Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Digital commerce fraud and ATO risk: what teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Digital commerce fraud now spans payment fraud, account takeover, promotion abuse, and chargeback abuse, with fraud-as-a-service and AI-powered automation making attacks faster and more scalable across the customer journey, according to Sift. Static rules cannot keep pace with adaptive fraud operations, so identity risk must be assessed at signup, login, checkout, and post-purchase.

NHIMG editorial — based on content published by Sift: Digital commerce fraud, how it works and why it’s getting harder to stop

Questions worth separating out

Q: How should security teams handle account takeover in digital commerce?

A: They should treat account takeover as a trust compromise, not just a login anomaly.

Q: Why does digital commerce fraud force IAM and fraud teams to work together?

A: Because the same identity controls that protect access also determine whether a transaction should be trusted.

Q: What do security teams get wrong about promotion abuse?

A: They often treat promotion abuse as a marketing nuisance rather than an identity problem.

Practitioner guidance

  • Correlate identity signals across the full journey Link account creation, login, checkout, refund, and post-purchase events so one suspicious identity can influence later decisions instead of being reviewed in isolation.
  • Treat account takeover as a trust reset event When a credential compromise is suspected, reduce confidence in the session immediately and require step-up checks before access to stored payment methods, loyalty balances, or account changes.
  • Separate promotion controls from payment controls Track referral credits, sign-up bonuses, and first-order discounts with dedicated identity checks so fake or multi-accounts cannot drain acquisition budgets before the fraud is detected.

What's in the full article

Sift's full article covers the operational detail this post intentionally leaves for the source:

  • Journey-stage examples showing where fraud risk appears at signup, login, checkout, and post-purchase touchpoints.
  • Operational discussion of behavioural signals and device intelligence used to distinguish legitimate users from credential stuffing attempts.
  • Examples of how a risk score at checkout can be used to automate decisions without broad blocking.
  • The article’s explanation of why static rules fail once fraud actors adapt to a new control.

👉 Read Sift's analysis of digital commerce fraud, account takeover, and promotion abuse →

Digital commerce fraud and ATO risk: what teams need to change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Digital commerce fraud is an identity governance problem disguised as a payments problem. The article shows that login, account creation, and post-purchase actions all carry identity risk, not just checkout. That means the boundary between fraud prevention and IAM is increasingly artificial, especially where verified accounts, stored payment methods, and loyalty balances are involved. Teams that do not govern trust across the full customer lifecycle will keep detecting loss after the fact rather than preventing it.

A question worth separating out:

Q: How can organisations reduce fraud without hurting legitimate customers?

A: Use staged risk decisions instead of broad blocks. Reserve the strongest controls for high-risk actions such as payout changes, stored payment access, and refund requests. Then measure false positives against conversion, support load, and customer lifetime value so prevention and experience are governed together.

👉 Read our full editorial: Digital commerce fraud is outpacing static controls and rules



   
ReplyQuote
Share: