By NHI Mgmt Group Editorial TeamPublished 2026-01-09Domain: Identity Beyond IAMSource: Riskified

TL;DR: November and December orders drive 31% of annual refund claims, while more than 55% of January claims come from pre-holiday purchases, showing how peak-season volume masks Item Not Received and Did Not Arrive abuse, according to Riskified. Static refund policies and manual backlogs are not enough when fraudsters time claims to overwhelmed operations.


At a glance

What this is: Riskified’s analysis says refund abuse spikes after the holiday rush, with pre-holiday purchases driving a disproportionate share of January claims and creating margin pressure for digital retailers.

Why it matters: Retailers need identity-aware refund controls because abuse at the claims layer can be scaled by operational overload, not just by bad orders, and that affects fraud, customer operations, and entitlement decisions.

By the numbers:

👉 Read Riskified’s analysis of post-holiday refund abuse and peak-season claims risk


Context

Refund abuse is a claims integrity problem that becomes easier to exploit when order volume spikes and teams are forced to decide quickly. In practice, the issue is not only whether a return or refund request is legitimate, but whether merchants have enough verified evidence to distinguish abuse from genuine customer friction.

The identity connection is indirect but real: refund claims rely on proving who is entitled to money, credit, or replacement, which means fraud controls, customer identity signals, and transaction history all matter. For retailers, this is a governance problem as much as a finance problem, because default approvals at scale create a predictable loss channel.


Key questions

Q: How should retailers reduce refund abuse during peak season?

A: Retailers should combine identity-linked evidence, claim risk scoring, and exception review for refund decisions during high-volume periods. The key is to stop treating every claim as a service case. When shipping data, account history, and timing are evaluated together, abusive claims become much easier to separate from genuine customer issues.

Q: Why do refund fraud losses rise after the holiday rush?

A: Refund fraud rises after the holiday rush because merchants are processing more claims, more exceptions, and more customer contacts at once. Attackers exploit that strain by submitting questionable Item Not Received and Did Not Arrive claims when teams are most likely to approve quickly to preserve service levels.

Q: What do retailers get wrong about refund abuse controls?

A: Many retailers focus on blanket refund rules instead of claim-specific evidence and operational context. That approach misses the fact that abuse often succeeds through process pressure, not technical compromise. Better controls use customer history, fulfilment verification, and risk scoring to make default approval much harder.

Q: How do you know if refund governance is working?

A: Refund governance is working when abusive claims fall without increasing legitimate customer friction. The clearest signals are a lower share of high-risk refunds, fewer default approvals under backlog pressure, and more consistent review decisions across peak and off-peak periods.


Technical breakdown

Why item not received claims are vulnerable during peak season

Item Not Received and Did Not Arrive claims depend on reconciling shipment, carrier, and merchant records. When order volume surges, that reconciliation breaks down operationally, not just technically. Fraudsters exploit the gap between delivery data and internal systems, knowing that delays, exceptions, and noisy fulfilment telemetry make manual validation harder. The result is a claims process that can be manipulated without breaching the payment system itself.

Practical implication: build claim validation rules that compare shipping evidence, account history, and purchase timing before refunds are approved.

How refund abuse turns operational strain into financial loss

Refund abuse succeeds when teams optimise for speed and customer satisfaction under pressure. If customer service agents are measured on queue reduction or retention, they may approve claims with weak evidence to avoid backlogs. This creates a policy bypass pattern where the control failure is not missing authentication, but inconsistent decisioning under load. The business impact compounds because every false approval also trains the organisation to expect exception handling.

Practical implication: separate service-level metrics from refund approval authority so operational pressure does not become a control weakness.

Identity-based refund controls and claims governance

Identity-based refund controls use behavioural, account, order, and fulfilment signals to decide whether a claim is credible. In fraud operations, this means moving from static policy thresholds to risk scoring that adapts to claim timing, customer history, and shipping anomalies. The goal is not to block legitimate returns, but to make abusive claims harder to approve by default. This is a governance pattern, not just a fraud model.

Practical implication: move high-risk refund decisions into a rules plus review model that uses identity-linked evidence rather than blanket approvals.


Threat narrative

Attacker objective: The attacker’s objective is to obtain illegitimate refunds, credits, or replacements while appearing to be a normal post-purchase customer request.

  1. Entry begins when fraudsters file Item Not Received or Did Not Arrive claims against orders placed during the holiday peak, using the volume surge to hide abuse inside legitimate refund traffic.
  2. Escalation occurs when overwhelmed merchant teams rely on incomplete delivery data and approve claims by default to preserve service levels.
  3. Impact is margin erosion at scale, because abusive refunds consume a material share of refunded dollars and convert operational strain into direct financial loss.

NHI Mgmt Group analysis

Refund abuse is an identity and entitlement problem, not just a customer service nuisance. Claims fraud works because merchants must decide whether the claimant is entitled to value, yet many operating models treat that decision as a lightweight service transaction. When fulfilment, account, and purchase history are not evaluated together, abusive claims can pass as routine exceptions. Practitioners should treat refund governance as a controlled entitlement process.

Peak-season volume creates a predictable control gap that fraudsters can time. The article’s timing data shows that abusive claims concentrate when teams are least able to validate them carefully. That means the real failure is not the holiday itself, but the absence of load-aware decisioning. Retailers should expect abuse to cluster around any period where support queues, shipping exceptions, and refund pressure rise together.

Identity-linked evidence is the missing layer in most refund workflows. A claim is more credible when it matches customer tenure, prior delivery outcomes, account stability, and device or channel consistency. Without those signals, merchants are left with a binary approve or deny model that attackers can game. The field should move toward entitlement proof, not just payment reconciliation.

Refund policy abuse exposes governance debt in retail operations. Many organisations have policies, but not enough adaptive controls to enforce them consistently under pressure. Static thresholds and manual reviews cannot scale cleanly when claims spike after major retail events. Practitioners should view this as a governance maturity issue, not a seasonal anomaly.

Refunduary: the concept that peak-season refund abuse is both cyclical and foreseeable, and therefore governable. The article shows that the timing, claim types, and financial impact are repeatable patterns, not random shocks. That makes the problem suitable for structured control design, case management, and fraud analytics. Teams should use the cycle itself as a trigger for tighter controls.

What this signals

Claims fraud becomes a control design problem whenever operational volume masks evidence quality. Retailers that wait for manual review to sort abusive claims will keep paying for backlog-driven decisions, especially during holiday and post-holiday peaks. The better model is to align entitlement proof with business pressure, then automate the lowest-risk decisions and escalate the rest.

Refund abuse also shows why fraud programmes need stronger links to identity and customer trust signals. When claims are validated against account stability, channel consistency, and fulfilment telemetry, the fraud team gains a sharper picture of intent. That is the difference between policy enforcement and exception management.

Retailers should expect more abuse wherever speed is rewarded more heavily than evidence. That is true in refunds, promotions, replacement requests, and other entitlement flows. The programme implication is clear: the controls that work in calm periods often fail when the business is busiest, so governance has to be designed for stress, not averages.


For practitioners

  • Implement identity-linked claim validation Require refund decisions to consider order history, fulfilment evidence, account age, and prior claim behaviour before approval. Do not rely on delivery status alone when INR and DNA claims surge.
  • Separate service goals from refund authority Keep customer service metrics focused on response time, but route high-risk refund approvals through fraud or operations review so queue pressure does not override control quality.
  • Use season-aware risk scoring Raise review thresholds automatically during Q4 and the January return wave, when claim volume and operational strain make default approvals more likely.
  • Measure abusive refund concentration Track what share of refunded dollars comes from high-risk claims, then segment by purchase window, claim type, and fulfilment exception so policy changes target the real loss drivers.

Key takeaways

  • Refund abuse is predictable because it concentrates when retailers are busiest and least able to validate claims carefully.
  • Riskified’s data shows that holiday purchases drive a large share of refund claims, and abusive claims consume a material portion of refunded dollars.
  • The practical response is identity-linked claims governance, not blanket approval rules or manual backlogs that reward operational pressure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Claim approval depends on verifying who is entitled to value or service.
NIST SP 800-53 Rev 5IA-2Identity verification controls support higher-confidence refund decisions.
GDPRArt.5Customer and transaction data used in fraud checks must stay purpose-bound and minimised.

Limit refund-risk data use to what is necessary for fraud prevention and documented governance.


Key terms

  • Refund Abuse: Refund abuse is the misuse of return, replacement, or refund processes to obtain money or merchandise without a legitimate entitlement. It often exploits gaps between fulfilment data, customer support workflows, and fraud controls, especially when merchants are under operational pressure.
  • Item Not Received Claim: An Item Not Received claim asserts that a purchased item never arrived and asks the merchant to refund or replace it. In fraud operations, these claims require corroboration from shipping, tracking, and customer history because they are frequently abused when retailers are busiest.
  • Identity-Linked Evidence: Identity-linked evidence is the set of signals that connect a claim to a specific, credible customer and transaction context. It can include account history, delivery outcomes, device consistency, and prior claim behaviour, all of which help separate genuine service cases from fraudulent requests.

What's in the full report

Riskified's full report covers the operational detail this post intentionally leaves for the source:

  • Claim-type breakdowns that separate Item Not Received from other refund abuse patterns
  • Operational indicators used to decide when a refund claim should move from default approval to manual review
  • Seasonal timing analysis showing how post-holiday volume changes claim behaviour
  • Context for retailers trying to tune fraud thresholds without adding unnecessary friction

👉 Riskified’s full report covers the seasonal patterns, loss estimates, and refund abuse indicators in more detail.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management through practitioner-focused instruction. It is suitable for security teams that need a stronger governance lens across identity-driven control problems.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org