By NHI Mgmt Group Editorial TeamPublished 2026-02-11Domain: Identity Beyond IAMSource: Riskified

TL;DR: Daily fraudulent order volume reaches its February peak on Valentine’s Day, 35 percent above the monthly average, while risk also rises for new customers and gift card abuse during the holiday rush, according to Riskified. The broader lesson is that seasonal commerce creates identity ambiguity that rules alone cannot resolve.


At a glance

What this is: This analysis shows how Valentine’s Day shopping creates a predictable fraud window, with fraud peaking on February 14 and gift cards and new customer activity becoming higher-risk channels.

Why it matters: Retailers and fraud teams need identity-aware controls because holiday volume, account takeover, and low-friction digital goods can overwhelm static rules and distort approval decisions.

By the numbers:

👉 Read Riskified's analysis of Valentine’s Day fraud patterns and holiday risk


Context

Valentine’s Day fraud is a governance problem as much as a revenue problem. When shopping volume rises sharply, legitimate urgency and fraudulent behaviour start to look similar, which makes static rules less reliable and increases the cost of false declines. For retailers, the challenge is not simply blocking fraud, but distinguishing real customers from organised abuse in a compressed buying window.

The identity connection is strongest where account takeover, proxy use, and low-data digital goods intersect. Gift cards are attractive to attackers because they are fast to monetise and provide fewer signals for traditional detection, while new-customer spikes reduce confidence in profile-based risk models. That makes this a useful case study for identity verification, fraud operations, and access governance teams that are trying to keep trust decisions accurate under pressure.


Key questions

Q: How should retailers reduce fraud during seasonal shopping spikes?

A: Retailers should combine behavioural scoring, device reputation, and network linkage before the peak period arrives. Seasonal spikes create legitimate noise, so the best controls focus on identity consistency and transaction clusters rather than rigid checkout rules that over-decline real customers.

Q: Why are gift cards a higher fraud risk than many physical goods?

A: Gift cards are easier to monetise quickly, require less fulfilment data, and often bypass shipping-based verification. That removes several of the strongest fraud signals, so teams need stronger account, device, and payment correlation before approving digital value purchases.

Q: What do fraud teams get wrong about new customers during promotions?

A: They often treat low history as either low risk or automatic fraud, when it is really a signal to collect better context. New customers need adaptive verification, not blanket denial, because acquisition traffic and attacker traffic can look similar at first glance.

Q: Who is accountable for fraud decisions when holiday traffic spikes?

A: Fraud, payments, product, and identity teams all share accountability because approval strategy affects conversion, customer trust, and loss rates. The right governance model sets risk thresholds in advance, defines escalation paths, and reviews outcomes after the promotion ends.


Technical breakdown

Why holiday volume breaks rule-based fraud detection

Holiday fraud patterns create a temporary mismatch between transaction volume and signal quality. Rule-based systems often key off velocity, shipping mismatch, or unusual purchase behaviour, but attackers know how to stay inside those thresholds while blending with genuine seasonal demand. In this kind of environment, the problem is not only bad data, it is crowded data. The more legitimate shoppers flood the channel, the harder it becomes to separate intent from opportunity without network-level behavioural context.

Practical implication: supplement static rules with behavioural clustering and network signals before peak trading windows.

Why gift cards are a high-risk digital asset

Gift cards are attractive to fraudsters because they convert stolen payment data into immediately usable value with limited fulfilment friction. Unlike physical goods, they often bypass shipping-address checks and can be resold quickly on secondary markets. The absence of a delivery trail removes one of the strongest confirmation signals in ecommerce fraud operations, which means account trust, payment trust, and device trust become much more important than product category alone.

Practical implication: apply tighter controls to digital gift card purchases, especially when account age and device reputation are weak.

Why new customer identity is harder to score during promotions

New customer risk rises when customer identity has little behavioural history attached to it. Fraud teams cannot rely on established purchase patterns, so they must infer trust from weaker signals such as device consistency, email domain quality, proxy usage, and cross-transaction linkage. That is an identity problem as much as a fraud problem, because the programme is trying to answer whether a claimant is a real customer, a reused account, or a coordinated fraud actor.

Practical implication: increase step-up verification for first-time buyers when promotion traffic creates low-signal, high-volume conditions.


Threat narrative

Attacker objective: The attacker wants to convert stolen payment credentials into fast, low-trace value during a period when genuine customer behaviour provides cover.

  1. Entry occurs when attackers target holiday traffic, reused accounts, or low-friction digital gift card flows that blend into legitimate seasonal purchasing.
  2. Escalation follows when the attacker uses proxy infrastructure, account takeover, or weak profile signals to complete purchase attempts without triggering standard checks.
  3. Impact is the rapid monetisation of stolen payment data through digital gift cards, which can be resold or spent before controls catch up.

NHI Mgmt Group analysis

Seasonal fraud is an identity ambiguity problem, not just a transaction anomaly problem. Holiday traffic compresses legitimate urgency and malicious intent into the same operational window, which weakens purely rules-based controls. The decisive issue is whether a programme can maintain trust decisions when the behavioural baseline shifts quickly. Practitioners should treat peak-season fraud as a trust-governance exercise, not a holiday exception.

Digital gift cards create a low-friction abuse path because they remove fulfilment signals that fraud teams often depend on. When shipping data disappears, the control surface narrows to payment, device, account history, and network intelligence. That makes gift card abuse structurally easier to hide inside legitimate commerce, especially when attackers use older accounts or proxy infrastructure. Practitioners should reweight risk models toward identity linkage and device consistency for digital value products.

Identity-based clustering is the right conceptual response to holiday fraud pressure. The article points to a broader shift away from isolated checkout rules toward networked analysis that ties behaviour across accounts, devices, and transactions. That is the more durable model because fraud actors can vary surface details while preserving the same underlying pattern. Practitioners should think in clusters, not single events.

Retail fraud teams need to distinguish customer acquisition risk from customer trust risk. New customer surges are not inherently suspicious, but they do reduce confidence in profile-based scoring. That means acquisition campaigns, promotions, and seasonal traffic need controls that can adapt to sparse history without defaulting to broad decline logic. Practitioners should align fraud policy with conversion goals, not treat them as competing silos.

What this signals

Retailers should expect fraud controls to face more pressure from identity ambiguity than from raw transaction volume alone. The operational lesson is to move beyond isolated checkout rules and build a richer trust model that can distinguish legitimate holiday urgency from coordinated abuse, especially where digital goods are involved.

Trust clustering: holiday programmes need a way to score linked behaviour across accounts, devices, payments, and domains rather than judging each order in isolation. That approach aligns with the identity-first direction many fraud and verification programmes are already taking, and it is the difference between broad friction and targeted intervention.

When seasonal demand and account takeover overlap, the programme needs better governance around escalation thresholds, manual review capacity, and post-event tuning. Otherwise the organisation learns too late that its fraud model was optimised for ordinary traffic, not adversarial volume.


For practitioners

  • Tighten controls on digital gift card flows Apply stronger step-up checks when buyers purchase gift cards with newly created accounts, suspicious proxies, or unusual recipient domains. Treat these purchases as a separate risk tier from physical goods because they provide fewer fulfilment signals.
  • Use networked identity clustering at peak season Correlate accounts, devices, emails, payment instruments, and IP reputation across the full holiday window instead of scoring each order in isolation. The goal is to detect repeated fraud patterns that only become visible across many transactions.
  • Raise scrutiny for first-time buyers during promotions Increase verification thresholds for new customers when volume spikes and historical behaviour is sparse. Use targeted friction rather than broad decline rules so genuine seasonal shoppers still convert.
  • Monitor account takeover indicators before peak dates Watch for older accounts used from new devices, proxy connections, or unfamiliar domains in shipping and recipient fields. Those signals often indicate that fraudsters are repurposing trusted identities to bypass controls.

Key takeaways

  • Valentine’s Day fraud is driven by identity ambiguity, where legitimate urgency gives attackers cover inside normal shopping behaviour.
  • Riskified’s analysis shows fraud peaks on February 14, with daily fraudulent order volume 35 percent above the monthly average and new-customer risk 8 percent higher than the prior two-week average.
  • Retailers should move to networked identity clustering and tighter gift card controls so peak-season fraud decisions stay precise under pressure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Identity verification and access control shape approval decisions for suspicious purchase flows.
NIST SP 800-53 Rev 5IA-2Authentication strength matters when reused accounts drive fraud attempts.
GDPRArt.32Fraud scoring often processes personal data and requires proportionate security controls.

Document processing safeguards and access restrictions for any identity data used in fraud models.


Key terms

  • Identity-based clustering: Identity-based clustering is a fraud detection approach that links accounts, devices, payment instruments, and behavioural signals to identify related activity. It helps security and fraud teams see patterns that are invisible when each transaction is scored in isolation, especially during high-volume periods.
  • Account takeover: Account takeover is the unauthorised use of a legitimate customer account after credentials or session access have been compromised. In ecommerce, it often appears as normal-looking purchases made from unfamiliar devices, locations, or network paths, which makes linked behavioural analysis essential.
  • Step-up verification: Step-up verification is an additional trust check applied when a transaction or login looks riskier than normal. It can include extra authentication, manual review, or stronger identity proofing, and it is most effective when targeted at specific risk signals rather than applied uniformly.

What's in the full article

Riskified's full analysis covers the operational detail this post intentionally leaves for the source:

  • Category-level fraud patterns by February day, including how risk shifts across early planners, gift cards, and new customers.
  • Behavioural red flags seen in account takeover cases, including proxy use and unfamiliar recipient domains.
  • How identity-based clustering can improve approval rates without relying on brittle rules alone.
  • The article's full reasoning on balancing revenue protection against false declines during seasonal peaks.

👉 The full Riskified post covers the February fraud patterns, gift card abuse signals, and identity-based clustering approach.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management. It is designed for practitioners who need to connect identity controls to real operational risk across security programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org