By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: SiftPublished July 6, 2026

TL;DR: Account creation fraud now costs victims $5.3 billion a year and added 10-hour average resolution times in 2023, according to Javelin Strategy’s 2024 Identity Fraud Study, while fraudsters use bots, synthetic identities, and rotating infrastructure to create “born bad accounts.” Registration controls alone do not close the lifecycle gap that follows signup.


At a glance

What this is: This is an analysis of account creation fraud and the finding that signup-time controls alone are not enough to stop “born bad accounts.”

Why it matters: It matters because identity teams must govern the full account lifecycle, or fraudulent accounts will pass onboarding, activate later, and become infrastructure for abuse across the platform.

By the numbers:

👉 Read Sift's analysis of account creation fraud detection and prevention


Context

Account creation fraud happens when an attacker uses stolen, false, or synthetic identity data to create an account that looks legitimate at signup but is fraudulent from the start. For IAM and fraud teams, the problem is not simply bad registration data. It is the gap between what the onboarding flow can verify and what the account can do after activation.

That gap matters because platforms often treat signup as the control point, then assume the account is trustworthy once it passes checks such as CAPTCHA, email verification, or document review. In practice, fraudsters adapt quickly, using automated registration tooling, device rotation, and synthetic identity construction to create accounts that survive long enough to monetize abuse.

The lifecycle lesson is clear. Account creation fraud is not just a front-door problem, but an identity governance problem that spans provisioning, monitoring, and post-activation review. That is a familiar failure mode across human IAM and NHI governance: if the account can persist, it can be weaponised.


Key questions

Q: What breaks when account creation controls only look at signup-time signals?

A: Fraudsters can pass the front door with synthetic identities, temporary infrastructure, or automated form completion, then activate the account later for abuse. When teams rely only on registration checks, they miss the behaviour that reveals intent after creation. The result is a trusted-looking account that was never trustworthy.

Q: Why do account creation fraud programs need lifecycle monitoring?

A: Because the real loss often happens after the account is created. Referral abuse, payment fraud, spam, and marketplace manipulation typically appear in the first days or weeks of activity. Lifecycle monitoring catches those patterns when the account begins to act, which is when fraud becomes visible.

Q: How do security teams know whether account creation fraud is outpacing controls?

A: Look for rising volume of new accounts with no organic activity, elevated chargebacks or disputes tied to recent registrations, and clusters of accounts sharing device or network traits. If fraud shows up only after activation, your onboarding checks are not enough on their own.

Q: Who is accountable when fraudulent accounts are allowed to persist after signup?

A: Accountability should sit with the teams that own the full lifecycle, not only the registration flow. Fraud, IAM, and platform operations all have a role because the failure is shared. If creation is treated as the end of governance, the organisation will keep absorbing avoidable loss.


Technical breakdown

Why registration checks fail against synthetic identities

Registration controls are designed to validate a single moment in time. CAPTCHA, phone verification, and document checks raise cost, but they do not prove the account is tied to a trustworthy identity. Synthetic identities are especially effective because they combine real and fabricated elements, which helps them pass automated checks and establish a clean early history. Once they survive onboarding, they can be used for promotion abuse, payment fraud, content spam, or marketplace manipulation. The technical weakness is not one control, but the assumption that identity proofing at signup is enough to establish long-term trust.

Practical implication: treat registration as an entry signal, not a trust verdict.

How bots and infrastructure evade velocity controls

Fraud operations scale by automating registration and rotating the indicators that simple rules depend on. They change email addresses, device fingerprints, IP addresses, and sometimes browser emulation patterns to avoid velocity-based detection. Headless browsers and device emulators can produce behaviour that is close enough to normal browsing to defeat basic bot controls. This makes network, device, and behavioural telemetry more valuable than form-field validation alone. The key technical point is that the same campaign can present as many distinct accounts while still leaving coordination signals in the background infrastructure.

Practical implication: correlate device, network, and behavioural signals across registrations, not just within one session.

Why account lifecycle monitoring catches what signup misses

Accounts that pass registration may still be fraudulent, but their intent often becomes visible after activation. Immediate referral abuse, early payment attempts, abnormal content creation, and repeated high-risk actions are strong post-registration indicators. Linking these behaviours back to shared fingerprints, shared network infrastructure, or similar identity patterns helps identify fraud rings rather than isolated bad signups. This is a lifecycle problem because the account becomes risky only after it begins to act. That means detection must continue after the onboarding event, not stop when the account is created.

Practical implication: build post-activation review into your fraud and identity workflow.


Threat narrative

Attacker objective: The attacker wants a persistent, believable account that can be monetised later for fraud, abuse, and platform exploitation.

  1. Entry begins when a fraudster creates a new account with stolen, false, or synthetic identity data that can pass registration checks.
  2. Escalation follows when automated tooling rotates email addresses, device fingerprints, IP addresses, and browser behaviour to avoid velocity-based detection.
  3. Impact arrives when the “born bad account” is used for promo abuse, payment fraud, marketplace manipulation, or multi-accounting at scale.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Account creation fraud is a lifecycle failure, not a signup failure. The article shows that once a fraudulent account survives registration, it can be reused for promotion abuse, payment fraud, and marketplace manipulation. That means the control boundary cannot stop at proofing or CAPTCHA. The relevant governance question is how identity teams monitor the account after activation, because that is where the monetisation happens.

Born bad accounts behave like unmanaged identities after creation. They are provisioned with no legitimate trust basis, then allowed to accumulate activity and reputation until they become useful to attackers. That pattern mirrors NHI sprawl, where an identity is created faster than it is governed. The practitioner implication is that lifecycle visibility matters as much here as it does for service accounts and tokens.

Account creation fraud exposes the weakness of static trust decisions. The same registration flow can look safe in isolation while still accepting coordinated fraud rings over time. Behavioural, device, and network telemetry are therefore not optional enrichment, they are the only way to see identity abuse as a sequence rather than a point event. Teams that treat onboarding as the whole control plane will keep missing the fraud that arrives later.

Identity trust should be measured by post-activation behaviour, not completion of form checks. The article’s core lesson is that successful fraud prevention depends on judging whether an account behaves like a trusted user after creation. That is a governance discipline, not just a detection rule. Practitioners need to align fraud operations, IAM review, and risk scoring around account lifecycle outcomes, not signup completion alone.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity governance breaks down after creation rather than at creation.
  • For a broader lifecycle lens, the NHI Lifecycle Management Guide shows why provisioning, review, and offboarding must be managed as one control chain.

What this signals

Born bad accounts are the fraud equivalent of unmanaged identities: once an account survives the initial check, the governance problem shifts to monitoring, linkage, and offboarding. That is why teams need to think like identity operators, not just fraud screeners. The same lifecycle discipline that matters for service accounts also matters for user accounts that can be weaponised after signup.

With 97% of NHIs carrying excessive privileges according to the Ultimate Guide to NHIs, identity programmes already know what privilege drift looks like in machine estates. The account creation fraud lesson is similar. If you do not track how a newly created identity behaves after issuance, you will miss the point where trust turns into abuse.

Account age becomes an operational control: the first days and weeks after creation are where synthetic and coordinated fraud often reveal themselves. That means review queues, anomaly detection, and lifecycle monitoring should all be tuned around early-account behaviour, not just onboarding completion. Practitioners should expect this to become a standard part of broader identity governance.


For practitioners

  • Move controls beyond the registration form Correlate device, network, behavioural, and identity signals across the full account journey so high-risk accounts can be challenged after signup, not only at the door.
  • Flag post-activation abuse patterns early Watch for new accounts that immediately hit referral programs, register payment methods, or create content at abnormal volume, then route those accounts to review before they compound loss.
  • Link clusters instead of isolated accounts Use shared email patterns, IP infrastructure, and device identifiers to identify coordinated fraud rings that would look benign if each account were evaluated alone.
  • Treat account age as a risk signal Prioritise accounts in the first 30 to 90 days when fraud events cluster, because early lifecycle behaviour often reveals intent that initial verification missed.

Key takeaways

  • Account creation fraud is a lifecycle issue because fraudulent identities often become visible only after activation.
  • The scale is material, with Javelin reporting $5.3 billion in victim cost and a 35% annual increase in 2023.
  • Effective defence requires post-registration monitoring, account linkage, and lifecycle-based review rather than signup checks alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST-SP 800-53 Rev 5 Security and Privacy Controls set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Account creation fraud is an identity proofing and access grant problem.
NIST SP 800-63SP 800-63AIdentity proofing guidance fits account creation and synthetic identity risk.
OWASP Non-Human Identity Top 10NHI-02Lifecycle governance helps frame newly created fraudulent accounts as identities needing control.
NIST-SP 800-53 Rev 5 Security and Privacy ControlsIA-2Account authentication controls are central to limiting fraudulent account creation.

Strengthen identity proofing and authentication checks at registration, then validate behaviour after issuance.


Key terms

  • Account Creation Fraud: Account creation fraud is the creation of a new account using false, stolen, or synthetic identity data. The account may pass onboarding checks and still be fraudulent from the start, which makes lifecycle monitoring essential because the abuse often appears after the account is activated.
  • Synthetic Identity: A synthetic identity is a software-based actor that can authenticate, request access, and execute actions without being a human user. In practice, this includes AI agents, bots, service accounts, tokens, and other machine identities that need clear ownership, scope, and revocation.
  • Born Bad Account: A born bad account is an account that was never legitimate, even if it initially appears valid. The term matters because the threat is not takeover of a trusted identity, but the creation of a fraudulent one that can later be used as platform infrastructure.
  • Velocity-Based Detection: Velocity-based detection looks for too many actions from the same source in too short a time, such as repeated registrations from a device or IP range. It is useful, but fraudsters can evade it by rotating infrastructure and spreading activity across many low-signal attempts.

What's in the full article

Sift's full article covers the operational detail this post intentionally leaves for the source:

  • A practical breakdown of registration-time signals such as device, network, email, and behavioural indicators.
  • Examples of how fraud teams layer real-time blocking, review queues, and post-registration monitoring.
  • Guidance on identifying synthetic identity patterns and coordinated multi-account activity.
  • A lifecycle approach to reducing abuse after onboarding rather than stopping at initial verification.

👉 Sift's full post covers signal strategy, lifecycle monitoring, and fraud patterns across registration and activation

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org