By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: SiftPublished July 16, 2025

TL;DR: E-commerce marketplace payment fraud fell to 1.6% in Q1 2025, according to Sift, while account takeover remained 3.2% overall and marketplace ATO sat at 3.8%, showing fraud is shifting across payment, identity, and abuse vectors rather than simply declining. That means fraud teams need identity-centric decisioning, not card-only controls, to keep pace.


At a glance

What this is: This analysis links worsening economic conditions to shifting marketplace fraud patterns, with payment fraud down but account takeover, alternative payment methods, and abuse of trust-rich platform features still creating material risk.

Why it matters: IAM, fraud, and identity teams need to treat marketplace access, payment methods, and user trust signals as a single control problem because attackers exploit the weakest identity boundary, not just payment cards.

By the numbers:

👉 Read Sift's analysis of marketplace fraud, ATO, and economic pressure


Context

Marketplace fraud tends to follow economic pressure because it exploits uncertainty, urgency, and weaker user verification. In this case, the primary issue is not only payment fraud but the broader identity surface around accounts, listings, loyalty value, and alternative payout methods.

For IAM and identity verification practitioners, the important signal is that fraud increasingly blends authentication abuse with behavioural manipulation. That makes marketplace platforms a useful case study for how identity controls, trust signals, and fraud operations need to converge rather than operate as separate programmes.


Key questions

Q: How should marketplace teams reduce account takeover without overblocking legitimate users?

A: Focus on risk-based authentication around high-impact actions, not every login. Use device history, behavioural signals, payout change monitoring, and step-up checks when the account moves toward monetisation. That approach reduces friction for normal users while creating friction at the point fraudsters need it most.

Q: Why do marketplaces need identity controls beyond payment fraud filters?

A: Because the attacker’s real asset is often the account, not the card. A compromised marketplace account can hold payout routes, saved identities, listings, and trust history, which means payment-only controls miss the point where fraud becomes possible and profitable.

Q: What do fraud teams get wrong about falling fraud rates?

A: They often treat a lower number as a general improvement when it may reflect fraud migration, tighter review, or reduced visibility. A falling payment fraud rate can coexist with rising ATO, refund abuse, or scam listings if the attack path simply changed.

Q: Who is accountable when marketplace identity abuse leads to losses?

A: Accountability usually sits across fraud, identity, payments, and platform operations because the failure is cross-functional. If identity verification, authentication, dispute handling, and review queues are separate, the organisation needs a shared control owner and a common escalation path for abuse.


Technical breakdown

Account takeover in marketplaces is an identity problem, not just a fraud problem

Account takeover becomes more valuable in marketplaces because the account often bundles payment instruments, saved addresses, listings, ratings, and sometimes loyalty balances. Attackers use phishing, credential stuffing, and social engineering to get past login controls, then monetise trust already established by the platform. Once inside, they can change payout routes, post listings, or abuse stored value without needing to defeat payment authentication again. The security challenge is that the account itself is an identity container with multiple downstream privileges.

Practical implication: tie fraud detection to identity signals, session risk, and account-change monitoring instead of treating login success as low-risk.

Why alternative payment methods attract fraud at different rates

Cards remain the most commonly abused instrument, but points, financing, and crypto often present lower scrutiny, faster cash-out, or less mature dispute handling. Fraudsters prefer the path that converts account access into value with the least resistance and the lowest chance of recovery. High block rates on points-based methods suggest control pressure is already building there, but block rate alone does not equal control maturity. It can also indicate that the channel is both attractive and under attack.

Practical implication: segment payment risk by method and tune step-up controls, verification depth, and abuse monitoring by cash-out speed and reversibility.

Manual review trends can mask both automation gains and fraud migration

A falling manual review rate can mean better automation, but it can also mean constrained staffing or reduced sensitivity after tuning. In marketplace environments, that matters because fraud often migrates from overt payment abuse to subtler categories such as refund abuse, promotion abuse, scam listings, or mule recruitment. If review capacity shrinks while attack variety expands, the organisation may appear more efficient while actually becoming easier to exploit. Monitoring only one fraud KPI creates blind spots across the platform lifecycle.

Practical implication: measure fraud outcomes across payment, account, listing, and chargeback channels rather than relying on a single review or block metric.


Threat narrative

Attacker objective: The attacker aims to convert trusted marketplace access into fast, low-friction monetisation while avoiding detection and dispute recovery.

  1. Entry begins with phishing, credential stuffing, or social engineering that compromises a marketplace account with existing trust and saved payment context.
  2. Escalation follows when the attacker uses the account to alter payout destinations, abuse points or financing tools, or create deceptive listings and scam job posts.
  3. Impact occurs through fraud losses, chargebacks, refund abuse, and trust erosion across buyers, sellers, and the platform itself.

NHI Mgmt Group analysis

Identity-rich marketplaces now behave like access platforms as much as commerce systems. The article shows that the account, not the card, is the primary control surface because listings, payment methods, and loyalty balances are all attached to identity state. That shifts fraud governance toward access governance, where step-up controls, account-change monitoring, and session risk matter as much as payment blocking. For practitioners, the relevant question is whether identity signals are driving fraud decisions in real time.

Payment fraud falling does not mean attack pressure is falling. Lower payment fraud rates can reflect better controls, but they can also mean fraudster migration into ATO, promotion abuse, or social engineering around less scrutinised payment methods. That is a control-design problem, not a reporting problem, because one metric can improve while the overall abuse surface expands. Practitioners should read falling rates as a cue to test for channel migration, not as proof of reduced risk.

Marketplace fraud now reveals a verification trust gap. The platform may verify identity at signup and still fail to govern the changing trust state of the account over time. That gap becomes visible when buyers, sellers, and internal review teams all rely on stale assumptions about who controls the account. Practitioners should treat identity verification as a lifecycle control, not a one-time event.

Fraud operations and IAM need shared telemetry to manage abuse at scale. When login, payout change, listing creation, and dispute handling sit in separate queues, attackers move across them faster than controls can converge. The strongest signal from this article is that operational separation creates governance separation. Practitioners should align fraud decisioning with IAM and verification data so abuse patterns can be correlated before monetisation completes.

What this signals

Verification trust gap: marketplaces should assume that signup verification decays quickly once accounts begin trading, listing, and moving value. That makes lifecycle controls, risk-based authentication, and event-driven review more useful than static trust assumptions. For practitioners, the priority is to detect when a verified identity has become an untrusted operating context.

The next maturity step is convergence between fraud ops and identity governance. When review teams and IAM share the same telemetry on account changes, payout updates, and anomalous behaviour, the organisation can stop treating ATO as an isolated fraud event and start managing it as an access-risk problem.


For practitioners

  • Correlate login with account-change risk Use identity signals, device reputation, and step-up authentication when users change payout destinations, add payment instruments, or modify recovery details. Treat these actions as higher-risk than routine sign-in because they often mark the conversion point from access to monetisation.
  • Segment controls by payment method Apply different verification, velocity, and dispute controls to cards, points, financing, and crypto based on reversibility and cash-out speed. Review block rates and fraud rates separately so a high block rate does not hide a weak channel.
  • Expand detection beyond payment fraud Add monitoring for scam listings, refund abuse, promotion abuse, and job scam behaviour across marketplace workflows. Connect these signals to the same case management path so abuse is not treated as isolated incidents.
  • Use benchmarks to spot migration early Compare your payment fraud, ATO, and review metrics against market peers to detect when fraud is shifting rather than shrinking. Look for mismatches such as falling payment fraud alongside rising ATO or higher use of alternative payment methods.

Key takeaways

  • Marketplace fraud is no longer just a payment-card issue because attackers monetise trusted accounts, not only stolen credentials.
  • The data shows a mixed picture: payment fraud is down, but ATO and alternative-payment abuse remain active and operationally important.
  • Fraud teams should align identity verification, authentication, and review workflows so control gaps do not move faster than the attack path.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63BMarketplace login assurance and step-up checks relate to digital authentication strength.
NIST CSF 2.0PR.AA-01Identity and authentication controls underpin marketplace abuse detection.
GDPRArt.32Marketplace identity and fraud data often include personal data requiring protection.
NIST SP 800-53 Rev 5IA-2Strong user authentication is central to reducing account takeover risk.

Map marketplace identity controls to PR.AA-01 and review them at payout and listing change points.


Key terms

  • Account Takeover: Account takeover is the unauthorised control of a legitimate user account after an attacker bypasses or compromises authentication. In marketplace environments, it is especially damaging because the account often holds trust, payment instruments, listings, and payout paths that can be abused without creating a new identity.
  • First-Party Fraud: First-party fraud is abuse committed by a real customer or account holder, rather than an external intruder. In commerce and marketplaces it often appears as refund abuse, chargeback abuse, promotion manipulation, or deliberate misrepresentation that exploits legitimate enrolment and trust.
  • Step-Up Authentication: Step-up authentication is additional verification triggered by higher-risk behaviour or sensitive actions. It is not a replacement for baseline login controls, but a conditional control that adds friction when an account tries to change payout details, access value, or perform unusual actions.
  • Fraud Migration: Fraud migration is the shift of attack activity from one channel, method, or workflow to another after controls tighten. It is a governance problem as much as a detection problem because apparent improvement in one metric can mask a move into less visible abuse paths.

What's in the full article

Sift's full article covers the operational detail this post intentionally leaves for the source:

  • Benchmark context for payment fraud, ATO, and chargeback trends across multiple industries.
  • Channel-by-channel discussion of points, financing, and crypto as fraud targets.
  • Economic examples linking inflation, unemployment, and secondhand-market growth to fraud behaviour.
  • Practitioner guidance on monitoring fraud migration across marketplace workflows.

👉 The full Sift article covers benchmark detail, fraud method breakdowns, and marketplace risk implications.

Deepen your knowledge

NHI Mgmt Group covers identity security, NHI governance, and agentic AI through independent research, practitioner guides, and the NHI Foundation Level course, the industry's only accredited NHI security programme. It helps practitioners connect identity governance to the controls and operating models their broader security programme depends on.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org