eCommerce fraud and identity abuse: what IAM teams are missing


(@nhi-mgmt-group)

TL;DR: Fraud in eCommerce now spans account takeovers, synthetic identities, bot-driven abuse, and policy manipulation, while merchants are still being asked to keep onboarding fast and friction low, according to Transmit Security’s summary of KuppingerCole’s FRIP for eCommerce Leadership Compass. The real issue is that fraud controls, CIAM, and identity governance are converging on the same trust boundary, and that boundary is being tested continuously.

NHIMG editorial — based on content published by Transmit Security: Protecting eCommerce Against Today’s Most Sophisticated Fraud Threats

By the numbers:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.

Questions worth separating out

Q: How should security teams handle fraud and identity abuse in eCommerce journeys?

A: They should treat fraud as an identity governance problem that spans onboarding, login, recovery, and transaction approval.

Q: Why do bot-driven attacks keep bypassing eCommerce controls?

A: Because many controls still focus on whether a request is technically valid rather than whether the behaviour fits a real customer pattern.

Q: What do teams get wrong about GenAI in fraud operations?

A: They often assume GenAI can compensate for weak data quality or inconsistent case records.

Practitioner guidance

  • Align fraud and identity decisioning: Bring CIAM, authentication risk, device intelligence, and fraud policy into one operating model so onboarding, login, and transaction controls use the same risk context.
  • Segment customer journeys by abuse pattern: Build separate policies for credential stuffing, synthetic identity creation, coupon abuse, and account takeover instead of relying on a single generic fraud rule set.
  • Tune bot controls to behavioural thresholds: Use velocity, session repetition, and device reputation together so legitimate automation is not treated the same as repeated policy evasion.

What's in the full article

Transmit Security's full post covers the operational detail this analysis intentionally leaves for the source:

  • KuppingerCole’s evaluation criteria for product, innovation, and market leadership in FRIP for eCommerce.
  • The vendor’s specific fraud coverage examples across CNP, BNPL, APP scams, synthetic identity, and policy abuse.
  • Journey-level product capabilities such as mobile onboarding, liveness detection, compromised credential checks, and behavioural biometrics.
  • How the combined CIAM and fraud platform is positioned for merchant workflow and analyst use cases.

👉 Read Transmit Security’s analysis of fraud reduction intelligence for eCommerce →
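
The third guidance item above (velocity, session repetition, and device reputation used together) can be sketched as follows. This is an added example, not code from Transmit Security or NHIMG; the thresholds, device names, risk scores, and the allow/challenge/block tiers are assumptions constructed for illustration.

```python
from collections import defaultdict

MAX_PER_MINUTE = 30      # assumed velocity limit: requests in any 60 s window
MAX_REPEAT_RATIO = 0.5   # assumed limit: share of sessions replaying one action sequence
MAX_DEVICE_RISK = 0.7    # assumed reputation scale: 0 = clean, 1 = known bad
RISK = {"dev-sync": 0.1, "dev-replay": 0.9, "dev-shop": 0.2}  # constructed scores

def peak_velocity(timestamps, window=60):
    """Largest number of requests inside any sliding window of `window` seconds."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best

def repeat_ratio(sessions):
    """Fraction of sessions whose ordered action list duplicates another session."""
    counts = defaultdict(int)
    for actions in sessions.values():
        counts[tuple(actions)] += 1
    repeated = sum(n for n in counts.values() if n > 1)
    return repeated / len(sessions)

def decide(events, device_risk):
    """events: (ts, device, session, action) tuples; device_risk: device -> score."""
    by_device = defaultdict(lambda: {"ts": [], "sessions": defaultdict(list)})
    for ts, device, session, action in sorted(events):
        by_device[device]["ts"].append(ts)
        by_device[device]["sessions"][session].append(action)
    verdicts = {}
    for device, d in by_device.items():
        signals = [
            peak_velocity(d["ts"]) > MAX_PER_MINUTE,
            repeat_ratio(d["sessions"]) > MAX_REPEAT_RATIO,
            device_risk.get(device, 0.5) > MAX_DEVICE_RISK,  # unknown device: neutral
        ]
        # No single signal decides: one hit is tolerated, two step up, three block.
        verdicts[device] = ("allow", "allow", "challenge", "block")[sum(signals)]
    return verdicts

def sample_events():
    """Constructed traffic: a stock-sync integration, a coupon replayer, a shopper."""
    sync = [(i, "dev-sync", "s0", f"GET /stock/{i}") for i in range(50)]
    replay = [(i * 1.5 + k * 0.1, "dev-replay", f"r{i}", a) for i in range(20)
              for k, a in enumerate(("login", "apply_coupon", "checkout"))]
    shopper = [(t, "dev-shop", "u1", a) for t, a in ((5, "login"), (90, "cart"), (200, "pay"))]
    return sync + replay + shopper
```

Calling `decide(sample_events(), RISK)` lets the fast but otherwise clean integration through on velocity alone, while the device that is fast, repetitive, and poorly reputed is blocked.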
