For retail teams attending Fraud Prevention Summit, fraud is increasingly defined by two high-impact vectors: account takeover (ATO) and first-party fraud. Both exploit trust: the former by hijacking legitimate customer accounts, the latter by abusing refunds, chargebacks and policy loopholes while appearing ‘authentic’. Traditional controls at checkout alone are no longer sufficient. The most effective merchants are using digital identity verification as a journey-wide control, applied at the moments where risk truly changes…
Account takeover: protect the login, not just the payment
ATO typically begins long before a purchase: credential stuffing, phishing and social engineering target accounts because they come pre-verified with saved cards, addresses and loyalty value.
Best practice is layered and risk-based:
- Stronger authentication for risky logins: step-up checks when signals change (new device, unusual location, VPN, rapid login attempts, abnormal behaviour).
- Device and behavioural intelligence: recognise known-good devices and spot bot-like patterns before credentials are even validated.
- Credential hygiene: proactive password reset prompts after breach events and detection of compromised credentials.
- Secure account recovery: ensure “forgot password” is not the weakest link — require additional proof when risk is high.
Crucially, merchants are also protecting post-login moments: changes to delivery address, email, phone number, or payment methods. These are common ATO pivot points and should trigger verification or cooling-off periods.
First-party fraud: treat it as identity risk, not just disputes
First-party fraud (sometimes labelled “friendly fraud”) is often disguised as legitimate customer behaviour: “item not received”, “unauthorised purchase”, serial refunds, wardrobing, or chargebacks used as a customer service shortcut.
Best practice is to build an identity-led view of customer trust, using signals across the lifecycle:
- At account creation: verify identity proportionately based on risk (high-value categories, known fraud hotspots, suspicious device/email patterns). Prevent synthetic or disposable identities entering the ecosystem.
- At purchase: use risk-based identity checks for high-value baskets, expedited shipping, or unusual behaviour (multiple cards, rapid retries, mismatched addresses).
- At returns and refunds: apply identity verification to high-risk refund requests, especially where the customer is new, behaviour is inconsistent, or patterns indicate serial abuse.
Importantly, top merchants avoid heavy friction for everyone. They reserve stronger checks for the moments where loss exposure is highest.
High-risk moments: the ‘step-up’ strategy that keeps conversion intact
The most effective identity programmes in 2026 are built around step-up verification: keep the journey fast for trusted users, but increase scrutiny when risk changes. High-risk moments commonly include:
- new device or unusual login behaviour
- first purchase after account creation
- high-value orders or atypical basket composition
- address changes and reship requests
- high-frequency returns or disputes
- gift cards, digital goods, or click-and-collect abuse
Make identity verification operationally sustainable
Finally, identity controls must be measurable and manageable. Leading teams track false positives, friction rates, dispute outcomes and ATO rates by customer segment and channel. They also ensure customer support is equipped to handle verification challenges quickly, preventing identity controls from becoming a CX failure point.
Winning against ATO and first-party fraud isn’t a single silver bullet. It’s about deploying digital identity verification at the right points in the journey: protecting trust, reducing losses and keeping genuine customers moving.
Are you searching for Digital Identity Verification solutions for your organisation? The Fraud Prevention Summit can help!
Photo by Markus Spiske on Unsplash
