business model and payment type Compare fraud outcomes across subscriptions, wallets, stored value, and high-value one-off purchases, because each model creates different attacker incentives. Use peer data to decide where friction is justified and where it is simply suppressing conversion.
Key takeaways
- Fraud risk is becoming more concentrated, which means fewer attacks can still produce more loss.
- Account takeover remains the critical bridge between identity compromise and payment fraud monetisation.
- Teams need to measure chargebacks, review thresholds, and post-login trust together or they will optimise the wrong control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST SP 800-63 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Account takeover and post-login trust are access governance problems. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege matters when trusted accounts can be used for monetisation. |
| NIST SP 800-63 | SP 800-63B | The article hinges on authentication strength and step-up decisions. |
| GDPR | Art.32 | Fraud and identity controls process personal data and account information. |
Map account takeover scenarios to PR.AC-1 and verify access decisions reflect current risk, not just login success.
Key terms
- Account Takeover: Account takeover is the unauthorised control of a legitimate user account. In fraud programmes, it matters because the attacker operates through trusted credentials and normal-looking behaviour, which can bypass front-door controls and turn routine account actions into financial loss.
- Fraud Concentration: Fraud concentration is the pattern in which fewer successful attacks produce disproportionately higher losses. It usually appears when attackers focus on trusted accounts, valuable payment methods, or mature user behaviour, making downstream dispute and recovery costs more expensive.
- Behavioural Trust Debt: Behavioural trust debt is the hidden risk created when a system relies on historical account behaviour as proof of present safety. Over time, that trust accumulates, and an attacker who compromises the account later can exploit the account's established normality to make malicious actions look legitimate.
- Manual Review Threshold: A manual review threshold is the decision boundary that routes transactions or account events to human analysts instead of automation. It is a governance control because it defines which patterns are treated as uncertain, and it must be tuned against loss outcomes, not just workload or conversion goals.
What's in the full report
Sift's full post covers the operational detail this post intentionally leaves for the source:
- Segment-by-segment benchmark data across food delivery, software, gambling, fintech, and digital commerce.
- The specific relationship between manual review volume and downstream chargeback pressure.
- Examples of how payment type and account feature mix change attacker incentives.
- The underlying FIBR benchmarking context that supports peer comparison and operational tuning.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is designed for practitioners who need to connect identity controls to broader security and risk programmes.
Published by the NHIMG editorial team on 2026-04-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org