By NHI Mgmt Group Editorial TeamPublished 2026-03-19Domain: Identity Beyond IAMSource: Prove Identity

TL;DR: Spark Wallet said bot fraud was draining rewards spend and slowing onboarding, with fake accounts bypassing earlier identity checks until it used Prove identity verification and authentication tools to block bots and simplify sign-up. The case shows that fraud controls must reduce abuse without creating avoidable customer friction.


At a glance

What this is: This case study shows how a fintech says it reduced bot fraud while making onboarding faster by using identity verification and authentication signals to block fake account creation.

Why it matters: It matters because fraud teams, IAM leads, and identity architects have to balance verification strength with conversion, especially where rewards, account opening, and authentication flows attract abuse.

By the numbers:

👉 Read Prove Identity's case study on stopping bot fraud in fintech onboarding


Context

Bot fraud in onboarding is a trust and economics problem as much as a security problem. When fake accounts can pass early checks, teams end up adding more friction, which then harms legitimate users and shifts the cost of verification into abandonment and support overhead. In fintech, where rewards and incentives are part of the product, the identity boundary becomes part of revenue protection, not just access control.

The identity angle is straightforward: onboarding controls must distinguish a real customer from a synthetic account without turning verification into a conversion blocker. That is why identity verification, behavioural signals, and authentication telemetry increasingly need to work together rather than as separate point solutions. For practitioners, this is a familiar pattern that also appears in account opening, fraud prevention, and privileged workflow approval.


Key questions

Q: How should security teams stop bot fraud without hurting onboarding conversion?

A: Use layered identity signals and risk-based challenge steps instead of forcing every user through the same verification path. The best control pattern is adaptive: low-risk users move quickly, while suspicious automation receives stronger checks or blocking. Pair fraud loss metrics with abandonment data so you can see whether the control is actually working.

Q: Why do rewards and incentive programmes attract bot abuse?

A: Rewards create an immediate financial target, which makes onboarding fraud profitable at scale. Attackers do not need long dwell time if they can create enough synthetic accounts to extract value quickly. That is why incentive-heavy flows need stronger identity assurance than ordinary sign-up journeys.

Q: What do teams get wrong about identity verification for bot defence?

A: They often treat identity verification as a one-time gate instead of a continuous trust decision. Bots can pass a narrow check and still behave fraudulently later, especially if the environment relies on static proofing methods. Effective defence uses ongoing signal correlation and reviews where the fraud actually appears in the journey.

Q: Who should be accountable when onboarding fraud keeps getting through?

A: Accountability should sit across fraud operations, IAM, and product teams because the failure spans trust, access, and user experience. If only one team owns the control, the programme usually optimises for its own metric and misses the broader risk. Clear ownership prevents blind spots between verification design and abuse response.


Technical breakdown

Why bot fraud bypasses traditional onboarding checks

Bot fraud usually succeeds when attackers can automate account creation faster than a verification flow can raise suspicion. Scripts reuse disposable infrastructure, vary phone numbers or devices, and exploit weak confidence signals such as low-friction form fills or one-time checks. Liveness tests, document scans, and simple CAPTCHA-style barriers can slow the attacker, but they do not prove that the same person remains behind each step. In high-volume consumer onboarding, the control problem is identity continuity, not just initial proofing.

Practical implication: move beyond single-point verification and evaluate whether your onboarding flow can distinguish repeatable automation from a stable human identity.

How risk signals improve identity verification and authentication

Risk scoring works by combining multiple signals into a single reputation view. In this case, the article points to phone number tenure, device tenure, SIM swap activity, velocity, and behavioural anomalies as the inputs behind a Trust Score. That approach is useful because bot traffic often looks legitimate in one dimension but becomes obvious when signals are correlated. The technical advantage is not certainty, but a better probability threshold for allowing, challenging, or blocking the session.

Practical implication: tune fraud decisions around correlated signals, then review which inputs actually predict abuse in your onboarding population.

Balancing fraud prevention with customer experience

The hardest part of bot mitigation is not detection alone, but applying controls without making legitimate sign-up difficult. Passive authentication and pre-fill reduce typing and repeated checks, which matters in mobile journeys where users abandon long forms quickly. For identity programmes, this is also a governance issue: if the control raises friction too often, teams will quietly weaken it, creating a loop where the process looks secure but fails in practice. Effective design treats usability as a control requirement, not a marketing concern.

Practical implication: measure abandonment alongside fraud loss so that security controls are judged on both protection and completion rates.


Threat narrative

Attacker objective: The attacker wants to monetise synthetic accounts by extracting rewards, abusing onboarding incentives, and scaling fraud faster than the business can detect it.

  1. Entry begins with scripted account creation that imitates real users during onboarding and reward sign-up flows.
  2. Credential or identity signals are then probed with disposable phone numbers, devices, or low-trust attributes to pass weak checks.
  3. Impact occurs when fake accounts consume incentives, distort revenue, and force defenders to add more friction for legitimate customers.

NHI Mgmt Group analysis

Bot fraud is an identity assurance problem, not just a fraud operations problem. When fake accounts can clear onboarding, the issue is that the trust boundary is too shallow, not that the fraud team is underpowered. Identity verification has to operate as a live control plane across proofing, authentication, and behavioural review. For practitioners, the governance question is whether the programme can stop synthetic identities before they become funded or rewarded accounts.

Synthetic identity friction is a lifecycle failure mode: once a fake account enters the system, every downstream reward, entitlement, or authentication decision becomes more expensive. That is why the value of a control is not only in blocking abuse, but in preventing the creation of a persistent fraudulent identity record. In IAM terms, the onboarding event is the first access decision, and it should be treated with the same discipline as privileged access approval.

Signal fusion is now the practical standard for consumer identity risk. No single attribute, such as a document scan or a phone number, is enough to establish trust when attackers can automate at scale. The better model is layered and probabilistic: combine device history, tenure, velocity, and behavioural patterns, then define a clear action threshold. For practitioners, that means tuning for business outcomes, not for the illusion of perfect verification.

Frictionless identity controls are becoming a competitive requirement, not a nice-to-have. If the control stack causes abandonment, teams will either lose customers or weaken the control later. That creates governance debt, where a supposedly secure process survives only because it has not yet been challenged at scale. The practical conclusion is that fraud prevention, authentication, and conversion must be designed as one programme.

What this signals

Synthetic identity controls will increasingly be judged on economic outcomes, not just fraud scores. As onboarding volumes rise, teams need a control model that preserves conversion while cutting abuse, and that means tying risk decisions to abandonment, incentive leakage, and downstream account quality. Where fraud and IAM share signals, the governance model must make those signals visible to both teams.

Identity programmes that stop at proofing will keep missing the real abuse window. The practical shift is toward continuous assurance across session, device, and behaviour, especially in consumer journeys that attract automated sign-up. For identity leaders, this is a reminder that verification and authentication are now part of one operational lifecycle, not separate projects.


For practitioners

  • Separate synthetic-account detection from generic onboarding checks Measure bot behaviour against the specific steps where fake accounts enter your funnel, then add controls before rewards, funded actions, or account activation. Use challenge escalation only where risk signals justify it.
  • Correlate identity signals before you block or challenge Combine device tenure, phone reputation, velocity, and behavioural patterns into one risk decision rather than relying on a single signal. Review false positives by segment so the threshold reflects your customer mix.
  • Treat abandonment as a control metric Track completion rate, support contacts, and retry frequency alongside fraud losses so you can see when verification is pushing real users away. This helps prevent teams from solving fraud by weakening the control.
  • Harden reward-triggered workflows first Prioritise any journey where incentives, cashback, or bonuses can be monetised quickly. These flows attract bot abuse faster than standard account creation, so they should have the strongest risk thresholds.
  • Map onboarding controls to identity governance ownership Assign clear accountability for proofing, authentication, and fraud decision tuning across fraud, IAM, and product teams. Without ownership, teams tend to optimise the same flow in conflicting ways.

Key takeaways

  • Bot fraud thrives when onboarding controls can validate a form but not a human.
  • The operational evidence is clear: fake accounts create real revenue loss and real user friction at the same time.
  • Teams that correlate risk signals and measure abandonment can tighten fraud controls without damaging conversion.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST AI RMF set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63BThe article centers on authentication assurance and identity proofing friction.
NIST CSF 2.0PR.AC-1Identity proofing and access control determine whether synthetic users enter the system.
GDPRArt.32Identity verification systems processing personal data need appropriate security safeguards.
NIST AI RMFMANAGEFraud risk scoring and human oversight fit the AI RMF manage function where automated decisions are used.

Use SP 800-63B to balance authentication strength with usable onboarding and adaptive risk checks.


Key terms

  • Bot Fraud: Bot fraud is the use of automated scripts or synthetic accounts to imitate legitimate users and exploit digital services. In onboarding and account-opening flows, it typically aims to extract incentives, distort metrics, or bypass identity checks at scale.
  • Identity Verification: Identity verification is the process of testing whether a person or account truly corresponds to the claimed identity. In modern digital journeys it combines documentary, device, behavioural, and authentication signals to reduce fraud without creating unnecessary user friction.
  • Trust Score: A trust score is a risk-based measurement that condenses multiple identity and device signals into a single reputation value. It helps teams decide whether to allow, step up, or block a session based on observed behaviour and historical confidence.
  • Synthetic Identity: A synthetic identity is a fabricated or blended persona built from real and fake attributes to pass onboarding checks. It can appear legitimate at first, then be used for fraud, rewards abuse, or longer-term account exploitation.

What's in the full article

Prove Identity's full case study covers the operational detail this post intentionally leaves for the source:

  • How Spark Wallet configured Prove Pre-Fill, Prove Auth, and Trust Score in its mobile onboarding flow
  • The fraud and revenue impact narrative from Spark Wallet's CEO, including how fake-account losses affected incentives
  • The practical experience of reducing user friction while keeping bots out of the sign-up journey
  • The webinar and consultation path mentioned by Prove for teams evaluating a similar onboarding model

👉 The full Prove Identity case study covers the onboarding flow, fraud signals, and customer experience details behind Spark Wallet's results.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, secrets management, and identity lifecycle controls. It is a useful fit for practitioners who need to connect identity assurance to broader security and fraud programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org