By NHI Mgmt Group Editorial Team
Published 2026-05-11
Domain: Governance & Risk
Source: Arkose Labs

TL;DR: The FBI’s 2023 Internet Crime Report shows complaints up almost 10%, losses above $12.5 billion, and $2.5 billion in fraud starting at the online account level, according to Arkose Labs’ analysis of IC3 data. The pattern is clear: account registration and sign-in are now the front line for fraud deterrence, not just authentication.


At a glance

What this is: This is an analysis of FBI IC3 fraud data showing that rising losses and complaint volume increasingly start at account sign-in and registration.

Why it matters: It matters because IAM, NHI, and fraud teams need to treat account entry as a governance boundary, where identity controls must stop abuse before funds, credentials, or customer trust are lost.

By the numbers:

👉 Read Arkose Labs' analysis of FBI IC3 fraud trends and account-entry abuse


Context

Fraud increasingly begins where identity is first presented, not where a transaction is approved. In this analysis of FBI IC3 data, Arkose Labs argues that login and registration have become the highest-value control points because attackers can scale abuse with bots, phishing, and account takeover attempts faster than organisations can respond.

That shifts the problem from isolated fraud events to identity governance at the account-entry layer. For IAM, NHI, and fraud teams, the practical question is no longer whether attackers will try to steal credentials, but whether the organisation can detect and disrupt abuse before it becomes a monetised account compromise.


Key questions

Q: How should security teams stop fraud at account sign-in and registration?

A: Security teams should treat sign-in and registration as high-risk control points. Combine behavioural analytics, device fingerprinting, velocity checks, and adaptive challenges so suspicious attempts are blocked before a valid session forms. The goal is to reduce attacker ROI early, not to investigate every compromised account after loss has already occurred.

Q: Why do bots make online fraud harder to control?

A: Bots make fraud harder to control because they turn one attacker into many attempts. They can automate retries, rotate infrastructure, and probe weak points at scale until some percentage succeeds. That means fraud controls must focus on volume, repetition, and abnormal behaviour, not only on single login events.

Q: What breaks when fraud controls sit after authentication instead of before it?

A: Controls break when they are placed too late because the attacker has already gained a session or validated account state. At that point, downstream fraud can move through payments, support channels, or sensitive data faster than manual review can respond. Early disruption is the only way to prevent cheap, repeatable abuse from turning into business loss.

Q: Who is accountable when account compromise turns into financial fraud?

A: Accountability usually spans IAM, fraud operations, and business owners because the failure is both identity and monetisation related. IAM owns entry assurance and session controls, fraud teams own detection and response, and business owners own the risk tolerance for high-value account actions. Clear ownership matters because attackers exploit gaps between those functions.


Technical breakdown

Why account sign-in is the fraud supply chain entry point

Fraud operations often start with account creation, sign-in, or credential validation because those steps are reusable across many downstream attacks. Once attackers can pass the entry check, they can test stolen credentials, automate sign-up abuse, or pivot into account takeover and payment fraud. Bot automation makes this more efficient because the same infrastructure can run at scale, retry failed attempts, and shift tactics quickly. The important architectural point is that identity entry is no longer just an authentication control. It is also a fraud-intelligence boundary that needs behavioural signals, device signals, and rate controls to distinguish legitimate users from coordinated abuse.

Practical implication: treat sign-in and registration as fraud control points, not only authentication workflows.

How automated bots change the economics of fraud

Bots lower the cost of persistence for attackers. Instead of manually testing one target at a time, adversaries can run credential stuffing, sign-up abuse, phishing-assisted logins, and repeated MFA challenge attempts until a path succeeds. This matters because even a small success rate becomes profitable when attempts can be multiplied across thousands of accounts. The attacker does not need perfect stealth, only enough scale to keep the return on effort positive. That changes how defenders should think about control design. Classic point-in-time authentication is necessary but not sufficient when abuse is distributed, adaptive, and economically motivated.

Practical implication: build friction and detection into high-volume entry flows so scale does not become the attacker’s advantage.

Why top-of-funnel controls matter more than post-compromise cleanup

Top-of-funnel defence means stopping abuse at the earliest account interaction, before the attacker acquires a working session or validated identity. In fraud-heavy environments, that is often the only point where the organisation can still influence attacker ROI. Once an account is accessed, the downstream cost rises sharply because payment methods, personal data, and trust relationships can all be monetised. This is why step-up challenges, behavioural scoring, and adaptive blocking are not merely user-experience choices. They are containment controls that reduce the number of fraudulent sessions that ever become business losses.

Practical implication: move fraud detection upstream so abuse is blocked before session establishment or account approval.


Threat narrative

Attacker objective: The attacker’s objective is to convert account access into monetisable fraud while keeping acquisition costs low enough to preserve profit.

  1. Entry begins at account registration or sign-in, where attackers use phishing, credential theft, or automated bots to test access paths at scale.
  2. Escalation follows when the attacker obtains a valid session, bypasses 2FA or MFA capture, or converts the initial login into account takeover and fraudulent activity.
  3. Impact appears as monetised fraud, including payment theft, investment scams, business email compromise, and losses tied to compromised personal data.

  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Account entry is now a governance boundary, not a login screen. The article’s core signal is that fraud starts before most IAM teams consider a user “inside” the system. That means access governance, fraud telemetry, and step-up controls now overlap at the first interaction, not after authentication succeeds. Practitioners should treat registration and sign-in as policy-enforced control planes, not simple front-end flows.

Bot-driven fraud collapses the old separation between authentication and abuse prevention. If attackers can automate retries, rotate infrastructure, and adapt prompts in real time, then a pure identity check cannot carry the full burden of trust. This is where NIST SP 800-63 Digital Identity Guidelines and Zero Trust thinking converge: identity assurance must be paired with continuous context evaluation. The implication is that teams need to decide where authentication ends and abuse detection begins.

Identity blast radius is the right named concept for this problem. Once an attacker validates one account, the value of that foothold depends on how much downstream monetisable capability the account can reach. That blast radius can include payment methods, personal data, support channels, and business communications. The practitioner conclusion is that reducing account privileges and controlling session reuse matter as much as blocking the first login attempt.

Fraud operations exploit the same lifecycle gaps that identity programmes often leave under-owned. Registration abuse, weak sign-in protections, and delayed response to credential misuse create openings across human identity, machine-assisted workflows, and account recovery paths. The field should stop treating fraud as a separate security problem and start treating it as an identity governance failure with direct financial impact. Practitioners need joined-up ownership across IAM, fraud, and customer security.

Economic deterrence is the most credible anti-fraud strategy when attacker volume is the constraint. The article’s argument is less about blocking every attempt and more about breaking the attacker’s return on investment. That aligns with modern identity defence: make abuse expensive, noisy, and hard to repeat at scale. For practitioners, the measure of success is not just fewer login attempts, but lower fraud conversion from those attempts.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Our research also shows that organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
  • For teams dealing with account-entry abuse, the next step is to align sign-in telemetry with identity lifecycle and secrets governance, as outlined in Ultimate Guide to NHIs, Key Research and Survey Results.

What this signals

The practical signal for identity teams is that fraud defence now belongs in the same operating model as access governance. Organisations that still separate authentication, abuse detection, and recovery controls will keep paying for the gap in the form of repeatable account-entry losses.

Identity blast radius: the smaller the set of actions an account can take before trust is earned, the less profitable the compromise becomes. That means teams should review what a newly created or newly verified account can change, access, or transfer before it is fully trusted.


For practitioners

  • Instrument registration and sign-in as fraud control points: Apply behavioural scoring, device reputation, and rate limiting to account creation and login flows so suspicious patterns are challenged before a working session is issued.
  • Add friction where attackers scale cheaply: Use step-up verification for risky account recovery, repeated failures, and abnormal geovelocity so automation cannot convert unlimited retries into cheap compromise.
  • Tie authentication telemetry to fraud response: Feed login anomalies, MFA fatigue signals, and sign-up abuse indicators into the same response workflow that handles payment fraud and account abuse escalation.
  • Reduce the monetisable reach of a single account: Limit what a newly verified or suspicious account can access until trust is established, including payment changes, credential resets, and high-risk contact updates.
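The entry-layer controls described in the technical breakdown and the four practitioner points above, combined into one decision path, as an added example that is not code from Arkose Labs or NHI Mgmt Group: per-IP velocity, repeated-failure bursts, a device-reputation signal and geovelocity are scored before any session is issued, and a trust-tier table caps what a new or challenged account may do (the identity blast radius). The thresholds, the `device_reputation` signal, the tier names and the sample attempts are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque, namedtuple

# One sign-in or registration attempt; device_reputation is a hypothetical signal
# (0.0 known-bad .. 1.0 trusted), success is whether the credential check passed.
EntryEvent = namedtuple("EntryEvent", "ts account ip country device_reputation success")

# Identity blast radius: capabilities an account holds before trust is earned.
TIERS = {"new": {"browse", "update_profile"},
         "verified": {"browse", "update_profile", "change_email"},
         "established": {"browse", "update_profile", "change_email", "change_payment", "reset_credentials"}}

class EntryRiskEngine:
    """Scores each attempt at the entry layer, before any session is issued."""
    def __init__(self, window=300, ip_limit=20, fail_limit=5):
        self.window, self.ip_limit, self.fail_limit = window, ip_limit, fail_limit
        self.ip_hits = defaultdict(deque)     # ip -> timestamps of attempts
        self.acct_fails = defaultdict(deque)  # account -> timestamps of failures
        self.last_seen = {}                   # account -> (ts, country)

    def _trim(self, dq, now):                 # drop events outside the window
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def decide(self, ev):
        score, reasons = 0, []
        hits = self.ip_hits[ev.ip]; self._trim(hits, ev.ts); hits.append(ev.ts)
        if len(hits) > self.ip_limit:         # velocity: one IP, many attempts
            score += 40; reasons.append("ip_velocity")
        fails = self.acct_fails[ev.account]; self._trim(fails, ev.ts)
        if not ev.success: fails.append(ev.ts)
        if len(fails) >= self.fail_limit:     # repeated failures on one account
            score += 30; reasons.append("account_fail_burst")
        if ev.device_reputation < 0.3:        # device signal
            score += 30; reasons.append("bad_device")
        prev = self.last_seen.get(ev.account)
        if prev and prev[1] != ev.country and ev.ts - prev[0] < self.window:
            score += 30; reasons.append("geovelocity")  # country change too fast
        self.last_seen[ev.account] = (ev.ts, ev.country)
        return ("block" if score >= 60 else "challenge" if score >= 30 else "allow"), reasons

def permitted(action, tier, decision):
    """Gate high-value actions: a challenged entry is held at the lowest tier."""
    effective = "new" if decision == "challenge" else tier
    return decision != "block" and action in TIERS[effective]

def run_sample():
    eng = EntryRiskEngine()
    # Constructed sample: 25 attempts from one IP against 25 accounts, then a normal login.
    spray = [EntryEvent(1000 + i, f"user{i}", "203.0.113.9", "US", 0.2, False) for i in range(25)]
    return [eng.decide(e)[0] for e in spray], eng.decide(EntryEvent(1100, "alice", "198.51.100.7", "US", 0.9, True))
```

In the sample the low-reputation device alone pushes every attempt to a challenge, and once the per-IP velocity limit is crossed the remaining attempts are blocked, so scale stops being the attacker's advantage; the unrelated login from a clean device is allowed untouched.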

Key takeaways

  • The article shows that fraud now concentrates at the identity entry layer, where login and registration controls determine whether attackers can convert intent into loss.
  • The scale is material: IC3 reported more than $12.5 billion in potential losses and more than 2,400 complaints per day, which means this is a governance problem, not a nuisance.
  • The most effective response is to shrink attacker ROI by hardening top-of-funnel controls, limiting account blast radius, and tying identity telemetry to fraud action.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
NIST SP 800-63                |                     | The post focuses on account assurance and sign-in risk.
NIST Zero Trust (SP 800-207)  | PR.AC-4             | Continuous verification fits adaptive abuse detection at account entry.
NIST CSF 2.0                  | DE.CM-1             | Fraud telemetry depends on continuous monitoring of identity events.

Use phishing-resistant authentication and risk-based step-up checks for high-risk account entry.


Key terms

  • Account Entry: The first authenticated or semi-authenticated interaction where a user creates, validates, or resumes identity access. In fraud scenarios, this is a governance boundary because attackers can exploit it to gain sessions, test stolen credentials, or establish a foothold for monetisable abuse.
  • Bot-Driven Fraud: Fraud activity amplified by automation that allows attackers to repeat attempts, vary inputs, and scale abuse across many accounts. The identity risk is not only volume but adaptability, because bots can keep probing until they find a path past controls designed for individual users.
  • Identity Blast Radius: The amount of damage a compromised account can cause before trust is reduced or access is constrained. In practice, smaller blast radius means fewer actions, lower privilege, and less monetisable reach, which reduces the business value of a successful compromise.

Deepen your knowledge

NHI governance, machine identity security, and secrets management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance, it is worth exploring.

This post draws on content published by Arkose Labs: FBI IC3 fraud trends and why account entry matters. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org