
How should delivery platforms reduce fraud without hurting customer conversion?

By NHI Mgmt Group Editorial Team Updated June 10, 2026 Domain: Governance, Ownership & Risk

They should use risk-tiered friction rather than blanket challenge. That means light-touch verification for low-risk activity, stronger checks for high-risk behaviour, and clear review paths for exceptions. The goal is to make abuse expensive while keeping legitimate users moving through the flow with minimal disruption.

Why This Matters for Security Teams

Delivery platforms sit at the point where fraud pressure and conversion pressure collide. If every order gets the same heavy verification, legitimate customers abandon checkout. If every order gets a free pass, bots, promo abuse, account takeovers, and refund fraud scale quickly. The practical answer is not blanket challenge, but risk-tiered friction that adapts to behaviour, device signals, payment history, and delivery patterns.

This is also an identity problem, not just a fraud-scoring problem. Many abuse paths rely on non-human actors, scripted flows, and reused secrets, which is why NHI governance matters in the background even when the user journey looks customer-facing. NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts in its Ultimate Guide to NHIs — The NHI Market, a visibility gap that directly affects detection and containment. Security leaders should align fraud controls with broader identity governance and the NIST Cybersecurity Framework 2.0, especially when automation is making decisions at volume.

In practice, many security teams discover conversion damage only after an overly aggressive challenge policy has already pushed legitimate customers to a competitor.

How It Works in Practice

Effective fraud reduction starts by separating low-, medium- and high-risk activity, then assigning the least disruptive control that still makes abuse costly. Low-risk sessions should move quickly with passive checks in the background. Medium-risk events can trigger lightweight friction such as step-up verification, phone or email confirmation, or delayed fulfilment. High-risk behaviour should face stronger controls such as velocity limits, payment review, device binding, or manual exception handling.

The key is to make the decision in real time using context, not a fixed rule that treats all customers the same. A good fraud stack usually combines behavioural signals, historical trust, delivery address risk, payment instrument reputation, and account age. When the platform also uses service accounts, APIs, and orchestration jobs, those non-human identities need the same discipline: short-lived secrets, rotation, and tight privilege boundaries. Otherwise, abuse can be automated through backend pathways even if the front end is well defended.

  • Use passive scoring first, then escalate only when risk crosses a threshold.
  • Keep step-up checks proportionate to the value and sensitivity of the transaction.
  • Define exception paths so support teams can resolve false positives quickly.
  • Log the signal set behind each decision so thresholds can be tuned without guesswork.
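The following Python sketch is an added example, not code from the page or from NHI Mgmt Group. It puts the four points above into one decision path: passive scoring with no user-facing friction, escalation only past a score threshold, a step-up that scales with order value, and the full signal set attached to every decision. The signal weights, tier thresholds, control names, the 0..1 address and payment-reputation inputs and the three constructed orders are all assumptions chosen to illustrate the pattern.

```python
"""Risk-tiered friction for a delivery checkout (added example, not the page's code).
Weights, thresholds and control names are assumptions; tune them from logged decisions."""
from collections import defaultdict, deque
from dataclasses import dataclass

LOW_MAX, MEDIUM_MAX = 30, 70   # assumed tier boundaries on a 0-100 score


@dataclass
class OrderContext:
    account_id: str
    account_age_days: int
    device_known: bool          # fingerprint previously seen on this account
    address_risk: float         # 0.0 trusted .. 1.0 risky (assumed external address model)
    payment_reputation: float   # 0.0 bad .. 1.0 good (assumed instrument-reputation feed)
    order_value: float
    promo_applied: bool
    ts: float                   # unix seconds


@dataclass
class Decision:
    tier: str
    controls: list
    score: int
    signals: dict               # evidence behind the decision, kept for tuning and support review


class VelocityTracker:
    """Sliding-window order count per account (in-memory here; use a shared store in production)."""

    def __init__(self, window_seconds=3600):
        self.window, self.events = window_seconds, defaultdict(deque)

    def record(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)


def passive_score(ctx, velocity):
    """Background scoring with no user-facing friction; returns the score and its signals."""
    signals, score = {}, 0

    def hit(name, points):      # record every signal with the points it contributed
        nonlocal score
        signals[name] = points
        score += points

    if ctx.account_age_days < 1:
        hit("new_account", 25)
    elif ctx.account_age_days < 30:
        hit("young_account", 10)
    if not ctx.device_known:
        hit("unknown_device", 15)
    hit("address_risk", round(ctx.address_risk * 25))
    hit("payment_risk", round((1 - ctx.payment_reputation) * 25))
    if velocity > 3:
        signals["orders_last_hour"] = velocity
        hit("velocity", min(10 * (velocity - 3), 30))
    if ctx.promo_applied and ctx.account_age_days < 7:
        hit("promo_on_new_account", 15)
    return min(score, 100), signals


def decide(ctx, tracker, low_max=LOW_MAX, medium_max=MEDIUM_MAX):
    """Pick the least disruptive control that still makes abuse costly at this score."""
    velocity = tracker.record(ctx.account_id, ctx.ts)
    score, signals = passive_score(ctx, velocity)
    if score <= low_max:
        return Decision("low", ["passive_checks"], score, signals)
    if score <= medium_max:   # step-up proportionate to order value
        controls = ["email_or_phone_confirm"] if ctx.order_value < 50 else [
            "step_up_verification", "delayed_fulfilment"]
        return Decision("medium", controls, score, signals)
    controls = ["velocity_limit", "payment_review", "device_binding"]
    if ctx.order_value >= 200:
        controls.append("manual_review")   # exception path to a human, not a silent block
    return Decision("high", controls, score, signals)


def retier(score, low_max, medium_max):
    """Re-tier a logged score under candidate thresholds without re-running the model."""
    return "low" if score <= low_max else "medium" if score <= medium_max else "high"


def run_demo():
    """Constructed orders (not real data): one per tier, the last one a velocity burst."""
    tracker = VelocityTracker()
    established = OrderContext("acct-a", 400, True, 0.08, 0.95, 25.0, False, 1000.0)
    new_promo = OrderContext("acct-b", 0, False, 0.2, 0.8, 30.0, True, 1000.0)
    decisions = [decide(established, tracker), decide(new_promo, tracker)]
    for i in range(5):   # five orders from one young account within an hour
        burst = OrderContext("acct-c", 3, False, 0.6, 0.4, 250.0, True, 1000.0 + 60 * i)
        last = decide(burst, tracker)
    decisions.append(last)
    return decisions
```

Calling run_demo() yields a low-tier established customer who only sees passive checks, a new account redeeming a promo from an unknown device that gets an email or phone confirmation, and a young account placing its fifth order within the hour that lands in the high tier with manual review. The retier() helper is the reason the signal set and score are logged with every decision: when a campaign shifts the legitimate population, the team can replay logged scores under a candidate low_max and count how many real customers would move tiers before touching the live threshold.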

Best practice is to measure fraud savings against abandonment and false-positive rates, not fraud loss alone. That balance is easier to maintain when policies are reviewed continuously and when backend identities are governed as tightly as customer logins. Identity-centric controls belong alongside fraud models, because fraudsters often exploit automation and reused secrets, not just weak passwords. Static thresholds tend to break down during high-volume promo campaigns or marketplace spikes, when the legitimate population shifts and produces more edge cases than the fixed thresholds were tuned for; those are the moments to re-tune from logged decisions rather than from guesswork.

Common Variations and Edge Cases

Tighter fraud controls often increase operational overhead, requiring organisations to balance conversion gains against support load and review costs. That tradeoff becomes more visible during peak delivery windows, new-market launches, or high-value campaigns, where false positives can spike and manual review queues can slow fulfilment.

There is no universal standard for this yet, but current guidance suggests calibrating friction by transaction type rather than by customer segment alone. For example, first-party fraud on a low-value order may justify a softer response than repeated delivery re-routing on a high-value order. Marketplace and aggregator models also need stronger supplier and driver identity controls, because abuse can originate from non-human workflows, stolen API keys, or compromised service integrations.

Where the business uses automation to approve orders, assign couriers, or trigger refunds, the fraud model must account for machine speed and machine scale. This is where broader governance from the Ultimate Guide to NHIs — The NHI Market and the NIST Cybersecurity Framework 2.0 becomes operationally useful: it helps teams reduce abuse without turning every legitimate customer into a suspect.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-01              | Fraud automation often abuses overprivileged non-human identities and secrets.
NIST CSF 2.0                     | PR.AA-01            | Risk-tiered friction depends on reliable identity verification and access decisioning.
NIST CSF 2.0                     | DE.CM-08            | Fraud controls need monitoring for anomalous activity across customer and backend flows.

Inventory non-human identities, reduce standing privilege, and rotate secrets tied to fraud workflows.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org