Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Fraud rings and ATO patterns: what practitioners need to rethink


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Transaction volume across its Global Data Network grew 15.2% from Q1 2025 to Q1 2026 while global payment fraud block rates fell and account takeover rates dropped 28%, but coordinated fraud rings spanning 90+ businesses and a 383% rise in online gambling payment fraud show the risk is becoming less visible, not disappearing, according to Sift. Averages are no longer enough: network linkage, behavioural signals, and post-incident response now shape fraud governance.

NHIMG editorial — based on content published by Sift: Today’s fraud economy looks better on averages but harder to see in the network

By the numbers:

Questions worth separating out

Q: What breaks when fraud teams rely only on transaction-level rules?

A: Transaction-only rules miss coordinated abuse that is spread across devices, payment methods, and merchants.

Q: Why do account takeover attacks still succeed when MFA is enabled?

A: MFA protects the login step, but it does not govern what happens after the session is established.

Q: How do security teams know if fraud controls are actually working?

A: Look beyond block rates and measure whether suspicious activity clusters across accounts, devices, and merchants are shrinking.

Practitioner guidance

  • Implement cross-merchant linkage scoring Correlate devices, payment instruments, account attributes, and transaction histories so fraud rings can be detected as networks rather than isolated events.
  • Add post-authentication account-change monitoring Monitor recovery email edits, payout changes, password resets, and beneficiary changes after successful login because MFA at the front door does not prevent downstream account abuse.
  • Tune fraud policy by segment and payment method Set different thresholds for digital commerce, subscriptions, gaming, and low-value transaction flows, and review them against the actual cost of false positives.

What's in the full report

Sift's full article covers the operational detail this post intentionally leaves for the source:

  • The underlying Global Data Network methodology and how linkage scores are calculated across merchants.
  • Vertical-by-vertical fraud and ATO comparisons for teams that need implementation benchmarks.
  • The customer retention findings after fraud and account takeover incidents, including response-quality effects.
  • The full set of payment method and transaction value trade-offs that shape control tuning.

👉 Read Sift’s analysis of fraud rings, account takeover, and retention risk →

Fraud rings and ATO patterns: what practitioners need to rethink?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Fraud now behaves like an identity graph problem, not a transaction-only problem. The article’s linkage data shows why isolated scoring breaks down when the same device, payment instrument, or account pattern appears across many businesses. That shifts the governance question from 'did this transaction look bad' to 'does this identity have a networked abuse pattern'. Practitioners should treat graph correlation as part of core fraud and identity governance, not as an optional analytics layer.

A question worth separating out:

Q: Who is accountable when fraud prevention damages legitimate customers?

A: Accountability sits across fraud, IAM, product, and customer operations because blocking decisions affect access, revenue, and trust. Teams should define ownership for thresholds, appeals, and recovery paths, and map those responsibilities to risk governance so no single team optimises only for loss reduction at the expense of customer experience.

👉 Read our full editorial: Fraud detection is improving while networked attacks are harder to see



   
ReplyQuote
Share: