TL;DR: Fraudsters and legitimate shoppers both become harder to distinguish during peak season, as merchants see bigger baskets, faster shipping, atypical addresses, and account warm-up behaviors that can mislead rule-based review, according to Riskified. Identity-based fraud intelligence and automated decisioning are now essential to separate malicious mimicry from legitimate holiday shopping.
At a glance
What this is: This is an analysis of how holiday shopping behaviour and fraudster mimicry collide, with the key finding that static rules and manual review struggle when both attackers and real customers look unusual.
Why it matters: It matters to identity and IAM practitioners because fraud detection, account trust, and identity signals increasingly overlap with access decisions, especially where human identity, account takeover, and risk-based authentication intersect.
By the numbers:
- Riskified says it can instantly recognize 85% of new customers so merchants can calibrate checkout for facilitation or friction.
👉 Read Riskified's holiday fraud analysis on identity-based merchant decisioning
Context
Holiday fraud becomes more effective when merchant controls depend on fixed rules and a narrow view of normal behaviour. During peak shopping periods, both attackers and genuine customers generate signals that look risky, so the core governance problem is deciding which identity and transaction patterns deserve friction and which deserve trust. For teams that run fraud, identity verification, IAM, and customer access programmes, the challenge is not only detection but also avoiding false positives that damage legitimate revenue.
In practice, this is an identity verification problem as much as a fraud problem. Attackers try to look established by warming up accounts with small purchases, returns, and browsing, while genuine customers may create the same anomalies during holiday shopping. That overlap makes adaptive risk scoring, behavioural intelligence, and lifecycle-aware account trust more valuable than static rule enforcement.
Key questions
Q: How should merchants handle holiday shoppers who look risky but are legitimate?
A: Merchants should use adaptive risk scoring that weighs seasonality, customer history, shipping patterns, and login behaviour together. Holiday shoppers often trigger the same signals as fraudsters, so static rules create false positives. The goal is not to remove friction entirely, but to apply it selectively when the broader identity and transaction context supports higher risk.
Q: Why do fraudsters warm up accounts before launching attacks?
A: Fraudsters warm up accounts to make them look established and trustworthy before attempting abuse. Small purchases, returns, and normal browsing build behavioural credibility that can defeat simple rules. This turns account history into a shield, which is why merchants need identity-linked behaviour analysis instead of one-off transaction checks.
Q: What do security and fraud teams get wrong about rule-based review?
A: They often assume a rule that works in one period or channel will keep working during holiday peaks. In reality, the meaning of risky behaviour changes when legitimate volume rises. Effective review needs season-aware thresholds, reviewer judgement, and behavioural context so good customers are not treated like confirmed fraud.
Q: How do organisations reduce false positives without letting fraud through?
A: They should combine automated decisioning with escalation rules that use account age, behaviour history, and transaction composition. That gives the model room to approve low-risk activity while pushing ambiguous cases into review. The strongest controls are calibrated, not binary, so they can preserve both revenue and fraud resistance.
Technical breakdown
How fraudsters use behavioural mimicry to bypass merchant controls
Fraudsters do not always attack with obviously malicious patterns. They often mix low-risk and high-risk items in one cart, stage stolen accounts with benign activity, and wait for periods of elevated legitimate traffic to hide inside the noise. The mechanism is social and statistical at the same time: merchants train controls on expected signals, so attackers deliberately behave like edge-case customers. This is why detection that only checks transaction attributes misses the wider identity pattern across browsing, purchasing, and account history.
Practical implication: merchants need identity-linked behavioural scoring, not just transaction rules, to recognise staged fraud patterns before approval.
Why holiday seasonality breaks rule-based fraud review
Peak retail periods change the baseline. Bigger baskets, unusual shipping addresses, faster checkout, and atypical logins can all be normal during holidays, which means a rule that would be useful in March can become noisy in December. Static review models fail because they assume the same risk meaning holds across all periods. Adaptive systems work better when they incorporate seasonality, customer tenure, channel context, and historical behaviour into the decision. That is a governance issue, not just a data science one, because review thresholds determine both fraud loss and customer friction.
Practical implication: recalibrate fraud thresholds by season and channel so controls do not punish legitimate holiday buyers.
Identity-based fraud intelligence in merchant decisioning
Identity-based fraud intelligence combines account history, device and network signals, and cross-merchant behaviour to decide whether a user is likely genuine. In this model, the identity is not just the login account. It is the pattern of behaviour around that account across time and transactions. This matters for merchants because account takeover, fake account creation, and return abuse often look different in isolation but converge in the same risk engine. The right question is whether the account behaves like a trusted customer over time, not whether one transaction matches a single rule.
Practical implication: use cross-signal decisioning to connect account trust, checkout risk, and fraud escalation paths in one policy layer.
Threat narrative
Attacker objective: The attacker wants to convert a trusted-looking account into approved fraudulent purchases while hiding inside normal holiday commerce patterns.
- Entry begins with stolen or compromised accounts that are warmed up through browsing, small purchases, and returns so the account looks established.
- Escalation happens when the attacker combines benign activity with risky cart composition, such as high-value digital goods or gift cards, to increase approval odds.
- Impact is fraudulent order approval, revenue loss, and customer trust erosion, especially when fraud blends into legitimate peak-season traffic.
NHI Mgmt Group analysis
Holiday fraud is an identity governance problem disguised as a commerce problem. Merchants are not only classifying transactions, they are classifying trust in human identities that may be genuine, compromised, or synthetic. When account behaviour and customer behaviour converge during peak season, rigid rules stop being governance and start being guesswork. Practitioners should treat fraud scoring as a trust framework, not a one-time review process.
Behavioural warm-up is the same control-gap pattern as credential ageing in IAM. Fraudsters stage accounts so they pass as established identities before abuse begins, which is conceptually similar to standing trust that never gets revalidated. The named concept here is identity trust drift, where the risk posture of an account changes faster than the merchant’s ability to notice it. That is why lifecycle-aware verification matters across both customer identity and access governance.
Peak-season false positives are a governance failure, not just a model tuning issue. When legitimate shoppers look unusual, the organisation must know which signals justify friction and which should be tolerated. This is where policy design, escalation paths, and reviewer guidance matter as much as scoring accuracy. Teams should calibrate controls to preserve both fraud prevention and customer experience.
Cross-network intelligence is becoming the differentiator for fraud and identity teams. Single-merchant signals are often too thin to distinguish holiday shopping spikes from coordinated abuse. Cross-network patterning helps separate isolated anomalies from repeated fraud behaviours across accounts, devices, and channels. Practitioners should expect fraud governance to increasingly resemble identity threat intelligence, with stronger integration into IAM and verification workflows.
AI-assisted shopping will make the line between legitimate automation and malicious automation harder to draw. As consumer behaviour changes, merchant controls will need to decide whether the signal comes from a person, a bot, or a delegated assistant. That creates a new governance layer for identity verification, because the account may be legitimate even when the interaction pattern is machine-shaped. Practitioners should prepare for policies that account for AI-mediated commerce without collapsing trust entirely.
What this signals
Identity trust drift: merchants should expect fraud programmes to move closer to IAM-style lifecycle thinking, because account trust decays and changes faster than static rules can track. The more commerce is mediated by AI assistants and automated shopping behaviours, the more important it becomes to distinguish genuine users from delegated or synthetic activity.
For teams that also govern machine identities, the lesson is familiar. Standing trust and unmanaged access create blind spots, whether the subject is a service account or a customer account. Control design should assume that behaviour can change faster than approval logic and should align with the NIST Cybersecurity Framework 2.0 where identity trust is continuously evaluated.
The practical signal is programme convergence. Fraud, identity verification, and access governance teams will need shared policy logic, especially where account recovery, login behaviour, and device trust influence both customer experience and abuse resistance. That convergence is where identity security programmes can reduce both fraud loss and false-positive friction.
For practitioners
- Recalibrate holiday risk thresholds Adjust approval and review thresholds for peak periods using seasonality, basket composition, shipping patterns, and customer tenure so legitimate holiday behaviour does not trigger blanket friction.
- Link account history to fraud scoring Feed browsing, small purchases, returns, and login consistency into the decision engine so warmed-up accounts are scored on behavioural history, not just single-transaction attributes.
- Separate genuine anomaly from staged mimicry Create reviewer guidance that distinguishes holiday shopping anomalies from account warm-up patterns, especially when high-value digital goods are mixed with low-risk physical items.
- Use cross-signal identity intelligence Combine device, network, account, and order data into one policy layer so fraud teams can spot coordinated abuse that looks legitimate when each signal is viewed alone.
Key takeaways
- Holiday fraud works best when it looks like ordinary commerce, which makes identity-aware detection more useful than fixed rules.
- The scale problem is not only attacker activity but also the way legitimate peak-season behaviour widens the false-positive window.
- Merchants need adaptive, lifecycle-aware decisioning that connects account history, behavioural context, and cross-signal intelligence.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | The article hinges on authenticating and re-evaluating customer identity signals during checkout. |
| NIST CSF 2.0 | PR.AC-4 | Adaptive trust decisions map to access control that reacts to identity and context signals. |
| GDPR | Art.5 | Merchant identity and behavioural data can implicate lawful processing and data minimisation. |
Limit retention and use of behavioural signals to what is necessary for fraud prevention and governance.
Key terms
- Identity-Based Fraud Intelligence: A fraud decisioning approach that evaluates a customer account using behaviour, device, network, and transaction context over time. It treats trust as a dynamic property rather than a single verification event, which helps merchants distinguish staged abuse from legitimate shopping anomalies.
- Account Warm-Up: A fraud technique where a stolen or synthetic account is gradually made to look legitimate through small purchases, browsing, and returns. The aim is to build behavioural credibility so later malicious activity blends into normal usage patterns and bypasses simple review logic.
- Behavioural Mimicry: The deliberate imitation of normal customer actions to reduce suspicion and improve approval odds. In fraud operations, behavioural mimicry can include cart composition, login patterns, timing, and shipping choices that look like established customer behaviour even when the underlying intent is malicious.
- Identity Trust Drift: The gap that appears when an account’s real risk changes faster than the organisation updates its trust decision. It is a governance problem because the policy, model, or reviewer still treats the identity as stable even though behaviour, compromise status, or intent has shifted.
What's in the full article
Riskified's full analysis covers the operational detail this post intentionally leaves for the source:
- How Riskified calibrates checkout facilitation versus friction for new customers.
- The report's category-level observations on electronics, travel, fast fashion, and gift cards.
- Regional fraud anomalies from EMEA and LATAM that are not expanded in this post.
- The vendor's view on how AI assistants are reshaping merchant risk signals.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It gives identity and security practitioners a structured way to govern access, trust, and lifecycle risk across modern programmes.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org