When it comes to online fraud, many organizations put a lot of focus on protecting existing accounts from account takeover and ensuring that credentials, PII, and other relevant account information remain safe. However, bad actors can do a lot of damage at the point of registration as well. Let's take a look at new account fraud - what it is, what bad actors stand to gain, how it happens, and why and how you can defend against it.
Account creation fraud–also referred to as new account fraud (NAF) or fake accounts fraud–is the act of fraudsters creating accounts on online services with malicious intent.
There are many variations in how and why fraudsters engage in this activity (and we will cover these below in detail), but the general ideas are the same:
A fraudster creates accounts on an online service with malicious intent using fake or stolen identity information.
A fraudster uses fake accounts to conduct fraudulent activity for the purpose of monetization (directly or indirectly).
With the surging use of online services, NAF has quickly become a pervasive issue across the globe. In fact, losses to new account fraud totaled an astounding $3.2 billion in the year 2022 alone. While NAF will have direct financial impacts on a business, an overabundance of fake accounts on any platform will also tarnish its reputation among users.
Not only is new account fraud common, but the problem is growing worse. As the Federal Trade Commission (FTC) reports, "Fraudsters using stolen identity information to open new bank accounts under a victim's name grew by 32% in 2022." This same level of fraudulent activity is seen across other important industries - from healthcare to ecommerce.
A bad actor goes through the account registration flow using fake or stolen account details, described in detail as follows:
Stolen account details, a.k.a. identity theft: The fraudster uses details of real people, such as a real and matching name and email address. In these cases, besides the service provider, the true identity owner is also a victim.
Fake account details, a.k.a. synthetic identities: The fraudster uses fake identity information or partially real identity information (such as a real name and ID with a fake email and phone number).
Depending on the registration flow for the specific service, the fraudster may need to go through verification processes such as email or phone number verification. The fraudster will obviously use details that they can verify if needed; this may include using online services that provide virtual/dummy email addresses and phone numbers. Or, in the case of a more sophisticated attack, the fraudster may first gain access to a victim’s email or phone or use social engineering to trick the victim into verifying their account details.
Once the fraudster manages to create the account, they may use it to conduct illegitimate activity, or they may sell this account on dark forums for others to leverage it. Depending on the specific service and the scam and goals of the fraudster (e.g., spamming, testing credit cards, gaining credits and promos), they will login to the account and use it to achieve their goals.
In many cases, in order to scale, fraudsters may use bots to register many accounts in short periods of time with minimal human labor. This means that the fraudster–a bot operator in this case–prepares a list of account details to be used by the bot and provides this list as input to the bot. The bot then registers the accounts accordingly.
The tactics of account creation fraud vary between different online services depending on the information required for account creation, the information verification processes, and eventually the ways that accounts can be used for illegitimate activity. Some examples of these differences between services are as follows:
Online retail and ecommerce: An email address and basic details such as gender and name are usually sufficient for account creation. A fake account may be used, for example, for credit card testing (i.e., simply verifying that account details and credit card details are valid) or as part of accounts referral chaining to collect referral bonuses.
Financial services: Account creation usually requires highly detailed account information such as an address, phone number, and social security number. A fake account may be used, for example, to access credit or apply for a loan. Often, fraudsters will create synthetic identities that pass simple identification checks in order to perpetrate this kind of fraud.
Online gaming platforms: A valid email address alone is sometimes sufficient to create an account. Once created, a fake account may be used, for example, to spam other players or to gain in-game assets that can then be transferred.
There are several approaches to the detection of new account fraud.
Account details assessment: Third-party vendors can verify the validity of provided details. For example, there are services that check the details against public records, check the reputation of email addresses/phone numbers, or force verification of email addresses/phone numbers using out-of-band verification requests (e.g., OTP sent to an email address/phone number).
Transaction assessment: The risk/legitimacy of an account creation attempt can be assessed based on the provided account details in combination with device and network attributes (e.g., IP, location, languages).
Behavioral assessment: The risk/legitimacy of an account creation attempt can be assessed based on the behavioral attributes of the user going through the account creation journey. Behavioral anomalies may include repeat account creations from the same device or behavioral patterns that reflect that the user is unfamiliar with the account details (e.g., a user is expected to be able to type their own name, ID, and email address fluently). The behavior of the user following account creation also reflects their intention. For example, if the user immediately creates referral codes and uses them to create more accounts, this reflects an intention for referral abuse.
Bot detection: Bots are powerful tools that criminals can utilize to conduct at NAF at scale. As artificial intelligence (AI) becomes more commonplace in the business world, there is also a proliferation of this technology in the underground. Looking to the future, it is likely that large language model (LLM) AI will be used as a tool for the creation of fraudulent identities at scale. As AI-generated synthetic identities increase in quality, it will take robust detection technology to tell the difference between human behavior and that of bots when creating new accounts.
While the ability to detect new account fraud is essential for protecting both businesses and users, prevention is always the best strategy. Unfortunately, once NAF is detected, it means that some fraudulent activity has already taken place. Whether it be an ecommerce platform or a financial services website, stopping bad actors in their tracks with a fraud prevention tool is the desired approach to fighting NAF.
Blocking or adding challenges to the account creation flow according to the risk level provided using the detection methods described above can help with new account fraud prevention. Challenges may include adding account verification steps such as email verification/phone number verification and using identity verification services (e.g., PingOne Verify). Onboarding and Know Your Customer (KYC) checks are a vital line of defense in certain industries to prove identities before an account is considered legitimate.
Applying online fraud detection and risk assessment as part of user journeys and transactions beyond the account creation process can also prevent the monetization of illegitimate accounts by fraudsters (in case they do manage to create an account without getting caught). Examples include invoking risk assessment when an account is being used as a referral or when a payment method is added to an account. Fraud detection software and risk models will identify the usage of the account as illegitimate based on the data collected during account creation in conjunction with the data collected on the user journey and transactions following account creation.
| Account Verification Steps | Organizations should verify the legitimacy of account details at the time of creation. For example, they can check the reputation of email addresses and phone numbers against public records. Businesses can also utilize MFA techniques like email magic links and SMS OTPs to force the verification of important account details. |
| Identity Verification / Identity Proofing | Organizations also need to check that new users are who they claim to be. Depending on the industry, there are different Know Your Customer (KYC) practices employed for identity verification. To illustrate, a bank might require a valid ID document for a new account, while ecommerce sites may only employ identity verification when selling extremely high-value or age-restricted goods. |
| Device & Network Reputation and Anomalies | Detecting anomalies and malicious intent based on device and network attributes of the client device registering and using the account. For example detecting traffic coming from anonymized networks, data centers, devices with abnormal hardware attributes, forged device attributes etc. |
| Behavioral Assessment / Bot Detection | Behavioral assessments protect against fraudsters and bots by monitoring new accounts for anomalous activity. The legitimacy of a new account is assessed based on the behavioral attributes of a user while they go through the account creation journey. This assessment should be able to identify non-human ways of interacting with a device to weed out bots and emulators. Repeat account creations from the same device or IP address, as well as behavioral patterns that show the user is unfamiliar with account details, are also key indicators of a bad actor or bot. Strange behavior immediately following account creation - like the use of referral codes to open multiple new accounts - is also a red flag. |
At Ping Identity, we’re well aware there is no single approach that covers all new account fraud for all services. As such, a combination of several tools that cover the entire identity lifecycle is the best way to stop NAF.
Not only do Ping Identity products work together to prevent fraud, but they also provide exceptional user journeys that help lessen login fatigue and lower abandonment rates.
PingOne Verify is a powerful tool that utilizes facial recognition technology and mobile scanners for ID documents to ensure people are who they claim to be. During account creation, PingOne Verify prevents NAF by verifying the legitimacy of a government-issued ID document and matching it against a selfie, adding liveness detection to ensure that the person completing the verification matches the person to whom the ID document belongs. This stops cybercriminals from creating accounts using stolen and synthetic identities.
PingOne Protect is a robust threat protection platform that covers attack vectors, assigns risk scores, and triggers mitigation tools like MFA to stop new account fraud. Since it’s specifically engineered to spot key NAF risk predictors, the platform will easily catch anomalous activity associated with bots and bad actors. This allows organizations to offer simple and convenient registration experiences with the confidence that cybercriminals won’t be able to take advantage of them.
Watch this video to learn more about PingOne Protect.
PingOne DaVinci is a no-code orchestration platform that allows organizations to integrate a variety of NAF detection and prevention tools - including connections with third-party vendors. Fraud prevention can be embedded directly into the account creation process, making registration smooth and easy for legitimate users while keeping fraudsters out.
