By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: RiskifiedPublished September 24, 2025

TL;DR: U.S. online grocery sales hit $10 billion in July as retailers push faster delivery, broader assortments, and loyalty-led growth, but Riskified says those same conditions increase fraud, abuse, and false declines. The governance challenge is not just transaction screening, but policy design that protects revenue without breaking customer trust.


At a glance

What this is: This is Riskified’s analysis of how digital grocery growth expands exposure to fraud, loyalty abuse, promotions abuse, and false declines.

Why it matters: It matters to identity and security practitioners because fraud controls, access policy, and customer trust increasingly overlap in high-volume commerce environments.

By the numbers:

👉 Read Riskified's analysis of fraud and policy abuse in online grocery


Context

Online grocery is a fast-moving digital commerce problem with a fraud and policy-abuse layer. As delivery and pickup become default behaviours, retailers absorb more account abuse, promotion gaming, loyalty fraud, and false-decline risk at the same time they are trying to reduce friction.

For identity and trust teams, the interesting part is the boundary between customer verification, account protection, and transaction decisioning. This is not classic IAM or NHI governance, but it still depends on reliable identity signals, risk scoring, and policy choices that shape who is trusted and when.


Key questions

Q: How should grocers reduce fraud without creating excessive false declines?

A: Grocers should use risk-based decisioning that combines account behaviour, basket context, fulfilment signals, and redemption history rather than relying on static rules alone. The goal is to stop abuse while preserving normal repeat shopping patterns. Teams should also monitor false declines as a customer-retention issue, not only a fraud metric.

Q: Why do loyalty programmes attract fraud and abuse?

A: Loyalty programmes hold convertible value, so attackers can monetise points, discounts, and rewards without stealing payment cards. Once account trust is broken, the loyalty balance becomes a target. Security teams should connect account access signals with redemption controls so value extraction is harder to hide.

Q: What do security and fraud teams get wrong about promotion abuse?

A: They often treat promotions as a marketing problem instead of a governed trust decision. That creates reusable abuse paths through coupon testing, account creation, and repeated redemption. Teams should design promotion rules with abuse detection and identity-risk signals built in from the start.

Q: How can organisations tell if fraud controls are too aggressive?

A: A strong signal is rising legitimate-order rejection, customer complaints, manual-review load, and repeat-purchase drop-off at the same time fraud losses appear stable. That combination usually means the policy is overblocking. The right response is to recalibrate thresholds, not simply tighten them further.


Technical breakdown

Why fast checkout and delivery models attract abuse

Digital grocery compresses the time available to evaluate risk. When checkout, fulfilment, and customer account interactions happen in a single flow, fraudsters can test weak points faster than manual review teams can respond. High order velocity also makes it easier to hide abuse inside normal buying patterns. The control challenge is not just stopping obviously bad activity, but distinguishing legitimate repeat behaviour from coordinated abuse across many low-value actions. That requires transaction context, behavioural signals, and policy thresholds that can adapt to speed without defaulting to blunt rejection.

Practical implication: reduce dependence on static rules and tune risk decisions to account behaviour, basket composition, and fulfilment context.

How loyalty and promotions become identity-adjacent attack surfaces

Loyalty points and promotional offers act like valuable stored value, which makes them attractive to account takeover, coupon abuse, and resale schemes. Once an attacker can access a customer account, rewards and discounts can be extracted with relatively low friction. The identity angle is that account trust becomes the gateway to financial abuse, even if no payment card is stolen. Good governance links login anomalies, order anomalies, and reward redemption patterns instead of treating them as separate problems. That makes customer identity assurance part of fraud prevention, not just sign-in control.

Practical implication: correlate account access signals with loyalty redemption and promotional abuse detection before rewards can be converted into loss.

Why false declines are a governance problem, not only a fraud problem

A false decline is a control failure as much as a commercial one. If legitimate customers are repeatedly blocked, the business loses revenue and often loses the customer entirely. In high-frequency retail, overly aggressive controls can damage trust faster than fraud losses accumulate. The technical problem is balancing precision and recall in a live decision system where the cost of one bad decline is immediate and visible. Mature programmes measure not only fraud prevented but also customer friction, manual-review volume, and downstream retention impact.

Practical implication: track false-decline rates alongside fraud loss so policy tuning reflects both security and customer experience.


Threat narrative

Attacker objective: The attacker’s objective is to monetise trusted customer accounts, promotions, and loyalty balances while avoiding detection and minimising manual review.

  1. Entry begins with account creation abuse, credential stuffing, promotion code testing, or loyalty account takeover in a consumer commerce flow.
  2. Escalation occurs when attackers use trusted customer identities to extract discounts, points, refunds, or high-value baskets that look legitimate on the surface.
  3. Impact is revenue loss, chargebacks, reward depletion, and customer churn caused by both fraud success and incorrect declines of valid orders.

NHI Mgmt Group analysis

Policy abuse is the core governance problem in digital grocery, not just classic fraud. The article shows that speed, promotions, and loyalty incentives expand the decision surface attackers can game. That means the control question is not only whether a transaction is fraudulent, but whether a business policy has created a reusable abuse path. Practitioners should treat promotion design, refund logic, and loyalty redemption as governed trust decisions, not marketing details.

Customer identity is now part of fraud prevention architecture. In commerce environments, account trust, behavioural history, and transaction context sit on the same risk chain. When those signals are split across different teams, attackers can exploit the seams. The boundary between digital identity and fraud governance is therefore operational, not theoretical, and teams need shared risk logic rather than isolated controls.

False declines are a security control metric as much as a revenue metric. Excessive blocking signals that policy is too coarse for the channel, which often pushes customers toward competitors and creates pressure to weaken controls later. Mature governance tracks rejection quality, not just rejection volume. The practical conclusion is that a fraud programme that cannot measure customer harm will eventually become a business risk itself.

Risk-based automation must be calibrated to the channel, not copied from other ecommerce flows. Grocery buying patterns differ from apparel, electronics, or travel because repeat purchasing, recurring delivery, and low-margin baskets are normal. That makes one-size-fits-all review thresholds unreliable. Practitioners should tune decisioning to the specific economic and behavioural profile of grocery commerce.

Fraud tooling should be judged by reduction in policy abuse, not only by blocked transactions. The article’s most useful signal is that abuse patterns change when incentives change. That means practitioners need controls that adapt as promotions, fulfilment options, and basket values evolve. In practice, the goal is governed trust that protects growth without creating blind spots.

What this signals

Policy abuse in commerce behaves like an identity problem once accounts become the trust anchor. The practical implication is that fraud teams and identity teams need shared risk logic, because a customer account can be the entry point for promo abuse, loyalty theft, and repeat-order manipulation. This is especially true when business models reward speed and convenience over inspection.

The next governance step is more precise instrumentation, not more blanket blocking. Programmes need to separate normal repeat behaviour from coordinated abuse, then measure whether the control stack is reducing chargebacks without pushing up customer churn.

Abuse detection should be tuned to the economics of the channel. Grocery is not a high-ticket discretionary category, so small decisions accumulate quickly across large order volumes. That means threshold design, review capacity, and customer friction metrics must be managed as a single operating model.


For practitioners

  • Map abuse paths across the customer journey Trace where account takeover, reward redemption, promo use, and checkout decisioning intersect so the same identity signal informs every control point. This helps prevent attackers from moving from login abuse to value extraction without friction.
  • Tune rules to grocery-specific behaviour Build separate thresholds for recurring baskets, delivery cadence, and low-margin repeat orders rather than reusing generic ecommerce risk policies. Grocery has a different baseline, and controls that ignore that baseline will create unnecessary false declines.
  • Measure false declines as a business-risk metric Track rejected legitimate orders, customer complaint rates, and repeat purchase drop-off alongside chargebacks and fraud loss. This makes it possible to see when overblocking is doing more damage than the fraud it prevents.
  • Correlate loyalty abuse with account behaviour Link login anomalies, redemption patterns, and order history so suspicious use of points or promotions is evaluated in context. A loyalty balance should not be treated as isolated value once account trust has been questioned.

Key takeaways

  • Digital grocery growth expands the attack surface for fraud, loyalty abuse, and promotion gaming at the same time.
  • The hardest governance problem is balancing abuse prevention with customer trust, because false declines can be as costly as fraud.
  • Practitioners should align identity signals, risk scoring, and policy design so account trust cannot be reused for value extraction.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Identity trust and access decisions shape fraud exposure in commerce flows.
NIST SP 800-53 Rev 5AC-2Account management matters when customer accounts drive loyalty and promo abuse.
ISO/IEC 27001:2022A.5.15Access control policies govern trust decisions across commerce and identity signals.

Document and enforce access policies that support fraud decisioning and customer account protection.


Key terms

  • Policy Abuse: Policy abuse is the exploitation of business rules, promotions, refunds, or loyalty mechanics in ways the organisation did not intend. It often sits between fraud and misuse, where the activity may look legitimate in isolation but becomes harmful at scale or in repeated patterns.
  • False Decline: A false decline is a legitimate transaction rejected by fraud or risk controls. In retail channels, it is both a customer-experience failure and a control-quality signal because overly aggressive decisioning can suppress revenue, increase churn, and eventually push teams to weaken defences.
  • Loyalty Fraud: Loyalty fraud is the theft, misuse, or resale of points, rewards, or promotional value. It usually depends on account trust and can occur without payment-card compromise, which makes identity signals and redemption monitoring central to detection and containment.

What's in the full article

Riskified's full article covers the operational detail this post intentionally leaves for the source:

  • How to use past transactions from other merchants to score order risk more precisely.
  • Which carts, categories, and transaction characteristics signal suspicious behaviour in real buying flows.
  • How to protect loyalty, reduce chargebacks, and limit policy abuse without collapsing customer trust.
  • How to automate fraud detection so manual review volume and support calls fall at the same time.

👉 The full Riskified article covers transaction signals, loyalty protection, and automation details for grocery fraud teams.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity. It gives identity and security practitioners a structured way to govern trust, access, and lifecycle decisions across modern programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org