By NHI Mgmt Group Editorial TeamPublished 2026-02-13Domain: Cyber SecuritySource: Riskified

TL;DR: Peak Spring Festival travel and ecommerce activity creates ideal cover for industrialised fraud, with fraudsters 80 percent more likely to buy a last-minute ticket than good customers, according to Riskified. Static rules struggle when seasonal context, proxy use, and AI-assisted deception reshape normal buying patterns. Context-aware decisioning is now the decisive control.


At a glance

What this is: This analysis argues that Spring Festival transaction surges make fraud harder to spot because legitimate seasonal behaviour can look like suspicious activity to static systems.

Why it matters: Ecommerce and travel teams need controls that understand context, or they risk blocking good customers while missing organised fraud, including AI-assisted scams and triangulation schemes.

By the numbers:

👉 Read Riskified's analysis of Spring Festival fraud patterns in travel and ecommerce


Context

Spring Festival is not just a consumer event. It is a stress test for fraud controls because transaction volume, travel demand, and gift buying all change at once, while attackers hide inside legitimate seasonal behaviour. For ecommerce and travel merchants, the problem is not only fraud detection but identity and trust decisions made under peak demand.

The identity angle is real even though this is a fraud article. Fraudsters exploit customer context, payment trust, and identity signals across bookings and cross-border commerce, while AI can accelerate fake identities and phishing at scale. That makes fraud governance part of broader identity verification and risk decisioning, not a separate back-office function.


Key questions

Q: How should ecommerce teams handle fraud risk during seasonal traffic spikes?

A: They should shift from static thresholds to context-aware decisioning. Seasonal traffic changes normal behaviour, so teams need models that combine timing, geography, customer history, payment provenance, and channel risk. That reduces false declines while keeping visibility on fraud patterns that hide inside high-volume legitimate demand.

Q: Why do proxy use and last-minute bookings not always indicate fraud?

A: Because they can be legitimate in travel-heavy periods, especially when customers are booking from abroad or making urgent cross-border purchases. The control mistake is treating one signal as proof of fraud. Teams should evaluate the full journey before declining a transaction on the basis of a proxy or urgency alone.

Q: What do fraud teams get wrong about AI-generated attacks?

A: They often focus on whether the content looks convincing instead of whether the customer journey makes sense. AI can improve phishing, fake identities, and scam scale, but the decisive defence is behavioural context, identity linkage, and relationship-based scoring across transactions.

Q: How can merchants reduce fraud without blocking good customers?

A: Use layered controls that reserve strict checks for combinations of risk, not single signals. Combine seasonal baselines, account age, loyalty behaviour, payment provenance, and fulfilment patterns. That approach protects revenue while avoiding the conversion losses that come from blunt, over-restrictive rules.


Technical breakdown

Why seasonal context breaks static fraud rules

Static fraud systems usually rely on thresholds, velocity checks, device signals, and proxy detection. Those signals are useful, but they become unreliable when consumer behaviour shifts quickly, as it does during Spring Festival travel and gifting peaks. A proxy or a last-minute international booking may be genuinely normal in one context and highly suspicious in another. The technical problem is not signal collection, but lack of contextual weighting. Decision engines need to interpret intent, timing, route, and customer history together rather than treating each signal as a fixed rule.

Practical implication: tune fraud controls to seasonal context so legitimate high-value bookings are not auto-declined.

How triangulation fraud exploits payment and identity trust

Triangulation, mileage theft, and fake OTA schemes all abuse trusted transaction paths. In a triangulation scam, the fraudster sells a ticket to one victim and pays the merchant with stolen or separate illicit funds, which can bypass bank controls because the merchant sees a completed sale. Mileage theft and fake travel sites add identity abuse, where stolen loyalty accounts or convincing storefronts make the transaction appear normal. The shared technical pattern is trust laundering: attackers convert stolen value or stolen identity into a transaction that looks operationally valid long enough to clear.

Practical implication: correlate loyalty, payment, and account signals so trusted channels cannot be used to launder fraudulent transactions.

Why AI raises the ceiling on fraud operations

AI changes fraud by lowering the cost of creating convincing lures, fake identities, and large-scale targeting. That does not mean every AI-generated message is malicious, but it does mean the volume and quality of fraudulent attempts can rise faster than manual review teams can adapt. The control issue is twofold: first, attackers can generate better deception; second, defenders can no longer rely on simple pattern matching. Fraud programmes need models that learn from behavioural context and transaction relationships, not just from isolated indicators of compromise.

Practical implication: prepare for AI-assisted fraud by strengthening behavioural analytics and identity linkage across the customer journey.


Threat narrative

Attacker objective: The attacker wants to monetise seasonal trust by turning high-volume travel and ecommerce activity into approved fraudulent transactions.

  1. Entry occurs when fraudsters blend into legitimate Spring Festival shopping and travel traffic, or when they seed fake OTA websites and phishing lures into high-volume channels.
  2. Escalation happens when stolen miles, stolen funds, proxy identities, or convincing AI-generated scams are used to make fraudulent activity look like normal commerce.
  3. Impact follows when merchants approve bad orders, customers lose money or travel access, and airlines or OTAs absorb cancellations, chargebacks, and operational fallout.

NHI Mgmt Group analysis

Context-aware fraud decisioning is now an identity problem, not just a payments problem. Seasonal shopping spikes make static thresholds brittle because they cannot distinguish legitimate high-intent behaviour from fraud shaped by timing, geography, and travel context. When a proxy, a last-minute ticket, or a cross-border purchase can be either normal or malicious, identity and verification signals become central to fraud governance. Practitioners should treat context as part of the trust policy, not as an after-the-fact review note.

AI has expanded the fraud surface faster than merchant review models can mature. The article correctly points to AI-generated phishing, fake identities, and automation at scale. That raises the governance bar because the question is no longer whether an attack looks human, but whether the business can still distinguish legitimate customer journeys from synthetic ones at decision time. Practitioners should align fraud controls with adaptive identity verification and step-up logic.

Trust laundering is the right concept for triangulation fraud in travel. The attacker does not need to break payment systems outright if they can route stolen value through a merchant path that appears operationally valid. That is a governance failure across identity verification, payment risk, and loyalty account controls. Teams should map where trust is inherited too easily across booking, payment, and fulfilment flows.

Fraud prevention during peak seasons must be measured against good-customer friction, not only loss rates. The real risk is overcorrecting with rigid rules that block legitimate consumers while leaving adaptable fraud patterns intact. This is where identity verification governance, behavioural analytics, and fraud ops need shared metrics. Practitioners should evaluate whether the current control stack can separate seasonal intent from abuse without degrading conversion.

What this signals

Trust decisions are becoming more context-sensitive across fraud and identity programmes. Merchants that still rely on fixed rules will keep mistaking legitimate seasonal behaviour for abuse, while more adaptive fraud actors move faster through the gaps. The broader programme lesson is to treat trust as dynamic, with identity, payment, and behavioural signals evaluated together.

Trust laundering is the right lens for modern travel fraud. The attacker does not need to defeat every control if they can route stolen value through systems that inherit trust too easily. This is a useful concept for fraud, identity verification, and NHI governance alike because it highlights how upstream trust assumptions can be reused downstream without adequate revalidation.

As AI-generated scams become cheaper to produce, the highest-value control is not more manual review, but better signal correlation and stronger customer journey analysis. Teams that can separate intent from anomaly will preserve conversion while reducing exposure to industrialised fraud.


For practitioners

  • Calibrate decision thresholds for seasonal travel patterns Adjust fraud rules to account for known Spring Festival shifts such as last-minute international bookings, proxy usage, and cross-border shopping so legitimate activity is not automatically rejected. Use seasonal baselines rather than single global thresholds.
  • Link loyalty, payment, and booking signals Correlate frequent flyer activity, payment provenance, device reputation, and booking velocity so mileage theft and triangulation schemes cannot move through separately trusted systems. Shared scoring reduces the chance that one clean signal overrides a broader fraud pattern.
  • Strengthen identity verification for high-risk journeys Use step-up checks where account age, destination, ticket value, or account recovery history do not fit normal customer behaviour. Identity verification should be triggered by the full journey, not just by a single risky field.
  • Prepare for AI-assisted deception in fraud ops Train reviewers on synthetic identity patterns, AI-generated phishing, and large-scale scam variants so manual reviews focus on relationship signals and not just surface-level message quality. Add behavioural analytics that can learn from new fraud narratives quickly.

Key takeaways

  • Spring Festival traffic creates fraud conditions where legitimate behaviour and malicious behaviour can look similar to static systems.
  • The strongest risk patterns in this article are mileage theft, fake OTAs, triangulation fraud, and AI-assisted deception.
  • Merchants need context-aware decisioning, linked identity signals, and seasonal baselines to reduce fraud without harming good customers.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Identity and access control underpin the trust decisions abused in seasonal fraud.
NIST SP 800-53 Rev 5IA-5Authenticator management matters where stolen accounts and loyalty credentials are exploited.
GDPRArt.32The article touches customer data and identity signals used in fraud decisioning.
NIST AI RMFGOVERNAI-assisted fraud raises governance requirements for model oversight and accountability.

Review identity and fraud data handling under Art.32 where personal data is processed for risk scoring.


Key terms

  • Context-Aware Fraud Decisioning: A fraud control approach that evaluates a transaction using situational signals such as timing, geography, customer history, and channel risk. It reduces false declines by distinguishing normal seasonal behaviour from suspicious activity instead of relying on fixed thresholds alone.
  • Triangulation Fraud: A scheme where a fraudster sells goods or tickets to a victim and pays the merchant using stolen funds or another victim's money. The merchant sees a valid sale, but the transaction is actually laundering value through a trusted payment path.
  • Trust Laundering: The abuse of a legitimate, trusted process to make fraudulent activity appear valid long enough to pass controls. In travel and ecommerce, attackers exploit inherited trust across booking, payment, loyalty, and fulfilment systems to move stolen value through normal business flows.
  • Synthetic Identity: An identity assembled from real and fabricated data to look authentic enough for account creation, onboarding, or fraud operations. It is often used to scale deception because it can evade shallow checks while still behaving plausibly in customer journeys.

What's in the full article

Riskified's full analysis covers the operational detail this post intentionally leaves for the source:

  • Examples of how transaction context changes fraud decisions during peak travel and ecommerce periods
  • Details on the fraud patterns Riskified associates with last-minute bookings and cross-border demand
  • The article's broader explanation of how AI is amplifying scam quality and fraud scale
  • Vendor framing around AI-powered decisioning and merchant revenue protection

👉 Riskified's full article expands on the travel fraud schemes, seasonal context signals, and AI risk themes behind the analysis.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, workload identity, and identity lifecycle fundamentals. It helps security and identity practitioners build governance models that support broader trust decisions across modern environments.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org