What Is Account Creation Fraud?

Account creation fraud–also referred to as new account fraud (NAF) or fake accounts fraud–is the act of fraudsters creating accounts on online services with malicious intent.

There are many variations in how and why fraudsters engage in this activity (and we will cover these below in detail), but the general ideas are the same:

• A fraudster creates accounts on an online service with malicious intent using fake or stolen identity information.

 

• A fraudster uses fake accounts to conduct fraudulent activity for the purpose of monetization (directly or indirectly).

The tactics of account creation fraud vary between different online services depending on the information required for account creation, the information verification processes, and eventually the ways that accounts can be used for illegitimate activity. Some examples of these differences between services are as follows:

• Online gaming platforms: A valid email address alone is sometimes sufficient to create an account. Once created, a fake account may be used, for example, to spam other players or to gain in-game assets that can then be transferred.

 

• Online retail and e-commerce: An email address and basic details such as gender and name are usually sufficient for account creation. A fake account may be used, for example, for credit card testing (i.e., simply verifying that account details and credit card details are valid) or as part of accounts referral chaining to collect referral bonuses.

 

• Financial services: Account creation usually requires highly detailed account information such as an address, phone number, and social security number. A fake account may be used, for example, to access credit.

A bad actor goes through the account registration flow using fake or stolen account details, described in detail as follows:

• Stolen account details, a.k.a. identity theft: The fraudster uses details of real people, such as a real and matching name and email address. In these cases, besides the service provider, the true identity owner is also a victim.

 

• Fake account details, a.k.a. synthetic identities: The fraudster uses fake identity information or partially real identity information (such as a real name and ID with a fake email and phone number).

Depending on the registration flow for the specific service, the fraudster may need to go through verification processes such as email or phone number verification. The fraudster will obviously use details that they can verify if needed; this may include using online services that provide virtual/dummy email addresses and phone numbers. Or, in the case of a more sophisticated attack, the fraudster may first gain access to a victim’s email or phone or use social engineering to trick the victim into verifying their account details.

Once the fraudster manages to create the account, they may use it to conduct illegitimate activity, or they may sell this account on dark forums for others to leverage it. Depending on the specific service and the scam and goals of the fraudster (e.g., spamming, testing credit cards, gaining credits and promos), they will login to the account and use it to achieve their goals.

In many cases, in order to scale, fraudsters may use bots to register many accounts in short periods of time with minimal human labor. This means that the fraudster–a bot operator in this case–prepares a list of account details to be used by the bot and provides this list as input to the bot. The bot then registers the accounts accordingly.

There are several approaches to the detection of account creation fraud.

1. Account details assessment: Third-party vendors can verify the validity of provided details. For example, there are services that check the details against public records, check the reputation of email addresses/phone numbers, or force verification of email addresses/phone numbers using out-of-band verification requests (e.g., OTP sent to an email address/phone number).

 

2. Transaction assessment: The risk/legitimacy of an account creation attempt can be assessed based on the provided account details in combination with device and network attributes (e.g., IP, location, languages).

 

3. Behavioral assessment: The risk/legitimacy of an account creation attempt can be assessed based on the behavioral attributes of the user going through the account creation journey. Behavioral anomalies may include repeat account creations from the same device or behavioral patterns that reflect that the user is unfamiliar with the account details (e.g., a user is expected to be able to type their own name, ID, and email address fluently). The behavior of the user following account creation also reflects their intention. For example, if the user immediately creates referral codes and uses them to create more accounts, this reflects an intention for referral abuse.

 

4. Bot detection: As mentioned above, bots are often used to scale account creation fraud. Using bot detection in the account creation journey can detect such bots.

Account creation fraud can be prevented by blocking or adding challenges to the account creation flow according to the risk level provided using the detection methods described above. Challenges may include adding account verification steps such as email verification/phone number verification and using identity verification services (e.g., PingOne Verify).

Applying fraud detection and risk assessment as part of user journeys and transactions beyond the account creation process can also prevent the monetization of illegitimate accounts by fraudsters (in case they do manage to create an account without getting caught). Examples include invoking risk assessment when an account is being used as a referral or when a payment method is added to an account. Fraud detection and risk models will identify the usage of the account as illegitimate based on the data collected during account creation in conjunction with the data collected on the user journey and transactions following account creation.

There’s no single approach that covers all account creation fraud for all services. A combination of several approaches is the best way to go. Ping can provide account details verification via PingOne Verify. PingOne Fraud and PingOne Risk cover transaction assessment, behavioral assessment, and bot detection. DaVinci can be used to orchestrate detection and enforcement, including connections with third-party vendors.