Which verticals lose the most to fraud, and why the patterns differ
A breakdown of the five verticals that lose the highest percentage of revenue to fraud — iGaming, Crypto/Web3, FinTech, AdTech, and E-commerce — and the structural factors that make each one a target.
Not all industries face the same fraud landscape. Some sit on top of attack surfaces that are inherently more attractive to professional fraud operations; others have characteristics that limit the attack volume even when defenses are weak.
This piece walks through the five verticals that consistently lose the highest percentage of revenue to fraud-adjacent issues — iGaming, Crypto/Web3, FinTech/lending, AdTech, and E-commerce — and explains the structural factors that make each vertical attractive to attackers. Written for product, operations, and risk leaders trying to understand whether the fraud loss numbers they see are typical for their category or whether something is off.
Why fraud isn't evenly distributed
Attackers operate on unit economics. The math for any fraud operation is: cost of attack < value extracted. Verticals that maximize the right side of this inequality attract the most professional attention.
Three structural factors determine value extraction:
Factor 1: Speed of monetization. How quickly can the attacker convert fraud success into cash? iGaming has fast monetization (claim bonus, play through wagering, withdraw). E-commerce has slower monetization (order item, receive item, resell). Crypto can have extremely fast monetization (claim airdrop, sell on DEX). Faster monetization attracts more sophisticated operations.
Factor 2: Per-unit value. What's the financial value of a single successful fraud event? Synthetic identity loan fraud might extract $15K–25K per successful bust-out. Bonus abuse might extract €50–500 per account. Click fraud might extract pennies per click but at massive volume. Higher per-unit value attracts more focused attacks; high-volume low-value categories attract more industrial automation.
Factor 3: Detection difficulty. Verticals where fraud blends with legitimate behavior are harder to defend. Synthetic identity is hard because documents look real and behavior looks normal for 12–18 months. Collusion is hard because each player looks legitimate individually. Click fraud is hard because individual clicks look like normal user behavior.
The five verticals below score high on at least two of these three factors. They're not the only verticals with fraud problems — every consumer-facing platform faces some — but they're the ones where the math most strongly favors attackers.
iGaming: 8–20% of GGR
The industry where the dollar amounts are most discussed because regulators require disclosure. Mature iGaming markets in regulated jurisdictions typically lose 8–15% of gross gaming revenue to fraud-adjacent issues. Less mature markets and operators with weaker defenses can lose up to 20%.
The structural factors:
- High bonus budgets attract bonus abuse. Operators spend 5–15% of revenue on welcome bonuses, risk-free bets, and promotional offers. The bonus budget is a target. Attackers create multi-accounts to claim these offers repeatedly.
- Fast monetization through wagering and withdrawal. Bonus claim, minimum wager, withdrawal — total time from fraud to cash is often hours, not days. This makes operations economically efficient even at moderate per-account value.
- Mature attacker infrastructure. iGaming has been a major target for over a decade. Professional bonus farming operations exist at scale. KYC bypass services are a mature industry. Document acquisition markets are established.
- Player protection regulations create attacker advantage. Operators face friction in aggressively challenging users (false positives generate complaints and regulatory attention). Attackers face less friction in iterating against the defenses.
The fraud categories that drive losses: bonus abuse and multi-accounting (highest volume), collusion in poker formats, risk-free bet exploitation, account takeover for accounts with deposits. Each requires different countermeasures.
The honest assessment: most operators undermeasure their fraud rate. They count what they catch and miss what they don't. The actual rate is typically 1.5–2× higher than the reported number.
Crypto and Web3: 50–80% on Sybil-vulnerable distributions
The newest entry on the high-fraud list and arguably the most extreme. Token launches, NFT mints, airdrops, and other distribution mechanisms routinely see 50–80% of distribution go to farming operations rather than legitimate participants.
The structural factors:
- Distribution events are large, fast, and high-value. A token launch might distribute $50–500M in value over hours. The window for attack is narrow but the value at stake is enormous.
- Composability favors automation. Web3 design philosophy emphasizes permissionless access. The same property that makes Web3 powerful makes it attractive to attackers — they can interact with protocols without the friction that traditional finance requires.
- Sybil-resistance is structurally hard. Distinguishing one entity controlling 1,000 wallets from 1,000 separate entities each controlling one wallet is a fundamental cryptographic problem. Standard approaches (proof of activity, social graphs, on-chain reputation) all have known evasions.
- Anti-detect browser infrastructure adapted for Web3. The same tools used in iGaming bonus farming work for Web3 distribution farming, often more effectively because Web3 platforms tend to have weaker defenses.
The fraud categories: Sybil attacks on token distributions, airdrop farming with pre-warmed wallets, KYC bypass on centralized exchanges, fake trading volume on DEXs, scam wallet attribution. Each is a different problem; each requires different countermeasures.
The honest assessment: the 50–80% farming rate on airdrops is widely reported and consistent with the data Tracio sees at customer deployments. Protocols that don't actively defend can expect most of their distribution to reach farmers. Protocols that defend properly can flip this to 90%+ legitimate distribution.
FinTech and lending: 3–10% of portfolio
A broad category that includes consumer lending, BNPL, neobanks, payment platforms, and crypto-FinTech bridges. Losses vary widely by sub-category, but the consolidated industry average sits around 3–10% of portfolio.
The structural factors:
- Per-incident value is high. Synthetic identity loan fraud extracts $15K–25K per successful bust-out. Account takeover on accounts with payment methods can extract similar amounts. Per-incident value justifies sophisticated attack operations.
- KYC creates a false sense of security. Document verification catches casual fraudsters and misses sophisticated ones. The KYC industry is mature, but so is the KYC bypass industry. Document acquisition markets and identity-as-a-service operations defeat standard verification.
- Bureau data lags real-time. Credit bureaus update on 24–72 hour cycles. Attackers exploit this window for loan stacking — submitting applications to multiple lenders within an hour, all approving because none see the others yet.
- Friendly fraud and chargeback abuse. A non-trivial portion of FinTech fraud is consumer-initiated: legitimate customers disputing transactions to get refunds while keeping goods, or claiming fraud on legitimate purchases.
The fraud categories: account takeover (highest volume), synthetic identity (highest per-incident value), loan stacking (specific to lending products), card-not-present fraud, friendly fraud and chargeback abuse. The category mix varies dramatically by product type — a consumer lender's fraud landscape looks different from a payment processor's.
The honest assessment: FinTech operators tend to measure fraud more rigorously than other verticals because regulators require it. The published numbers are more reliable than in iGaming. The 3–10% range reflects honest measurement; the underlying losses don't typically exceed this range significantly even at poorly defended operators because product limits, account-level fraud controls, and bureau coordination cap the per-account exposure.
AdTech: 15–30% of ad spend
The vertical where the absolute dollar number is largest because the underlying market is largest. Global ad fraud losses are estimated at $84B in 2025, expected to exceed $100B in 2026. Different studies put the percentage of ad spend lost to fraud anywhere from 15% to 30%.
The structural factors:
- Bot traffic looks like legitimate traffic in pre-bid signals. The Imperva-reported 49.6% of internet traffic that's automated is a baseline; on ad-monetized inventory specifically, the percentage is often higher because attackers specifically target ad-monetized destinations.
- Multiple parties in the value chain creates accountability gaps. Advertiser → ad exchange → SSP → publisher → user. When fraud happens, each party has incentive to blame the others. Detection responsibilities are unclear.
- Post-bid analysis catches fraud after payment. The dominant verification model (MOAT, IAS, DV) analyzes impressions after they're served and counted. By the time fraud is confirmed, the budget is spent. Pre-bid detection is the underinvested layer.
- Domain spoofing exploits SSP trust. Buying inventory on premium domains via SSPs is convenient but creates an attack surface. Spoofers misrepresent inventory; SSPs sometimes have weak verification; advertisers pay premium prices for impressions on shadowy destinations.
The fraud categories: click fraud (bots clicking paid ads), impression fraud (fake views), conversion fraud (fake conversions in affiliate networks), domain spoofing, ad stacking, pixel stuffing. Each requires different detection approaches.
The honest assessment: AdTech is the vertical where the gap between sophisticated buyers and unsophisticated buyers is largest. Major advertisers with dedicated brand safety teams catch most of the fraud. Smaller and mid-size advertisers operating through agencies often lose 25%+ of spend without ever seeing it. The category-wide average is high partly because the long tail is weakly defended.
E-commerce: 3–8% of revenue
The broadest vertical, ranging from large marketplaces to single-product Shopify stores. Industry-wide loss to fraud is estimated at 3–8% of revenue across the category, with significant variance by sub-segment.
The structural factors:
- Promo budgets attract abuse. Welcome discounts, referral credits, loyalty programs, and seasonal promotions create budgets that attackers target. Promo abuse follows the same pattern as iGaming bonus abuse but at lower per-incident value and higher volume.
- Returns fraud is industry-structural. Generous return policies are competitive table stakes; they're also exploitable. Wardrobing, empty-box returns, friendly fraud chargebacks. Estimated 5–10% of returns are fraudulent.
- Card-not-present payment makes card testing attractive. Attackers test stolen card numbers against e-commerce checkouts at scale, identifying which cards still work before using them for larger purchases. Most e-commerce platforms see significant card testing traffic without realizing it.
- Inventory snipe attacks on limited drops. Sneakers, gaming consoles, limited NFTs — anywhere inventory is scarce and demand is high, automated buying creates a parallel resale market.
The fraud categories: promo abuse, returns fraud, card-not-present payment fraud, card testing, account takeover on accounts with saved payment methods, inventory hoarding bots. The mix varies dramatically by product type — a luxury fashion retailer's fraud landscape looks different from a generic Shopify store.
The honest assessment: most e-commerce operators don't separate fraud loss from other loss categories cleanly. Chargebacks get treated as a cost of business. Returns fraud is mixed with legitimate returns. Promo abuse hides in marketing performance metrics. The 3–8% range reflects what serious operators measure; less rigorous operators often have higher actual losses they can't see.
What these verticals have in common
Despite the different attack mechanisms, the five high-fraud verticals share four characteristics that explain why they're targets:
Common factor 1: High-velocity money movement. Either fast monetization (iGaming, Crypto), large per-incident value (FinTech), or massive aggregate value (AdTech, E-commerce).
Common factor 2: Multi-accounting as a vulnerability. All five verticals are vulnerable to attacks where one entity creates multiple accounts to extract value that's intended per-user. Welcome bonuses, airdrops, free trials, promo codes, fresh credit lines.
Common factor 3: Detection difficulty against modern automation. None of the five verticals can defend with KYC alone or IP blocking alone. All require multi-layer detection that includes device intelligence to catch the patterns that simpler defenses miss.
Common factor 4: Underinvestment in measurement. In every one of these verticals, the typical operator measures less rigorously than the actual loss warrants. The number on the dashboard is usually 60–70% of the actual number. The hidden loss accumulates without ever being visible to leadership.
What works across all five
The detection architecture that's effective across all five verticals shares common elements regardless of the specific fraud category being defended:
Element 1: Device intelligence as the foundation. Multi-account detection, ATO defense, Sybil resistance, and click fraud prevention all benefit from the ability to identify the same device across multiple sessions, accounts, or actions. This is the most universal building block.
Element 2: Cross-account linking. Within a single platform, identifying that "different" accounts share underlying characteristics is critical. Across multiple platforms (via anonymized cross-customer signals), the same approach catches coordinated campaigns.
Element 3: Real-time verdicts. Defenses that detect fraud after it happens are useful for refund claims and bureau reports, but they don't prevent the loss. Real-time detection at the critical decision moment (signup, claim, login, transaction) is what actually moves the loss numbers.
Element 4: Layered architecture. No single signal holds up against modern attackers. Network signals, device signals, behavioral signals, coherence checks, cross-platform intelligence — the combination is what works.
Element 5: Polymorphic client-side code. Attackers reverse-engineer static detection and ship evasions. Rotating code denies them the time to do this effectively.
What to do next
If you're operating in any of these five verticals, three actions produce immediate value:
Action 1: Measure honestly. Sample-audit your fraud rate across your category's specific mechanisms. The result will likely surprise you. The first honest measurement is the hardest because it forces uncomfortable conversations, but it's the foundation for everything else.
Action 2: Identify your highest-leverage defense point. iGaming: signup and bonus claim. Crypto: distribution event verification. FinTech: login and loan application. AdTech: pre-bid impression evaluation. E-commerce: checkout and returns.
Action 3: Deploy multi-layer detection at that point. Single-layer defenses fail against sophisticated attackers. The architecture that holds up is layered, with coherence checks across layers, polymorphic client code, and cross-customer signal sharing.
The honest expectation: deployment improves fraud loss by 50–80% in the first 90 days for most platforms. Mature platforms with better baseline defense see smaller improvements; less mature platforms see larger ones. The ROI math works in every vertical: detection infrastructure costs are tiny relative to fraud loss for any platform above modest revenue scale.
Where Tracio fits
Tracio is device intelligence purpose-built for high-fraud verticals. The architecture covers the signals that hold up across all five verticals — network, device, behavioral, coherence, cross-customer — with vertical-specific rule templates for iGaming, Crypto, FinTech, AdTech, and E-commerce.
Deployment is fast: one SDK on the page, server-side verify calls at the decision points. The polymorphic JavaScript layer rotates daily. The verdict returns in under 50 milliseconds.
The free tier covers 2,500 verifications per month — enough to run a meaningful pilot on a subset of your traffic and produce data that demonstrates your actual fraud rate.
Want to see what your fraud rate actually looks like?
Start your free trial — 2,500 verifications free, no credit card. Book a demo to walk through the fraud patterns specific to your vertical with our team.