TL;DR: Fraud cost U.S. companies an average of 3.3% of annual revenue in 2025, while 84% of those losses hit revenue directly or indirectly, according to Sift. The practical lesson is that fraud prevention now has to be treated as a revenue-control and identity-risk problem, not just a detection function.
At a glance
What this is: This is a fraud-prevention analysis arguing that the old tradeoff between security and customer experience is outdated, with revenue protection now dependent on faster, broader, and less friction-heavy decisioning.
Why it matters: It matters to IAM and fraud practitioners because account takeover, credential abuse, and risky identity decisions increasingly sit inside the same operational path as customer onboarding, login, and transaction approval.
By the numbers:
- In 2025, U.S. companies lost an average of 3.3% of annual revenue to fraud, and 84% of those losses affected revenue directly or indirectly.
- Sift customers have been able to pair a 99.4% acceptance rate with 80% fewer chargebacks, 37% fewer false positives, and 70% fewer manual reviews.
- Sift says it denied entry to 37.5 million attacks and saw a 122% surge in account takeover attempts in 2025.
👉 Read Sift’s analysis of how fraud prevention protects revenue without adding friction
Context
Fraud prevention fails when teams treat it as a binary choice between blocking bad actors and preserving customer experience. In practice, fraud creates a governance problem across identity verification, account access, and transaction trust, because the same signals that stop abuse can also block legitimate users if they are applied too aggressively.
For IAM and fraud teams, the real issue is not whether controls exist, but whether they can make fast decisions across the full customer journey without creating avoidable friction. That boundary matters for login risk, account takeover detection, and payment decisions, where identity assurance and fraud scoring increasingly overlap.
Key questions
Q: How should security teams balance fraud prevention with customer conversion?
A: Use risk-based decisioning rather than broad blocking. The goal is to distinguish high-risk from low-risk activity using multiple signals, then apply friction only when the evidence justifies it. Teams should track approval rate and false-positive rate alongside fraud loss so prevention does not damage trusted-user experience.
Q: Why do identity and fraud teams need shared controls?
A: Because the same attacker journey often starts with identity abuse and ends with fraud. Account creation, login, and transaction controls all consume overlapping signals, so separate teams can create gaps or duplicate friction. Shared governance helps ensure trust decisions remain consistent across the customer lifecycle.
Q: What do fraud teams get wrong about automation?
A: They often measure automation by how much work it removes, instead of whether it improves decision quality. Automation that only speeds up bad rules will scale false positives and missed attacks. The better test is whether automated decisions reduce analyst noise while preserving legitimate approvals.
Q: How do you know if fraud controls are actually improving?
A: Fraud controls are improving when teams can correlate fewer false handoffs, faster escalation, and better detection of staged attacks across the full user journey. The best signal is not volume of alerts, but whether the organisation can connect identity, device, and behaviour evidence to a defensible decision. If investigations still rely on manual stitching, the model is not mature.
Technical breakdown
Continuous risk scoring across the customer journey
Fraud is rarely a single event. It often begins with account creation, credential testing, or suspicious login behaviour, then progresses into abuse at transaction or payout stages. Continuous risk scoring means the system evaluates signals across signup, login, transaction, and post-transaction events instead of making a one-time trust decision. That design is closer to identity assurance than legacy rules engines because it treats trust as dynamic, not permanent.
Practical implication: teams should score identity and transaction risk as a single flow, not as isolated checkpoints.
Decision latency and customer friction
Fraud controls only help if they can act quickly enough to matter. If a platform takes too long to score an event, the attacker has already moved on, but if it is too aggressive, legitimate users pay the price in false positives and manual review. The technical challenge is balancing machine-speed decisioning with human override paths for edge cases.
Practical implication: set latency and false-positive targets together so speed gains do not erase trust gains.
Network intelligence and linked identity behaviour
A single merchant can only see a narrow slice of attacker behaviour. Network intelligence expands that view by linking signals across many events, identities, and environments, which helps spot patterns such as repeated device behaviour, credential reuse, or multi-account abuse. For fraud and IAM teams, this is the difference between local anomaly detection and population-level risk analysis.
Practical implication: enrich fraud and access decisions with cross-environment signals where identity reuse is a known attack pattern.
Threat narrative
Attacker objective: The attacker’s objective is to convert identity abuse into monetisable fraud without triggering controls quickly enough to stop the transaction flow.
- Entry begins with fake account creation, credential testing, or suspicious login behaviour that blends into normal traffic.
- Escalation follows when the attacker moves from initial access into account takeover, payment abuse, or fraudulent order execution.
- Impact occurs when the activity drives chargebacks, revenue loss, manual review burden, and friction for legitimate customers.
NHI Mgmt Group analysis
Fraud prevention has become an identity governance problem, not just a loss-prevention problem. The article shows that fraud now reaches directly into onboarding, login, and transaction control points. That means the boundary between fraud detection and identity assurance is collapsing in practice, especially where account takeover and credential abuse create the first foothold. Practitioner conclusion: teams should govern fraud as a trust decision across the customer lifecycle, not as a late-stage checkout filter.
Decision latency is the real control plane. The article’s emphasis on decisions in under 150 milliseconds highlights a simple truth: fraud controls fail when they are too slow to influence the transaction path. Fast scoring matters, but so does calibration, because a fast false positive is still a revenue event. Practitioner conclusion: measure fraud tooling by response latency, not just detection volume.
Network-level identity intelligence creates a broader fraud perimeter. When behaviour can be linked across 1.9 billion digital identities, the governance model shifts from single-tenant observation to population-level pattern recognition. That is especially relevant for organisations trying to separate repeat abuse from legitimate first-party behaviour. Practitioner conclusion: identity, fraud, and IAM teams should treat cross-network signals as part of the control architecture.
False positives are a governance failure when they erase legitimate revenue. The article correctly reframes customer friction as a business loss, not an acceptable side effect. That matters because many programmes still optimise for block rates while leaving approval quality, analyst workload, and customer abandonment under-measured. Practitioner conclusion: balance fraud controls against acceptance rate, review volume, and customer impact, not only stop rates.
Named concept: revenue-aware fraud governance. This is the operating model implied by the article, where fraud controls are judged by revenue protection, customer experience, and analyst efficiency together. It aligns well with IAM-adjacent governance because identity trust decisions now happen inside revenue-bearing flows. Practitioner conclusion: teams should define fraud success metrics across security, conversion, and operational cost, not in a single silo.
What this signals
Revenue-aware fraud governance is becoming the practical model for programmes that sit between identity assurance and conversion. The organisations that will manage this best are the ones that treat fraud, IAM, and customer experience as a single control problem, not as separate reporting lines.
Where identity risk and fraud risk converge, the strongest signal is not a single blocked event but a pattern of friction, analyst escalation, and approval quality across the journey. That is the programme-level question now: whether controls are preserving trusted interactions or simply relocating loss into another operational queue.
For identity-heavy fraud environments, the next step is to align access, verification, and transaction controls around shared outcomes and shared telemetry. In that context, the 27-day secret-remediation lag from The State of Secrets in AppSec is a reminder that trust systems often move slower than attackers expect.
For practitioners
- Unify identity and fraud decisioning Map signup, login, transaction, and post-transaction controls into one policy flow so attackers do not move between blind spots. This is especially important where account takeover and payment abuse share the same identity signals.
- Set latency targets for fraud controls Measure whether automated decisions can act fast enough to change the outcome, not just whether they detect suspicious behaviour. A useful benchmark is the point at which a suspicious action can still be stopped before revenue is lost.
- Track customer friction as a security metric Include false positives, manual reviews, and approval rates in fraud reporting alongside blocked events. That gives fraud, IAM, and product leaders a shared view of whether the control stack is preserving trust or quietly destroying conversion.
- Use network signals to spot reuse patterns Look for device linkage, repeated identity behaviour, and multi-account abuse patterns that are invisible inside a single environment. Cross-environment signal sharing is most valuable where attackers rotate accounts but preserve behaviour.
Key takeaways
- Fraud prevention is now a revenue governance issue because attack success, customer friction, and analyst workload are tightly linked.
- The article’s numbers show that fraud can be reduced without sacrificing acceptance, but only when decisions are fast, continuous, and properly tuned.
- Identity, fraud, and IAM teams should measure the full journey, because the most expensive failure is often the one that looks like a normal customer action.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST SP 800-63 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity assurance and access decisions are central to fraud controls here. |
| NIST SP 800-53 Rev 5 | IA-2 | Fraud detection often depends on strong identity verification at login and enrollment. |
| NIST SP 800-63 | SP 800-63A | Account creation fraud and identity proofing are directly relevant to the article. |
| GDPR | Art.32 | Fraud platforms processing identity and behavioural data must protect personal data appropriately. |
Map customer trust decisions to PR.AC-1 and review where identity checks precede high-risk transactions.
Key terms
- Account Takeover: Account takeover is the unauthorised control of a legitimate user account after an attacker bypasses or abuses the original trust boundary. In fraud programmes, it is often the bridge between identity compromise and direct financial harm because the attacker acts through an account that already appears valid.
- False Positive: A false positive is a scanner result that looks like a secret but is not actually sensitive. In secret governance, false positives matter because they consume analyst time, weaken trust in alerts, and can delay response to the findings that truly change exposure and access risk.
- Manual Review: Manual review is the human escalation path for cases that automated identity checks cannot resolve cleanly. It matters because edge cases often reveal whether the programme can explain exceptions, preserve evidence, and maintain consistent decision quality under fraud pressure.
- Identity Signal Curation: The practice of selecting and maintaining a small set of trusted external voices that consistently produce identity-relevant insight. It is not about following more sources. It is about building a repeatable filter for commentary that helps teams spot governance gaps, breach patterns, and access control drift faster.
What's in the full article
Sift's full post covers the operational detail this post intentionally leaves for the source:
- Customer-facing examples of how to reduce chargebacks without increasing false declines.
- The way Sift tunes thresholds, workflows, and manual review handling across the customer journey.
- Specific outcome metrics such as acceptance rate, chargeback reduction, and manual review reduction.
- How Sift combines platform signals with fraud expertise when attack patterns change.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is designed for practitioners who need to connect identity control with broader security operations and governance.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org