Q2 2026 DIGITAL TRUST INDEX

The Fraud Economy Scales Up: Payment Attacks, Account Takeover, and Coordinated Fraud Rings

What’s in This Report

Fraud is becoming harder to evaluate in isolation. Attacks are more connected, risk is shifting across industries and payment methods, and customer retention increasingly depends on how businesses detect, communicate, and resolve fraud incidents.

At the same time, digital activity is growing. Transaction volume across the Sift Global Data Network increased 15.2% from Q1 2025 to Q1 2026, expanding both revenue opportunity and the attack surface for coordinated fraud. While global ATO and payment fraud benchmarks improved year over year, those averages can still hide concentrated risk across specific segments, payment types, and user clusters.

For fraud teams, the mandate is changing. Protecting growth requires earlier detection of connected attacks, more precise controls by payment method and customer value, smarter use of friction, and faster incident response. The strongest teams will be those that connect identity, payment, behavior, device, and outcome data into decisions that protect both revenue and trust.

+15.2%

Transaction volume growth across the Sift Global Data Network from Q1 2025 to Q1 2026.

CHAPTER 1

Fraud Rings Reveal the Limits of Isolated Detection

Fraud rings rarely look obvious at the point of attack. In a single account review or transaction decision, suspicious activity can appear low-signal, fragmented, or even legitimate. The pattern becomes clearer when accounts, cards, merchants, devices, transaction histories, and volume are evaluated together. By the time a fraud ring reaches critical mass, losses may already be close behind, with small variations continuing to hide around every corner and pressure teams for days or even months. Mean Global Linkage helps make that connected risk measurable by showing whether activity is isolated or tied to a broader network pattern.

Across the Sift Global Data Network, users associated with fraudulent chargebacks had 15.8x higher Mean Global Linkage than users without chargebacks, underscoring how coordinated risk becomes easier to identify through the network around them. Rings exploit partial visibility: each merchant sees only one piece of the activity, while the full pattern forms across the network. Network-level intelligence helps close that gap, surface coordinated attacks earlier, and support more confident decisions about when to investigate, apply friction, or block.

15.8x

Higher Mean Global Linkage for users associated with fraudulent chargebacks versus users without chargebacks.

The ATO Ring That Looked Like Loyal Users

The most dangerous ATO attacks don’t always look suspicious. Fraudsters may spend months inside a legitimate account, mirroring the owner’s behavior before taking action. But coordinated loyalty fraud doesn’t rely on compromised accounts alone. In this loyalty program fraud ring identified across the Sift network, bad actors used a mix of ATO’d accounts and born-bad accounts to commit first-party payments fraud and mileage plan abuse. They accessed legitimate loyalty accounts, changed associated email addresses, and redeemed or transferred points before account holders knew anything was wrong.

The ring spanned more than 90 businesses across multiple industries and generated nearly 13,000 attempted transactions. Because the cluster included victimized customers, compromised accounts, and fraudsters operating through newly created accounts, it produced mixed risk signals, with manual blocks and accepts coexisting inside the same connected network. That overlap makes blunt rules the wrong response: blanket blocks can lock out legitimate customers, while isolated decisions miss the broader pattern. Targeted friction interrupts suspicious behavior at the right moment while protecting trusted customer relationships.

Fraud Ring At A Glance

~13k attempted transactions
100+ fraudulent chargebacks
$223 avg transaction value

Signals To Watch For

Manual accepts and confirmed fraud coexisting within the same connected cluster, a common ATO pattern where compromised accounts can still appear legitimate

Account data reused across businesses in connection with suspicious loyalty activity, which can indicate that attackers are using compromised account information beyond a single merchant

Loyalty account email changes as a leading indicator of takeover
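
One way to turn the email-change signal into targeted friction instead of a blanket block, as an added example (not Sift's code and not part of the original report). The event names, the 7-day window, and the choice to send step-up verification to the address on file before the change are assumptions.

```python
from datetime import datetime, timedelta

# Assumed event names for loyalty actions that move value out of an account.
SENSITIVE_ACTIONS = {"points_redeem", "points_transfer"}

def friction_decisions(events, window=timedelta(days=7)):
    """Decide per sensitive action: step up if the email changed recently.

    Returns one dict per redeem/transfer event. A recent email change does not
    block the account; it only gates the value-moving action behind a
    verification sent to the address on file before the change.
    """
    last_change = {}   # account_id -> (timestamp, previous email)
    decisions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account_id"]
        if ev["type"] == "email_change":
            # Keep the oldest address seen inside the window so chained
            # changes (a -> b -> c) still verify against the original owner.
            prev = last_change.get(acct)
            if prev and ev["ts"] - prev[0] <= window:
                last_change[acct] = (ev["ts"], prev[1])
            else:
                last_change[acct] = (ev["ts"], ev["old_email"])
        elif ev["type"] in SENSITIVE_ACTIONS:
            change = last_change.get(acct)
            recent = change is not None and ev["ts"] - change[0] <= window
            decisions.append({
                "account_id": acct,
                "action": ev["type"],
                "decision": "step_up" if recent else "allow",
                "verify_via": change[1] if recent else None,
            })
    return decisions

def sample_events():
    """Constructed account log: one takeover pattern, two ordinary accounts."""
    d = datetime
    return [
        {"ts": d(2026, 1, 5, 10, 0), "account_id": "A", "type": "email_change",
         "old_email": "owner@example.test", "new_email": "tmp1@example.test"},
        {"ts": d(2026, 1, 5, 10, 5), "account_id": "A", "type": "email_change",
         "old_email": "tmp1@example.test", "new_email": "tmp2@example.test"},
        {"ts": d(2026, 1, 5, 10, 20), "account_id": "A", "type": "points_transfer"},
        {"ts": d(2026, 1, 6, 9, 0), "account_id": "B", "type": "points_redeem"},
        {"ts": d(2025, 12, 1, 8, 0), "account_id": "C", "type": "email_change",
         "old_email": "c.old@example.test", "new_email": "c.new@example.test"},
        {"ts": d(2026, 1, 6, 9, 30), "account_id": "C", "type": "points_redeem"},
    ]

if __name__ == "__main__":
    for row in friction_decisions(sample_events()):
        print(row)
```

Only account A is stepped up, and the challenge goes to the original owner's address even though the email was changed twice.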

Inside an ATO Fraud Ring

[Figure: example account from the ATO fraud ring, shown on a High / Medium / Low risk scale. Travel & Hospitality industry account, rated HIGH RISK. Identity abuse: multiple identities confirmed using this single account. Account blocked: manually blocked; reason: account takeover (ATO).]

The Card-Testing Ring Hiding In Low-Value Transactions

Card testing is fraud infrastructure maintenance in production. Before attempting larger purchases or cash-out activity, fraudsters validate stolen cards through low-value, low-friction transactions at merchants where checkout leaves little time for additional verification. 

This food delivery ring followed that pattern closely. One email address cycled through 94 distinct credit cards, generating 390 transactions across five businesses while keeping average order value at $4.06, below common detection thresholds and going unnoticed by many cardholders. Chargebacks appeared at a single merchant, but the broader card footprint extended across the cluster. Once the pattern surfaced, the recommended response was to block associated users across the full ring.

Fraud Ring At A Glance

94 distinct cards, 1 email
$4.06 average transaction value
390 transactions
Multiple chargebacks, all fraudulent

Signals To Watch For

Single identity cycling through a high volume of payment methods in a short window

Consistently low order values designed to avoid detection

Chargebacks concentrated at one merchant while the card footprint spans several others

High manual block volume with zero manual accepts
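
The first three signals above, combined into one check over a transaction log, as an added example (not Sift's detection logic and not part of the original report). The `Txn` fields, the 24-hour window, and the thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Txn:
    ts: datetime
    email: str
    card_fp: str        # tokenised card fingerprint, never a raw PAN
    merchant: str
    amount: float
    chargeback: bool = False

def card_testing_clusters(txns, window=timedelta(hours=24),
                          min_cards=10, max_avg_order=10.0):
    """Flag identities that cycle many cards through low-value orders.

    For each email, find the time window holding the most distinct cards, then
    require both signals: card count >= min_cards and a low average order value.
    Thresholds are illustrative assumptions, not values from the report.
    """
    by_email = defaultdict(list)
    for t in txns:
        by_email[t.email.strip().lower()].append(t)

    findings = []
    for email, rows in by_email.items():
        rows.sort(key=lambda t: t.ts)
        best_key, best_span, start = (0, 0), [], 0
        for end in range(len(rows)):
            while rows[end].ts - rows[start].ts > window:
                start += 1
            span = rows[start:end + 1]
            key = (len({t.card_fp for t in span}), len(span))
            if key > best_key:
                best_key, best_span = key, span
        avg = sum(t.amount for t in best_span) / len(best_span)
        if best_key[0] < min_cards or avg > max_avg_order:
            continue
        merchants = {t.merchant for t in best_span}
        hit = {t.merchant for t in best_span if t.chargeback}
        findings.append({
            "email": email,
            "distinct_cards": best_key[0],
            "txn_count": len(best_span),
            "avg_order_value": round(avg, 2),
            "chargeback_merchants": sorted(hit),
            # Same identity and cards, but no chargeback has landed there yet.
            "exposed_without_chargebacks": sorted(merchants - hit),
        })
    return findings

def sample_transactions():
    """Constructed data: one card-testing identity and two ordinary customers."""
    t0 = datetime(2026, 1, 10, 12, 0)
    shops = ["m-delivery-a", "m-delivery-b", "m-delivery-c"]
    txns = [Txn(t0 + timedelta(minutes=7 * i), "Ring@example.test",
                f"card-{i % 12:02d}", shops[i % 3], 3.50 + 0.50 * (i % 3),
                chargeback=(i % 3 == 0 and i < 9))
            for i in range(24)]
    # Low order values but only two cards: not card testing.
    txns += [Txn(t0 + timedelta(hours=3 * i), "alice@example.test",
                 f"alice-{i % 2}", "m-delivery-a", 4.25) for i in range(6)]
    # Many cards but large orders (e.g. an office account): not card testing.
    txns += [Txn(t0 + timedelta(minutes=30 * i), "office@example.test",
                 f"office-{i:02d}", "m-delivery-b", 62.00) for i in range(10)]
    return txns

if __name__ == "__main__":
    print(card_testing_clusters(sample_transactions()))
```

The `exposed_without_chargebacks` field lists merchants where the same identity and cards were active but no chargeback has appeared yet, which is the part of the footprint a single-merchant view misses.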

Inside a Card Testing Fraud Ring

[Figure: example account from the card testing ring, shown on a High / Medium / Low risk scale. Food & Delivery industry account, rated HIGH RISK. Chargeback fixed: amount exceeding $800, via Visa card, 2 days ago. Account blocked: manually blocked. Fraud transaction rate: 0.6%.]

Fraud Ring Trend: Wallet Provisioning Abuse in U.S. iGaming

A pattern is emerging in U.S. iGaming environments where phishers steal a card primary account number (PAN) and one-time passcode, provision the card into a digital wallet on their own device, create a device-specific DPAN, and run a deposit-and-cash-out cycle. On the surface, the activity can resemble legitimate wallet traffic unless fraud teams can distinguish digital wallet indicators, issuer BIN data, and DPAN BIN mappings inside their decisioning logic.

In this pattern, the majority of chargebacks traced back to a single credit union that didn’t require OTP or 2FA to provision a card into a digital wallet. Because digital wallets treat provisioning controls as the issuer’s responsibility, merchants still need downstream controls to catch abuse that issuer-level verification misses.

Why It Gets Through

Provisioned DPANs can look like legitimate digital wallet traffic at the merchant layer

Weak issuer provisioning controls allow cards to be added to wallets without OTP or 2FA

Issuer BIN and DPAN BIN mismatches can create gaps in standard workflow rules

Recommended Controls

Route digital wallet traffic at a lower score threshold than non-digital wallet traffic

Send PSP-tagged digital wallet indicators and BIN metadata in every decisioning call

Verify issuer BIN versus DPAN BIN mapping in workflow rules to catch provisioning mismatches
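
The three controls above expressed as one workflow rule, as an added example (not Sift's workflow syntax and not part of the original report). The field names, score thresholds, BIN values, the token-BIN table, and the issuer watchlist are all constructed assumptions.

```python
CARD_REVIEW_THRESHOLD = 80      # assumed score cut-off for non-wallet traffic
WALLET_REVIEW_THRESHOLD = 60    # assumed lower cut-off for digital wallet traffic

# Constructed token-BIN table: DPAN BIN -> issuer (funding PAN) BIN.
DPAN_BIN_TO_ISSUER_BIN = {"999901": "411111", "999902": "522222"}
# Constructed watchlist: issuers observed provisioning cards without OTP/2FA.
WEAK_PROVISIONING_ISSUER_BINS = {"522222"}

def naive_issuer_rule(event):
    """Issuer rule keyed on the BIN of the number presented at checkout.

    For wallet traffic that number is a DPAN, so the issuer never matches.
    """
    return event["pan_bin"] in WEAK_PROVISIONING_ISSUER_BINS

def decide(event):
    """Return (action, reasons) for one decisioning call."""
    missing = [k for k in ("score", "pan_bin", "is_digital_wallet")
               if event.get(k) is None]
    if event.get("is_digital_wallet") and event.get("issuer_bin") is None:
        missing.append("issuer_bin")
    if missing:
        # The PSP did not tag the call; fail towards review, not accept.
        return "review", ["missing_metadata:" + ",".join(missing)]

    reasons = []
    if event["is_digital_wallet"]:
        threshold = WALLET_REVIEW_THRESHOLD
        mapped = DPAN_BIN_TO_ISSUER_BIN.get(event["pan_bin"])
        if mapped is None:
            reasons.append("unmapped_dpan_bin")
        elif mapped != event["issuer_bin"]:
            reasons.append("issuer_dpan_bin_mismatch")
        issuers = {event["issuer_bin"], mapped}
    else:
        threshold = CARD_REVIEW_THRESHOLD
        issuers = {event["pan_bin"]}
    if issuers & WEAK_PROVISIONING_ISSUER_BINS:
        reasons.append("weak_provisioning_issuer")
    if event["score"] >= threshold:
        reasons.append(f"score>={threshold}")
    return ("review" if reasons else "accept"), reasons

# Constructed decisioning calls.
SAMPLE_EVENTS = {
    "card": {"score": 70, "pan_bin": "411111", "is_digital_wallet": False},
    "wallet_same_score": {"score": 70, "pan_bin": "999901",
                          "is_digital_wallet": True, "issuer_bin": "411111"},
    "wallet_weak_issuer": {"score": 20, "pan_bin": "999902",
                           "is_digital_wallet": True, "issuer_bin": "522222"},
    "wallet_mismatch": {"score": 20, "pan_bin": "999901",
                        "is_digital_wallet": True, "issuer_bin": "433333"},
    "untagged": {"score": 20, "pan_bin": "999902"},
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(name, decide(ev))
```

The `wallet_weak_issuer` call shows the gap described under "Why It Gets Through": the rule keyed on the presented BIN does not fire, while the rule that resolves the DPAN BIN to its issuer does.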

CHAPTER 2

Account Takeover Concentrates Where Accounts Hold Value

ATO rates improved overall, but risk is concentrating in environments where compromised accounts can be monetized quickly. Global ATO block rates fell 28% from Q1 2025 to Q1 2026, yet Internet & Software was the only tracked vertical to worsen, rising 6%, the highest single-quarter industry reading in the network. At the same time, 22% of consumers reported* experiencing account takeover in the past year, showing that ATO remains a meaningful customer trust issue even when aggregate rates improve.

That concentration matters because ATO losses often happen before a chargeback appears. Attackers can drain loyalty value, exploit stored payment methods, or transfer account access before traditional fraud signals surface. Authentication helps, but it isn’t enough. With more than 65% of breached accounts estimated to have had MFA enabled at compromise, stronger defenses depend on connected signals, account-change monitoring, and downstream behavior analysis.

ATO Block Rate By Industry (Q1 2025 to Q1 2026)

ATO attack rate: percent of blocked, pending, or failed logins out of all login attempts.
[Chart series: overall ATO attack rate; industry or geo-specific ATO attack rate]

22%

Consumers who reported experiencing account takeover in the past year.

Everyday Accounts Are ATO Targets

Banking and financial accounts remained the most commonly reported ATO target at 46%, but social media followed closely at 38%. Account value now extends beyond direct access to funds. Fraudsters also target platforms with stored credentials, stored value, frequent usage, or resale potential. Food and grocery delivery and gaming/gambling each reached 23%, while subscriptions followed at 22%, showing how everyday digital accounts can become monetizable assets once compromised.

Account Types Affected By ATO

Banking/financial 46%
Social media 38%
Food/grocery delivery 23%
Gaming/gambling 23%
Subscriptions 22%
Utilities 20%
Ticketing 15%
Cryptocurrency 12%
E-commerce 10%
Rideshare 10%
Travel/lodging 9%

2FA Remains a Baseline, Not a Complete Control

Global two-factor authentication (2FA) rates held steady year over year, slipping slightly from 8.3% to 8.15%. That stability suggests 2FA has become a baseline control across many digital environments. The more important signal is how authentication use shifts by industry as fraud pressure changes.

Travel & Ticketing and Internet & Software increased 2FA adoption, while Digital Commerce moved in the opposite direction, falling to 1.59%. Those differences show why authentication works best as one adaptive layer in a broader strategy. Stronger ATO defense requires pairing login controls with behavioral signals, account-change monitoring, and downstream transaction analysis.

2FA Rate By Industry (Q1 2025 to Q1 2026)

Two-factor auth rate: percent of logins sent to two-factor authentication out of all logins.
[Chart series: overall 2FA rate; industry fraudulent 2FA rate]

CHAPTER 3

Payment Fraud Is Shifting Across Industries and Methods

Payment fraud improved globally, but risk shifted sharply by industry, payment type, and price point. Overall block rates fell from 3.29% in Q1 2025 to 2.82% in Q1 2026, while 26% of consumers experienced online payment fraud in the past year. Even when aggregate fraud rates improve, payment fraud remains a common customer experience with direct implications for trust and retention.

The industry breakdown shows why averages aren’t enough. Travel & Ticketing posted the sharpest improvement, while Food & Delivery and Online Gambling worsened. That divergence aligns with emerging attack patterns, including persistent card testing in Food & Delivery and wallet provisioning abuse in Online Gambling. Payment fraud is redistributing, and proactive teams will recalibrate controls by vertical, payment method, and economic exposure instead of relying on network-wide averages.

Payment Fraud Block Rate By Industry (Q1 2025 to Q1 2026)

Payment fraud attack rate: average blocked payment fraud rate by quarter.
[Chart series: overall payment fraud attack rate; industry or geo-specific payment fraud attack rate]

26%

Consumers who experienced online payment fraud in the past year.

Most Fraudulent Payment Types

Not all payment methods carry the same risk. Cryptocurrency reached a 9.46% payment fraud attack rate, Electronic Fund Transfer reached 8.36%, and Credit/Debit Card reached 4.48%, while In-app Purchase was lowest at 0.87%. That spread matters operationally: broad, uniform rules can miss where exposure is actually clustering. The right approach is to tune controls to payment-method-specific performance, fraud rates, and downstream customer impact.

Payment-type strategy should account for how quickly value can be moved, whether protections are mature, and how much visibility fraud teams have into issuer, wallet, and PSP metadata.

Payment Fraud Block Rate by Payment Type

Cryptocurrency 9.46%
Electronic Fund Transfer 8.36%
Credit/Debit Card 4.48%
Digital Wallet 4.09%
Financing 3.94%
Points 3.76%
Gift Cards and Vouchers 2.00%
In-app Purchases 0.87%

Payment Fraud Follows Stored Credentials and Frequent Use

Banking and financial accounts led reported payment fraud incidence at 35%, followed by social media and food/grocery delivery at 22% each, and igaming/online gambling at 21%. The pattern reflects where consumers store credentials, save payment methods, and transact often, making everyday digital accounts attractive targets once access or payment data is compromised.

Where Payment Fraud Occurred

[Chart: reported payment fraud incidence by account type. Categories shown: Banking / financial, Social media, Food / grocery delivery, Gaming / gambling, Subscriptions, E-commerce, Ticketing, Travel / lodging, Cryptocurrency, Rideshare, Utilities]

When Fraud Pressure Peaked

Fraud pressure did not peak evenly across industries, reinforcing that each vertical has its own fraud calendar. Across the Sift network, the highest overall fraud-pressure day in the past year was March 27, 2025, likely reflecting a mix of quarter-end activity, spring travel, tax-season identity abuse, and seasonal commerce. Industry peaks followed different patterns: Online Gambling peaked shortly after a major sports-betting period, Travel & Ticketing peaked during spring travel planning, and Digital Commerce and Food & Delivery peaked later in the year, when promotions, seasonal demand, and low-friction checkout flows can create more room for fraud testing. These dates can help fraud teams compare network-level peaks against their own spikes in traffic, declines, chargebacks, manual reviews, and step-up activity.

Top Fraud-Pressure Days By Industry (Q1 2025 to Q1 2026)

Internet & Software Feb 15, 2025
Travel & Ticketing Mar 21, 2025
Overall Mar 27, 2025
Digital Commerce Aug 27, 2025
Food & Delivery Sep 24, 2025
Finance & Fintech Dec 9, 2025
Online Gambling Feb 18, 2026

Fraud Rates Mean Different Things At Different Price Points

A fraud rate only tells part of the story. The financial exposure behind each decision depends on average order value, which varies widely by industry. In Q1 2026, Internet & Software had an average order value of $342, compared with $14 in Food & Delivery, meaning the same fraud rate can create very different revenue and loss implications. Fraud teams need to calibrate decisions by both risk and transaction value, using different threshold strategies for higher-value categories like Internet & Software (B2B and B2C software as a service), Finance & Fintech, Travel & Ticketing, and Online Gambling than they would for lower-value, high-frequency categories like Food & Delivery.

Average Order Value By Industry (Q1 2026)

Global Average $130
Internet & Software $342
Finance & Fintech $262
Travel & Ticketing $200
Online Gambling $199
Digital Commerce $122
Commerce Marketplaces $95
Food & Delivery $14

Blocking The Wrong Transaction Costs Money Too

Average order value shows what’s at stake in each decision, while false-positive cost shows the revenue impact when trusted customers are blocked. Across the Sift network in Q1 2026, the average false-positive cost was $135, but the impact varied significantly by industry, reaching $496 in Digital Commerce and $396 in Online Gambling compared with $24 in Food & Delivery. Those differences reinforce why fraud controls need to be calibrated to economic exposure, not just fraud prevalence. A strict threshold may reduce fraud, but in higher-value categories it can also turn away substantial legitimate revenue.

Cost of an Average False Positive By Industry (Q1 2026)

Overall $135
Digital Commerce $496
Online Gambling $396
Finance & Fintech $198
Travel & Ticketing $193
Internet & Software $95
Food & Delivery $24

CHAPTER 4

Consumer Fraud Is Now a Retention Problem

Fraud incidents are now a common part of the digital customer experience. In the past year, 26% of U.S. consumers experienced payment fraud and 22% experienced account takeover, making fraud prevention inseparable from trust, retention, and brand perception.

The impact depends on both the type of fraud and the quality of the response. Payment fraud creates a steeper retention risk than account takeover, but in both cases, fast detection, clear communication, and quick resolution can determine whether customers recover confidence or leave permanently.

Detection and Recovery Shape Trust

How customers discover an ATO incident reflects how quickly a business can detect and contain account abuse. The strongest outcome is proactive notification from the company before damage spreads. The weakest is when customers only realize something’s wrong after they’ve already lost access to their account.

How Consumers First Found Out About ATO

Company or platform notified me 37%
Noticed suspicious activity or unauthorized changes 30%
Friend, family member, or colleague alerted me 18%
Tried to log in and could not access my account 13%
Other 2%

ATO Recovery Still Leaves a Trust Gap

Recovery speed can determine whether customers regain confidence or start looking elsewhere. Most ATO victims resolved the issue within a few days, but 20% didn’t, including 4% whose issue still wasn’t resolved at the time of the survey. Even when customers stay, trust takes a hit: 54% kept using the platform without hesitation, while 35% stayed with less trust and 11% left permanently. That means nearly half of ATO victims either questioned the brand or abandoned it altogether, creating a retention problem that can quickly become a customer acquisition problem.

ATO Resolution Effort

Resolved within a few days with some effort 44%
Resolved quickly with minimal effort 36%
Took significant effort, more than a week 11%
Took significant effort, more than a month 5%
Not fully resolved 4%

Platform Retention Post-ATO

Continued using without hesitation 54%
Continued using, but with less trust 35%
Stopped using permanently 11%

Payment Fraud Drives Higher Brand Abandonment

Fraudulent charges from a merchant create an even steeper brand abandonment risk. Only 28% of victims continued using the platform without hesitation, while 27% stopped using it permanently. Another 8% said their decision depended on how the company handled the incident, making response quality a direct revenue lever. When fraud drives customers away, the impact extends beyond the disputed transaction. Businesses have to regain trust, replace lost customers, and spend more to recover growth that better detection and recovery could have protected.

Payment Fraud Resolution Speed

Resolved quickly with minimal effort 38%
Resolved within a few days with some effort 36%
Took significant effort, more than a week 17%
Took significant effort, more than a month 5%
Not fully resolved 4%

Platform Retention After Payment Fraud

Continued using without hesitation 37%
Continued using, but with less trust 28%
Stopped using permanently 27%
Depended on how the company handled it 8%

What Consumers Expect After Fraud

After a fraud incident, customers want three things: speed, transparency, and proactive communication. Quick resolution had the strongest positive impact, with 82% of consumers saying it would improve their perception of the company. Proactive communication and transparent communication followed closely, each with a 76% combined positive impact.

The downside is just as clear. Slow resolution and opaque communication were the strongest drivers of negative perception, with 36% saying slow resolution would significantly worsen their view of the company and 46% saying the same about a lack of transparency. For fraud and trust and safety teams, incident response directly influences whether customers regain confidence, hesitate, or leave.

How Company Response Affects Consumer Perception After a Fraud Incident

Company response | Sig. improve | Somewhat improve | No effect | Somewhat worsen | Sig. worsen
Resolves the issue quickly | 51% | 31% | 11% | 5% | 2%
Communicates proactively | 36% | 40% | 15% | 6% | 3%
Communicates transparently | 36% | 39% | 16% | 7% | 2%
Communicates reactively | 22% | 30% | 21% | 20% | 7%
Does not communicate transparently | 8% | 12% | 12% | 22% | 46%
Resolves the issue slowly | 6% | 12% | 16% | 30% | 36%

We talk a lot about fraud rates, but the real question is what your data is actually connected to. A 3% block rate at one merchant might be the tail end of an attack that started somewhere else entirely, and the merchant that absorbed the first wave had no way of knowing it. Network intelligence helps teams detect fraud faster because it expands what they're able to see in the first place.

Kevin Lee

Field Chief Technology Officer, Sift

CHAPTER 5

What Leading Teams Do Next

The strongest fraud programs look beyond aggregate fraud rates. A topline improvement can still hide a coordinated ring spreading across a new segment, a payment method absorbing more risk, or an ATO campaign targeting high-value accounts. Leading teams benchmark by industry, payment method, account behavior, and fraud ring connectivity so exposure surfaces before it becomes chargebacks, false declines, or customer churn.

Connected decisioning is what turns those signals into action. Identity, device, payment instrument, behavior, chargeback history, account changes, and customer outcomes need to resolve into one risk view instead of living in separate queues. That unified signal helps teams apply the right response at the right moment: friction when signals are mixed, a hard block when confidence is high, and fast recovery workflows when legitimate customers are affected.

The teams that win won’t be the ones blocking the most. They’ll be the ones blocking the right things, detecting coordinated attacks before losses spread, calibrating thresholds before false declines erode revenue, and treating post-incident review as part of the strategy. Fraud prevention and fraud response now have to operate as one program. The data shows where risk concentrates. The advantage goes to teams that can act on it fast enough.

*On behalf of Sift, Researchscape International polled 1,032 adults (aged 18+) across the United States via online survey in May 2026.

What’s New at Sift

Drive Your Business Forward with FIBR ®

Compare your own data against Sift benchmarks with FIBR, the first Fraud Industry Benchmarking Resource of its kind, delivering crucial fraud insights to businesses across industries and regions.
