TL;DR: World Cup travel and ticketing create a high-noise fraud environment: same-day ticket purchases were nearly six times riskier than advance buys, last-minute flight bookings were 80% more likely to be fraudulent, and fraud activity rose 366% above baseline in Qatar 2022, according to Riskified. Behavioural context now matters more than isolated transaction checks.
At a glance
What this is: The article shows how World Cup travel and ticket purchases can resemble fraud patterns while still reflecting legitimate fan behaviour across airlines, hotels, tickets, and ground transport.
Why it matters: This matters because merchants need to reduce false positives without weakening fraud controls, especially where payment behaviour, device signals, and travel urgency can legitimately shift at the same time.
By the numbers:
- a fraudster is 80% more likely to buy a last-minute ticket than a good customer
- fraud activity increased steadily as the competition progressed, ultimately reaching levels 366% above the pre-tournament baseline
👉 Read Riskified's analysis of World Cup travel fraud patterns and merchant controls
Context
World Cup travel creates a fraud detection problem because genuine customer behaviour becomes more variable, not because the underlying risk disappears. International flights, event tickets, hotels, rideshares, and intercity travel can all change quickly as fans follow schedules, teams, and inventory. For ticketing and travel merchants, the challenge is separating legitimate travel volatility from signals that usually indicate account takeover, stolen cards, or synthetic identities.
This is a classic identity and trust boundary issue in fraud prevention. When device, network, and payment patterns shift together, rules that are tuned to normal shopping behaviour can misclassify real customers as risky and let coordinated fraud blend into the same pattern set. The article’s core lesson is that merchant controls need behavioural context, not just transaction-level thresholds.
Key questions
Q: How should merchants handle fraud risk during major sporting events?
A: Merchants should treat major sporting events as context-heavy buying periods, not as a reason to rely only on static fraud thresholds. The best approach combines timing, itinerary changes, device continuity, account history, and payment reuse so legitimate fan behaviour is not confused with account takeover or card testing. The goal is adaptive review, not blanket friction.
Q: Why do last-minute travel and ticket purchases look risky to fraud systems?
A: Last-minute purchases often look risky because fraudsters use urgency, scarce inventory, and changing travel patterns to reduce review time. In event settings, legitimate customers can behave the same way, so risk teams must judge whether the activity fits a plausible journey or a coordinated abuse pattern. Context is what separates demand from deception.
Q: What do fraud teams get wrong about event ticket purchases?
A: They often over-focus on order value or single-transaction anomalies and underweight the broader customer journey. Event tickets are high-liquidity digital goods, so a better model looks at account age, device reuse, repeated small orders, and cross-merchant behaviour. Without that wider view, merchants either miss fraud or block genuine fans.
Q: How can merchants balance fraud prevention with customer experience?
A: Merchants should escalate only when the full signal set supports it, rather than forcing manual review on every unusual booking. This means using device intelligence, behavioural history, and journey context to reserve friction for patterns that are truly inconsistent with legitimate travel demand. Good governance reduces both loss and conversion drag.
Technical breakdown
Why event travel breaks rules-based fraud models
Rules-based systems work best when customer behaviour is relatively stable. Event travel breaks that assumption because legitimate buyers may change cities, payment methods, devices, and timing in a compressed window. That creates overlap with account takeover, card testing, and synthetic identity patterns. Fraud teams therefore need to distinguish situational volatility from suspicious coordination, using context such as account tenure, purchase sequence, device continuity, and cross-merchant behaviour rather than single-order signals alone.
Practical implication: tune models to recognise event-driven volatility instead of treating every sudden itinerary change as suspicious.
Why transaction value and timing matter together
Fraud risk is not driven by amount alone. High-value international flights, mid-range ticket purchases, and last-minute bookings each create different incentives for attackers and different friction points for merchants. The article shows that risk rises sharply when urgency and value intersect, especially in constrained inventory environments where manual review windows shrink. That means scorecards need to weight temporal pressure and market scarcity alongside payment size and customer history.
Practical implication: combine time-to-event, order value, and inventory pressure into one decision layer.
How network-level identity signals improve fraud decisions
A single checkout rarely tells the full story. Network-level analysis links devices, accounts, payment instruments, and purchase pathways across merchants, which is essential when fraud rings distribute activity to look legitimate. This is where identity and fraud controls intersect: shared signals help identify repeated abuse without over-rotating on isolated anomalies. For travel and ticketing merchants, the goal is to see whether the behaviour fits a known customer journey or a coordinated abuse pattern.
Practical implication: expand review logic beyond the transaction and into account, device, and payment relationships.
Threat narrative
Attacker objective: The attacker’s objective is to convert high-demand event traffic into fraudulent ticket, travel, and payment revenue while blending in with legitimate buyers.
- Entry occurs through legitimate-looking travel and ticket purchases that mimic normal fan behaviour while hiding fraud indicators.
- Escalation happens when attackers exploit urgency, limited inventory, and changing itineraries to push transactions through weak review thresholds.
- Impact is fraudulent ticketing, payment abuse, and account or credential misuse that merchants may approve as genuine demand.
NHI Mgmt Group analysis
Identity signals and fraud signals are converging in event commerce. Ticketing and travel merchants are not just screening payments, they are judging whether a buyer’s behaviour is consistent with a legitimate trip. That makes identity assurance part of fraud prevention even when the transaction is not a traditional IAM use case. Practitioners should treat the customer journey as a trust problem, not a single checkout decision.
Behavioural volatility is the new normal for high-demand events. The article shows why static fraud rules fail when travel plans, devices, and payment methods change rapidly. This creates a verification trust gap: controls built for steady ecommerce patterns become less reliable when the customer is moving across cities, merchants, and channels. Teams need adaptive scoring that understands context before it escalates friction.
False positives become a business risk when fraud pressure rises. Merchants that overcorrect during peak demand can block legitimate fans, lose conversion, and still miss organised abuse that spreads across smaller orders. The governance issue is not whether to use stricter controls, but how to prove they are discriminating between changing customer behaviour and coordinated fraud. Practitioners should measure decision quality, not just block rates.
Cross-merchant visibility is the control gap the article points to most clearly. Fraud rings rarely present as isolated checkouts, and the same pattern can recur across accounts, devices, and payment credentials. In identity terms, this is a distributed trust problem that requires shared signal intelligence and lifecycle awareness across the customer journey. Merchants should build for correlation, not just screening.
Context-aware fraud governance is now a core commerce requirement. The named concept here is behavioural context routing, meaning fraud decisions are adjusted based on event timing, travel patterns, and network signals rather than a fixed threshold alone. That approach is more resilient when demand surges create legitimate anomalies. The practical conclusion is simple: merchants need governance that understands why a pattern exists before deciding what it means.
What this signals
Behavioural context is becoming a first-class control in fraud governance. Event-driven buying patterns create legitimate anomalies, which means teams should stop treating every deviation as suspicious and start scoring the customer journey as a whole. The most effective programmes will correlate timing, device stability, payment reuse, and travel sequence rather than relying on a single risk threshold.
Cross-channel visibility is now central to fraud decision quality. When tickets, flights, hotels, and ground transport all contribute to the same customer story, siloed controls produce inconsistent outcomes. Merchants that can see the pattern across touchpoints will be better positioned to reduce false positives and still stop coordinated abuse.
The governance challenge is not more friction, but better discrimination. Event peaks force teams to prove that their controls can separate fan behaviour from fraud rings at scale. For identity-adjacent programmes, that means aligning fraud, risk, and trust signals so the organisation can respond to volatility without normalising poor decision quality.
For practitioners
- Weight event timing in fraud scoring Add time-to-event and last-minute purchase pressure to risk models so same-day ticketing and urgent travel are evaluated in context, not treated as generic outliers.
- Correlate identity, device, and payment signals Link account history, device continuity, IP patterns, and payment reuse so fraud reviews can detect coordinated behaviour across merchants instead of only inspecting one order at a time.
- Separate legitimate travel volatility from abuse Build exception logic for fans who change cities, airlines, and accommodation quickly while still flagging repeated high-risk patterns such as small ticket orders and clustered payment attempts.
- Measure false positives by journey stage Track approval rates and review outcomes across the full travel journey, including flights, hotels, tickets, and ground transport, so control tuning reflects where genuine demand is being suppressed.
Key takeaways
- World Cup travel can make legitimate customer behaviour look like fraud, so static rules are not enough.
- Risk rises sharply when urgency, high-value purchases, and scarce inventory converge, which creates a narrow merchant decision window.
- Merchants need journey-level context across accounts, devices, and payment methods to reduce false positives without letting organised fraud blend in.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-1 | Identity-aware authentication and context-based decisions matter in fraud-heavy checkout flows. |
| NIST SP 800-53 Rev 5 | IA-2 | Strong identification and authentication help limit account misuse in travel and ticketing. |
| GDPR | Art.32 | Personal data and behavioural signals used in fraud scoring must be protected appropriately. |
Use context-aware authentication and risk decisions to distinguish legitimate fan travel from abuse.
Key terms
- Behavioral Context Routing: A fraud decision approach that evaluates the customer journey, not just the checkout event. It combines timing, device continuity, payment reuse, and travel sequence so merchants can tell the difference between legitimate volatility and coordinated abuse.
- Cross-Merchant Fraud Correlation: The practice of linking signals across multiple merchants, accounts, devices, and payment instruments to expose organised fraud patterns. It is especially useful where attackers distribute activity to make each transaction look normal on its own.
- Journey-Level Risk Scoring: A scoring method that measures risk across an entire purchase journey rather than one order. It helps merchants account for changes in itinerary, urgency, and channel mix while preserving the ability to detect account takeover and card testing.
What's in the full article
Riskified's full article covers the operational detail this post intentionally leaves for the source:
- Merchant-side tuning guidance for travel and ticketing risk models across the World Cup journey
- Detailed breakdown of the transaction patterns that changed in Qatar 2022 and why they matter for 2026
- Practical examples of when to authorise, decline, or step up verification based on behavioural signals
- Dark web and fraud-market observations that help teams understand how abuse campaigns are organised
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, workload identity, and identity lifecycle fundamentals. It supports practitioners building stronger identity control programmes across security, IAM, and adjacent risk functions.
Published by the NHIMG editorial team on 2026-06-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org