TL;DR: Transaction volume across its Global Data Network grew 15.2% from Q1 2025 to Q1 2026 while global payment fraud block rates fell and account takeover rates dropped 28%, but coordinated fraud rings spanning 90+ businesses and a 383% rise in online gambling payment fraud show the risk is becoming less visible, not disappearing, according to Sift. Averages are no longer enough: network linkage, behavioural signals, and post-incident response now shape fraud governance.
At a glance
What this is: Sift’s fraud data shows aggregate block rates improving even as coordinated rings and vertical spikes make attacks harder to detect with isolated controls.
Why it matters: IAM, fraud, and identity teams need to look beyond login and transaction averages because networked abuse can hide inside otherwise healthy headline metrics.
By the numbers:
- Transaction volume across the Sift Global Data Network grew 15.2% from Q1 2025 to Q1 2026.
- Global payment fraud block rates fell and account takeover rates dropped 28% year over year.
- Online gambling payment fraud rose 383% year over year.
- Users associated with fraudulent chargebacks scored 15.8x higher than clean users.
👉 Read Sift’s analysis of fraud rings, account takeover, and retention risk
Context
Fraud programmes often fail when they rely on averages, isolated alerts, or a single control point such as login, device, or payment screening. The article argues that the fraud economy is becoming harder to see because attackers move as coordinated rings across businesses, payment methods, and account types rather than as single-event outliers.
For IAM and identity verification teams, that is a familiar governance problem in a different wrapper. Account takeover, compromised identities, and fraudulent account creation all benefit when controls cannot correlate identity signals with behaviour, transaction context, and downstream trust decisions.
Key questions
Q: What breaks when fraud teams rely only on transaction-level rules?
A: Transaction-only rules miss coordinated abuse that is spread across devices, payment methods, and merchants. A ring can keep each individual event within normal-looking thresholds while the cross-network pattern is clearly malicious. Fraud teams need linkage analysis and identity context, not just per-event scoring, to detect that behaviour.
Q: Why do account takeover attacks still succeed when MFA is enabled?
A: MFA protects the login step, but it does not govern what happens after the session is established. Attackers can still change recovery details, alter payment paths, or exploit trusted account workflows. Effective defence requires monitoring account changes, device drift, and downstream transaction behaviour, not only authentication success.
Q: How do security teams know if fraud controls are actually working?
A: Look beyond block rates and measure whether suspicious activity clusters across accounts, devices, and merchants are shrinking. Also track false positives, customer friction, and recovery outcomes after fraud incidents. If controls only improve headline block numbers but do not reduce ring behaviour or customer loss, governance is incomplete.
Q: Who is accountable when fraud prevention damages legitimate customers?
A: Accountability sits across fraud, IAM, product, and customer operations because blocking decisions affect access, revenue, and trust. Teams should define ownership for thresholds, appeals, and recovery paths, and map those responsibilities to risk governance so no single team optimises only for loss reduction at the expense of customer experience.
Technical breakdown
Why isolated fraud detection misses ring behaviour
Isolated detection treats each account, payment, or transaction as a separate event. Fraud rings break that assumption by reusing devices, payment instruments, and identity attributes across multiple merchants, which makes individual events look normal while the network pattern looks abnormal. Linkage scoring, graph analysis, and cross-merchant correlation expose the shared infrastructure behind apparently unrelated abuse. The key point is that a single merchant view often cannot distinguish organic traffic from coordinated fraud because the evidence is distributed across the network, not concentrated in one control plane.
Practical implication: teams need cross-channel and cross-merchant correlation rules, not only merchant-local thresholds.
How account takeover and fraud use the same identity weaknesses
Account takeover is not only a login problem. Once an attacker controls an account, they can test payment methods, change account details, and move into higher-value transactions where the fraud surface widens. The article’s data shows that strong authentication alone does not close the gap because many breached accounts still had MFA enabled at compromise. That means fraud defence has to combine authentication, device and behavioural signals, and monitoring of sensitive account changes after login, especially where identity assurance is reused as a proxy for trust.
Practical implication: add post-authentication monitoring and transaction-context checks to your identity controls.
What transaction value and false positives change in fraud controls
Fraud controls are economic decisions, not just detection decisions. A low-value transaction stream can tolerate more friction than a high-value digital commerce flow, and the cost of a false positive can exceed the fraud loss in some categories. That is why uniform thresholds underperform. Risk-based policies need to account for method, sector, customer behaviour, and the expected cost of blocking legitimate activity. The right control is not the most aggressive one. It is the one calibrated to loss exposure and user impact.
Practical implication: tune fraud policy by segment, payment method, and business loss tolerance.
Threat narrative
Attacker objective: The attacker’s objective is to monetise trusted digital accounts and payment paths while avoiding merchant-local fraud controls.
- Entry begins when attackers acquire or create accounts and blend them into normal customer activity across multiple businesses.
- Escalation occurs when they reuse devices, cards, or account attributes to build a coordinated fraud ring that bypasses isolated detection.
- Impact follows when the ring completes account takeover, card testing, or fraudulent purchase attempts at scale, creating financial loss and trust erosion.
NHI Mgmt Group analysis
Fraud now behaves like an identity graph problem, not a transaction-only problem. The article’s linkage data shows why isolated scoring breaks down when the same device, payment instrument, or account pattern appears across many businesses. That shifts the governance question from 'did this transaction look bad' to 'does this identity have a networked abuse pattern'. Practitioners should treat graph correlation as part of core fraud and identity governance, not as an optional analytics layer.
Account takeover remains an identity assurance failure even when MFA is present. The article’s point that many breached accounts still had MFA enabled means login assurance is necessary but insufficient. Fraud teams need to govern account change events, recovery flows, and behavioural drift after authentication because those are the places where identity confidence is actually spent. This is where fraud prevention intersects with IAM, lifecycle controls, and step-up policy design.
Transaction-level controls create blind spots unless they inherit identity context. A merchant can block obvious fraud and still miss a distributed ring because the abuse signal lives across merchants, devices, and time. That creates a named concept worth tracking: networked fraud visibility gap: the distance between a clean local alert set and a dirty cross-network pattern. Teams should assume local thresholds will miss coordinated abuse unless they can correlate identity signals beyond one business unit.
Fraud prevention is now customer trust governance, not just loss prevention. The article shows that response quality directly affects whether customers stay, lose trust, or leave. That means fraud operations, IAM, and CX teams need a shared incident model for account compromise, communications, and recovery. Practitioners should measure both detection quality and trust recovery outcomes.
Identity verification programmes need stronger links to behavioural governance. The article sits at the boundary of fraud and identity verification because trust decisions are being made on partial evidence. When verification, authentication, and transaction monitoring are disconnected, attackers can move from one weak point to the next. Practitioners should design identity assurance as a continuous control chain, not a one-time onboarding event.
What this signals
Networked fraud visibility gap: fraud programmes that optimise only for per-transaction precision will keep missing coordinated abuse. The practical shift is toward graph-based monitoring, shared identity context, and business-wide signal correlation, because the attack surface now spans accounts, devices, and payment paths rather than a single checkout flow.
The governance implication for practitioners is that fraud, IAM, and identity verification can no longer operate as separate decision layers. If account recovery, behavioural monitoring, and transaction authorisation are not linked, attackers will keep moving from one control boundary to the next. Teams should prepare for more emphasis on continuous trust evaluation and shared incident workflows.
For practitioners
- Implement cross-merchant linkage scoring Correlate devices, payment instruments, account attributes, and transaction histories so fraud rings can be detected as networks rather than isolated events. Use linkage thresholds that surface coordinated behaviour without over-blocking legitimate repeat customers.
- Add post-authentication account-change monitoring Monitor recovery email edits, payout changes, password resets, and beneficiary changes after successful login because MFA at the front door does not prevent downstream account abuse. Escalate when identity signals shift faster than normal customer behaviour.
- Tune fraud policy by segment and payment method Set different thresholds for digital commerce, subscriptions, gaming, and low-value transaction flows, and review them against the actual cost of false positives. Avoid one-size-fits-all blocking rules that either miss high-risk rings or frustrate low-risk users.
- Align fraud operations with customer recovery workflows Create a shared playbook for account takeover and fraudulent charge response that covers user notification, restore steps, and trust repair. Measure resolution speed and customer retention alongside loss prevention so the programme reflects real business impact.
Key takeaways
- Fraud is becoming more networked, which makes isolated merchant controls less reliable than graph-based detection.
- Headline improvements in block rates do not remove the need to detect coordinated rings, account takeover, and trust erosion.
- Teams should link identity signals, transaction context, and customer recovery processes if they want fraud defence to protect both revenue and retention.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is needed to detect distributed fraud patterns. |
| NIST SP 800-53 Rev 5 | IA-2 | Identity assurance underpins account takeover prevention and recovery. |
| GDPR | Art.32 | Fraud and identity data used for verification must still be protected as personal data. |
Correlate identity and transaction events so anomalous network patterns are detected across the full fraud surface.
Key terms
- Account Takeover: Account takeover is the unauthorised use of a legitimate user account after an attacker gains access through stolen credentials, social engineering, or recovery abuse. In fraud programmes, the risk is not only initial login compromise but everything the attacker can do once the account is trusted.
- Linkage Scoring: Linkage scoring evaluates whether an account, device, payment method, or transaction is connected to a broader pattern of suspicious activity. It helps fraud teams move from isolated alerting to network-level detection, where coordinated abuse is often easier to see than in single-event review.
- Fraud Ring: A fraud ring is a coordinated set of accounts, devices, or actors that work together to bypass controls and scale abuse. The ring may blend compromised and newly created identities, making it harder to detect with per-user or per-transaction thresholds alone.
- Identity Assurance: Identity assurance is the degree of confidence a programme has that an account, credential, or person is who it claims to be. In fraud and IAM contexts, assurance must extend beyond login to include recovery, behaviour, and downstream activity if it is to remain useful.
What's in the full report
Sift's full article covers the operational detail this post intentionally leaves for the source:
- The underlying Global Data Network methodology and how linkage scores are calculated across merchants.
- Vertical-by-vertical fraud and ATO comparisons for teams that need implementation benchmarks.
- The customer retention findings after fraud and account takeover incidents, including response-quality effects.
- The full set of payment method and transaction value trade-offs that shape control tuning.
👉 Sift’s full post covers the network linkage findings, vertical spikes, and customer trust data.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management. It helps practitioners connect access control, ownership, and lifecycle governance across modern security programmes.
Published by the NHIMG editorial team on 2026-06-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org