TL;DR: Fraud losses continue to rise, with American businesses losing more than $12.5 billion in 2024 and global losses nearing $50 billion annually, while roughly 80% of that loss came from attempted payment fraud, according to Sift. The real control question is no longer whether to buy a fraud platform, but how to govern identity signals, decision transparency, and friction without weakening customer trust.
At a glance
What this is: This is Sift's analysis of fraud prevention software features, showing that real-time monitoring, device intelligence, machine learning, and transparent decisioning are now baseline requirements for scaling fraud defence.
Why it matters: It matters to IAM, fraud, and identity verification teams because fraud controls increasingly depend on identity context, device signals, and policy decisions that overlap with account security and trust governance.
By the numbers:
- In 2024, American businesses lost more than $12.5 billion to fraud.
- Global fraud losses hit nearly $50 billion per year, with around 80% lost to attempted payment fraud.
- Nearly 60% of companies report that fraud losses continue to increase in 2025.
- In financial institutions and fintech, almost 30% of organizations have reported losses breaching $1 million.
👉 Read Sift's evaluation guide for fraud prevention software platforms
Context
Fraud prevention software now sits at the intersection of identity verification, transaction risk, and customer trust. The operational problem is not simply detecting bad activity, but doing so fast enough and with enough context to avoid blocking legitimate users while fraud patterns keep evolving.
For IAM and identity verification programmes, this matters because fraud signals are increasingly part of access and trust decisions. Device fingerprinting, behavioural analysis, and risk scoring all influence whether an interaction is treated as a normal login, an account takeover attempt, or a broader trust failure.
The article reflects a common enterprise starting position: teams know fraud is rising, but often lack a consistent way to connect transaction monitoring with identity governance and account protection.
Key questions
Q: How should fraud teams use behavioural signals without adding too much customer friction?
A: Use behavioural signals to adjust friction dynamically, not to block every anomaly. The best approach is to combine device, network, and velocity data with context from the customer journey, then increase challenges only when the risk score crosses a meaningful threshold. That keeps trusted users moving while still disrupting coordinated abuse.
Q: Why do account takeover controls and fraud prevention need to be connected?
A: Because attackers often move from identity compromise to transaction abuse in one chain. If login risk and payment risk live in separate workflows, teams miss the handoff point where a compromised account becomes a fraud event. Shared telemetry makes the attack path visible and improves intervention timing.
Q: What do security teams get wrong about fraud scoring?
A: They often treat scoring as a black box that either approves or blocks a transaction. In practice, the score needs to be explainable, tunable, and tied to business context so teams can understand false positives, support appeals, and adjust thresholds as fraud patterns shift.
Q: How do organisations know whether fraud prevention training is working?
A: Look for better case quality, faster escalation, fewer repeated review mistakes, and stronger correlation between verification, access, and transaction signals. If training is effective, teams should make more consistent decisions with the same evidence and spend less time re-litigating the same fraud pattern in separate functions.
Technical breakdown
Real-time fraud decisioning and risk scoring
Modern fraud platforms move from static rules to continuous scoring because attackers change tactics faster than manual review cycles can keep up. Real-time decisioning ingests transaction signals, device attributes, and behavioural patterns, then classifies risk before the interaction completes. The point is not perfect certainty, but enough confidence to route high-risk activity into step-up controls, manual review, or outright decline. In practice, this shifts fraud prevention from a retrospective investigation model to a live control plane that can adapt thresholds by market, product, and customer segment.
Practical implication: Practitioners need policy-based decision paths that can act before checkout or account action completes.
Device fingerprinting, behaviour analytics, and identity signals
Device fingerprinting combines browser characteristics, IP reputation, operating system data, geolocation, and session behaviour to distinguish legitimate users from automated abuse or compromised accounts. These signals are not identity proof on their own, but they materially strengthen trust decisions when combined with account history and transaction context. For IAM and identity verification teams, this is where fraud prevention and access governance overlap: the same signals that detect account takeover can also inform suspicious login response, adaptive authentication, and account recovery decisions.
Practical implication: Teams should treat device and behaviour telemetry as part of identity assurance, not as a separate fraud-only stack.
Transparent scoring and configurable thresholds
Transparent fraud scoring matters because teams need to understand why a transaction or account was flagged, not just that it was blocked. Explainability supports tuning, appeals handling, and operational trust between fraud, IAM, and customer support teams. Configurable thresholds also let organisations separate high-value transactions from low-value, high-volume ones, which is essential when false positives can create revenue loss as well as fraud loss. The core technical issue is governance of decision quality, not just model accuracy.
Practical implication: Require risk outputs that can be audited and tuned by business context, not opaque scores that block without explanation.
Threat narrative
Attacker objective: The attacker aims to monetise stolen or fabricated identity trust while staying below detection thresholds long enough to complete fraudulent transactions or account abuse.
- Entry begins with account takeover, synthetic identity abuse, or automated abuse that reaches the transaction or login flow with plausible credentials and behavioural camouflage.
- Escalation follows when the attacker uses stolen identity context, weak device controls, or low-friction checkout paths to increase trust and complete higher-risk actions.
- Impact is realised through fraudulent purchases, chargebacks, account abuse, or brand damage that persists after the transaction because the underlying trust model was too permissive.
NHI Mgmt Group analysis
Fraud prevention is now an identity governance problem, not only a payments problem. The article describes a market where device signals, behavioural telemetry, and adaptive scoring decide whether a user is trusted. That means fraud teams are effectively making identity assurance decisions at runtime, often before IAM or support workflows have a chance to intervene. Practitioners should treat fraud decisioning as part of the trust architecture.
Identity signal quality is the new control plane for fraud resilience. Static rules fail when fraudsters automate and adapt quickly, but signals such as device reputation, location patterns, and account history can still collapse attacker uncertainty. The governance challenge is to ensure those signals are consistent, explainable, and tied to business-specific thresholds. Practitioners should prioritise signal governance over blunt rule expansion.
Account takeover and fraud detection now share a common failure mode: weak linkage between identity context and transaction context. When teams separate login risk from purchase risk, they create blind spots that attackers can chain together. This is where IAM, fraud, and identity verification must share telemetry and escalation logic. Practitioners should align access response with fraud response.
Transparent risk scoring is a control requirement, not a nice-to-have feature. The article repeatedly points to the need for teams to understand why an event was flagged and how to tune thresholds by business segment. That reflects a broader governance trend in which explainability supports auditability, customer experience, and internal accountability. Practitioners should require decision transparency as part of fraud programme design.
Fraud tooling will keep converging with identity security stacks. The more systems depend on behavioural and device intelligence, the more fraud prevention, adaptive authentication, and account protection will overlap operationally. That convergence will reward organisations that build shared policy logic and punish those that keep teams and telemetry fragmented. Practitioners should plan for integrated trust governance.
What this signals
Identity-linked fraud defence is becoming a governance discipline. As fraud platforms absorb more behavioural and device telemetry, the key question shifts from detection accuracy to who owns the policy decisions, the escalation thresholds, and the evidence trail. That is where identity programmes need explicit operating models, not just better models or rules.
Signal governance will matter more than model enthusiasm. A platform can score events quickly and still fail if the organisation cannot explain why a customer was challenged or a transaction was blocked. Teams should design around auditability, appeals, and segmented thresholds, then connect those controls back to identity assurance and account protection.
The strategic signal for practitioners is convergence: fraud, IAM, and identity verification are moving toward the same decision layer. Organisations that keep these functions isolated will struggle to see attack chains end to end, while those that align telemetry and policy will reduce both fraud loss and unnecessary friction.
For practitioners
- Map fraud signals into identity assurance workflows Feed device reputation, behavioural anomalies, and transaction context into account protection and adaptive authentication so fraud risk can influence access decisions in real time.
- Define explainable risk thresholds by business segment Set different decision thresholds for high-value, low-volume transactions versus high-volume, low-value flows, and document why each threshold exists for audit and customer support.
- Share telemetry between fraud and IAM teams Unify login, recovery, and purchase signals so account takeover patterns are visible across the full trust journey instead of only at checkout or only at sign-in.
- Test controls against automated abuse patterns Run scenarios for credential stuffing, synthetic identity creation, and purchase fraud to verify that monitoring, scoring, and step-up actions trigger before losses accumulate.
Key takeaways
- Fraud prevention is increasingly an identity governance function because the same signals that detect abuse also shape trust decisions.
- The scale of loss is material, with American businesses losing more than $12.5 billion in 2024 and global fraud losses nearing $50 billion annually.
- Practitioners should align fraud scoring, adaptive authentication, and account protection so decisions are explainable, auditable, and tied to business context.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | Identity assurance and authentication matter where fraud scores influence login and recovery decisions. |
| NIST CSF 2.0 | PR.AC-1 | Fraud controls depend on identity validation and access decision governance. |
| NIST SP 800-53 Rev 5 | IA-2 | Authentication controls are central when account takeover and transaction trust intersect. |
| GDPR | Art.32 | Fraud decisioning often processes personal data and behavioral signals that need protection. |
Map fraud-triggered access actions to PR.AC-1 and ensure identity assertions are verified consistently.
Key terms
- Real-Time Fraud Decisioning: Real-time fraud decisioning is the practice of evaluating a payment or account action before it completes, using identity, behavioural, and transaction signals. In fast-moving P2P systems, it is the difference between preventing abuse and only documenting it after funds have moved.
- Device fingerprint: A bundle of client signals used to recognise the same browser, app, or device across sessions. It often includes user agent, platform traits, and other stable characteristics. For impossible travel, fingerprinting helps separate a real attacker on a different device from a user switching networks.
- Account Takeover: Account takeover is when an attacker gains control of a legitimate user account and uses that trust to commit abuse, fraud, or further compromise. In modern environments, takeover often blends stolen credentials, behavioural mimicry, and low-friction recovery paths that bypass weak identity controls.
- Identity Intelligence: Identity intelligence is the layer that turns raw identity data into context about risk, usage, and privilege. It helps teams distinguish harmless access from materially risky access by linking identity records, entitlement patterns, and behavioural signals, which is essential when non-human identities scale faster than manual review.
What's in the full article
Sift's full article covers the operational detail this post intentionally leaves for the source:
- Platform-by-platform feature breakdowns for real-time decisioning, device intelligence, and risk scoring.
- Commercial positioning and pricing-style distinctions across the seven fraud prevention vendors.
- Vendor-specific claims about support for account protection, chargeback reduction, and API integration.
- The article's full list of practical differentiators for teams comparing fraud tools at procurement stage.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and identity lifecycle controls. It gives security and identity practitioners a common governance language for programmes where fraud, access, and trust signals overlap.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org