New Account Fraud: What It Is and How to Prevent It

Allowing fraudsters to sign up for online accounts without thoroughly scrutinizing them for signs of malicious intent is an easy pitfall to tumble into. As many organizations increasingly shift their business models into the digital space, they are also increasingly relying on automated digital onboarding processes to roll out the red carpet for new customers. Naturally, this red carpet doesn’t offer the same de facto security as in-person onboarding. How, then, should these businesses balance attracting the most customers without opening themselves up to increased account takeovers, dummy accounts opened with synthetic IDs, and other forms of new account fraud?

Thankfully, there are ways to circumvent both the risks and the damages of new account fraud. Let’s take a closer look at the crime, including prevention techniques, and the various stages involved when such attacks take place.

What Is New Account Fraud?

New account fraud is the process of a fraudster signing up for an account, such as a bank account, using a false identity. That false identity may be a product of them creating a completely fake identity (identity fraud), logging in using another user’s login credentials without authorization (account takeover), or using a combination of fake and real identity information (identity manipulation).

No matter what a new account fraudster’s methods and aims are, they commit the crime in the hope that their false account will make their identity, and therefore their culpability, harder to detect.

The financial damage associated with new account fraud is substantial. According to Javelin Strategy and Research, in 2021, nearly $7 billion of US consumers’ money was lost following new account fraud attacks.

How Does New Account Fraud Work?

New account fraud works whenever fraudsters manage to sign up for a service as someone they are not. However, it is worth noting that you cannot simply identify new account fraudsters based on the data they submit. This is because they often rely on existing people’s information to open new accounts.

Here are three ways in which a new account may be fraudulently opened. 

  • Invented information: in that case, the fraudster simply imagines a person’s name and address and submits it at the account opening stage. If the company that verifies the account needs an email address, for instance, the fraudster will simply create one for that purpose.
  • Synthetic information: when fraudsters need certain documents to pass the account opening checks, they will simply steal them. Using a person’s real ID and a fake email address, for instance, is known as synthetic ID fraud. According to McKinsey & Company, this is the fastest growing form of financial crime in the US.
  • Stolen identity: fraudsters sometimes sign up for an account entirely as another person. This is sometimes known as an account origination attack. It will see the attacker gather information about their target, create a fake identity based on that information, and open an account with it. This is common with financial services, where the attacker will apply for loans or make unauthorized purchases.

Note that new account fraud is also attempted at scale. Whether manually or using bots, fraudsters will try as many techniques as possible and repeat them numerous times to successfully open their accounts. While it may seem overwhelming, as if you are fighting an uphill battle, you can actually leverage that fact against fraudsters by identifying similarities between the fraudulent account opening attempts.

What Are the Steps of an Account Origination Attack?

An account origination attack involves a fraudster signing up for an account, such as a bank or credit card account, that belongs to another person – although they can also create it from scratch, as is the case with new account fraud. The steps of such an attack generally involve gathering information about the target, creating a fake identity, finding a target financial institution, and ultimately using that organization to set up a fraudulent account to use for malicious purposes.

  1. The attacker gathers information about their target.
  2. The attacker creates a fake identity based on that gathered information (therefore involving identity theft) or just a portion of it (synthetic identity fraud).
  3. The attacker finds a financial institution, uses the falsified identity to set up a fraudulent account, and (if all goes to plan) has that account become verified and ultimately active.
  4. The attacker then exploits whatever benefits the new account offers by committing crimes such as submitting fraudulent loan applications or making unauthorized purchases.

As touched on, the financial institution involved in an account origination attack is usually legitimate – but that’s not always the case. There can be instances where a financial institution may be in cahoots with an account origination fraudster. This further underscores the importance of researching any organization before you provide it with your personal information.

How Do You Prevent New Account Fraud?

To prevent new account fraud, you need to minimize vulnerabilities to such attacks, and also prepare an alert and response system to address them if and when they occur. In other words, such processes involve proactive and reactive measures, which respectively include the use of strong passwords and the reporting of suspicious activity.

Let’s take a closer look at these two examples, alongside some of the many other proactive and reactive approaches required.

| Type | Proactive Approaches | Reactive Approaches |
| --- | --- | --- |
| Password protection and multi-factor authentication (MFA) | Strengthen your password protection by regularly updating your passwords with wording and characters that can’t be easily guessed – or even go a step further by using random password generator apps, such as LastPass. On top of this, using MFA as often as possible (even when an application doesn’t require you to use it) is a very worthwhile way to bolster your password protection measures. | Change your password the moment that signs of new account fraud arise. Note that these signs could involve instances of identity theft, account takeover (ATO) fraud, and more. In fact, MFA should alert you the moment that someone signs into one of your accounts, so act accordingly – and as fast as possible – if this happens! |
| Cybersecurity software | Utilize fraud prevention software and other cybersecurity systems to help warn you of potential incoming attacks, such as ATOs, which can lead to new account fraud. | Ensure the best use of your cybersecurity applications by acting on any incident reporting software that your applications offer. By reporting a malicious account or webpage to your security software provider, you are helping that company fight new account fraud attempts that may occur in the future. |
| Link checking/link analysis | Hover your cursor over each link (or, if you’re on a touchscreen device, press down on each link) as this can reveal the full URL – and possibly even a preview of where the URL leads to – which will help you to gauge the legitimacy of a webpage before you access it. | If you do access a dangerous webpage, make a note of the link that you opened, report it, and keep it for your own records. By remaining vigilant and informed about dangerous links, you may be able to find the source of the threat and help the authorities to determine who may be committing new account fraud. |
| Background checks | Check the details of any new accounts that you are suspicious of and enhance that check with the right approaches to your research. By staying alert to updates from cybersecurity authorities, you can help make your background checks both well-informed and up-to-date with industry best practices. | If or when you find the culprit of a new account fraud attack, report (data protection laws allowing) the results of your background checks to the relevant authorities, as processes such as Know Your Customer (KYC) checks will help authorities track the attack’s source. |

While it may sound obvious, the sad truth is that there is no combination of proactive and reactive approaches to combating new account fraud that will guarantee your digital safety. This is especially true in the context of new account fraud because many new account fraud attempts can occur following identity theft when the targeted individuals were using legitimate, and therefore pre-approved, account documentation anyway.

That said, the above points of advice, especially when used in conjunction with each other, are effective tips to practice when attempting to both prevent and mitigate new account fraud.

Main Challenges in New Account Fraud Prevention

There are many challenges that arise in the context of preventing new account fraud, including customer friction, exploitability, and operational obstacles – that is, integrating new workflows, absorbing costs, and the overall time taken to implement such fraud prevention.

Let’s go into more detail about these challenges.

Customer Friction

Off-putting customer ID checks are an obvious example here. For an organization to attempt new account fraud prevention, they may direct new customers through security checks before they can even start using their accounts, whether it’s a bank account, email account, or otherwise.

The result is that, when faced with this friction, many would-be successful account applicants become disinterested in providing accurate personal identity information. They may even abandon the process altogether. In either event, this makes it harder for organizations to compile an accurate knowledge base for new account fraud prevention, because the best data simply never materializes.

Exploitability

As touched on earlier, many new account fraudsters use identity theft in the hopes that their use of stolen legitimate ID documents will help them to avoid failing a background check.

The very fact that fraudsters can simply rely on identity theft to circumvent security checks is a testament to the exploitability of new account fraud prevention methods. For example, many such fraud prevention methods rely only on personally identifiable information (PII) rather than in-person meetings, which can lead to a dangerous number of false negatives at the onboarding stage.

Operational Obstacles

It is costly, time-consuming, and not always easy to manage the methods involved in new account fraud prevention.

While there are innumerable examples of such methods, consider how burdensome it can be for just one organization to adopt them. A robust prevention program should include contracting a fraud management service, implementing it, maintaining in-built MFA software, training staff on the best practices in fraud prevention, carrying out identity checks on every account assignee, and continually monitoring those accounts for signs of ATO.

Together, these approaches are just the most basic framework to prevent new account fraud, and each component of that has the potential to place significant strains on an organization’s resources. This fact alone can make fraud prevention tactics challenging to implement effectively.

How to Detect New Account Fraud

While every company has its own red flag system designed to detect fraudsters, common ones include:

  • A temporary/disposable email address: while some users genuinely rely on them for privacy reasons, they are also favored by fraudsters, scammers, and cybercriminals.
  • Virtual SIM/invalid phone number: as phone verification becomes increasingly ubiquitous, phone numbers are great pointers in the fight to identify fraudsters.
  • Absence of social media profiles: thanks to data enrichment, it is possible to establish a link between phone numbers or email addresses and online profiles. If your customer has none, you have reasons to be suspicious.
  • Suspicious IP address: VPNs are increasingly popular, but some IP addresses may raise more eyebrows than others. For instance, those that point to Tor usage, low-reputation ISPs, or blacklisted IPs.
  • Non-matching data: a full name that isn’t the same as the one on a credit card can point to fraud. Similarly, an IP address that points to one country and an ID that points to another can be a red flag.
  • Emulator or virtual machine usage: fraudsters often rely on these tools to multiply their attempts when opening fraudulent accounts.
  • Previously seen device data: your computer, phone or tablet contains hundreds of software and hardware data points. If a device fingerprinting check returns a clean match, it means someone else has already signed up using the exact same configuration. Such a match is unlikely to occur by chance and should be investigated.

Note that red flags tend to vary depending on which industry you operate in. For instance, iGaming operators will keep a watchful eye on the customer’s age. An ecommerce business will double-check the shipping address, and a financial institution will be especially cautious about document verification.
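The red flags listed above, combined with the earlier point about spotting similarities between signup attempts, can be expressed as a weighted rule set. The following is an added example, not SEON's code or scoring model: the weights, thresholds, reference lists, field names and sample signups are all constructed for illustration.

```python
from collections import Counter, namedtuple

# Constructed reference data; a real deployment would use maintained feeds.
DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example"}
RISKY_IPS = {"203.0.113.7"}  # e.g. a known Tor exit or blacklisted address

# Hypothetical weights per red flag; tune them against labelled outcomes.
WEIGHTS = {"disposable_email": 25, "invalid_phone": 20, "no_social": 10,
           "risky_ip": 25, "country_mismatch": 20, "emulator": 30,
           "device_reuse": 35}

Signup = namedtuple("Signup", "email phone_valid social_profiles ip "
                              "ip_country id_country emulator device_hash")

def flags_for(s, device_counts):
    """Return the set of red flags raised by one signup."""
    checks = {
        "disposable_email": s.email.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS,
        "invalid_phone": not s.phone_valid,
        "no_social": s.social_profiles == 0,
        "risky_ip": s.ip in RISKY_IPS,
        "country_mismatch": s.ip_country != s.id_country,
        "emulator": s.emulator,
        # Same fingerprint on more than one signup links the attempts together.
        "device_reuse": device_counts[s.device_hash] > 1,
    }
    return {name for name, hit in checks.items() if hit}

def score_batch(signups, review_at=40, block_at=70):
    """Score each signup 0-100; device reuse is judged across the batch."""
    device_counts = Counter(s.device_hash for s in signups)
    results = []
    for s in signups:
        flags = flags_for(s, device_counts)
        score = min(100, sum(WEIGHTS[f] for f in flags))
        action = ("block" if score >= block_at
                  else "review" if score >= review_at else "allow")
        results.append((s.email, score, action, sorted(flags)))
    return results

SAMPLE = [  # constructed sample signups
    Signup("alice@corp.example", True, 3, "198.51.100.10", "GB", "GB", False, "dev-a"),
    Signup("x1@mailinator.example", True, 0, "203.0.113.7", "NL", "US", False, "dev-b"),
    Signup("x2@tempmail.example", False, 0, "198.51.100.22", "US", "US", True, "dev-b"),
    Signup("carol@tempmail.example", True, 2, "198.51.100.30", "DE", "US", False, "dev-c"),
]
```

A single weak signal, such as a disposable email used for privacy, leads to a manual review at most, while stacked signals and a shared device fingerprint push a signup over the block threshold.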

How Do Banks Prevent New Account Fraud?

There are many ways that banks try to prevent new account fraud, and prevent – rather than reactively combat – is the keyword. In other words, banks try to avoid new account fraud by ensuring that identity checks are carried out the moment they receive an application from someone interested in their bank.

This identity verification process involves document checks and fraud detection methods, including the cross-checking of utility bills with a person’s driving license and the assignment of a fraud risk score based on that person’s social media presence, email address accounts, and so on.

Most recently, these checks and anti-fraud measures by banks are being bolstered by an increasing reliance on biometric technologies, such as Face ID scans. This is crucial, as a person’s facial details and other physiological data are far harder to falsify than the info associated with general documentation.

Are Merchants Liable for New Account Fraud?

Not intrinsically, legally speaking: the most liable organization in the event of a new account fraud attack is the financial institution that allowed the falsified, fraudulent account to be set up in the first place.

That said, merchants do have a duty of care to protect themselves, their staff, and their legitimate customers by flagging suspicious individuals, ideally at the onboarding stage before an online transaction can even take place. Of course, even if preventing new account fraud wasn’t part of merchants’ due diligence for customer safety, it would still be in their financial best interests to do so!

As such, merchants may be found liable for new account fraud if they fail to carry out their legal responsibility to do necessary checks, such as KYC and customer due diligence, and report any suspicious individuals accordingly. 

How SEON Helps Combat New Account Fraud

SEON is adept at helping fraud teams identify suspicious individuals and risks associated with fraudulent behavior. For example, SEON is equipped to assign a fraud risk score to people who have a suspiciously low online presence across ecommerce and social media, which may be a smoking gun in terms of new account fraud.

SEON runs a social media lookup to catch suspicious account activity such as this, and it carries out plenty of other checks as well, such as IP checks that can flag potentially harmful internet addresses. Another vital feature is its ability to flag users who fail a password request multiple times. This is a red flag for new account fraudsters who have stolen a password – but one that was thankfully changed by the time they tried to use it.

It is technology such as this that helps SEON to inform and enhance your attempts to detect, flag, and hopefully thwart any new account fraudsters who may otherwise threaten your organization.
