By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: RiskifiedPublished September 17, 2025

TL;DR: Returns, refunds and exchanges cost ecommerce merchants $394 billion worldwide, and Riskified’s playbook says stricter policy and fee changes often punish good customers while failing to definitively stop abuse. The underlying problem is that returns controls still treat trust as a transaction rule set, not an identity and behaviour problem.


At a glance

What this is: This playbook examines returns, refunds and exchange abuse in ecommerce and argues that merchants need identity-based controls to reduce fraud without degrading customer experience.

Why it matters: It matters to IAM and fraud teams because policy abuse sits at the boundary between customer identity, behavioural trust, and access to financial redress, where blunt controls can create false positives and customer friction.

By the numbers:

👉 Read Riskified’s playbook on returns, refunds, and exchanges abuse


Context

Returns abuse is a governance problem as much as a fraud problem. Merchants often respond by tightening rules, adding fees, or narrowing eligibility, but those measures can shift cost onto legitimate customers without reliably separating honest behaviour from abuse. The primary keyword here is returns, refunds and exchanges, and the real challenge is to manage them without creating unnecessary customer friction.

The identity angle is clear even though this is not a traditional IAM article. Returns and refund decisions depend on whether a customer, account, device, or behavioural pattern is trusted enough to receive money back, replacement stock, or discretionary policy treatment. That makes the problem adjacent to identity verification, fraud controls, and lifecycle trust decisions rather than simple checkout security.


Key questions

Q: What breaks when returns fraud controls rely only on policy rules?

A: Policy-only controls miss the identity and behavioural context that distinguishes a legitimate customer from a repeat abuser. They also treat every return request the same, which lets coordinated abuse blend into normal activity while increasing friction for honest customers. Effective controls must combine policy thresholds with account history, device linkage, and review signals.

Q: Why do returns and refunds need identity-based governance?

A: Because the decision is not just whether an item qualifies for return, but whether the requesting identity has behaved consistently enough to deserve trust. Identity-based governance helps merchants connect accounts, devices, and behaviour over time, which makes serial abuse easier to detect and reduces the need for broad punitive policy changes.

Q: How do merchants know if return controls are actually working?

A: They should look for lower abuse rates without a matching rise in false positives, customer complaints, or abandonment from legitimate shoppers. Useful signals include repeat-offender suppression, stable approval rates for low-risk customers, and reduced refund leakage on high-risk items. If friction rises everywhere, the controls are too blunt.

Q: Who is accountable when return policy enforcement harms good customers?

A: Accountability should sit with the combined fraud, customer experience, and policy governance owners, not with support teams alone. If a control punishes legitimate customers, the merchant has not only a fraud problem but also a governance problem, because the decision framework failed to balance protection and fairness.


Technical breakdown

Why returns fraud is an identity and trust problem

Returns abuse is often less about a single stolen credential and more about a pattern of policy exploitation by legitimate-looking accounts. Fraudsters can use repeated claims, serial item-switching, or coordinated refund requests that resemble normal customer behaviour until scale reveals the abuse. This is why static rule sets struggle. They see each request in isolation, while the real signal sits in account history, behavioural consistency, device continuity, and fulfilment outcomes. In identity terms, the merchant is deciding whether the requesting party is acting as the same trusted customer over time or as a synthetic or abused identity.

Practical implication: merchants need risk decisions that incorporate account behaviour, not just order status or policy thresholds.

How policy abuse defeats blunt control models

The common failure mode is to counter abuse with stricter return windows, higher fees, or narrower exceptions. Those controls can reduce visible loss, but they also encourage bad actors to adapt while increasing friction for legitimate customers. The deeper issue is that the same policy applies to all customers even though trust levels differ materially. An identity-based approach uses contextual signals such as prior abuse history, linkage across accounts, and trust score decay to decide when a return should be fast-tracked, reviewed, or denied. That moves the control from one-size-fits-all enforcement to differentiated governance.

Practical implication: replace universal return friction with risk-tiered treatment backed by identity and behaviour signals.

Where fraud operations and customer experience intersect

Returns and refunds are a rare security control point that directly affects revenue, loyalty, and support workload. If the control is too permissive, merchants absorb abuse. If it is too rigid, good customers pay for the fraud prevention gap through slower refunds, denied exchanges, or extra verification. The architecture challenge is to preserve customer experience while adding enough confidence to distinguish normal post-purchase behaviour from abuse. That usually requires cross-functional data sharing between fraud, customer service, and policy teams rather than isolated rule ownership.

Practical implication: build shared decisioning between fraud, support, and policy teams so prevention does not become a customer retention problem.


Threat narrative

Attacker objective: The attacker’s objective is to monetise policy loopholes by converting legitimate-looking purchase activity into repeated refunds, replacements, or other financial redress.

  1. Entry occurs when a legitimate customer account, repeat buyer profile, or low-friction checkout path is used to initiate returns or refunds requests that look normal at first glance.
  2. Escalation follows when the actor exploits policy gaps, serial claims, or linked-account patterns to extract refunds, replacements, or exchanges beyond intended eligibility.
  3. Impact is merchant loss through direct fraud cost, operational overhead, and stricter policies that also degrade the experience for legitimate customers.

NHI Mgmt Group analysis

Policy abuse is an identity trust problem disguised as a returns problem. Merchants often focus on the transaction that triggered the refund, but the real control question is whether the requesting identity has earned the same trust as a low-risk customer. That means account history, device continuity, and behavioural linkage matter more than a single order event. The field needs to move from transaction screening to lifecycle trust assessment, with fraud and IAM teams sharing the same view of identity risk.

Stricter return policies can reduce visible abuse while increasing governance debt. When merchants respond with tighter windows and more fees, they often create a second-order problem: good customers experience the control as punishment, while abusers adapt around the new threshold. The result is not better policy, but more exceptions, manual overrides, and support escalation. Practitioners should treat policy hardening as a temporary containment measure, not the endpoint of a fraud programme.

Behavioural identity linkage is the named concept this category now needs. Returns abuse becomes materially harder when merchants can connect claims, devices, payment behaviour, and account history into one trust picture. Without that linkage, each request looks plausible on its own, which is exactly how policy abuse survives at scale. Practitioners should design controls that evaluate the identity behind the claim, not just the claim itself.

Fraud controls that ignore customer experience eventually become business risk. The article’s central tension is not whether abuse exists, but whether merchants can stop it without converting prevention into a growth tax. That makes cross-functional governance essential, because customer service decisions, fraud scoring, and policy exceptions all shape the final outcome. Practitioners should align decision rights before they tighten the policy.

This category benefits from the same governance discipline seen in identity programmes. Trust should be measurable, reviewable, and linked to risk, not left as an ad hoc support judgment. That is where identity verification thinking, fraud operations, and policy enforcement intersect most clearly. Practitioners should build repeatable trust decisions instead of relying on static rule enforcement.

What this signals

Behavioural identity linkage is likely to become a core fraud governance pattern because static policy thresholds rarely distinguish repeat abuse from ordinary customer returns. Merchants that connect account history, device continuity, and exception patterns will be better placed to reduce loss without turning every legitimate claim into a manual review case.

The broader signal for identity and fraud teams is that customer trust is now operational, not abstract. If the merchant cannot explain why one customer gets fast approval and another gets challenged, the programme is already relying on invisible judgment instead of governed decisioning.


For practitioners

  • Implement behavioural linkage for refund decisions Link claims to account history, device patterns, fulfilment outcomes, and payment behaviour so repeated abuse is visible across otherwise normal-looking transactions.
  • Tier returns by trust level Use risk-based treatment for returns, exchanges, and exception handling so low-risk customers move quickly while suspicious cases receive additional review.
  • Reduce dependence on blunt policy tightening Measure whether stricter windows or higher fees actually reduce abuse or simply shift cost onto legitimate customers and support teams.
  • Unify fraud, support, and policy ownership Create shared decision criteria for exceptions, manual overrides, and disputed returns so each team applies the same trust standard.
  • Track identity-linked abuse patterns Monitor recurring return claims, linked accounts, and repeated exception requests as one pattern rather than isolated customer service cases.

Key takeaways

  • Returns abuse is not just a cost issue, it is a trust and identity governance issue that sits between fraud, policy, and customer experience.
  • The scale of the problem is material, with ecommerce returns, refunds, and exchanges costing $394 billion worldwide and creating pressure to harden policy in ways that can hurt good customers.
  • Merchants need behavioural linkage, risk-tiered treatment, and shared ownership across fraud and support if they want to reduce abuse without turning prevention into customer friction.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST SP 800-63 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Identity-based trust decisions map to access and credential confidence.
NIST SP 800-53 Rev 5IA-2Identity proofing and authentication shape who can trigger high-trust refunds.
NIST SP 800-63SP 800-63BAssurance and authentication strength matter when account abuse drives refunds.
GDPRArt.32Customer identity and behavioural data used for fraud decisions must be protected appropriately.

Use PR.AC-1 to align returns risk decisions with verified identity and behavioural confidence.


Key terms

  • Policy Abuse: The misuse of a legitimate transaction flow to bypass merchant rules around quantity, eligibility, resale, refunds, or claims handling. It may not always be fraud in the narrow sense, but it still creates governance risk because the merchant loses control over how buying privileges are exercised.
  • Behavioural Identity Linkage: Behavioural identity linkage is the practice of connecting actions across accounts, devices, sessions, and payment methods so risk is judged over time rather than one event at a time. It helps merchants spot repeated abuse patterns that static policy checks often miss.
  • Risk-Based Decisioning: Risk-based decisioning is the practice of applying different verification paths based on the assessed risk of the applicant, transaction, or jurisdiction. In identity programmes, it lets low-risk cases move quickly while preserving deeper review for outliers, but the thresholds must be explicit and auditable.

What's in the full report

Riskified's full report covers the operational detail this post intentionally leaves for the source:

  • Survey findings on how hundreds of ecommerce peers are dealing with returns abuse and policy pressure in practice.
  • Economic modelling and cost insights that show where abuse is hitting merchant margins and operations most directly.
  • Industry-by-industry benchmarks that help teams compare their own returns and refund posture against peers.
  • The report’s identity-based approach for preventing abuse without compromising customer experience.

👉 Riskified’s full playbook covers the survey findings, economic modelling, and identity-based approach in more detail.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management for practitioners who need stronger trust controls. It helps security and identity teams connect governance decisions to real operational risk across their programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org